Merge pull request #227 from ReCodEx/new-roles

Martin Kruliš · web-flow · commit f898ff1aa0ed · 2018-08-02T17:48:19.000+02:00
New roles added and set role endpoint properly registered.
diff --git a/app/V1Module/presenters/GroupsPresenter.php b/app/V1Module/presenters/GroupsPresenter.php
@@ -648,7 +648,7 @@ public function checkAddSupervisor(string $id, string $userId) {
       new Identity($user, null)
     );
 
-    if (!$this->groupAcl->canAddSupervisor($group, $user) || !$userAcl->canSupervise($group)) {
+    if (!$this->groupAcl->canAddSupervisor($group, $user) || !$userAcl->canBecomeSupervisor($group)) {
       throw new ForbiddenRequestException();
     }
   }
diff --git a/app/V1Module/router/RouterFactory.php b/app/V1Module/router/RouterFactory.php
@@ -335,6 +335,7 @@ private static function createUsersRoutes(string $prefix): RouteList {
     $router[] = new PostRoute("$prefix/<id>", "Users:updateProfile");
     $router[] = new PostRoute("$prefix/<id>/settings", "Users:updateSettings");
     $router[] = new PostRoute("$prefix/<id>/create-local", "Users:createLocalAccount");
+    $router[] = new PostRoute("$prefix/<id>/role", "Users:setRole");
     return $router;
   }
 
diff --git a/app/V1Module/security/ACL/IGroupPermissions.php b/app/V1Module/security/ACL/IGroupPermissions.php
@@ -31,6 +31,6 @@ function canAssignExercise(Group $group, Exercise $exercise): bool;
   function canCreateExercise(Group $group): bool;
   function canViewPublicDetail(Group $group): bool;
   function canAddStudentToArchivedGroup($group, $user): bool;
-  function canSupervise(Group $group): bool;
+  function canBecomeSupervisor(Group $group): bool;
   function canSendEmail(Group $group): bool;
 }
diff --git a/app/V1Module/security/ACL/IInstancePermissions.php b/app/V1Module/security/ACL/IInstancePermissions.php
@@ -6,16 +6,14 @@
 use App\Model\Entity\Licence;
 
 interface IInstancePermissions {
-  function canAddGroup(Instance $instance): bool;
   function canViewAll(): bool;
   function canViewDetail(Instance $instance): bool;
   function canViewGroups(Instance $instance): bool;
-  function canViewUsers(Instance $instance): bool;
   function canViewLicences(Instance $instance): bool;
   function canAddLicence(Instance $instance): bool;
   function canUpdateLicence(Licence $licence): bool;
   function canRemoveLicence(Licence $licence): bool;
   function canAdd(): bool;
   function canUpdate(Instance $instance): bool;
   function canRemove(Instance $instance): bool;
-}
+}
diff --git a/app/V1Module/security/Roles.php b/app/V1Module/security/Roles.php
@@ -13,15 +13,19 @@ class Roles
   use Nette\SmartObject;
 
   public const STUDENT_ROLE = "student";
+  public const SUPERVISOR_STUDENT_ROLE = "supervisor-student";
   public const SUPERVISOR_ROLE = "supervisor";
+  public const EMPOWERED_SUPERVISOR_ROLE = "empowered-supervisor";
   public const SUPERADMIN_ROLE = "superadmin";
 
   /**
    * Array containing all above roles for better searching.
    */
   public const ROLES = [
     self::STUDENT_ROLE,
+    self::SUPERVISOR_STUDENT_ROLE,
     self::SUPERVISOR_ROLE,
+    self::EMPOWERED_SUPERVISOR_ROLE.
     self::SUPERADMIN_ROLE
   ];
 
diff --git a/app/config/permissions.neon b/app/config/permissions.neon
@@ -4,9 +4,16 @@ roles:
     - name: student
       parents: unauthenticated
 
-    - name: supervisor
+    - name: supervisor-student
       parents: student
 
+    - name: supervisor
+      parents: supervisor-student
+
+    - name: empowered-supervisor
+      parents: supervisor
+
+
     - name: superadmin
 permissions:
     - allow: true
@@ -130,9 +137,9 @@ permissions:
 
     - allow: true
       resource: group
-      role: supervisor
+      role: supervisor-student
       actions:
-          - supervise
+          - becomeSupervisor
 
     ########################
     # Instance permissions #
@@ -145,7 +152,6 @@ permissions:
         - viewAll
         - viewDetail
         - viewGroups
-        - viewUsers
         - viewLicences
 
     - allow: true
@@ -155,28 +161,16 @@ permissions:
         - viewAll
         - viewDetail
 
-    - allow: true
-      role: supervisor
-      resource: instance
-      actions: addGroup
-      conditions: instance.isMember
-
     - allow: true
       role: student
       resource: instance
       actions:
           - viewGroups
 
-    - allow: true
-      role: supervisor
-      resource: instance
-      actions: []
-
     - allow: true
       role: superadmin # TODO instance admin role
       resource: instance
       actions:
-          - viewUsers
           - viewLicences
       conditions:
           - instance.isMember
@@ -239,7 +233,7 @@ permissions:
         - user.isSameUser
 
     - allow: true
-      role: supervisor
+      role: supervisor-student
       resource: user
       actions:
           - viewDetail
@@ -499,22 +493,22 @@ permissions:
           - referenceExerciseSolution.isExerciseAuthor
 
     - allow: true
-      role: supervisor
+      role: supervisor-student
       resource: exercise
       actions:
           - viewDetail
       conditions:
           - exercise.isPublic
 
     - allow: true
-      role: supervisor
+      role: supervisor-student
       resource: exercise
       actions:
           - viewAll
           - viewAllAuthors
 
     - allow: true
-      role: supervisor
+      role: supervisor-student
       resource: group
       actions:
           - createExercise
@@ -553,7 +547,7 @@ permissions:
             - file.isRelatedToAssignment
 
     - allow: true
-      role: supervisor
+      role: supervisor-student
       resource: uploadedFile
       actions:
           - download
@@ -563,7 +557,7 @@ permissions:
           - file.isExerciseOrAssignmentPublic
 
     - allow: true
-      role: supervisor
+      role: supervisor-student
       resource: uploadedFile
       actions:
           - viewDetail
@@ -600,7 +594,7 @@ permissions:
           - viewAll
 
     - allow: true
-      role: supervisor
+      role: supervisor-student
       resource: hardwareGroup
       actions:
           - viewAll
@@ -617,14 +611,14 @@ permissions:
           - viewAll
 
     - allow: true
-      role: supervisor
+      role: supervisor-student
       resource: pipeline
       actions:
           - viewDetail
           - viewAll
 
     - allow: true
-      role: supervisor
+      role: supervisor-student
       resource: pipeline
       actions:
           - update
@@ -646,7 +640,7 @@ permissions:
         - viewCourses
 
     - allow: true
-      role: supervisor
+      role: supervisor-student
       resource: sis
       actions:
         - createTerm

Original file line number	Diff line number	Diff line change
`@@ -648,7 +648,7 @@ public function checkAddSupervisor(string $id, string $userId) {`
`648`	`648`	`new Identity($user, null)`
`649`	`649`	`);`
`650`	`650`
`651`		`- if (!$this->groupAcl->canAddSupervisor($group, $user) \|\| !$userAcl->canSupervise($group)) {`
	`651`	`+ if (!$this->groupAcl->canAddSupervisor($group, $user) \|\| !$userAcl->canBecomeSupervisor($group)) {`
`652`	`652`	`throw new ForbiddenRequestException();`
`653`	`653`	`}`
`654`	`654`	`}`
Original file line number	Diff line number	Diff line change
`@@ -335,6 +335,7 @@ private static function createUsersRoutes(string $prefix): RouteList {`
`335`	`335`	`$router[] = new PostRoute("$prefix/<id>", "Users:updateProfile");`
`336`	`336`	`$router[] = new PostRoute("$prefix/<id>/settings", "Users:updateSettings");`
`337`	`337`	`$router[] = new PostRoute("$prefix/<id>/create-local", "Users:createLocalAccount");`
	`338`	`+ $router[] = new PostRoute("$prefix/<id>/role", "Users:setRole");`
`338`	`339`	`return $router;`
`339`	`340`	`}`
`340`	`341`
Original file line number	Diff line number	Diff line change
`@@ -31,6 +31,6 @@ function canAssignExercise(Group $group, Exercise $exercise): bool;`
`31`	`31`	`function canCreateExercise(Group $group): bool;`
`32`	`32`	`function canViewPublicDetail(Group $group): bool;`
`33`	`33`	`function canAddStudentToArchivedGroup($group, $user): bool;`
`34`		`- function canSupervise(Group $group): bool;`
	`34`	`+ function canBecomeSupervisor(Group $group): bool;`
`35`	`35`	`function canSendEmail(Group $group): bool;`
`36`	`36`	`}`