From d8f6d8568396816a6bfaca1e01211384e803cf91 Mon Sep 17 00:00:00 2001 From: Frederic Guillot Date: Sun, 11 Sep 2016 16:08:03 -0400 Subject: Add project restrictions for custom roles --- app/Helper/BoardHelper.php | 22 ------- app/Helper/ProjectRoleHelper.php | 130 +++++++++++++++++++++++++++++++++++++++ app/Helper/UserHelper.php | 55 +---------------- 3 files changed, 131 insertions(+), 76 deletions(-) create mode 100644 app/Helper/ProjectRoleHelper.php (limited to 'app/Helper') diff --git a/app/Helper/BoardHelper.php b/app/Helper/BoardHelper.php index 9e8e78ac..f5df3db2 100644 --- a/app/Helper/BoardHelper.php +++ b/app/Helper/BoardHelper.php @@ -24,26 +24,4 @@ class BoardHelper extends Base { return $this->userMetadataCacheDecorator->get(UserMetadataModel::KEY_BOARD_COLLAPSED.$project_id, 0) == 1; } - - /** - * Return true if the task can be moved by the connected user - * - * @param array $task - * @return bool - */ - public function isDraggable(array $task) - { - if ($task['is_active'] == 1 && $this->helper->user->hasProjectAccess('BoardViewController', 'save', $task['project_id'])) { - $role = $this->helper->user->getProjectUserRole($task['project_id']); - - if ($this->role->isCustomProjectRole($role)) { - $srcColumnIds = $this->columnMoveRestrictionCacheDecorator->getAllSrcColumns($task['project_id'], $role); - return isset($srcColumnIds[$task['column_id']]); - } - - return true; - } - - return false; - } } diff --git a/app/Helper/ProjectRoleHelper.php b/app/Helper/ProjectRoleHelper.php new file mode 100644 index 00000000..34905b52 --- /dev/null +++ b/app/Helper/ProjectRoleHelper.php 
@@ -0,0 +1,130 @@ +memoryCache->proxy($this->projectUserRoleModel, 'getUserRole', $project_id, $this->userSession->getId()); + } + + /** + * Return true if the task can be moved by the connected user + * + * @param array $task + * @return bool + */ + public function isDraggable(array $task) + { + if ($task['is_active'] == 1 && $this->helper->user->hasProjectAccess('BoardViewController', 'save', $task['project_id'])) { + $role = $this->getProjectUserRole($task['project_id']); + + if ($this->role->isCustomProjectRole($role)) { + $srcColumnIds = $this->columnMoveRestrictionCacheDecorator->getAllSrcColumns($task['project_id'], $role); + return isset($srcColumnIds[$task['column_id']]); + } + + return true; + } + + return false; + } + + /** + * Check if the user can move a task + * + * @param int $project_id + * @param int $src_column_id + * @param int $dst_column_id + * @return bool|int + */ + public function canMoveTask($project_id, $src_column_id, $dst_column_id) + { + $role = $this->getProjectUserRole($project_id); + + if ($this->role->isCustomProjectRole($role)) { + return $this->columnMoveRestrictionModel->isAllowed( + $project_id, + $role, + $src_column_id, + $dst_column_id + ); + } + + return true; + } + + /** + * Return true if the user can remove a task + * + * Regular users can't remove tasks from other people + * + * @public + * @param array $task + * @return bool + */ + public function canRemoveTask(array $task) + { + if (isset($task['creator_id']) && $task['creator_id'] == $this->userSession->getId()) { + return true; + } + + if ($this->userSession->isAdmin() || $this->getProjectUserRole($task['project_id']) === Role::PROJECT_MANAGER) { + return true; + } + + return false; + } + + /** + * Check project access + * + * @param string $controller + * @param string $action + * @param integer $project_id + * @return bool + */ + public function checkProjectAccess($controller, $action, $project_id) + { + if (! 
$this->userSession->isLogged()) { + return false; + } + + if ($this->userSession->isAdmin()) { + return true; + } + + if (! $this->helper->user->hasAccess($controller, $action)) { + return false; + } + + $role = $this->getProjectUserRole($project_id); + + if ($this->role->isCustomProjectRole($role)) { + $restrictions = $this->projectRoleRestrictionModel->getAllByRole($project_id, $role); + $result = $this->projectRoleRestrictionModel->isAllowed($restrictions, $controller, $action); + $result = $result && $this->projectAuthorization->isAllowed($controller, $action, Role::PROJECT_MEMBER); + } else { + $result = $this->projectAuthorization->isAllowed($controller, $action, $role); + } + + return $result; + } +} diff --git a/app/Helper/UserHelper.php b/app/Helper/UserHelper.php index 17c66616..8c2567b9 100644 --- a/app/Helper/UserHelper.php +++ b/app/Helper/UserHelper.php @@ -3,7 +3,6 @@ namespace Kanboard\Helper; use Kanboard\Core\Base; -use Kanboard\Core\Security\Role; /** * User helpers 
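Review bot: `canMoveTask()` never checks that the caller has project access: for any role that `isCustomProjectRole()` rejects it returns `true` unconditionally, and for custom roles it returns only the column-move table lookup, whereas `isDraggable()` directly above gates on `hasProjectAccess('BoardViewController', 'save', ...)` before consulting the same restrictions. If a controller calls `canMoveTask()` on its own, a user whose role lookup yields a non-custom value (presumably including no role at all — verify what `getUserRole()` returns in that case) would pass; either add the same guard up front, `if (! $this->helper->user->hasProjectAccess('BoardViewController', 'save', $project_id)) { return false; }`, or state in the docblock that callers must already have enforced project access. The `@return bool|int` annotation also suggests `columnMoveRestrictionModel->isAllowed()` may return an int, so a `(bool)` cast there would keep both branches consistent for callers that compare strictly. The start of this hunk is garbled in this view (the class declaration and the head of `getProjectUserRole()` are not visible), so the class context could not be checked.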
@@ -133,66 +132,14 @@ class UserHelper extends Base */ public function hasProjectAccess($controller, $action, $project_id) { - if (! $this->userSession->isLogged()) { - return false; - } - - if ($this->userSession->isAdmin()) { - return true; - } - - if (! $this->hasAccess($controller, $action)) { - return false; - } - $key = 'project_access:'.$controller.$action.$project_id; $result = $this->memoryCache->get($key); if ($result === null) { - $role = $this->getProjectUserRole($project_id); - - if ($this->role->isCustomProjectRole($role)) { - $role = Role::PROJECT_MEMBER; - } - - $result = $this->projectAuthorization->isAllowed($controller, $action, $role); + $result = $this->helper->projectRole->checkProjectAccess($controller, $action, $project_id); $this->memoryCache->set($key, $result); } return $result; } - - /** - * Get project role for the current user - * - * @access public - * @param integer $project_id - * @return string - */ - public function getProjectUserRole($project_id) - { - return $this->memoryCache->proxy($this->projectUserRoleModel, 'getUserRole', $project_id, $this->userSession->getId()); - } - - /** - * Return true if the user can remove a task - * - * Regular users can't remove tasks from other people - * - * @public - * @param array $task - * @return bool - */ - public function canRemoveTask(array $task) - { - if (isset($task['creator_id']) && $task['creator_id'] == $this->userSession->getId()) { - return true; - } - - if ($this->userSession->isAdmin() || $this->getProjectUserRole($task['project_id']) === Role::PROJECT_MANAGER) { - return true; - } - - return false; - } } -- cgit v1.2.3
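Review bot: The memoization key `'project_access:'.$controller.$action.$project_id` concatenates its parts without a delimiter, so distinct (controller, action, project) triples can collide — action `save` with project `11` and action `save1` with project `1` produce the same key — and although that key line is pre-existing context, this commit now routes the entire decision, including the custom-role restriction lookup in `checkProjectAccess()`, through the cached value, so a collision would hand one project's verdict to another. Even if current action names make this unlikely, use explicit separators: `$key = 'project_access:'.$controller.':'.$action.':'.$project_id;`. The `isLogged()`/`isAdmin()` short-circuits also move inside the cached path, which is fine for a per-request memory cache but deserves a line in the docblock, e.g. `Result is memoized per request; authorization rules live in ProjectRoleHelper::checkProjectAccess()`; that docblock begins before this hunk.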