<?php
/**
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; under version 2
* of the License (non-upgradable).
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*
* Copyright (c) 2002-2008 (original work) Public Research Centre Henri Tudor & University of Luxembourg (under the project TAO & TAO2);
* 2008-2010 (update and modification) Deutsche Institut für Internationale Pädagogische Forschung (under the project TAO-TRANSFER);
* 2009-2012 (update and modification) Public Research Centre Henri Tudor (under the project TAO-SUSTAIN & TAO-DEV);
* 2012-2018 (update and modification) Open Assessment Technologies SA;
*
*/
namespace oat\funcAcl\controller;
use oat\generis\model\GenerisRdf;
use oat\tao\helpers\ControllerHelper;
use oat\funcAcl\models\AccessService;
use oat\funcAcl\models\ActionAccessService;
use oat\funcAcl\models\ExtensionAccessService;
use oat\funcAcl\models\ModuleAccessService;
use oat\funcAcl\helpers\CacheHelper;
use oat\funcAcl\helpers\MapHelper;
use common_exception_BadRequest;
use oat\tao\model\service\ApplicationService;
use oat\tao\model\accessControl\func\FuncAccessControl;
use oat\funcAcl\models\FuncAcl;
use oat\tao\model\accessControl\func\AclProxy;
/**
* This controller provide the actions to manage the ACLs
*
* @author CRP Henri Tudor - TAO Team - {@link http://www.tao.lu}
* @license GPLv2 http://www.opensource.org/licenses/gpl-2.0.php
* @package tao
*
*/
class Admin extends \tao_actions_CommonModule
{
/**
* Access to this functionality is inherited from
* an included role
*
* @var string
*/
const ACCESS_INHERITED = 'inherited';
/**
* Full access to this functionalities and children
*
* @var string
*/
const ACCESS_FULL = 'full';
/**
* Partial access to thie functionality means
* some children are at least partial accessible
*
* @var string
*/
const ACCESS_PARTIAL = 'partial';
/**
* No access to this functionality or any of its children
*
* @var string
*/
const ACCESS_NONE = 'none';
/**
* Show the list of roles
* @return void
*/
public function index()
{
$this->defaultData();
$rolesc = new \core_kernel_classes_Class(GenerisRdf::CLASS_ROLE);
$roles = [];
foreach ($rolesc->getInstances(true) as $id => $r) {
$roles[] = ['id' => $id, 'label' => $r->getLabel()];
}
usort($roles, function ($a, $b) {
return strcmp($a['label'], $b['label']);
});
$this->setData('roles', $roles);
$this->setView('list.tpl');
}
/**
* @throws \common_exception_Error
* @throws \common_ext_ExtensionException
* @throws common_exception_BadRequest
*/
public function getModules()
{
$this->beforeAction();
$role = new \core_kernel_classes_Class($this->getRequestParameter('role'));
$included = [];
foreach (\tao_models_classes_RoleService::singleton()->getIncludedRoles($role) as $includedRole) {
$included[$includedRole->getUri()] = $includedRole->getLabel();
}
$extManager = \common_ext_ExtensionsManager::singleton();
$extData = [];
foreach ($extManager->getInstalledExtensions() as $extension) {
if ($extension->getId() != 'generis') {
$extData[] = $this->buildExtensionData($extension, $role->getUri(), array_keys($included));
}
}
usort($extData, function ($a, $b) {
return strcmp($a['label'], $b['label']);
});
$this->returnJson([
'extensions' => $extData,
'includedRoles' => $included,
'locked' => $this->isLocked(),
]);
}
protected function buildExtensionData(\common_ext_Extension $extension, $roleUri, $includedRoleUris)
{
$extAccess = CacheHelper::getExtensionAccess($extension->getId());
$extAclUri = AccessService::singleton()->makeEMAUri($extension->getId());
$atLeastOneAccess = false;
$allAccess = in_array($roleUri, $extAccess);
$inherited = count(array_intersect($includedRoleUris, $extAccess)) > 0;
$controllers = [];
foreach (ControllerHelper::getControllers($extension->getId()) as $controllerClassName) {
$controllerData = $this->buildControllerData($controllerClassName, $roleUri, $includedRoleUris);
$atLeastOneAccess = $atLeastOneAccess || $controllerData['access'] != self::ACCESS_NONE;
$controllers[] = $controllerData;
}
usort($controllers, function ($a, $b) {
return strcmp($a['label'], $b['label']);
});
$access = $inherited ? 'inherited'
: ($allAccess ? 'full'
: ($atLeastOneAccess ? 'partial' : 'none'));
return [
'uri' => $extAclUri,
'label' => $extension->getName(),
'access' => $access,
'modules' => $controllers
];
}
protected function buildControllerData($controllerClassName, $roleUri, $includedRoleUris)
{
$modUri = MapHelper::getUriForController($controllerClassName);
$moduleAccess = CacheHelper::getControllerAccess($controllerClassName);
$uri = explode('#', $modUri);
list($type, $extId, $modId) = explode('_', $uri[1]);
$access = self::ACCESS_NONE;
if (count(array_intersect($includedRoleUris, $moduleAccess['module'])) > 0) {
$access = self::ACCESS_INHERITED;
} elseif (true === in_array($roleUri, $moduleAccess['module'])) {
$access = self::ACCESS_FULL;
} else {
// have a look at actions.
foreach ($moduleAccess['actions'] as $roles) {
if (in_array($roleUri, $roles) || count(array_intersect($includedRoleUris, $roles)) > 0) {
$access = self::ACCESS_PARTIAL;
break;
}
}
}
return [
'uri' => $modUri,
'label' => $modId,
'access' => $access,
];
}
/**
* @throws \common_ext_ExtensionException
* @throws common_exception_BadRequest
*/
private function beforeAction()
{
$this->defaultData();
if (!\tao_helpers_Request::isAjax()) {
throw new common_exception_BadRequest('wrong request mode');
}
}
/**
* @return bool
*/
private function isLocked()
{
$locked = !$this->getServiceLocator()->get(AclProxy::SERVICE_ID) instanceof FuncAcl;
$locked = $locked || !$this->getServiceLocator()->get(ApplicationService::SERVICE_ID)->isDebugMode();
return $locked;
}
/**
* @throws \common_exception_NotFound
*/
private function prodLocker()
{
if ($this->isLocked()) {
throw new \common_exception_NotFound();
}
}
/**
* Shows the access to the actions of a controller for a specific role
*
* @throws \common_exception_Error
* @throws \common_ext_ExtensionException
* @throws common_exception_BadRequest
*/
public function getActions()
{
$this->beforeAction();
$role = new \core_kernel_classes_Resource($this->getRequestParameter('role'));
$included = [];
foreach (\tao_models_classes_RoleService::singleton()->getIncludedRoles($role) as $includedRole) {
$included[] = $includedRole->getUri();
}
$module = new \core_kernel_classes_Resource($this->getRequestParameter('module'));
$controllerClassName = MapHelper::getControllerFromUri($module->getUri());
$controllerAccess = CacheHelper::getControllerAccess($controllerClassName);
$actions = [];
foreach (ControllerHelper::getActions($controllerClassName) as $actionName) {
$uri = MapHelper::getUriForAction($controllerClassName, $actionName);
$part = explode('#', $uri);
list($type, $extId, $modId, $actId) = explode('_', $part[1]);
$allowedRoles = isset($controllerAccess['actions'][$actionName])
? array_merge($controllerAccess['module'], $controllerAccess['actions'][$actionName])
: $controllerAccess['module'];
$access = count(array_intersect($included, $allowedRoles)) > 0
? self::ACCESS_INHERITED
: (in_array($role->getUri(), $allowedRoles)
? self::ACCESS_FULL
: self::ACCESS_NONE);
$actions[$actId] = [
'uri' => $uri,
'access' => $access,
'locked' => $this->isLocked(),
];
}
ksort($actions);
$this->returnJson($actions);
}
/**
* @throws \common_exception_NotFound
* @throws \common_ext_ExtensionException
* @throws common_exception_BadRequest
*/
public function removeExtensionAccess()
{
$this->beforeAction();
$this->prodLocker();
$role = $this->getRequestParameter('role');
$uri = $this->getRequestParameter('uri');
$extensionService = ExtensionAccessService::singleton();
$extensionService->remove($role, $uri);
$this->returnJson([
'uri' => $uri,
]);
}
/**
* @throws \common_exception_NotFound
* @throws \common_ext_ExtensionException
* @throws common_exception_BadRequest
*/
public function addExtensionAccess()
{
$this->beforeAction();
$this->prodLocker();
$role = $this->getRequestParameter('role');
$uri = $this->getRequestParameter('uri');
$extensionService = ExtensionAccessService::singleton();
$extensionService->add($role, $uri);
$this->returnJson([
'uri' => $uri,
]);
}
/**
* @throws \common_exception_NotFound
* @throws \common_ext_ExtensionException
* @throws common_exception_BadRequest
*/
public function removeModuleAccess()
{
$this->beforeAction();
$this->prodLocker();
$role = $this->getRequestParameter('role');
$uri = $this->getRequestParameter('uri');
$moduleService = ModuleAccessService::singleton();
$moduleService->remove($role, $uri);
$this->returnJson([
'uri' => $uri,
]);
}
/**
* @throws \common_exception_NotFound
* @throws \common_ext_ExtensionException
* @throws common_exception_BadRequest
*/
public function addModuleAccess()
{
$this->beforeAction();
$this->prodLocker();
$role = $this->getRequestParameter('role');
$uri = $this->getRequestParameter('uri');
$moduleService = ModuleAccessService::singleton();
$moduleService->add($role, $uri);
$this->returnJson([
'uri' => $uri,
]);
}
/**
* @throws \common_exception_NotFound
* @throws \common_ext_ExtensionException
* @throws common_exception_BadRequest
*/
public function removeActionAccess()
{
$this->beforeAction();
$this->prodLocker();
$role = $this->getRequestParameter('role');
$uri = $this->getRequestParameter('uri');
$actionService = ActionAccessService::singleton();
$actionService->remove($role, $uri);
$this->returnJson([
'uri' => $uri,
]);
}
/**
* @throws \common_exception_NotFound
* @throws \common_ext_ExtensionException
* @throws common_exception_BadRequest
*/
public function addActionAccess()
{
$this->beforeAction();
$this->prodLocker();
$role = $this->getRequestParameter('role');
$uri = $this->getRequestParameter('uri');
$actionService = ActionAccessService::singleton();
$actionService->add($role, $uri);
$this->returnJson([
'uri' => $uri,
]);
}
}