From 2534f2255537b0acfdde4b7e9a8dca4892a9f737 Mon Sep 17 00:00:00 2001
From: Martin Krulis <krulis@d3s.mff.cuni.cz>
Date: Wed, 4 Oct 2023 13:34:32 +0200
Subject: [PATCH] Creating new permission scope for working with reference
 solutions.

---
 app/V1Module/security/TokenScope.php | 38 +++++++++++-
 app/config/permissions.neon          | 86 ++++++++++++++++++++++------
 2 files changed, 103 insertions(+), 21 deletions(-)

diff --git a/app/V1Module/security/TokenScope.php b/app/V1Module/security/TokenScope.php
index 0ff0b9b8..c10adb88 100644
--- a/app/V1Module/security/TokenScope.php
+++ b/app/V1Module/security/TokenScope.php
@@ -4,14 +4,46 @@
 
 use Nette\StaticClass;
 
+/**
+ * Namespace for scope constants.
+ */
 class TokenScope
 {
     use StaticClass;
 
-    public const CHANGE_PASSWORD = "change-password";
+    /**
+     * The default scope with no additional restrictions.
+     */
     public const MASTER = "master";
-    public const EMAIL_VERIFICATION = "email-verification";
-    public const REFRESH = "refresh";
+
+    /**
+     * Read-only scope restricts operations to data retrieval only.
+     */
     public const READ_ALL = "read-all";
+
+    /**
+     * Used by 3rd party plagiarism detection tools to fetch solutions and feed similarities back.
+     */
     public const PLAGIARISM = "plagiarism";
+
+    /**
+     * Operations with reference solutions only. Can be used to insert additional solutions (e.g., created by GPT),
+     * as reference solutions to exercises.
+     */
+    public const REF_SOLUTIONS = "ref-solutions";
+
+    /**
+     * Special scope used in password-retrieval links. The user can only change the local password.
+     */
+    public const CHANGE_PASSWORD = "change-password";
+
+    /**
+     * Special scope used in password verification links. The user can only mark email address verified.
+     */
+    public const EMAIL_VERIFICATION = "email-verification";
+
+    /**
+     * Usually used in combination with other scopes. Allows refreshing the token.
+     */
+    public const REFRESH = "refresh";
 }
diff --git a/app/config/permissions.neon b/app/config/permissions.neon
index a30d3077..2471c60e 100644
--- a/app/config/permissions.neon
+++ b/app/config/permissions.neon
@@ -575,6 +575,21 @@ permissions:
           - viewList
           - viewAllTags
 
+    - allow: true
+      role: scope-ref-solutions
+      resource: exercise
+      actions:
+          - viewAll
+          - viewAllAuthors
+          - viewDetail
+          - viewConfig
+          - viewLimits
+          - viewScoreConfig
+          - viewAssignments
+          - viewList
+          - viewAllTags
+          - addReferenceSolution
+
     - allow: true
       role: student
       resource: exercise
@@ -688,6 +703,59 @@ permissions:
       conditions:
           - exercise.isAuthorOrAdmin
 
+    - allow: true
+      role: supervisor-student
+      resource: exercise
+      actions:
+          - viewAll
+          - viewAllAuthors
+          - viewAllTags
+          - create  # this is a generic rule (used to determine whether the user can be admin/author)
+
+    - allow: true
+      role: supervisor-student
+      resource: group
+      actions:
+          - createExercise  # this is an explicit rule tested in creation endpoint (exercise is always created in a group)
+      conditions:
+          - group.isSupervisor
+          - group.isNotArchived
+
+    #######################
+    # Reference solutions #
+    #######################
+
+    - allow: true
+      role: scope-read-all
+      resource: referenceExerciseSolution
+      actions:
+          - viewDetail
+
+    - allow: true
+      role: scope-ref-solutions
+      resource: referenceExerciseSolution
+      actions:
+          - viewDetail
+          - promote
+
+    - allow: true
+      role: scope-ref-solutions
+      resource: referenceExerciseSolution
+      actions:
+          - evaluate
+          - deleteEvaluation
+          - setVisibility
+          - delete
+      conditions:
+          - referenceExerciseSolution.isExerciseNotArchived
+          - or:
+              - referenceExerciseSolution.isAuthor
+              - and:
+                  - referenceExerciseSolution.isPublic
+                  - or:
+                      - referenceExerciseSolution.isExerciseAuthorOrAdmin
+                      - referenceExerciseSolution.isExerciseSuperGroupAdmin
+
     - allow: true
       role: supervisor-student
       resource: referenceExerciseSolution
@@ -730,24 +798,6 @@ permissions:
           - referenceExerciseSolution.isExerciseNotArchived
           - referenceExerciseSolution.isExerciseAuthorOrAdmin
 
-    - allow: true
-      role: supervisor-student
-      resource: exercise
-      actions:
-          - viewAll
-          - viewAllAuthors
-          - viewAllTags
-          - create  # this is a generic rule (used to determine whether the user can be admin/author)
-
-    - allow: true
-      role: supervisor-student
-      resource: group
-      actions:
-          - createExercise  # this is an explicit rule tested in creation endpoint (exercise is always created in a group)
-      conditions:
-          - group.isSupervisor
-          - group.isNotArchived
-
     #############################
     # Uploaded file permissions #
     #############################