fixes role assignation

claroline · Jan 28, 2021 · d65c108 · d65c108
1 parent dbe7c88
commit d65c108
Show file tree

Hide file tree

Showing 34 changed files with 387 additions and 680 deletions.
diff --git a/src/main/app/API/Crud.php b/src/main/app/API/Crud.php
@@ -378,6 +378,8 @@ public function dispatch($action, $when, array $args)
             }
         }
 
+        // TODO : let the event explain why it has blocked the process
+        // for now we will do nothing and the user will not know why.
         return $generic->isAllowed() && $specific->isAllowed() && $isAllowed;
     }
 

diff --git a/src/main/core/API/Crud/User/GroupCrud.php b/src/main/core/API/Crud/User/GroupCrud.php
@@ -2,32 +2,72 @@
 
 namespace Claroline\CoreBundle\API\Crud\User;
 
+use Claroline\AppBundle\API\Crud;
 use Claroline\AppBundle\Event\Crud\CreateEvent;
+use Claroline\AppBundle\Event\Crud\PatchEvent;
+use Claroline\AuthenticationBundle\Security\Authentication\Authenticator;
 use Claroline\CoreBundle\Entity\Group;
+use Claroline\CoreBundle\Entity\Role;
 use Claroline\CoreBundle\Entity\User;
+use Claroline\CoreBundle\Manager\RoleManager;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
 
 class GroupCrud
 {
-    /**
-     * @param TokenStorageInterface $tokenStorage
-     */
-    public function __construct(TokenStorageInterface $tokenStorage)
-    {
+    /** @var TokenStorageInterface */
+    private $tokenStorage;
+    /** @var Authenticator */
+    private $authenticator;
+    /** @var RoleManager */
+    private $roleManager;
+
+    public function __construct(
+        TokenStorageInterface $tokenStorage,
+        Authenticator $authenticator,
+        RoleManager $roleManager
+    ) {
         $this->tokenStorage = $tokenStorage;
+        $this->authenticator = $authenticator;
+        $this->roleManager = $roleManager;
     }
 
-    /**
-     * @param CreateEvent $event
-     */
     public function preCreate(CreateEvent $event)
     {
-        /** @var Group $role */
+        /** @var Group $group */
         $group = $event->getObject();
         $user = $this->tokenStorage->getToken()->getUser();
 
         if ($user instanceof User) {
             $group->addOrganization($user->getMainOrganization());
         }
     }
+
+    public function prePatch(PatchEvent $event)
+    {
+        /** @var Group $group */
+        $group = $event->getObject();
+
+        // trying to add a new role to a group
+        if (Crud::COLLECTION_ADD === $event->getAction() && 'role' === $event->getProperty()) {
+            /** @var Role $role */
+            $role = $event->getValue();
+
+            if ($group->hasRole($role->getName()) || !$this->roleManager->validateRoleInsert($event->getObject(), $event->getValue())) {
+                $event->block();
+            }
+        }
+    }
+
+    public function postPatch(PatchEvent $event)
+    {
+        /** @var Group $group */
+        $group = $event->getObject();
+        /** @var User $currentUser */
+        $currentUser = $this->tokenStorage->getToken()->getUser();
+
+        // refresh token to get updated roles if the current user is in the group
+        if ('role' === $event->getProperty() && $currentUser instanceof User && $group->containsUser($currentUser)) {
+            $this->authenticator->createToken($currentUser);
+        }
+    }
 }
diff --git a/src/main/core/API/Crud/User/RoleCrud.php b/src/main/core/API/Crud/User/RoleCrud.php
@@ -2,19 +2,40 @@
 
 namespace Claroline\CoreBundle\API\Crud\User;
 
+use Claroline\AppBundle\API\Crud;
 use Claroline\AppBundle\Event\Crud\CreateEvent;
 use Claroline\AppBundle\Event\Crud\DeleteEvent;
+use Claroline\AppBundle\Event\Crud\PatchEvent;
+use Claroline\AuthenticationBundle\Security\Authentication\Authenticator;
+use Claroline\CoreBundle\Entity\AbstractRoleSubject;
+use Claroline\CoreBundle\Entity\Group;
 use Claroline\CoreBundle\Entity\Role;
+use Claroline\CoreBundle\Entity\User;
+use Claroline\CoreBundle\Manager\RoleManager;
 use Doctrine\DBAL\Driver\Connection;
+use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
 
 class RoleCrud
 {
     /** @var Connection */
     private $conn;
+    /** @var TokenStorageInterface */
+    private $tokenStorage;
+    /** @var Authenticator */
+    private $authenticator;
+    /** @var RoleManager */
+    private $manager;
 
-    public function __construct(Connection $conn)
-    {
+    public function __construct(
+        Connection $conn,
+        TokenStorageInterface $tokenStorage,
+        Authenticator $authenticator,
+        RoleManager $manager
+    ) {
         $this->conn = $conn;
+        $this->tokenStorage = $tokenStorage;
+        $this->authenticator = $authenticator;
+        $this->manager = $manager;
     }
 
     public function preCreate(CreateEvent $event)
@@ -74,4 +95,38 @@ public function preDelete(DeleteEvent $event)
             $event->block();
         }
     }
+
+    public function prePatch(PatchEvent $event)
+    {
+        /** @var Role $role */
+        $role = $event->getObject();
+
+        // checks if we can add users/groups to the role
+        if (Crud::COLLECTION_ADD === $event->getAction() && in_array($event->getProperty(), ['user', 'group'])) {
+            /** @var AbstractRoleSubject $ars */
+            $ars = $event->getValue();
+            if ($ars->hasRole($role->getName()) || !$this->manager->validateRoleInsert($ars, $role)) {
+                $event->block();
+            }
+        }
+    }
+
+    public function postPatch(PatchEvent $event)
+    {
+        // refresh token to get updated roles if this is the current user or if he is in the group
+        if (in_array($event->getProperty(), ['user', 'group'])) {
+            $currentUser = $this->tokenStorage->getToken()->getUser();
+
+            $refresh = false;
+            if ($event->getValue() instanceof User) {
+                $refresh = $this->authenticator->isAuthenticatedUser($event->getValue());
+            } elseif ($event->getValue() instanceof Group && $currentUser instanceof User) {
+                $refresh = $currentUser->hasGroup($event->getValue());
+            }
+
+            if ($refresh) {
+                $this->authenticator->createToken($currentUser);
+            }
+        }
+    }
 }
diff --git a/src/main/core/API/Crud/User/UserCrud.php b/src/main/core/API/Crud/User/UserCrud.php
@@ -2,12 +2,16 @@
 
 namespace Claroline\CoreBundle\API\Crud\User;
 
+use Claroline\AppBundle\API\Crud;
 use Claroline\AppBundle\API\Options;
 use Claroline\AppBundle\Event\Crud\CreateEvent;
 use Claroline\AppBundle\Event\Crud\DeleteEvent;
+use Claroline\AppBundle\Event\Crud\PatchEvent;
 use Claroline\AppBundle\Event\Crud\UpdateEvent;
 use Claroline\AppBundle\Persistence\ObjectManager;
+use Claroline\AuthenticationBundle\Security\Authentication\Authenticator;
 use Claroline\CoreBundle\Entity\Group;
+use Claroline\CoreBundle\Entity\Role;
 use Claroline\CoreBundle\Entity\User;
 use Claroline\CoreBundle\Library\Configuration\PlatformConfigurationHandler;
 use Claroline\CoreBundle\Library\Configuration\PlatformDefaults;
@@ -25,6 +29,8 @@ class UserCrud
 {
     /** @var TokenStorageInterface */
     private $tokenStorage;
+    /** @var Authenticator */
+    private $authenticator;
     /** @var ObjectManager */
     private $om;
     /** @var PlatformConfigurationHandler */
@@ -44,6 +50,7 @@ class UserCrud
 
     public function __construct(
         TokenStorageInterface $tokenStorage,
+        Authenticator $authenticator,
         ObjectManager $om,
         PlatformConfigurationHandler $config,
         RoleManager $roleManager,
@@ -54,6 +61,7 @@ public function __construct(
         NotificationUserParametersManager $notificationManager
     ) {
         $this->tokenStorage = $tokenStorage;
+        $this->authenticator = $authenticator;
         $this->om = $om;
         $this->config = $config;
         $this->roleManager = $roleManager;
@@ -64,9 +72,6 @@ public function __construct(
         $this->notificationManager = $notificationManager;
     }
 
-    /**
-     * @param CreateEvent $event
-     */
     public function preCreate(CreateEvent $event)
     {
         $restrictions = $this->config->getParameter('restrictions') ?? [];
@@ -162,9 +167,6 @@ public function create(User $user, $options = [])
         return $user;
     }
 
-    /**
-     * @param DeleteEvent $event
-     */
     public function preDelete(DeleteEvent $event)
     {
         /** @var User $user */
@@ -201,9 +203,6 @@ public function preDelete(DeleteEvent $event)
         $this->om->flush();
     }
 
-    /**
-     * @param UpdateEvent $event
-     */
     public function preUpdate(UpdateEvent $event)
     {
         $oldData = $event->getOldData();
@@ -218,4 +217,33 @@ public function preUpdate(UpdateEvent $event)
             // TODO: create if not exist
         }
     }
+
+    public function prePatch(PatchEvent $event)
+    {
+        /** @var User $user */
+        $user = $event->getObject();
+
+        // trying to add a new role to a user
+        if (Crud::COLLECTION_ADD === $event->getAction() && 'role' === $event->getProperty()) {
+            /** @var Role $role */
+            $role = $event->getValue();
+
+            if ($user->hasRole($role->getName()) || !$this->roleManager->validateRoleInsert($user, $role)) {
+                $event->block();
+            }
+        }
+    }
+
+    public function postPatch(PatchEvent $event)
+    {
+        /** @var User $user */
+        $user = $event->getObject();
+        /** @var User $currentUser */
+        $currentUser = $this->tokenStorage->getToken()->getUser();
+
+        // refresh token to get updated roles if the current user has changes in his roles
+        if ('role' === $event->getProperty() && $this->authenticator->isAuthenticatedUser($user)) {
+            $this->authenticator->createToken($currentUser);
+        }
+    }
 }
diff --git a/src/main/core/API/Serializer/User/RoleSerializer.php b/src/main/core/API/Serializer/User/RoleSerializer.php
@@ -90,7 +90,6 @@ public function serialize(Role $role, array $options = []): array
 
         if (!in_array(Options::SERIALIZE_MINIMAL, $options)) {
             $serialized['meta'] = $this->serializeMeta($role);
-            $serialized['restrictions'] = $this->serializeRestrictions($role);
 
             if ($role->getWorkspace()) {
                 $serialized['workspace'] = $this->workspaceSerializer->serialize($role->getWorkspace(), [Options::SERIALIZE_MINIMAL]);
@@ -151,13 +150,6 @@ public function serializeMeta(Role $role): array
         return $meta;
     }
 
-    public function serializeRestrictions(Role $role): array
-    {
-        return [
-            'maxUsers' => $role->getMaxUsers(),
-        ];
-    }
-
     private function serializeTools(Role $role, string $workspaceId = null): array
     {
         $tools = [];
@@ -198,7 +190,6 @@ public function deserialize(array $data, Role $role, array $options = []): Role
         }
 
         $this->sipe('meta.personalWorkspaceCreationEnabled', 'setPersonalWorkspaceCreationEnabled', $data, $role);
-        $this->sipe('restrictions.maxUsers', 'setMaxUsers', $data, $role);
 
         // we should test role type before trying to set the workspace
         if (!empty($data['workspace']) && !empty($data['workspace']['id'])) {
-Original file line number
+Diff line change
@@ Expand Up / @@ -378,6 +378,8 @@ public function dispatch($action, $when, array $args) @@
                 }
             }
+            // TODO : let the event explain why it has blocked the process
+            // for now we will do nothing and the user will not know why.
             return $generic->isAllowed() && $specific->isAllowed() && $isAllowed;
         }
@@ Expand Down @@