From d8f6d8568396816a6bfaca1e01211384e803cf91 Mon Sep 17 00:00:00 2001
From: Frederic Guillot
Date: Sun, 11 Sep 2016 16:08:03 -0400
Subject: Add project restrictions for custom roles
---
 app/Model/ProjectRoleModel.php | 13 ++-
 app/Model/ProjectRoleRestrictionModel.php | 164 ++++++++++++++++++++++++++++++
 2 files changed, 173 insertions(+), 4 deletions(-)
 create mode 100644 app/Model/ProjectRoleRestrictionModel.php
(limited to 'app/Model')
diff --git a/app/Model/ProjectRoleModel.php b/app/Model/ProjectRoleModel.php
index 82f22806..ed86d6ed 100644
--- a/app/Model/ProjectRoleModel.php
+++ b/app/Model/ProjectRoleModel.php
@@ -17,7 +17,7 @@ class ProjectRoleModel extends Base
 /**
 * Get list of project roles
- *
+ *
 * @param int $project_id
 * @return array
 */
@@ -70,9 +70,14 @@ class ProjectRoleModel extends Base
 public function getAllWithRestrictions($project_id)
 {
 $roles = $this->getAll($project_id);
- $restrictions = $this->columnMoveRestrictionModel->getAll($project_id);
- $restrictions = array_column_index($restrictions, 'role_id');
- array_merge_relation($roles, $restrictions, 'restrictions', 'role_id');
+
+ $column_restrictions = $this->columnMoveRestrictionModel->getAll($project_id);
+ $column_restrictions = array_column_index($column_restrictions, 'role_id');
+ array_merge_relation($roles, $column_restrictions, 'column_restrictions', 'role_id');
+
+ $project_restrictions = $this->projectRoleRestrictionModel->getAll($project_id);
+ $project_restrictions = array_column_index($project_restrictions, 'role_id');
+ array_merge_relation($roles, $project_restrictions, 'project_restrictions', 'role_id');
 return $roles;
 }
diff --git a/app/Model/ProjectRoleRestrictionModel.php b/app/Model/ProjectRoleRestrictionModel.php
new file mode 100644
index 00000000..0411838d
--- /dev/null
+++ b/app/Model/ProjectRoleRestrictionModel.php
@@ -0,0 +1,164 @@
+ array(
+ array('controller' => 'TaskCreationController', 'method' => '*'),
+ )
+ );
+
+ /**
+ * Get rules
+ *
+ * @return array
+ */
+ public function getRules()
+ {
+ return array(
+ self::RULE_TASK_CREATION => t('Task creation is not permitted'),
+ );
+ }
+
+ /**
+ * Get a single restriction
+ *
+ * @param integer $project_id
+ * @param integer $restriction_id
+ * @return array|null
+ */
+ public function getById($project_id, $restriction_id)
+ {
+ return $this->db
+ ->table(self::TABLE)
+ ->eq('project_id', $project_id)
+ ->eq('restriction_id', $restriction_id)
+ ->findOne();
+ }
+
+ /**
+ * Get restrictions
+ *
+ * @param int $project_id
+ * @return array
+ */
+ public function getAll($project_id)
+ {
+ $rules = $this->getRules();
+ $restrictions = $this->db
+ ->table(self::TABLE)
+ ->columns(
+ self::TABLE.'.restriction_id',
+ self::TABLE.'.project_id',
+ self::TABLE.'.role_id',
+ self::TABLE.'.rule'
+ )
+ ->eq(self::TABLE.'.project_id', $project_id)
+ ->findAll();
+
+ foreach ($restrictions as &$restriction) {
+ $restriction['title'] = $rules[$restriction['rule']];
+ }
+
+ return $restrictions;
+ }
+
+ /**
+ * Get restrictions
+ *
+ * @param int $project_id
+ * @param string $role
+ * @return array
+ */
+ public function getAllByRole($project_id, $role)
+ {
+ $rules = $this->db
+ ->table(self::TABLE)
+ ->columns(
+ self::TABLE.'.restriction_id',
+ self::TABLE.'.project_id',
+ self::TABLE.'.role_id',
+ self::TABLE.'.rule',
+ 'pr.role'
+ )
+ ->eq(self::TABLE.'.project_id', $project_id)
+ ->eq('role', $role)
+ ->left(ProjectRoleModel::TABLE, 'pr', 'role_id', self::TABLE, 'role_id')
+ ->findAll();
+
+ foreach ($rules as &$rule) {
+ $rule['acl'] = $this->ruleMapping[$rule['rule']];
+ }
+
+ return $rules;
+ }
+
+ /**
+ * Create a new restriction
+ *
+ * @param int $project_id
+ * @param int $role_id
+ * @param string $rule
+ * @return bool|int
+ */
+ public function create($project_id, $role_id, $rule)
+ {
+ return $this->db->table(self::TABLE)
+ ->persist(array(
+ 'project_id' => $project_id,
+ 'role_id' => $role_id,
+ 'rule' => $rule,
+ ));
+ }
+
+ /**
+ * Remove a restriction
+ *
+ * @param integer $restriction_id
+ * @return bool
+ */
+ public function remove($restriction_id)
+ {
+ return $this->db->table(self::TABLE)->eq('restriction_id', $restriction_id)->remove();
+ }
+
+ /**
+ * Check if the controller/method is allowed
+ *
+ * @param array $restrictions
+ * @param string $controller
+ * @param string $method
+ * @return bool
+ */
+ public function isAllowed(array $restrictions, $controller, $method)
+ {
+ $controller = strtolower($controller);
+ $method = strtolower($method);
+
+ foreach ($restrictions as $restriction) {
+ foreach ($restriction['acl'] as $acl) {
+ $acl['controller'] = strtolower($acl['controller']);
+ $acl['method'] = strtolower($acl['method']);
+
+ if ($acl['controller'] === $controller && ($acl['method'] === '*' || $acl['method'] === $method)) {
+ return false;
+ }
+ }
+ }
+
+ return true;
+ }
+}
--
cgit v1.2.3
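Review bot: `remove($restriction_id)` deletes on `restriction_id` alone, although `getById()` in the same hunk filters on both `project_id` and `restriction_id`, so the model itself does nothing to keep a delete inside the project the caller was authorized for. Because these rows are access restrictions, I would pass the project in and add `->eq('project_id', $project_id)` ahead of `->remove()`; the calling controller is outside this diff and may already check ownership, but that cannot be confirmed from here. A second gap is that `create()` persists `$rule` unchecked while `getAllByRole()` indexes `$this->ruleMapping[$rule['rule']]` without testing the key, so a row carrying an unknown rule ends up with a null `acl`, and `isAllowed()` skips that restriction (with a warning) instead of denying on it. A guard such as `if (! isset($this->ruleMapping[$rule])) { return false; }` at the top of `create()` would keep such rows out. The first lines of this file's hunk are missing from the page, so the `ruleMapping` and constant declarations are inferred from their uses.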