[Instrument] Remove exception from NDB_BVL_Instrument::factory

This removes the exception from NDB_BVL_Instrument::factory(), so that
it's possible to call hasAccess on an instrument. Currently the hasAccess
or Factory call mix concerns, making it difficult for a module to check
if a user has access to an instrument.

Author: driusan

htdocs/survey.php

@@ -107,6 +107,11 @@ function initialize()
             $this->loris,
             $this->TestName,
         );
+        $user = \User::singleton();
+        if ($instrumentObj->_hasAccess($user) !== true) {
+            throw new \Exception("Permission denied", 403);
+        }
+
         $subtests       = $instrumentObj->getSubtestList();
         $this->NumPages = count($subtests) + 1;
 

modules/api/php/endpoints/candidate/visit/instruments.class.inc

@@ -131,6 +131,10 @@ class Instruments extends Endpoint implements \LORIS\Middleware\ETagCalculator
                 '',
                 true
             );
+            $user = $request->getAttribute('user');
+            if($instrument->_hasAccess($user) == false) {
+                return new \LORIS\Http\Response\JSON\Forbidden();
+            };
         } catch (\Exception $e) {
             return new \LORIS\Http\Response\JSON\NotFound();
         }

modules/api/php/endpoints/project/instruments.class.inc

@@ -108,6 +108,10 @@ class Instruments extends Endpoint implements \LORIS\Middleware\ETagCalculator
                 '',
                 true
             );
+            $user = $request->getAttribute("user");
+            if ($instrument->_hasAccess($user) == false) {
+                return new \LORIS\Http\Response\JSON\Forbidden();
+            }
         } catch (\Exception $e) {
             return new \LORIS\Http\Response\JSON\NotFound();
         }

modules/conflict_resolver/php/endpoints/unresolved.class.inc

@@ -252,6 +252,11 @@ class Unresolved extends Endpoint implements ETagCalculator
             '',
             true
         );
+        if ($instrument->_hasAccess($user) == false) {
+            return new \LORIS\Http\Response\JSON\NotFound(
+                'Permission denied for ' . $conflict['TableName']
+            );
+        }
         $instrument->_saveValues(
             [$conflict['FieldName'] => $conflict['CorrectAnswer']]
         );

modules/datadict/php/datadict.class.inc

@@ -61,6 +61,7 @@ class Datadict extends \DataFrameworkMenu
         $instruments     = \Utility::getAllInstruments();
         $dictInstruments = [];
         $lorisinstance   = $this->lorisinstance;
+        $user = \User::singleton();
         foreach ($instruments as $instrument => $name) {
             // Since the testname does not always match the table name in the
             // database we need to instantiate the object to get the table name
@@ -71,6 +72,13 @@ class Datadict extends \DataFrameworkMenu
                     '',
                     ''
                 );
+                if ($iObj->_hasAccess($user)) {
+                    $this->logger->debug(
+                        "Skipping $instrument in field options"
+                        . " because user does not have permission"
+                    );
+                    continue;
+                }
             } catch (\Exception $e) {
                 error_log(
                     "There was a problem instantiating the instrument ".

modules/instruments/php/module.class.inc

@@ -83,6 +83,12 @@ class Module extends \Module
             $commentID,
             $page
         );
+        $user      = $request->getAttribute("user");
+        if ($instrument->_hasAccess($user) == false) {
+            return (new \Laminas\Diactoros\Response())
+                ->withStatus(403)
+                ->withBody(new \LORIS\Http\StringStream("Permission denied"));
+        }
 
         $request = $request->withAttribute('pageclass', $instrument);
 
@@ -165,9 +171,15 @@ class Module extends \Module
         $tests = array_keys(\Utility::getAllInstruments());
 
         $dict = [];
+        $user = \User::singleton();
         foreach ($tests as $testname) {
             try {
                 $inst   = \NDB_BVL_Instrument::factory($loris, $testname, "", "");
+                if ($inst->_hasAccess($user) == false) {
+                    $this->logger->debug("Skipping dictionary for $testname"
+                      . " due to permissions.");
+                    continue;
+                }
                 $cat    = new \LORIS\Data\Dictionary\Category(
                     $testname,
                     $inst->getFullName()

modules/instruments/php/visitsummary.class.inc

@@ -52,6 +52,7 @@ class VisitSummary extends \NDB_Page
             return $this->_handleGET(
                 new CandID($params['CandID']),
                 $params['VisitLabel'],
+                $user,
             );
         default:
             return new \LORIS\Http\Response\JSON\MethodNotAllowed(
@@ -61,15 +62,16 @@ class VisitSummary extends \NDB_Page
     }
 
     /**
-     * Helper to specifically handle PATCH HTTP methods to the endpoint.
+     * Helper to specifically handle GET HTTP methods to the endpoint.
      *
      * @param CandID $candid     The CandID for the visit.
      * @param string $visitLabel The visit label string.
+     * @param \User  $user       The user accessing the endpoint
      *
      * @return ResponseInterface
      */
     private function _handleGET(
-        CandID $candid, string $visitLabel
+        CandID $candid, string $visitLabel, \User $user
     ) : ResponseInterface {
         $DB = \NDB_Factory::singleton()->database();
 
@@ -111,6 +113,9 @@ class VisitSummary extends \NDB_Page
                 '',
                 false
             );
+            if ($instrument->_hasAccess($user) == false) {
+                continue;
+            }
             if ($instrument === null) {
                 $bvl_result[$key]['Completion'] = 0;
             } else {

php/libraries/NDB_BVL_Instrument.class.inc

@@ -308,17 +308,6 @@ abstract class NDB_BVL_Instrument extends NDB_Page
             $base . "project/instruments/$instrument.rules"
         );
 
-        $user   = \User::singleton();
-        $access = $obj->_hasAccess($user);
-
-        // check that user has access
-        if ($access == false) {
-            throw new Exception(
-                "You do not have access to this page.",
-                403
-            );
-        }
-
         return $obj;
     }
 
@@ -380,9 +369,7 @@ abstract class NDB_BVL_Instrument extends NDB_Page
                     return true;
                 }
             }
-
-            //no user permissions match required instrument permissions
-            throw new Exception("You do not have access to this page.", 403);
+            return false;
         }
     }