<?php
/**
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; under version 2
* of the License (non-upgradable).
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*
* Copyright (c) 2014-2020 (original work) Open Assessment Technologies SA;
*/
namespace oat\taoDacSimple\controller;
use common_exception_Error;
use common_exception_Unauthorized;
use core_kernel_classes_Class;
use core_kernel_classes_Resource;
use Exception;
use oat\oatbox\log\LoggerAwareTrait;
use oat\tao\model\taskQueue\QueueDispatcher;
use oat\tao\model\taskQueue\TaskLogActionTrait;
use oat\taoDacSimple\model\AdminService;
use oat\taoDacSimple\model\PermissionProvider;
use oat\taoDacSimple\model\PermissionsService;
use oat\taoDacSimple\model\PermissionsServiceException;
use oat\taoDacSimple\model\PermissionsServiceFactory;
use tao_actions_CommonModule;
use tao_models_classes_RoleService;
use oat\taoDacSimple\model\tasks\ChangePermissionsTask;
use function GuzzleHttp\Psr7\stream_for;
use oat\oatbox\user\UserService;
use oat\generis\model\OntologyRdfs;
/**
* This controller is used to manage permission administration
*
* @author Open Assessment Technologies SA
* @package taoDacSimple
* @subpackage actions
* @license GPL-2.0
*
*/
class AdminAccessController extends tao_actions_CommonModule
{
use TaskLogActionTrait;
use LoggerAwareTrait;
/**
* Manage permissions
*
* @requiresRight id GRANT
*
* @throws common_exception_Error
*/
public function adminPermissions(): void
{
$resource = new core_kernel_classes_Resource($this->getRequestParameter('id'));
$accessRights = AdminService::getUsersPermissions($resource->getUri());
$this->setData('privileges', PermissionProvider::getRightLabels());
$users = [];
$roles = [];
foreach ($accessRights as $uri => $privileges) {
$identity = new core_kernel_classes_Resource($uri);
if ($identity->isInstanceOf(tao_models_classes_RoleService::singleton()->getRoleClass())) {
$roles[$uri] = [
'label' => $identity->getLabel(),
'privileges' => $privileges,
];
unset($accessRights[$uri]);
}
}
if (!empty($accessRights)) {
$userService = $this->getServiceLocator()->get(UserService::SERVICE_ID);
$usersInfo = $userService->getUsers(array_keys($accessRights));
foreach ($usersInfo as $uri => $user) {
$labels = $user->getPropertyValues(OntologyRdfs::RDFS_LABEL);
$users[$uri] = [
'label' => empty($labels) ? 'unknown user' : reset($labels),
'privileges' => $accessRights[$uri],
];
}
}
$this->setData('users', $users);
$this->setData('roles', $roles);
$this->setData('isClass', $resource->isClass());
$permissionsServiceFactory = $this->getServiceLocator()->get(PermissionsServiceFactory::SERVICE_ID);
$this->setData('recursive', $permissionsServiceFactory->getOption(PermissionsServiceFactory::OPTION_RECURSIVE_BY_DEFAULT));
$this->setData('uri', $resource->getUri());
$this->setData('label', _dh($resource->getLabel()));
$this->setView('AdminAccessController/index.tpl');
}
/**
* Add privileges for a group of users on resources. It works for add or modify privileges
*
* @requiresRight resource_id GRANT
*/
public function savePermissions(): void
{
$recursive = ($this->getRequest()->getParameter('recursive') === '1');
try {
$taskParameters = [
ChangePermissionsTask::PARAM_RECURSIVE => $recursive,
ChangePermissionsTask::PARAM_RESOURCE => $this->getResourceFromRequest(),
ChangePermissionsTask::PARAM_PRIVILEGES => $this->getPrivilegesFromRequest()
];
/** @var QueueDispatcher $queueDispatcher */
$queueDispatcher = $this->getServiceLocator()->get(QueueDispatcher::SERVICE_ID);
$task = $queueDispatcher->createTask(new ChangePermissionsTask(), $taskParameters, 'Processing permissions');
$this->returnTaskJson($task);
} catch (common_exception_Unauthorized $e) {
$this->response = $this->getPsrResponse()->withStatus(403, __('Unable to process your request'));
} catch (PermissionsServiceException $e) {
$this->response = $this->getPsrResponse()
->withStatus(400, $e->getMessage())
->withBody(stream_for(json_encode(['success' => false, 'message' => $e->getMessage()])))
->withHeader('Content-Type', 'application/json');
} catch (Exception $e) {
$this->logError($e->getMessage());
$this->returnJson(['success' => false], 500);
}
}
/**
* Find users to assign access rights
*/
public function findUser()
{
$params = $this->getGetParameter('params');
$query = $params['query'];
/** @var UserService $userService */
$userService = $this->getServiceLocator()->get(UserService::SERVICE_ID);
$data = [];
foreach ($userService->findUser($query) as $user) {
$labels = $user->getPropertyValues(OntologyRdfs::RDFS_LABEL);
$label = empty($labels) ? __('unknown user') : reset($labels);
$data[] = [
'id' => $user->getIdentifier(),
'label' => $label,
OntologyRdfs::RDFS_LABEL => $label,//@deprecated
];
}
$response = [
'success' => true,
'page' => 1,
'total' => 1,
'records' => count($data),
'data' => $data,
];
return $this->returnJson($response);
}
private function getPrivilegesFromRequest(): array
{
if ($this->hasRequestParameter('privileges')) {
$privileges = $this->getRequestParameter('privileges');
} else {
$privileges = [];
foreach ($this->getRequest()->getParameter('users') as $userId => $data) {
unset($data['type']);
$privileges[$userId] = array_keys($data);
}
}
return $privileges;
}
/**
* @return string
*
* @throws common_exception_Error
*/
private function getResourceFromRequest(): string
{
if ($this->hasRequestParameter('uri')) {
$resourceId = $this->getRequest()->getParameter('uri');
} else {
$resourceId = (string)$this->getRequest()->getParameter('resource_id');
}
return $resourceId;
}
}