From d8f6d8568396816a6bfaca1e01211384e803cf91 Mon Sep 17 00:00:00 2001 From: Frederic Guillot Date: Sun, 11 Sep 2016 16:08:03 -0400 Subject: Add project restrictions for custom roles
---
 app/Helper/ProjectRoleHelper.php | 130 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 130 insertions(+) create mode 100644 app/Helper/ProjectRoleHelper.php (limited to 'app/Helper/ProjectRoleHelper.php')
diff --git a/app/Helper/ProjectRoleHelper.php b/app/Helper/ProjectRoleHelper.php
new file mode 100644
index 00000000..34905b52
--- /dev/null
+++ b/app/Helper/ProjectRoleHelper.php
@@ -0,0 +1,130 @@
+memoryCache->proxy($this->projectUserRoleModel, 'getUserRole', $project_id, $this->userSession->getId());
+ }
+
+ /**
+ * Return true if the task can be moved by the connected user
+ *
+ * @param array $task
+ * @return bool
+ */
+ public function isDraggable(array $task)
+ {
+ if ($task['is_active'] == 1 && $this->helper->user->hasProjectAccess('BoardViewController', 'save', $task['project_id'])) {
+ $role = $this->getProjectUserRole($task['project_id']);
+
+ if ($this->role->isCustomProjectRole($role)) {
+ $srcColumnIds = $this->columnMoveRestrictionCacheDecorator->getAllSrcColumns($task['project_id'], $role);
+ return isset($srcColumnIds[$task['column_id']]);
+ }
+
+ return true;
+ }
+
+ return false;
+ }
+
+ /**
+ * Check if the user can move a task
+ *
+ * @param int $project_id
+ * @param int $src_column_id
+ * @param int $dst_column_id
+ * @return bool|int
+ */
+ public function canMoveTask($project_id, $src_column_id, $dst_column_id)
+ {
+ $role = $this->getProjectUserRole($project_id);
+
+ if ($this->role->isCustomProjectRole($role)) {
+ return $this->columnMoveRestrictionModel->isAllowed(
+ $project_id,
+ $role,
+ $src_column_id,
+ $dst_column_id
+ );
+ }
+
+ return true;
+ }
+
+ /**
+ * Return true if the user can remove a task
+ *
+ * Regular users can't remove tasks from other people
+ *
+ * @public
+ * @param array $task
+ * @return bool
+ */
+ public function canRemoveTask(array $task)
+ {
+ if (isset($task['creator_id']) && $task['creator_id'] == $this->userSession->getId()) {
+ return true;
+ }
+
+ if ($this->userSession->isAdmin() || $this->getProjectUserRole($task['project_id']) === Role::PROJECT_MANAGER) {
+ return true;
+ }
+
+ return false;
+ }
+
+ /**
+ * Check project access
+ *
+ * @param string $controller
+ * @param string $action
+ * @param integer $project_id
+ * @return bool
+ */
+ public function checkProjectAccess($controller, $action, $project_id)
+ {
+ if (! 
$this->userSession->isLogged()) {
+ return false;
+ }
+
+ if ($this->userSession->isAdmin()) {
+ return true;
+ }
+
+ if (! $this->helper->user->hasAccess($controller, $action)) {
+ return false;
+ }
+
+ $role = $this->getProjectUserRole($project_id);
+
+ if ($this->role->isCustomProjectRole($role)) {
+ $restrictions = $this->projectRoleRestrictionModel->getAllByRole($project_id, $role);
+ $result = $this->projectRoleRestrictionModel->isAllowed($restrictions, $controller, $action);
+ $result = $result && $this->projectAuthorization->isAllowed($controller, $action, Role::PROJECT_MEMBER);
+ } else {
+ $result = $this->projectAuthorization->isAllowed($controller, $action, $role);
+ }
+
+ return $result;
+ }
+}
-- cgit v1.2.3
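Review bot: The creator shortcut in canRemoveTask compares `$task['creator_id'] == $this->userSession->getId()` with loose equality and returns true before any of the login, admin or project-role checks the rest of this helper performs, so it is the one authorization path that rests on PHP's type juggling rather than on the role model. Under loose comparison `0 == null` is always true and `0 == ''` is true on PHP before 8, so if a task row can carry creator_id = 0 and getId() can yield null or an empty value for a session without a user, the check would pass — neither can be confirmed from this file, but normalising both sides removes the question: `if (isset($task['creator_id']) && (int) $task['creator_id'] > 0 && (int) $task['creator_id'] === (int) $this->userSession->getId()) {`. The same loose `== 1` on the `is_active` test in isDraggable could be tightened the same way. Separately, canMoveTask's docblock declares `@return bool|int` while both visible return paths yield `true` or the result of isAllowed(); if that model method returns a bool, `@return bool` is the accurate annotation. The class header and the opening of getProjectUserRole fall before the first visible hunk line in this rendering, so the memoryCache proxy call cannot be reviewed in context.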