Initial implementation of Approval Enroller Plugin (CFM-337)

app/config/schema/schema.json

@@ -575,10 +575,10 @@
       "columns": {
         "id": {},
         "subject_person_id": { "type": "integer", "foreignkey": { "table": "people", "column": "id" } },
-        "subject_group_id": { "type": "integer", "foreignkey": { "table": "people", "column": "id" } },
+        "subject_group_id": { "type": "integer", "foreignkey": { "table": "groups", "column": "id" } },
         "actor_person_id": { "type": "integer", "foreignkey": { "table": "people", "column": "id" } },
         "recipient_person_id": { "type": "integer", "foreignkey": { "table": "people", "column": "id" } },
-        "recipient_group_id": { "type": "integer", "foreignkey": { "table": "people", "column": "id" } },
+        "recipient_group_id": { "type": "integer", "foreignkey": { "table": "groups", "column": "id" } },
         "resolver_person_id": { "type": "integer", "foreignkey": { "table": "people", "column": "id" } },
         "action": {
           "comment": "revert this to use the library definition after feature-cfm31 merge",
@@ -636,12 +636,18 @@
         "authz_group_id": { "type": "integer", "foreignkey": { "table": "groups", "column": "id" }},
         "collect_enrollee_email": { "type": "boolean" },
         "redirect_on_duplicate": { "type": "string", "size": 256 },
-        "redirect_on_finalize": { "type": "string", "size": 256 }
+        "redirect_on_finalize": { "type": "string", "size": 256 },
+        "finalization_message_template_id": { "type": "integer", "foreignkey": { "table": "message_templates", "column": "id" }},
+        "notification_group_id": { "type": "integer", "foreignkey": { "table": "groups", "column": "id" }},
+        "notification_message_template_id": { "type": "integer", "foreignkey": { "table": "message_templates", "column": "id" }}
       },
       "indexes": {
         "enrollment_flows_i1": { "columns": [ "co_id" ]},
         "enrollment_flows_i2": { "needed": false, "columns": [ "authz_cou_id" ]},
-        "enrollment_flows_i3": { "needed": false, "columns": [ "authz_group_id" ]}
+        "enrollment_flows_i3": { "needed": false, "columns": [ "authz_group_id" ]},
+        "enrollment_flows_i4": { "needed": false, "columns": [ "finalization_message_template_id" ]},
+        "enrollment_flows_i5": { "needed": false, "columns": [ "notification_group_id" ]},
+        "enrollment_flows_i6": { "needed": false, "columns": [ "notification_message_template_id" ]}
       }
     },
 
@@ -654,12 +660,18 @@
         "plugin": {},
         "ordr": {},
         "actor_type": { "type": "string", "size": 2 },
+        "approver_group_id": { "type": "integer", "foreignkey": { "table": "groups", "column": "id" }},
         "message_template_id": {},
-        "redirect_on_handoff": { "type": "string", "size": 256 }
+        "redirect_on_handoff": { "type": "string", "size": 256 },
+        "notification_group_id": { "type": "integer", "foreignkey": { "table": "groups", "column": "id" }},
+        "notification_message_template_id": { "type": "integer", "foreignkey": { "table": "message_templates", "column": "id" }}
       },
       "indexes": {
         "enrollment_flow_steps_i1": { "columns": [ "enrollment_flow_id" ]},
-        "enrollment_flow_steps_i2": { "needed": false, "columns": [ "message_template_id" ]}
+        "enrollment_flow_steps_i2": { "needed": false, "columns": [ "message_template_id" ]},
+        "enrollment_flow_steps_i3": { "needed": false, "columns": [ "notification_group_id" ]},
+        "enrollment_flow_steps_i4": { "needed": false, "columns": [ "notification_message_template_id" ]},
+        "enrollment_flow_steps_i5": { "needed": false, "columns": [ "approver_group_id" ]}
       }
     },
 

app/plugins/CoreEnroller/resources/locales/en_US/core_enroller.po

@@ -64,14 +64,8 @@ msgstr "DefaultCodeLength"
 msgid "enumeration.VerificationDefaultsEnum.60"
 msgstr "DefaultVerificationValidity"
 
-msgid "enumeration.VerificationModeEnum.0"
-msgstr "None"
-
-msgid "enumeration.VerificationModeEnum.1"
-msgstr "One"
-
-msgid "enumeration.VerificationModeEnum.A"
-msgstr "All"
+msgid "error.ApprovalCollectors.comment"
+msgstr "Comment is required"
 
 msgid "error.EmailVerifiers.candidate"
 msgstr "Requested address is not a valid candidate"
@@ -109,6 +103,9 @@ msgstr "This Invitation has expired"
 msgid "error.PetitionAcceptances.processed"
 msgstr "This Invitation has already been processed"
 
+msgid "information.ApprovalCollectors.review"
+msgstr "Please approve or deny Petition {0}."
+
 msgid "information.EmailVerifiers.done"
 msgstr "All email addresses in this Petition have been verified. You may continue on to the next Enrollment Step."
 
@@ -142,6 +139,27 @@ msgstr "New code sent"
 msgid "information.EmailVerifiers.abort"
 msgstr "Abort"
 
+msgid "field.ApprovalCollectors.denial_message_template_id"
+msgstr "Denial Message Template"
+
+msgid "field.ApprovalCollectors.denial_message_template_id.desc"
+msgstr "Message Template to use when notifying the Enrollee of a denial (no denial message is sent if not set)"
+
+msgid "field.ApprovalCollectors.mode.desc"
+msgstr "How many members of the Approver Group must approve Petitions for this Enrollment Flow Step"
+
+msgid "field.ApprovalCollectors.redirect_on_denial"
+msgstr "Redirect on Denial"
+
+msgid "field.ApprovalCollectors.redirect_on_denial.desc"
+msgstr "If the Petition is denied, the Approver will be redirected here instead of the default handoff page"
+
+msgid "field.ApprovalCollectors.require_comment"
+msgstr "Require Comment"
+
+msgid "field.ApprovalCollectors.require_comment.desc"
+msgstr "If set, the Approver must add a comment when approving or denying Petitions for this Enrollment Flow Step"
+
 msgid "field.AttributeCollectors.valid_through.default.after.desc"
 msgstr "Days After Finalization"
 
@@ -302,6 +320,15 @@ msgstr "Petition Attributes recorded"
 msgid "result.basicattr.finalized"
 msgstr "Name, Email Address, and Person Role created during finalization"
 
+msgid "result.ApprovalCollectors.approved"
+msgstr "Petition Approved"
+
+msgid "result.ApprovalCollectors.denied"
+msgstr "Petition Denied"
+
+msgid "result.ApprovalCollectors.status"
+msgstr "Petition {0} by {1} at {2} ({3})"
+
 msgid "result.EmailVerifiers.verified"
 msgstr "Verified {0} of {1} available {2}"
 

app/plugins/CoreEnroller/src/Controller/ApprovalCollectorsController.php

@@ -0,0 +1,151 @@
+<?php
+/**
+ * COmanage Registry Approval Collectors Controller
+ *
+ * Portions licensed to the University Corporation for Advanced Internet
+ * Development, Inc. ("UCAID") under one or more contributor license agreements.
+ * See the NOTICE file distributed with this work for additional information
+ * regarding copyright ownership.
+ *
+ * UCAID licenses this file to you under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with the
+ * License. You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * @link          https://www.internet2.edu/comanage COmanage Project
+ * @package       registry-plugins
+ * @since         COmanage Registry v5.2.0
+ * @license       Apache License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
+ */
+
+declare(strict_types=1);
+
+namespace CoreEnroller\Controller;
+
+use App\Controller\StandardEnrollerController;
+use App\Lib\Util\DeliveryUtilities;
+use Cake\ORM\TableRegistry;
+use \App\Lib\Enum\StatusEnum;
+
+class ApprovalCollectorsController extends StandardEnrollerController {
+  public $paginate = [
+    'order' => [
+      'ApprovalCollectors.id' => 'asc'
+    ]
+  ];
+
+  /**
+   * Dispatch an Enrollment Flow Step.
+   * 
+   * @since  COmanage Registry v5.2.0
+   * @param  string  $id    Approval Collector ID
+   */
+
+  public function dispatch(string $id) {
+    $request = $this->getRequest();
+    $session = $request->getSession();
+    // $username = $session->read('Auth.external.user');
+
+    $petition = $this->getPetition();
+    $coId = $this->getCOID();
+
+    if($request->is('post')) {
+      $cfg = $this->ApprovalCollectors->get($id);
+
+      try {
+        // Record approval or denial
+
+        $approved = $this->requestParam('approved');
+        $comment = $this->requestParam('comment');
+
+        // record() will handle updatind the Petition status and performing other
+        // recordkeeping transactions, including enforcing comment if required
+
+        $this->ApprovalCollectors->record(
+          petitionId:           $petition->id,
+          approvalCollectorId:  (int)$id,
+          approverPersonId:     $this->RegistryAuth->getPersonID($coId),
+          approved:             $approved == StatusEnum::Approved,
+          comment:              $comment
+        );
+
+        if($approved == StatusEnum::Denied) {
+          // If we have a denial Message Template, send the notification to the enrollee
+          // email address. We don't currently support using a Notification, since in most
+          // cases the Enrollee will not have a Person record yet. (There are some edge
+          // cases around processes like Additional Role Enrollment where we might want
+          // to be able to Notify the Person using their existing preferred Email Address,
+          // but for now we don't support that.)
+
+          if(!empty($cfg->denial_message_template_id)
+             && !empty($petition->enrollee_email)) {
+            $MessageTemplates = TableRegistry::getTableLocator()->get('MessageTemplates');
+
+            // Generate the message and send
+
+            $template = $MessageTemplates->get($cfg->denial_message_template_id);
+
+            $template->setContextPetition($petition);
+
+            $template->generateMessage();
+
+            // Send the message. sendEmailToAddress will throw an Exception if SMTP failed,
+            // but if there is no SMTP server configured we'll just get false back.
+
+            if(!DeliveryUtilities::sendEmailToAddress(
+              coId:       $this->getCOID(),
+              recipient:  $petition->enrollee_email,
+              subject:    $template->getMessagePart('subject'),
+              body_text:  $template->getMessagePart('body_text'),
+              body_html:  $template->getMessagePart('body_html')
+            )) {
+              throw new \RuntimeException("Message delivery failed"); // XXX I18n. can we get an exception from sendEmailToAddress instead?
+            }
+          }
+
+          // If we have a redirect on denial configured, send the Approver there
+          if(!empty($cfg->redirect_on_denial)) {
+            return $this->redirect($cfg->redirect_on_denial);
+          } else {
+            // Redirect to the default Enrollment Handoff URL for this CO
+            return $this->redirect("/$coId/default-handoff");
+          }
+        }
+
+        // Where do we redirect? On approval, it's possible that the next step has the
+        // same Approver's group on handoff, in which case we just let the flow continue.
+        // However on denial, we need to stop the flow. So basically we need a separate
+        // "redirect on denial" target (or we use the default Enrollment Flow handoff if
+        // not configured).
+
+        // Redirect to the next step
+
+        return $this->finishStep(
+          enrollmentFlowStepId: $cfg->enrollment_flow_step_id,
+          petitionId:           $petition->id,
+          comment:              __d('core_enroller', 'result.ApprovalCollectors.' . ($approved == StatusEnum::Approved ? 'approved' : 'denied'))
+        );
+      }
+      catch(\Exception $e) {
+        $this->llog('error', $e->getMessage());
+
+        $this->Flash->error($e->getMessage());
+      }
+    }
+
+    // Check for existing values in case we're re-running the step
+    $this->set('petition_approvals',
+               $this->ApprovalCollectors->PetitionApprovals->find()
+                    ->where(['petition_id' => $petition->id, 'approval_collector_id' => $id])
+                    ->first());
+
+    $this->render('/Standard/dispatch');
+  }
+}

app/plugins/CoreEnroller/src/Controller/BasicAttributeCollectorsController.php

@@ -78,7 +78,6 @@ public function dispatch(string $id) {
     $this->set('vv_required_name_fields', $settings->name_required_fields_array());
 
     if($this->request->is(['post', 'put'])) {
-
       try {
         $this->BasicAttributeCollectors->upsert(
           id:         (int)$id,
@@ -102,6 +101,12 @@ public function dispatch(string $id) {
         $this->Flash->error($e->getMessage());
       }
     }
+
+    // Check for existing values in case we're re-running the step
+    $this->set('petition_basic_attribute_sets',
+               $this->BasicAttributeCollectors->PetitionBasicAttributeSets->find()
+                    ->where(['petition_id' => $petition->id, 'basic_attribute_collector_id' => $id])
+                    ->first());
 
     // Fall through and let the form render
 

app/plugins/CoreEnroller/src/Controller/EmailVerifiersController.php

@@ -36,7 +36,7 @@
 use App\Lib\Util\StringUtilities;
 use Cake\Http\Exception\BadRequestException;
 use Cake\ORM\TableRegistry;
-use CoreEnroller\Lib\Enum\VerificationModeEnum;
+use \App\Lib\Enum\AllTernaryEnum;
 use \App\Lib\Enum\HttpStatusCodesEnum;
 
 class EmailVerifiersController extends StandardEnrollerController {
@@ -168,10 +168,10 @@ public function dispatch(string $id) {
     $doneCount = count($verifiedAddresses);
     $totalCount = count($candidateAddresses);
     $allDone = $doneCount == $totalCount;
-    $minimumMet = $cfg->mode == VerificationModeEnum::None
-                  || ($cfg->mode == VerificationModeEnum::One
+    $minimumMet = $cfg->mode == AllTernaryEnum::None
+                  || ($cfg->mode == AllTernaryEnum::One
                       && $doneCount > 0)
-                  || ($cfg->mode == VerificationModeEnum::All
+                  || ($cfg->mode == AllTernaryEnum::All
                       && $allDone);
 
     $this->set('vv_all_done', $allDone);

app/plugins/CoreEnroller/src/Model/Entity/ApprovalCollector.php

@@ -0,0 +1,51 @@
+<?php
+/**
+ * COmanage Registry Approval Collector Entity
+ *
+ * Portions licensed to the University Corporation for Advanced Internet
+ * Development, Inc. ("UCAID") under one or more contributor license agreements.
+ * See the NOTICE file distributed with this work for additional information
+ * regarding copyright ownership.
+ *
+ * UCAID licenses this file to you under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with the
+ * License. You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * @link          https://www.internet2.edu/comanage COmanage Project
+ * @package       registry-plugins
+ * @since         COmanage Registry v5.2.0
+ * @license       Apache License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
+ */
+
+declare(strict_types=1);
+
+namespace CoreEnroller\Model\Entity;
+
+use Cake\ORM\Entity;
+
+class ApprovalCollector extends Entity {
+  use \App\Lib\Traits\EntityMetaTrait;
+
+  /**
+   * Fields that can be mass assigned using newEntity() or patchEntity().
+   *
+   * Note that when '*' is set to true, this allows all unspecified fields to
+   * be mass assigned. For security purposes, it is advised to set '*' to false
+   * (or remove it), and explicitly make individual fields accessible as needed.
+   *
+   * @var array<string, bool>
+   */
+  protected $_accessible = [
+    '*' => true,
+    'id' => false,
+    'slug' => false,
+  ];
+}