authorFrederic Guillot <fred@kanboard.net>2016-09-11 16:08:03 -0400
committerFrederic Guillot <fred@kanboard.net>2016-09-11 16:08:03 -0400
commitd8f6d8568396816a6bfaca1e01211384e803cf91 (patch)
tree16d735faa3f6f9aafb6c78650470e77347cae1ab /app/Helper
parenta0227cad69aff9486fba1d7b2a19e6da97450100 (diff)
Add project restrictions for custom roles
Diffstat (limited to 'app/Helper')
-rw-r--r--app/Helper/BoardHelper.php22
-rw-r--r--app/Helper/ProjectRoleHelper.php130
-rw-r--r--app/Helper/UserHelper.php55
3 files changed, 131 insertions, 76 deletions
diff --git a/app/Helper/BoardHelper.php b/app/Helper/BoardHelper.php
index 9e8e78ac..f5df3db2 100644
--- a/app/Helper/BoardHelper.php
+++ b/app/Helper/BoardHelper.php
@@ -24,26 +24,4 @@ class BoardHelper extends Base
{
return $this->userMetadataCacheDecorator->get(UserMetadataModel::KEY_BOARD_COLLAPSED.$project_id, 0) == 1;
}
-
- /**
- * Return true if the task can be moved by the connected user
- *
- * @param array $task
- * @return bool
- */
- public function isDraggable(array $task)
- {
- if ($task['is_active'] == 1 && $this->helper->user->hasProjectAccess('BoardViewController', 'save', $task['project_id'])) {
- $role = $this->helper->user->getProjectUserRole($task['project_id']);
-
- if ($this->role->isCustomProjectRole($role)) {
- $srcColumnIds = $this->columnMoveRestrictionCacheDecorator->getAllSrcColumns($task['project_id'], $role);
- return isset($srcColumnIds[$task['column_id']]);
- }
-
- return true;
- }
-
- return false;
- }
}
diff --git a/app/Helper/ProjectRoleHelper.php b/app/Helper/ProjectRoleHelper.php
new file mode 100644
index 00000000..34905b52
--- /dev/null
+++ b/app/Helper/ProjectRoleHelper.php
@@ -0,0 +1,130 @@
+<?php
+
+namespace Kanboard\Helper;
+
+use Kanboard\Core\Base;
+use Kanboard\Core\Security\Role;
+
+/**
+ * Class ProjectRoleHelper
+ *
+ * @package Kanboard\Helper
+ * @author Frederic Guillot
+ */
+class ProjectRoleHelper extends Base
+{
+ /**
+ * Get project role for the current user
+ *
+ * @access public
+ * @param integer $project_id
+ * @return string
+ */
+ public function getProjectUserRole($project_id)
+ {
+ return $this->memoryCache->proxy($this->projectUserRoleModel, 'getUserRole', $project_id, $this->userSession->getId());
+ }
+
+ /**
+ * Return true if the task can be moved by the connected user
+ *
+ * @param array $task
+ * @return bool
+ */
+ public function isDraggable(array $task)
+ {
+ if ($task['is_active'] == 1 && $this->helper->user->hasProjectAccess('BoardViewController', 'save', $task['project_id'])) {
+ $role = $this->getProjectUserRole($task['project_id']);
+
+ if ($this->role->isCustomProjectRole($role)) {
+ $srcColumnIds = $this->columnMoveRestrictionCacheDecorator->getAllSrcColumns($task['project_id'], $role);
+ return isset($srcColumnIds[$task['column_id']]);
+ }
+
+ return true;
+ }
+
+ return false;
+ }
+
+ /**
+ * Check if the user can move a task
+ *
+ * @param int $project_id
+ * @param int $src_column_id
+ * @param int $dst_column_id
+ * @return bool|int
+ */
+ public function canMoveTask($project_id, $src_column_id, $dst_column_id)
+ {
+ $role = $this->getProjectUserRole($project_id);
+
+ if ($this->role->isCustomProjectRole($role)) {
+ return $this->columnMoveRestrictionModel->isAllowed(
+ $project_id,
+ $role,
+ $src_column_id,
+ $dst_column_id
+ );
+ }
+
+ return true;
+ }
+
+ /**
+ * Return true if the user can remove a task
+ *
+ * Regular users can't remove tasks from other people
+ *
+ * @public
+ * @param array $task
+ * @return bool
+ */
+ public function canRemoveTask(array $task)
+ {
+ if (isset($task['creator_id']) && $task['creator_id'] == $this->userSession->getId()) {
+ return true;
+ }
+
+ if ($this->userSession->isAdmin() || $this->getProjectUserRole($task['project_id']) === Role::PROJECT_MANAGER) {
+ return true;
+ }
+
+ return false;
+ }
+
+ /**
+ * Check project access
+ *
+ * @param string $controller
+ * @param string $action
+ * @param integer $project_id
+ * @return bool
+ */
+ public function checkProjectAccess($controller, $action, $project_id)
+ {
+ if (! $this->userSession->isLogged()) {
+ return false;
+ }
+
+ if ($this->userSession->isAdmin()) {
+ return true;
+ }
+
+ if (! $this->helper->user->hasAccess($controller, $action)) {
+ return false;
+ }
+
+ $role = $this->getProjectUserRole($project_id);
+
+ if ($this->role->isCustomProjectRole($role)) {
+ $restrictions = $this->projectRoleRestrictionModel->getAllByRole($project_id, $role);
+ $result = $this->projectRoleRestrictionModel->isAllowed($restrictions, $controller, $action);
+ $result = $result && $this->projectAuthorization->isAllowed($controller, $action, Role::PROJECT_MEMBER);
+ } else {
+ $result = $this->projectAuthorization->isAllowed($controller, $action, $role);
+ }
+
+ return $result;
+ }
+}
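Review bot: `canRemoveTask` grants removal on a loose `$task['creator_id'] == $this->userSession->getId()` comparison (line 139) without first requiring a logged-in session, so a task whose `creator_id` is `0` would match an anonymous session if `getId()` yields `0` or `null` there; whether this helper can be reached unauthenticated is not visible in the hunk, and the same line exists in the copy removed from UserHelper, so it is not a regression of this commit. Guarding and comparing strictly keeps the intent while closing that corner: `if ($this->userSession->isLogged() && isset($task['creator_id']) && (int) $task['creator_id'] === (int) $this->userSession->getId()) {`. On documentation, the same method's docblock uses a bare `@public` tag where the other methods in the file use `@access public`, and `canMoveTask` documents `@return bool|int` although it returns the value of `columnMoveRestrictionModel::isAllowed()` unchanged or `true` — if that model method is boolean, `@return bool` is the accurate tag. A one-line comment above the custom-role branch of `checkProjectAccess` would also help the next reader: `// Custom roles never exceed PROJECT_MEMBER rights; restrictions only narrow them further.`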
diff --git a/app/Helper/UserHelper.php b/app/Helper/UserHelper.php
index 17c66616..8c2567b9 100644
--- a/app/Helper/UserHelper.php
+++ b/app/Helper/UserHelper.php
@@ -3,7 +3,6 @@
namespace Kanboard\Helper;
use Kanboard\Core\Base;
-use Kanboard\Core\Security\Role;
/**
* User helpers
@@ -133,66 +132,14 @@ class UserHelper extends Base
*/
public function hasProjectAccess($controller, $action, $project_id)
{
- if (! $this->userSession->isLogged()) {
- return false;
- }
-
- if ($this->userSession->isAdmin()) {
- return true;
- }
-
- if (! $this->hasAccess($controller, $action)) {
- return false;
- }
-
$key = 'project_access:'.$controller.$action.$project_id;
$result = $this->memoryCache->get($key);
if ($result === null) {
- $role = $this->getProjectUserRole($project_id);
-
- if ($this->role->isCustomProjectRole($role)) {
- $role = Role::PROJECT_MEMBER;
- }
-
- $result = $this->projectAuthorization->isAllowed($controller, $action, $role);
+ $result = $this->helper->projectRole->checkProjectAccess($controller, $action, $project_id);
$this->memoryCache->set($key, $result);
}
return $result;
}
-
- /**
- * Get project role for the current user
- *
- * @access public
- * @param integer $project_id
- * @return string
- */
- public function getProjectUserRole($project_id)
- {
- return $this->memoryCache->proxy($this->projectUserRoleModel, 'getUserRole', $project_id, $this->userSession->getId());
- }
-
- /**
- * Return true if the user can remove a task
- *
- * Regular users can't remove tasks from other people
- *
- * @public
- * @param array $task
- * @return bool
- */
- public function canRemoveTask(array $task)
- {
- if (isset($task['creator_id']) && $task['creator_id'] == $this->userSession->getId()) {
- return true;
- }
-
- if ($this->userSession->isAdmin() || $this->getProjectUserRole($task['project_id']) === Role::PROJECT_MANAGER) {
- return true;
- }
-
- return false;
- }
}
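Review bot: The cached path in `hasProjectAccess` now also covers the `isLogged()` and `isAdmin()` decisions, because those checks moved into `checkProjectAccess` in the new ProjectRoleHelper and its whole result is stored under `project_access:<controller><action><project_id>` at line 222; before this hunk those two checks ran on every call and only the role verdict was cached. The key carries no user id, so the lifetime of `memoryCache` is what keeps this correct — if it is per-request, as the name suggests, nothing changes, but should session state change within that lifetime a cached `false` from a not-yet-logged-in check would persist. Recording that assumption at the call site would make it explicit: `// Per-request cache: checkProjectAccess() now also encodes login/admin state, so this must not outlive the session.` The removed `getProjectUserRole` and `canRemoveTask` bodies reappear unchanged in ProjectRoleHelper, which is the move this commit intends.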