<?php
/**
* COmanage Match Authorization Component
*
* Portions licensed to the University Corporation for Advanced Internet
* Development, Inc. ("UCAID") under one or more contributor license agreements.
* See the NOTICE file distributed with this work for additional information
* regarding copyright ownership.
*
* UCAID licenses this file to you under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with the
* License. You may obtain a copy of the License at:
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* @link http://www.internet2.edu/comanage COmanage Project
* @package match
* @since COmanage Match v1.0.0
* @license Apache License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
*/
declare(strict_types = 1);
namespace App\Controller\Component;
use Cake\Controller\Component;
use Cake\ORM\TableRegistry;
use \App\Lib\Enum\PermissionEnum;
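class AuthorizationComponent extends Component
{
    /**
     * Cached permissions, keyed on username. Each entry has the shape
     * documented on getPermissions(). The cache lives as long as this
     * component instance does, so a permission change is only observed
     * once a fresh instance calls getPermissions() again.
     *
     * @var array<string, array{cmadmin: bool, matchgrids: array}>|null
     */
    protected $userPermissions = null;

    /**
     * Permissions table, loaded in initialize(). Declared explicitly so the
     * assignment in initialize() is not a dynamic property (deprecated as of
     * PHP 8.2).
     *
     * @var \Cake\ORM\Table
     */
    protected $Permissions;

    /**
     * Class initializations.
     *
     * @since COmanage Match v1.0.0
     * @param array $config Component configuration
     */
    public function initialize(array $config): void
    {
        parent::initialize($config);

        $this->Permissions = TableRegistry::get('Permissions');
    }

    /**
     * Calculate Match permissions for the specified user.
     *
     * The result is cached per username for the lifetime of this component,
     * and is only stored once the database lookup has completed, so a failed
     * lookup does not leave a stale all-deny entry behind for later calls.
     *
     * @since COmanage Match v1.0.0
     * @param string $username Username of subject to obtain permissions for
     * @return array{cmadmin: bool, matchgrids: array<int|string, array<string, true>>}
     *   'cmadmin' is true when the user is a Platform Admin; 'matchgrids' maps
     *   a Matchgrid ID to the set of PermissionEnum values granted on it
     */
    protected function getPermissions($username): array
    {
        if (!empty($this->userPermissions[$username])) {
            return $this->userPermissions[$username];
        }

        // Build the result locally and only cache it once the lookup succeeds.
        $result = [
            // Platform Admin
            'cmadmin' => false,
            // Matchgrid Permissions, keyed on Matchgrid ID
            'matchgrids' => [],
        ];

        // Pull the permissions from the database
        $perms = $this->Permissions->findForUser($username);

        foreach ($perms as $mgid => $p) {
            // Strict comparison: the stored permission is assumed to be the
            // same (string) type as the PermissionEnum constants — confirm
            // against the Permissions table schema.
            if ($p === PermissionEnum::None) {
                // Skip None permissions.
                continue;
            }

            if ($p === PermissionEnum::PlatformAdmin) {
                $result['cmadmin'] = true;
            } elseif ($mgid) {
                // Currently Permissions are hierarchical (ie: MatchgridAdmin implies
                // ReconciliationManager), but this could change in the future, so we
                // track everything separately.
                $result['matchgrids'][$mgid][$p] = true;
            }
        }

        $this->userPermissions[$username] = $result;

        return $result;
    }

    /**
     * Determine whether the specified user holds a specific permission on a
     * specific matchgrid.
     *
     * Shared by isMatchAdmin() and isReconciliationManager() so the two checks
     * cannot drift apart.
     *
     * @param string $username Username
     * @param int|string|null $matchgridId Matchgrid ID; a falsy ID never matches
     * @param string $permission PermissionEnum value to test for
     * @return bool true if the permission is granted on $matchgridId
     */
    private function hasGridPermission($username, $matchgridId, $permission): bool
    {
        // No matchgrid means no grid-scoped permission, regardless of the
        // user's other grants; this does not consult the database.
        if (!$matchgridId) {
            return false;
        }

        $perms = $this->getPermissions($username);

        // Only an explicitly true entry counts; a missing or false entry is denied.
        return !empty($perms['matchgrids'][$matchgridId][$permission]);
    }

    /**
     * Obtain the Matchgrid Permissions for the specified user.
     *
     * @since COmanage Match v1.0.0
     * @param string $username Username
     * @param int|string $matchgridId Matchgrid ID
     * @return array<string, true> Set of PermissionEnum values granted on
     *   $matchgridId, keyed on permission; empty when none are granted
     */
    public function getGridPermissions($username, $matchgridId): array
    {
        $perms = $this->getPermissions($username);

        return $perms['matchgrids'][$matchgridId] ?? [];
    }

    /**
     * Determine if the specified user is a match administrator for the specified matchgrid.
     *
     * @since COmanage Match v1.0.0
     * @param string $username Username
     * @param int|string|null $matchgridId Matchgrid ID
     * @return bool true if $username is a match administrator for $matchgridId
     */
    public function isMatchAdmin($username, $matchgridId): bool
    {
        return $this->hasGridPermission($username, $matchgridId, PermissionEnum::MatchgridAdmin);
    }

    /**
     * Determine if the specified user is a platform administrator.
     *
     * @since COmanage Match v1.0.0
     * @param string $username Username
     * @return bool true if $username is a platform administrator
     */
    public function isPlatformAdmin($username): bool
    {
        $perms = $this->getPermissions($username);

        return (bool)$perms['cmadmin'];
    }

    /**
     * Determine if the specified user is a reconciliation manager for the specified matchgrid.
     *
     * @since COmanage Match v1.0.0
     * @param string $username Username
     * @param int|string|null $matchgridId Matchgrid ID
     * @return bool true if $username is a reconciliation manager for $matchgridId
     */
    public function isReconciliationManager($username, $matchgridId): bool
    {
        return $this->hasGridPermission($username, $matchgridId, PermissionEnum::ReconciliationManager);
    }

    /**
     * Obtain permissions for rendering menu options.
     *
     * @since COmanage Match v1.0.0
     * @param string $username Username of subject to obtain permissions for
     * @param int|string|null $matchgridId Matchgrid ID to obtain permissions for, if known
     * @return array<string, mixed> Authorizations keyed on menu item; every
     *   entry is a bool except 'gridroles', which is the per-matchgrid
     *   permission map from getPermissions()
     */
    public function menuPermissions($username, $matchgridId = null): array
    {
        $perms = $this->getPermissions($username);

        $platformAdmin = $this->isPlatformAdmin($username);
        $mgAdmin = $this->isMatchAdmin($username, $matchgridId);
        $recMgr = $this->isReconciliationManager($username, $matchgridId);

        // Configuration of the current matchgrid is open to platform admins
        // and to admins of that matchgrid.
        $configAdmin = $platformAdmin || $mgAdmin;

        return [
            // Manage configuration of the current matchgrid
            'api_users' => $configAdmin,
            'attribute_groups' => $configAdmin,
            'attribute_maps' => $configAdmin,
            'attributes' => $configAdmin,
            'matchgrid_settings' => $configAdmin,
            'rules' => $configAdmin,
            'systems_of_record' => $configAdmin,
            'reconcile' => $configAdmin || $recMgr,
            // Permissions specific to a matchgrid
            'gridroles' => $perms['matchgrids'],
            // Overall permission to manage the matchgrids
            'matchgrids' => $platformAdmin,
            // Overall permission to manage permissions
            'permissions' => $platformAdmin,
        ];
    }
}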