Base presenter and permissions for notifications

Author: Neloop

app/V1Module/presenters/NotificationsPresenter.php

@@ -0,0 +1,44 @@
+<?php
+
+namespace App\V1Module\Presenters;
+
+use App\Exceptions\ForbiddenRequestException;
+use App\Model\Entity\Notification;
+use App\Model\Repository\Notifications;
+use App\Security\ACL\INotificationPermissions;
+
+class NotificationsPresenter extends BasePresenter {
+
+  /**
+   * @var INotificationPermissions
+   * @inject
+   */
+  public $notificationAcl;
+
+  /**
+   * @var Notifications
+   * @inject
+   */
+  public $notifications;
+
+
+  public function checkDefault() {
+    if (!$this->notificationAcl->canViewCurrent()) {
+      throw new ForbiddenRequestException();
+    }
+  }
+
+  /**
+   * Get all notifications which are currently active.
+   * @GET
+   */
+  public function actionDefault() {
+    $notifications = $this->notifications->findAllCurrent();
+    $notifications = array_filter($notifications,
+      function (Notification $notification) {
+        return $this->notificationAcl->canViewDetail($notification);
+      });
+
+    $this->sendSuccessResponse($notifications);
+  }
+}

app/V1Module/security/ACL/INotificationPermissions.php

@@ -0,0 +1,11 @@
+<?php
+
+namespace App\Security\ACL;
+
+use App\Model\Entity\Notification;
+
+interface INotificationPermissions {
+  function canViewAll(): bool;
+  function canViewCurrent(): bool;
+  function canViewDetail(Notification $notification);
+}

app/V1Module/security/Policies/NotificationPermissionPolicy.php

@@ -0,0 +1,51 @@
+<?php
+
+namespace App\Security\Policies;
+
+use App\Model\Entity\Notification;
+use App\Security\Authorizator;
+use App\Security\Identity;
+
+class NotificationPermissionPolicy implements IPermissionPolicy {
+
+  /** @var Authorizator */
+  private $authorizator;
+
+  public function getAssociatedClass() {
+    return Notification::class;
+  }
+
+  public function __construct(Authorizator $authorizator) {
+    $this->authorizator = $authorizator;
+  }
+
+
+  public function hasRole(Identity $identity, Notification $notification) {
+    $user = $identity->getUserData();
+    if (!$user) {
+      return false;
+    }
+
+    // TODO
+  }
+
+  public function isGlobal(Identity $identity, Notification $notification) {
+    return $notification->getGroups()->isEmpty();
+  }
+
+  public function isGroupsMember(Identity $identity, Notification $notification) {
+    $user = $identity->getUserData();
+    if (!$user) {
+      return false;
+    }
+
+    foreach ($notification->getGroups() as $group) {
+      $isMember = $group->isMemberOfSubgroup($user);
+      if ($isMember) {
+        return true;
+      }
+    }
+
+    return false;
+  }
+}

app/config/config.neon

@@ -196,6 +196,7 @@ acl:
     email: App\Security\ACL\IEmailPermissions
     shadowAssignment: App\Security\ACL\IShadowAssignmentPermissions
     shadowAssignmentPoints: App\Security\ACL\IShadowAssignmentPointsPermissions
+    notification: App\Security\ACL\INotificationPermissions
   policies:
     group: App\Security\Policies\GroupPermissionPolicy
     instance: App\Security\Policies\InstancePermissionPolicy
@@ -213,6 +214,7 @@ acl:
     sisBoundGroup: App\Security\Policies\SisBoundGroupPermissionPolicy
     shadowAssignment: App\Security\Policies\ShadowAssignmentPermissionPolicy
     shadowAssignmentPoints: App\Security\Policies\ShadowAssignmentPointsPermissionPolicy
+    notification: App\Security\Policies\NotificationPermissionPolicy
 
 extensions:
   console: Kdyby\Console\DI\ConsoleExtension
@@ -366,6 +368,7 @@ services:
   - App\Model\Repository\SisValidTerms
   - App\Model\Repository\ShadowAssignments
   - App\Model\Repository\ShadowAssignmentPointsRepository
+  - App\Model\Repository\Notifications
 
   # views factories
   - App\Model\View\ExerciseViewFactory

app/config/permissions.neon

@@ -13,8 +13,8 @@ roles:
     - name: empowered-supervisor
       parents: supervisor
 
-
     - name: superadmin
+
 permissions:
     - allow: true
       role: superadmin
@@ -767,3 +767,25 @@ permissions:
           - remove
       conditions:
           - assignmentPoints.isSupervisor
+
+    ############################
+    # Notification permissions #
+    ############################
+
+    - allow: true
+      role: scope-read-all
+      resource: notification
+      actions:
+        - viewAll
+        - viewCurrent
+        - viewDetail
+
+    - allow: true
+      resource: notification
+      actions:
+        - viewDetail
+      conditions:
+        - notification.hasRole
+        - or:
+          - notification.isGlobal
+          - notification.isGroupsMember

app/model/entity/Group.php

@@ -304,6 +304,26 @@ public function isMemberOf(User $user) {
     return $this->getActiveMembers(GroupMembership::TYPE_ALL)->contains($user);
   }
 
+  /**
+   * Is member of this group or any subgroup.
+   * @note Is member or supervisor or admin, whole package of members.
+   * @param User $user
+   * @return bool
+   */
+  public function isMemberOfSubgroup(User $user) {
+    if ($this->isAdminOf($user) || $this->isMemberOf($user)) {
+      return true;
+    }
+
+    foreach ($this->childGroups as $childGroup) {
+      if ($childGroup->isMemberOfSubgroup($user)) {
+        return true;
+      }
+    }
+
+    return false;
+  }
+
   /**
    * @ORM\ManyToMany(targetEntity="User")
    */

app/model/repository/Notifications.php

@@ -11,4 +11,8 @@ class Notifications extends BaseSoftDeleteRepository {
   public function __construct(EntityManager $em) {
     parent::__construct($em, Notification::class);
   }
+
+  public function findAllCurrent(): array {
+    // TODO
+  }
 }