diff --git a/app/resources/locales/en_US/field.po b/app/resources/locales/en_US/field.po index 9d2b8f184..ddbcde816 100644 --- a/app/resources/locales/en_US/field.po +++ b/app/resources/locales/en_US/field.po @@ -47,6 +47,9 @@ msgstr "Attribute" msgid "comment" msgstr "Comment" +msgid "Cos.member.not" +msgstr "{0} (Not a Member)" + msgid "CoSettings.address_default_type_id" msgstr "Default Address Type" diff --git a/app/src/Controller/AdHocAttributesController.php b/app/src/Controller/AdHocAttributesController.php index b0bfa35aa..125be3c08 100644 --- a/app/src/Controller/AdHocAttributesController.php +++ b/app/src/Controller/AdHocAttributesController.php @@ -34,9 +34,36 @@ use Cake\ORM\TableRegistry; class AdHocAttributesController extends MVEAController { + use \App\Lib\Traits\PermissionsTrait; + public $pagination = [ 'order' => [ 'AdHocAttributes.tag' => 'asc' ] ]; + + /** + * Perform Cake Model initialization. + * + * @since COmanage Registry v5.0.0 + */ + + public function initialize(): void { + parent::initialize(); + + $this->setPermissions([ + // Actions that operate over an entity (ie: require an $id) + 'entity' => [ + 'delete' => ['platformAdmin', 'coAdmin'], + 'edit' => ['platformAdmin', 'coAdmin'], + 'primary' => ['platformAdmin', 'coAdmin'], + 'view' => ['platformAdmin', 'coAdmin'] + ], + // Actions that operate over a table (ie: do not require an $id) + 'table' => [ + 'add' => ['platformAdmin', 'coAdmin'], + 'index' => ['platformAdmin', 'coAdmin'] + ] + ]); + } } \ No newline at end of file diff --git a/app/src/Controller/AddressesController.php b/app/src/Controller/AddressesController.php index abe7d0ac0..db42cee35 100644 --- a/app/src/Controller/AddressesController.php +++ b/app/src/Controller/AddressesController.php 
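Review bot: The `initialize()` added to AdHocAttributesController is the same permission table, entry for entry, that this commit also adds to Addresses, EmailAddresses, Identifiers, Names and TelephoneNumbers, so a later tightening (for example the couAdmin scoping flagged with XXX elsewhere in the commit) has to be repeated in six places and is easy to miss in one. Consider declaring the default MVEA table once in MVEAController and calling `setPermissions()` there, with subclasses overriding only the entries that differ (`primary` vs no `primary`). The docblock `Perform Cake Model initialization.` is also misleading on a controller; `Perform Cake Controller initialization and register the action permission map.` says what the method does.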
@@ -34,9 +34,36 @@ use Cake\ORM\TableRegistry; class AddressesController extends MVEAController { + use \App\Lib\Traits\PermissionsTrait; + public $pagination = [ 'order' => [ 'Addresses.street' => 'asc' ] ]; + + /** + * Perform Cake Model initialization. + * + * @since COmanage Registry v5.0.0 + */ + + public function initialize(): void { + parent::initialize(); + + $this->setPermissions([ + // Actions that operate over an entity (ie: require an $id) + 'entity' => [ + 'delete' => ['platformAdmin', 'coAdmin'], + 'edit' => ['platformAdmin', 'coAdmin'], + 'primary' => ['platformAdmin', 'coAdmin'], + 'view' => ['platformAdmin', 'coAdmin'] + ], + // Actions that operate over a table (ie: do not require an $id) + 'table' => [ + 'add' => ['platformAdmin', 'coAdmin'], + 'index' => ['platformAdmin', 'coAdmin'] + ] + ]); + } } \ No newline at end of file diff --git a/app/src/Controller/ApiUsersController.php b/app/src/Controller/ApiUsersController.php index afbae8342..25d5fe17a 100644 --- a/app/src/Controller/ApiUsersController.php +++ b/app/src/Controller/ApiUsersController.php @@ -30,6 +30,8 @@ namespace App\Controller; class ApiUsersController extends StandardController { + use \App\Lib\Traits\PermissionsTrait; + public $pagination = [ 'order' => [ 'ApiUsers.username' => 'asc' 
@@ -60,4 +62,29 @@ public function generate(string $id) { $this->render('/Standard/add-edit-view'); } + + /** + * Perform Cake Model initialization. + * + * @since COmanage Registry v5.0.0 + */ + + public function initialize(): void { + parent::initialize(); + + $this->setPermissions([ + // Actions that operate over an entity (ie: require an $id) + 'entity' => [ + 'delete' => ['platformAdmin', 'coAdmin'], + 'edit' => ['platformAdmin', 'coAdmin'], + 'generate' => ['platformAdmin', 'coAdmin'], + 'view' => ['platformAdmin', 'coAdmin'] + ], + // Actions that operate over a table (ie: do not require an $id) + 'table' => [ + 'add' => ['platformAdmin', 'coAdmin'], + 'index' => ['platformAdmin', 'coAdmin'] + ] + ]); + } } \ No newline at end of file diff --git a/app/src/Controller/AppController.php b/app/src/Controller/AppController.php index 48cc8b1ef..0d56c3359 100644 --- a/app/src/Controller/AppController.php +++ b/app/src/Controller/AppController.php @@ -29,7 +29,7 @@ namespace App\Controller; -use \App\Lib\Enum\TemplateableStatusEnum; +use App\Lib\Enum\TemplateableStatusEnum; use App\Lib\Events\ChangelogEventListener; use App\Lib\Events\CoIdEventListener; use App\Lib\Events\RuleBuilderEventListener; @@ -41,12 +41,12 @@ use Cake\Event\Event; use Cake\Event\EventManager; use Cake\ORM\TableRegistry; +use Cake\Utility\Hash; use InvalidArgumentException; class AppController extends Controller { use \App\Lib\Traits\LabeledLogTrait; - // If set, the current requested CO. Note this may be *unauthenticated* // and so should not be trusted without further authorization. private $cur_co = null; 
@@ -119,6 +119,14 @@ public function beforeFilter(\Cake\Event\EventInterface $event) { // Determine the requested CO $this->setCO(); + if(isset($this->RegistryAuth)) { + // Components might not be loaded on error, so check + + // We need to populate this in beforeFilter (rather than beforeRender) + // so it's available to CosController::select + $this->populateAvailableCos(); + } + return parent::beforeFilter($event); } @@ -142,14 +150,6 @@ public function beforeRender(\Cake\Event\EventInterface $event) { $this->set('vv_menu_permissions', $this->RegistryAuth->getMenuPermissions()); } - // Pull the set of COs this user is a member of, for rendering via menuMain - $Cos = TableRegistry::getTableLocator()->get("Cos"); - -// XXX filter this based on the current user's eligibility (user should have one active or grace period role) -// and also filter only Active COs, etc -// - do this in CosTable or in RegistryAuth? - $this->set('vv_available_cos', $Cos->find()->toArray()); - // For breadcrumbs, do we have a target model, and if so is it a configuration // model (eg: ApiUsers) or an object model (eg: CoPeople)? if(isset($this->$modelsName) // May not be set under certain error conditions @@ -192,9 +192,9 @@ public function calculatePermissions(?int $id): array { // Can this record be deleted? $canDelete = true; - // Pull the table permissions - $permissions = $table->getPermissions(); - + // Pull the controller permissions + $permissions = $this->getPermissions(); + if($id) { $readOnlyActions = ['view']; 
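Review bot: `populateAvailableCos()` now runs in beforeFilter on every request, including API requests that never render menuTop, so each REST call pays the CO-membership lookups (and, for a Platform Admin API user, the all-COs query) for a value it does not use. Since the component already exposes `isApiUser()`, the guard can be `if(isset($this->RegistryAuth) && !$this->RegistryAuth->isApiUser()) {`, unless some API response is meant to carry vv_available_cos. The comment `Components might not be loaded on error, so check` would read better next to the isset it explains, e.g. `// RegistryAuth may not be loaded when handling an error page`.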
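Review bot: `calculatePermissions()` now calls `$this->getPermissions()`, but AppController itself only uses LabeledLogTrait (visible in the @@ -41 hunk) and this commit adds `use \App\Lib\Traits\PermissionsTrait;` to each concrete controller separately, so any controller not touched here (a plugin controller, or a base class that forgets the trait) will fail with an undefined-method error the first time its permissions are evaluated instead of being cleanly denied. Pulling the trait into AppController (or StandardController/MVEAController) with an empty default map would make a forgotten `setPermissions()` fail closed at the authorization layer rather than fail loud at the language layer. Whether `$table` is still used after this change is not visible in the hunk; if `getPermissions()` was its only consumer it should go.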
@@ -486,6 +486,72 @@ protected function getRedirectGoal(): string { return 'index'; } + /** + * Populate the list of Available COs, primarily for the CO Selector. + * + * @since COmanage Registry v5.0.0 + */ + + protected function populateAvailableCos() { + // Prepare the list of available COs, primarily for the CO Selector. We do + // this here because the menuTop element, which renders on every page, needs it. + + $availableCos = []; + + $userInfo = $this->viewBuilder()->getVar('vv_user'); + + if(!empty($userInfo['username'])) { + // There are two data sets to look at: the COs the current user is a member + // of, and (if the current user is a Platform Admin) all other COs. We then + // bubble the COmanage CO to the top (if present), followed by an alphabetical + // list of member COs, then an alphabetical list of non-member COs. + + $Cos = TableRegistry::getTableLocator()->get("Cos"); + + // Pull the set of COs this user is a member of, for rendering via menuMain + $memberCos = Hash::sort($Cos->getCosForIdentifier(loginIdentifier: $userInfo['username']), '{n}.name', 'asc'); + $allCos = null; + + if($this->RegistryAuth->isPlatformAdmin()) { + // Pull all available (active COs) + $allCos = Hash::sort($Cos->find('all')->where(['Cos.status' => TemplateableStatusEnum::Active])->toArray(), '{n}.name', 'asc'); + } + + // See if the COmanage CO is in the $memberCos list. (If the user is a + // Platform Admin it will always be in the $memberCos list.) 
+ + $COmanageCO = null; + + foreach($memberCos as $key => $co) { + if($co->isCOmanageCO()) { + $COmanageCO = $co; + unset($memberCos[$key]); + } else { + $availableCos[$key] = $co; + } + } + + if($COmanageCO) { + $availableCos = array_merge([$COmanageCO->id => $COmanageCO], $availableCos); + } + + if(!empty($allCos)) { + foreach($allCos as $key => $co) { + if(isset($availableCos[$key])) { + // Already in the list as a member + unset($allCos[$key]); + } else { + $co->name = __d('field', 'Cos.member.not', [$co->name]); + } + } + + $availableCos = array_merge($availableCos, $allCos); + } + } + + $this->set('vv_available_cos', $availableCos); + } + /** * Determine the (requested) current CO and make it available to the * rest of the application. diff --git a/app/src/Controller/CoSettingsController.php b/app/src/Controller/CoSettingsController.php index 9fa1c6b95..647836950 100644 --- a/app/src/Controller/CoSettingsController.php +++ b/app/src/Controller/CoSettingsController.php @@ -33,7 +33,8 @@ use Cake\Log\Log; class CoSettingsController extends StandardController { - + use \App\Lib\Traits\PermissionsTrait; + /** * Manage CO Settings. * @@ -49,4 +50,30 @@ public function manage() { return $this->redirect(['action' => 'edit', $settings->id]); } + + /** + * Perform Cake Model initialization. + * + * @since COmanage Registry v5.0.0 + */ + + public function initialize(): void { + parent::initialize(); + + $this->setPermissions([ + // Actions that operate over an entity (ie: require an $id). Since each CO's + // CoSetting is created during CO Setup, admins can only edit. + 'entity' => [ + 'delete' => false, + 'edit' => ['platformAdmin', 'coAdmin'], + 'view' => ['platformAdmin', 'coAdmin'] // Required for REST API + ], + // Actions that operate over a table (ie: do not require an $id) + 'table' => [ + 'add' => false, + 'index' => ['platformAdmin', 'coAdmin'], // Required for REST API + 'manage' => ['platformAdmin', 'coAdmin'] + ] + ]); + } } \ No newline at end of file 
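Review bot: The member/non-member dedupe at `if(isset($availableCos[$key]))` compares array positions, not CO ids: `find()->toArray()` yields a 0-indexed list, `Hash::sort` keeps numeric keys positional, and `array_merge` renumbers integer keys anyway, so the `$COmanageCO->id` key is discarded as soon as it is merged. The visible effect for a Platform Admin who belongs to k COs is that the first k entries of the sorted all-COs list are dropped whatever they are, while the admin's own COs reappear further down tagged "(Not a Member)". Track membership by id instead and keep the list positional (CosController::select indexes it with `[0]`); the replacement for the `$allCos` block is below. The entity's `name` is overwritten for display only, which is fine as long as nothing later saves these entities.
```php
      // $memberCos/$allCos are positionally indexed, so $key is not a CO id;
      // dedupe by id instead.
      $memberIds = [];
      foreach($availableCos as $co) {
        $memberIds[$co->id] = true;
      }

      if(!empty($allCos)) {
        foreach($allCos as $key => $co) {
          if(isset($memberIds[$co->id])) {
            // Already in the list as a member
            unset($allCos[$key]);
          } else {
            $co->name = __d('field', 'Cos.member.not', [$co->name]);
          }
        }

        $availableCos = array_merge($availableCos, $allCos);
      }
```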
diff --git a/app/src/Controller/Component/RegistryAuthComponent.php b/app/src/Controller/Component/RegistryAuthComponent.php index f2a164595..c3b253c67 100644 --- a/app/src/Controller/Component/RegistryAuthComponent.php +++ b/app/src/Controller/Component/RegistryAuthComponent.php @@ -57,6 +57,8 @@ use \Cake\Http\Exception\UnauthorizedException; use \Cake\ORM\ResultSet; use \Cake\ORM\TableRegistry; +use App\Lib\Enum\SuspendableStatusEnum; +use App\Lib\Enum\TemplateableStatusEnum; class RegistryAuthComponent extends Component { @@ -68,6 +70,9 @@ class RegistryAuthComponent extends Component // Was this an API user? protected bool $authenticatedApiUser = false; + // Cached results + protected array $cache = []; + /** * Authenticate an API User. * 
@@ -318,21 +323,78 @@ public function isApiUser(): bool { * Determine if the current user is a CO Administrator. * * @since COmanage Registry v5.0.0 - * @return bool True if the current user is a CO Administrator + * @param int $coId CO ID + * @return bool True if the current user is a CO Administrator */ public function isCoAdmin(?int $coId): bool { - if($this->authenticatedApiUser) { - $ApiUsers = TableRegistry::getTableLocator()->get('ApiUsers'); - - $priv = $ApiUsers->getUserPrivilege($this->authenticatedUser); + // We might get called in some contexts without a coId, in which case there + // are no CO Admins. + + if(!$coId) { + return false; + } + + if(!isset($this->cache['isCoAdmin'])) { + $this->cache['isCoAdmin'] = false; - return ($priv === true || $priv === $coId); - } else { -// XXX hardcoded for now until we've bootstrapped the COmanage CO -// XXX we should cache the lookup when we actually do a db query - return ($this->authenticatedUser == 'admin'); + if($this->authenticatedApiUser) { + $ApiUsers = TableRegistry::getTableLocator()->get('ApiUsers'); + + $priv = $ApiUsers->getUserPrivilege($this->authenticatedUser); + + $this->cache['isCoAdmin'] = ($priv === true || $priv === $coId); + } else { + if(!empty($this->authenticatedUser)) { + $this->cache['isCoAdmin'] = $this->isIdentifierAdmin(identifier: $this->authenticatedUser, coId: $coId); + } + } } + + return $this->cache['isCoAdmin']; + } + + /** + * Determine if an identifier represents an administrator in the specified CO. 
+ * + * @since COmanage Registry v5.0.0 + * @param string $identifier Identifier + * @param int $coId CO ID + * @return bool true if the identifier represent an administrator, false otherwise + */ + + protected function isIdentifierAdmin(string $identifier, int $coId): bool { + $Cos = TableRegistry::getTableLocator()->get('Cos'); + + // First see if this Identifier is a login Identifier in the requested CO + // This is similar to CosTable::getCosForIdentifier + $identifiers = $Cos->People + ->Identifiers + ->find('all') + ->where([ + 'Identifiers.identifier' => $identifier, + 'Identifiers.status' => SuspendableStatusEnum::Active, + 'Identifiers.login' => true, + 'Identifiers.person_id IS NOT NULL' + ]) + ->contain(['People' => 'Cos']) + ->all(); + + foreach($identifiers as $i) { + // Both the Person and the CO must be active + if($i->person->isActive() + && $i->person->co->status == TemplateableStatusEnum::Active + && $i->person->co->id == $coId) { + // We found a Person in this CO, now see if it's an admin + // (for which we'll need the admin group) + + $adminGroup = $Cos->Groups->find('adminGroup', ['co_id' => $i->person->co_id])->firstOrFail(); + + return $Cos->Groups->GroupMembers->isMember(groupId: $adminGroup->id, personId: $i->person->id); + } + } + + return false; } /** 
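Review bot: The cache key `$this->cache['isCoAdmin']` ignores `$coId`, so the first answer computed in a request is returned for every CO asked about afterwards; a user who is an admin of one CO is reported as admin of any other CO checked later in the same request (and a non-admin of the first CO stays non-admin everywhere), which matters wherever several COs are evaluated per request, such as the CO selector. Key the cache by CO: `if(!isset($this->cache['isCoAdmin'][$coId])) {`, assign `$this->cache['isCoAdmin'][$coId]` in both branches, and `return $this->cache['isCoAdmin'][$coId];`. In isIdentifierAdmin the CO filter is applied in PHP after fetching every active login identifier with that value across all COs; constraining the query to the CO (e.g. `->matching('People', fn($q) => $q->where(['People.co_id' => $coId]))`) keeps it bounded and makes the `$i->person->co->id == $coId` check redundant. The docblock `@param int $coId` should be `@param int|null $coId` to match the `?int` signature, and the false-on-null behaviour deserves a line in `@return`.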
@@ -343,14 +405,25 @@ public function isCoAdmin(?int $coId): bool { */ public function isPlatformAdmin(): bool { - if($this->authenticatedApiUser) { - $ApiUsers = TableRegistry::getTableLocator()->get('ApiUsers'); + if(!isset($this->cache['isPlatformAdmin'])) { + $this->cache['isPlatformAdmin'] = false; - return ($ApiUsers->getUserPrivilege($this->authenticatedUser) === true); - } else { -// XXX hardcoded for now until we've bootstrapped the COmanage CO -// XXX we should cache the lookup when we actually do a db query - return ($this->authenticatedUser == 'admin'); + if($this->authenticatedApiUser) { + $ApiUsers = TableRegistry::getTableLocator()->get('ApiUsers'); + + $this->cache['isPlatformAdmin'] = ($ApiUsers->getUserPrivilege($this->authenticatedUser) === true); + } else { + if(!empty($this->authenticatedUser)) { + $Cos = TableRegistry::getTableLocator()->get('Cos'); + + // Find the COmanage CO + $COmanageCO = $Cos->find('COmanageCO')->firstOrFail(); + + $this->cache['isPlatformAdmin'] = $this->isIdentifierAdmin(identifier: $this->authenticatedUser, coId: $COmanageCO->id); + } + } } + + return $this->cache['isPlatformAdmin']; } } \ No newline at end of file diff --git a/app/src/Controller/CosController.php b/app/src/Controller/CosController.php index 646de9281..11908b698 100644 --- a/app/src/Controller/CosController.php +++ b/app/src/Controller/CosController.php 
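Review bot: `$Cos->find('COmanageCO')->firstOrFail()` turns the Platform Admin check into a RecordNotFoundException when no COmanage CO exists, and the old `'admin'` username shortcut is gone, so on an un-bootstrapped instance every non-API request that reaches isPlatformAdmin() errors instead of being denied. That is fail-closed and probably acceptable, but it should be stated rather than incidental: either `// No COmanage CO means no Platform Admins; firstOrFail fails closed rather than granting` above the lookup, or catch RecordNotFoundException and cache false. The docblock should also say the cache lives on the component instance, i.e. per request, so an admin-group change takes effect on the next request rather than mid-request.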
@@ -36,12 +36,42 @@ use Cake\ORM\TableRegistry; class CosController extends StandardController { + use \App\Lib\Traits\PermissionsTrait; + public $pagination = [ 'order' => [ 'Cos.name' => 'asc' ] ]; + /** + * Perform Cake Model initialization. + * + * @since COmanage Registry v5.0.0 + */ + + public function initialize(): void { + parent::initialize(); + + $this->setPermissions([ + // Actions that operate over an entity (ie: require an $id) + 'entity' => [ + 'delete' => ['platformAdmin'], + 'duplicate' => ['platformAdmin'], + 'edit' => ['platformAdmin'], + 'view' => ['platformAdmin'] + ], + // Actions that are permitted on readonly entities (besides view) + 'readOnly' => ['duplicate'], + // Actions that operate over a table (ie: do not require an $id) + 'table' => [ + 'add' => ['platformAdmin'], + 'index' => ['platformAdmin'], + 'select' => ['authenticatedUser'] + ] + ]); + } + /** * Callback run prior to the view rendering. * @@ -76,5 +106,21 @@ public function duplicate(int $id) { public function select() { // Population of vv_available_cos is currently done in AppController + // since it's also used to determine if the "change collaboration" menu + // should render. + + // If only one CO is found, auto-redirect into it. + + $availableCos = $this->viewBuilder()->getVar('vv_available_cos'); + + if($availableCos && count($availableCos) === 1) { + return $this->redirect([ + 'controller' => 'dashboards', + 'action' => 'dashboard', + '?' => [ + 'co_id' => $availableCos[0]->id + ] + ]); + } } } \ No newline at end of file diff --git a/app/src/Controller/CousController.php b/app/src/Controller/CousController.php index f1c954e63..8c79862ea 100644 --- a/app/src/Controller/CousController.php +++ b/app/src/Controller/CousController.php @@ -34,6 +34,8 @@ //use \App\Lib\Enum\PermissionEnum; class CousController extends StandardController { + use \App\Lib\Traits\PermissionsTrait; + public $pagination = [ 'order' => [ 'Cous.name' => 'asc' 
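Review bot: The single-CO auto-redirect in select() lands on `dashboards/dashboard`, which this same commit restricts to platformAdmin and coAdmin in DashboardsController::initialize, so a plain member with exactly one CO is redirected straight into an authorization failure unless that permission is relaxed before release; either gate the redirect on the user's role or pick a landing action a member may view. `$availableCos[0]->id` also assumes the list is 0-indexed, which holds only as long as populateAvailableCos keeps its keys positional; `reset($availableCos)->id` does not depend on that. The zero-CO case falls through to the normal render, which looks intended but is worth a comment: `// Zero or several COs: render the selector`.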
@@ -70,4 +72,28 @@ public function beforeRender(\Cake\Event\EventInterface $event) { return parent::beforeRender($event); } + + /** + * Perform Cake Model initialization. + * + * @since COmanage Registry v5.0.0 + */ + + public function initialize(): void { + parent::initialize(); + + $this->setPermissions([ + // Actions that operate over an entity (ie: require an $id) + 'entity' => [ + 'delete' => ['platformAdmin', 'coAdmin'], + 'edit' => ['platformAdmin', 'coAdmin'], + 'view' => ['platformAdmin', 'coAdmin'] + ], + // Actions that operate over a table (ie: do not require an $id) + 'table' => [ + 'add' => ['platformAdmin', 'coAdmin'], + 'index' => ['platformAdmin', 'coAdmin'] + ] + ]); + } } \ No newline at end of file diff --git a/app/src/Controller/DashboardsController.php b/app/src/Controller/DashboardsController.php index e33b58bd2..1113f54a1 100644 --- a/app/src/Controller/DashboardsController.php +++ b/app/src/Controller/DashboardsController.php @@ -34,6 +34,36 @@ //use \App\Lib\Enum\PermissionEnum; class DashboardsController extends StandardController { + use \App\Lib\Traits\PermissionsTrait; + + /** + * Perform Cake Model initialization. + * + * @since COmanage Registry v5.0.0 + */ + + public function initialize(): void { + parent::initialize(); + + $this->setPermissions([ + // Actions that operate over an entity (ie: require an $id) + 'entity' => [ + /* + 'delete' => ['platformAdmin', 'coAdmin'], + 'edit' => ['platformAdmin', 'coAdmin'], + 'view' => ['platformAdmin', 'coAdmin']*/ + ], + // Actions that operate over a table (ie: do not require an $id) + 'table' => [ + 'configuration' => ['platformAdmin', 'coAdmin'], + 'dashboard' => ['platformAdmin', 'coAdmin'] // XXX this is not the correct long term permission + /* 'add' => ['platformAdmin', 'coAdmin'], + 'index' => ['platformAdmin', 'coAdmin'] + */ + ] + ]); + } + /** * Render the CO Configuration Dashboard. * 
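Review bot: DashboardsController's `entity` map is left empty with the real entries commented out, and `table` carries a second commented-out block plus an XXX on `dashboard`; commented-out lines in an authorization table are worse than dead code elsewhere because a reader cannot tell whether the empty `entity` array means "deny every $id-based request" or "not decided yet". Delete the commented lines and state the intent, e.g. `// Dashboards has no entity actions; an empty map denies any $id-based request` (assuming that is how PermissionsTrait treats a missing action, which is not visible here). The XXX on `dashboard` should name the role that is intended long term so the current admin-only restriction is not forgotten.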
diff --git a/app/src/Controller/EmailAddressesController.php b/app/src/Controller/EmailAddressesController.php index d57b04fad..77a80b8d6 100644 --- a/app/src/Controller/EmailAddressesController.php +++ b/app/src/Controller/EmailAddressesController.php @@ -34,9 +34,36 @@ use Cake\ORM\TableRegistry; class EmailAddressesController extends MVEAController { + use \App\Lib\Traits\PermissionsTrait; + public $pagination = [ 'order' => [ 'EmailAddresses.mail' => 'asc' ] ]; + + /** + * Perform Cake Model initialization. + * + * @since COmanage Registry v5.0.0 + */ + + public function initialize(): void { + parent::initialize(); + + $this->setPermissions([ + // Actions that operate over an entity (ie: require an $id) + 'entity' => [ + 'delete' => ['platformAdmin', 'coAdmin'], + 'edit' => ['platformAdmin', 'coAdmin'], + 'primary' => ['platformAdmin', 'coAdmin'], + 'view' => ['platformAdmin', 'coAdmin'] + ], + // Actions that operate over a table (ie: do not require an $id) + 'table' => [ + 'add' => ['platformAdmin', 'coAdmin'], + 'index' => ['platformAdmin', 'coAdmin'] + ] + ]); + } } \ No newline at end of file diff --git a/app/src/Controller/ExternalIdentitiesController.php b/app/src/Controller/ExternalIdentitiesController.php index e5cbce210..433e1ca6e 100644 --- a/app/src/Controller/ExternalIdentitiesController.php +++ b/app/src/Controller/ExternalIdentitiesController.php @@ -36,6 +36,8 @@ // Use extend MVEAController for breadcrumb rendering. ExternalIdentities is // sort of an MVEA, so maybe it makes sense to treat it as such. class ExternalIdentitiesController extends MVEAController { + use \App\Lib\Traits\PermissionsTrait; + public $pagination = [ 'order' => [ 'PrimaryName.family' => 'asc' 
@@ -45,4 +47,30 @@ class ExternalIdentitiesController extends MVEAController { 'PrimaryName.family' ] ]; + + /** + * Perform Cake Model initialization. + * + * @since COmanage Registry v5.0.0 + */ + + public function initialize(): void { + parent::initialize(); + + $this->setPermissions([ + // Actions that operate over an entity (ie: require an $id) +// See also CFM-126 +// XXX need to add couAdmin, eventually + 'entity' => [ + 'delete' => ['platformAdmin', 'coAdmin'], + 'edit' => ['platformAdmin', 'coAdmin'], + 'view' => ['platformAdmin', 'coAdmin'] + ], + // Actions that operate over a table (ie: do not require an $id) + 'table' => [ + 'add' => ['platformAdmin', 'coAdmin'], + 'index' => ['platformAdmin', 'coAdmin'] + ] + ]); + } } \ No newline at end of file diff --git a/app/src/Controller/ExternalIdentityRolesController.php b/app/src/Controller/ExternalIdentityRolesController.php index d0db5af81..c44bc1240 100644 --- a/app/src/Controller/ExternalIdentityRolesController.php +++ b/app/src/Controller/ExternalIdentityRolesController.php 
@@ -36,10 +36,38 @@ // Use extend MVEAController for breadcrumb rendering. ExternalIdentityRoles is sort of // an MVEA, so maybe it makes sense to treat it as such. class ExternalIdentityRolesController extends MVEAController { + use \App\Lib\Traits\PermissionsTrait; + public $pagination = [ 'order' => [ 'ExternalIdentityRoles.ordr' => 'asc', 'ExternalIdentityRoles.title' => 'asc' ] ]; + + /** + * Perform Cake Model initialization. + * + * @since COmanage Registry v5.0.0 + */ + + public function initialize(): void { + parent::initialize(); + + $this->setPermissions([ + // Actions that operate over an entity (ie: require an $id) +// See also CFM-126 +// XXX need to add couAdmin, eventually + 'entity' => [ + 'delete' => ['platformAdmin', 'coAdmin'], + 'edit' => ['platformAdmin', 'coAdmin'], + 'view' => ['platformAdmin', 'coAdmin'] + ], + // Actions that operate over a table (ie: do not require an $id) + 'table' => [ + 'add' => ['platformAdmin', 'coAdmin'], + 'index' => ['platformAdmin', 'coAdmin'] + ] + ]); + } } \ No newline at end of file diff --git a/app/src/Controller/GroupMembersController.php b/app/src/Controller/GroupMembersController.php index b7aaa866f..b8e4b244f 100644 --- a/app/src/Controller/GroupMembersController.php +++ b/app/src/Controller/GroupMembersController.php 
@@ -33,12 +33,39 @@ use Cake\Log\Log; class GroupMembersController extends StandardController { + use \App\Lib\Traits\PermissionsTrait; + public $pagination = [ 'order' => [ 'People.primary_name.name' => 'asc' ] ]; + /** + * Perform Cake Model initialization. + * + * @since COmanage Registry v5.0.0 + */ + + public function initialize(): void { + parent::initialize(); + + $this->setPermissions([ + // XXX update for couAdmins, group owners, etc + // Actions that operate over an entity (ie: require an $id) + 'entity' => [ + 'delete' => ['platformAdmin', 'coAdmin'], + 'edit' => ['platformAdmin', 'coAdmin'], + 'view' => ['platformAdmin', 'coAdmin'] + ], + // Actions that operate over a table (ie: do not require an $id) + 'table' => [ + 'add' => ['platformAdmin', 'coAdmin'], + 'index' => ['platformAdmin', 'coAdmin'] + ] + ]); + } + /** * Callback run prior to the request render. * diff --git a/app/src/Controller/GroupNestingsController.php b/app/src/Controller/GroupNestingsController.php index 67f973a1b..407330158 100644 --- a/app/src/Controller/GroupNestingsController.php +++ b/app/src/Controller/GroupNestingsController.php @@ -33,6 +33,8 @@ use Cake\Log\Log; class GroupNestingsController extends StandardController { + use \App\Lib\Traits\PermissionsTrait; + public $pagination = [ 'order' => [ 'Group.name' => 'asc' 
@@ -64,4 +66,29 @@ public function beforeRender(\Cake\Event\EventInterface $event) { return parent::beforeRender($event); } + + /** + * Perform Cake Model initialization. + * + * @since COmanage Registry v5.0.0 + */ + + public function initialize(): void { + parent::initialize(); + + $this->setPermissions([ +// XXX update for couAdmins, group owners, etc + // Actions that operate over an entity (ie: require an $id) + 'entity' => [ + 'delete' => ['platformAdmin', 'coAdmin'], + 'edit' => ['platformAdmin', 'coAdmin'], + 'view' => ['platformAdmin', 'coAdmin'] + ], + // Actions that operate over a table (ie: do not require an $id) + 'table' => [ + 'add' => ['platformAdmin', 'coAdmin'], + 'index' => ['platformAdmin', 'coAdmin'] + ] + ]); + } } \ No newline at end of file diff --git a/app/src/Controller/GroupOwnersController.php b/app/src/Controller/GroupOwnersController.php index ac278486e..fc2d1ae0d 100644 --- a/app/src/Controller/GroupOwnersController.php +++ b/app/src/Controller/GroupOwnersController.php @@ -33,6 +33,8 @@ use Cake\Log\Log; class GroupOwnersController extends StandardController { + use \App\Lib\Traits\PermissionsTrait; + public $pagination = [ 'order' => [ 'People.primary_name.name' => 'asc' @@ -58,4 +60,29 @@ public function beforeRender(\Cake\Event\EventInterface $event) { return parent::beforeRender($event); } + + /** + * Perform Cake Model initialization. + * + * @since COmanage Registry v5.0.0 + */ + + public function initialize(): void { + parent::initialize(); + + $this->setPermissions([ +// XXX update for couAdmins, group owners, etc + // Actions that operate over an entity (ie: require an $id) + 'entity' => [ + 'delete' => ['platformAdmin', 'coAdmin'], + 'edit' => false, + 'view' => ['platformAdmin', 'coAdmin'] + ], + // Actions that operate over a table (ie: do not require an $id) + 'table' => [ + 'add' => ['platformAdmin', 'coAdmin'], + 'index' => ['platformAdmin', 'coAdmin'] + ] + ]); + } } \ No newline at end of file 
diff --git a/app/src/Controller/GroupsController.php b/app/src/Controller/GroupsController.php index 902f7696d..b811394e4 100644 --- a/app/src/Controller/GroupsController.php +++ b/app/src/Controller/GroupsController.php @@ -33,12 +33,50 @@ use Cake\Log\Log; class GroupsController extends StandardController { + use \App\Lib\Traits\PermissionsTrait; + public $pagination = [ 'order' => [ 'Groups.name' => 'asc' ] ]; + /** + * Perform Cake Model initialization. + * + * @since COmanage Registry v5.0.0 + */ + + public function initialize(): void { + parent::initialize(); + + $this->setPermissions([ + // XXX update for couAdmins, etc + // Actions that operate over an entity (ie: require an $id) + 'entity' => [ + 'delete' => ['platformAdmin', 'coAdmin'], + 'edit' => ['platformAdmin', 'coAdmin'], + 'reconcile' => ['platformAdmin', 'coAdmin'], + 'view' => ['platformAdmin', 'coAdmin'] + ], + // Actions that are permitted on readonly entities (besides view) + 'readOnly' => ['reconcile'], + // Actions that operate over a table (ie: do not require an $id) + 'table' => [ + 'add' => ['platformAdmin', 'coAdmin'], + 'index' => ['platformAdmin', 'coAdmin'] + ], + // Related models whose permissions we'll need, typically for table views + 'related' => [ + 'GroupMembers', + 'GroupNestings', + 'GroupOwners', + 'HistoryRecords', + 'Identifiers' + ] + ]); + } + /** * Reconcile a Group's memberships. * diff --git a/app/src/Controller/HistoryRecordsController.php b/app/src/Controller/HistoryRecordsController.php index 4abd53c6c..b426d0541 100644 --- a/app/src/Controller/HistoryRecordsController.php +++ b/app/src/Controller/HistoryRecordsController.php 
@@ -34,9 +34,35 @@ use Cake\ORM\TableRegistry; class HistoryRecordsController extends MVEAController { + use \App\Lib\Traits\PermissionsTrait; + public $pagination = [ 'order' => [ 'HistoryRecords.id' => 'desc' ] ]; + + /** + * Perform Cake Model initialization. + * + * @since COmanage Registry v5.0.0 + */ + + public function initialize(): void { + parent::initialize(); + + $this->setPermissions([ + // Actions that operate over an entity (ie: require an $id) + 'entity' => [ + 'delete' => false, + 'edit' => false, + 'view' => ['platformAdmin', 'coAdmin'] + ], + // Actions that operate over a table (ie: do not require an $id) + 'table' => [ + 'add' => ['platformAdmin', 'coAdmin'], + 'index' => ['platformAdmin', 'coAdmin'] + ] + ]); + } } \ No newline at end of file diff --git a/app/src/Controller/IdentifiersController.php b/app/src/Controller/IdentifiersController.php index 27f087267..4634cef36 100644 --- a/app/src/Controller/IdentifiersController.php +++ b/app/src/Controller/IdentifiersController.php @@ -34,9 +34,36 @@ use Cake\ORM\TableRegistry; class IdentifiersController extends MVEAController { + use \App\Lib\Traits\PermissionsTrait; + public $pagination = [ 'order' => [ 'Identifiers.identifier' => 'asc' ] ]; + + /** + * Perform Cake Model initialization. + * + * @since COmanage Registry v5.0.0 + */ + + public function initialize(): void { + parent::initialize(); + + $this->setPermissions([ + // Actions that operate over an entity (ie: require an $id) + 'entity' => [ + 'delete' => ['platformAdmin', 'coAdmin'], + 'edit' => ['platformAdmin', 'coAdmin'], + 'primary' => ['platformAdmin', 'coAdmin'], + 'view' => ['platformAdmin', 'coAdmin'] + ], + // Actions that operate over a table (ie: do not require an $id) + 'table' => [ + 'add' => ['platformAdmin', 'coAdmin'], + 'index' => ['platformAdmin', 'coAdmin'] + ] + ]); + } } \ No newline at end of file 
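Review bot: HistoryRecordsController sets `delete` and `edit` to `false` while `add` stays open to admins, which is the right shape for an audit trail, but nothing says so and a later "fix" could open them up; a comment on the entity map, `// History Records are an audit trail: never editable or deletable, even by Platform Admins`, makes the intent explicit. Note that `false` here only governs the controller actions; if immutability matters, the same guard belongs in HistoryRecordsTable (not visible in this diff) so other code paths cannot modify records either.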
diff --git a/app/src/Controller/NamesController.php b/app/src/Controller/NamesController.php index fb3401b1e..37f407260 100644 --- a/app/src/Controller/NamesController.php +++ b/app/src/Controller/NamesController.php @@ -34,12 +34,39 @@ use Cake\ORM\TableRegistry; class NamesController extends MVEAController { + use \App\Lib\Traits\PermissionsTrait; + public $pagination = [ 'order' => [ 'Names.family' => 'asc', 'Names.given' => 'asc' ] ]; + + /** + * Perform Cake Model initialization. + * + * @since COmanage Registry v5.0.0 + */ + + public function initialize(): void { + parent::initialize(); + + $this->setPermissions([ + // Actions that operate over an entity (ie: require an $id) + 'entity' => [ + 'delete' => ['platformAdmin', 'coAdmin'], + 'edit' => ['platformAdmin', 'coAdmin'], + 'primary' => ['platformAdmin', 'coAdmin'], + 'view' => ['platformAdmin', 'coAdmin'] + ], + // Actions that operate over a table (ie: do not require an $id) + 'table' => [ + 'add' => ['platformAdmin', 'coAdmin'], + 'index' => ['platformAdmin', 'coAdmin'] + ] + ]); + } /** * Callback run prior to the request render. diff --git a/app/src/Controller/PeopleController.php b/app/src/Controller/PeopleController.php index 74232cbe7..2814b6905 100644 --- a/app/src/Controller/PeopleController.php +++ b/app/src/Controller/PeopleController.php @@ -34,6 +34,8 @@ use Cake\ORM\TableRegistry; class PeopleController extends StandardController { + use \App\Lib\Traits\PermissionsTrait; + public $pagination = [ 'order' => [ // XXX this will sort by family name, but it this universally correct? 
@@ -51,6 +53,31 @@ class PeopleController extends StandardController { ] ]; + /** + * Perform Cake Model initialization. + * + * @since COmanage Registry v5.0.0 + */ + + public function initialize(): void { + parent::initialize(); + + $this->setPermissions([ + // Actions that operate over an entity (ie: require an $id) +// See also CFM-126 + 'entity' => [ + 'delete' => ['platformAdmin', 'coAdmin'], + 'edit' => ['platformAdmin', 'coAdmin'], + 'view' => ['platformAdmin', 'coAdmin'] + ], + // Actions that operate over a table (ie: do not require an $id) + 'table' => [ + 'add' => ['platformAdmin', 'coAdmin'], + 'index' => ['platformAdmin', 'coAdmin'] + ] + ]); + } + /** * Callback run prior to the request render. * diff --git a/app/src/Controller/PersonRolesController.php b/app/src/Controller/PersonRolesController.php index b03d68f46..fffb4c95e 100644 --- a/app/src/Controller/PersonRolesController.php +++ b/app/src/Controller/PersonRolesController.php @@ -36,10 +36,38 @@ // Use extend MVEAController for breadcrumb rendering. PersonRoles is sort of // an MVEA, so maybe it makes sense to treat it as such. class PersonRolesController extends MVEAController { + use \App\Lib\Traits\PermissionsTrait; + public $pagination = [ 'order' => [ 'PersonRoles.ordr' => 'asc', 'PersonRoles.title' => 'asc' ] ]; + + /** + * Perform Cake Model initialization. + * + * @since COmanage Registry v5.0.0 + */ + + public function initialize(): void { + parent::initialize(); + + $this->setPermissions([ + // Actions that operate over an entity (ie: require an $id) +// See also CFM-126 +// XXX need to add couAdmin, eventually + 'entity' => [ + 'delete' => ['platformAdmin', 'coAdmin'], + 'edit' => ['platformAdmin', 'coAdmin'], + 'view' => ['platformAdmin', 'coAdmin'] + ], + // Actions that operate over a table (ie: do not require an $id) + 'table' => [ + 'add' => ['platformAdmin', 'coAdmin'], + 'index' => ['platformAdmin', 'coAdmin'] + ] + ]); + } } \ No newline at end of file 
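Review bot: The `// See also CFM-126` comment inside the `setPermissions()` array in PeopleController::initialize() sits at column 0, breaking the indentation of the surrounding array literal; the same applies to `// See also CFM-126` and `// XXX need to add couAdmin, eventually` in the PersonRolesController hunk on this line. They were copied verbatim from the deleted Table blocks, where they had the same flush-left placement. Indent them to the level of the `'entity' => [` key that follows so the permission matrix reads as one block, e.g. `      // See also CFM-126`.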
diff --git a/app/src/Controller/TelephoneNumbersController.php b/app/src/Controller/TelephoneNumbersController.php index d09f804e4..78d2643d6 100644 --- a/app/src/Controller/TelephoneNumbersController.php +++ b/app/src/Controller/TelephoneNumbersController.php @@ -34,6 +34,8 @@ use Cake\ORM\TableRegistry; class TelephoneNumbersController extends MVEAController { + use \App\Lib\Traits\PermissionsTrait; + public $pagination = [ 'order' => [ 'TelephoneNumbers.number' => 'asc' @@ -60,4 +62,29 @@ public function beforeRender(\Cake\Event\EventInterface $event) { return parent::beforeRender($event); } + + /** + * Perform Cake Model initialization. + * + * @since COmanage Registry v5.0.0 + */ + + public function initialize(): void { + parent::initialize(); + + $this->setPermissions([ + // Actions that operate over an entity (ie: require an $id) + 'entity' => [ + 'delete' => ['platformAdmin', 'coAdmin'], + 'edit' => ['platformAdmin', 'coAdmin'], + 'primary' => ['platformAdmin', 'coAdmin'], + 'view' => ['platformAdmin', 'coAdmin'] + ], + // Actions that operate over a table (ie: do not require an $id) + 'table' => [ + 'add' => ['platformAdmin', 'coAdmin'], + 'index' => ['platformAdmin', 'coAdmin'] + ] + ]); + } } \ No newline at end of file diff --git a/app/src/Controller/TypesController.php b/app/src/Controller/TypesController.php index 21f28c3c4..b9304771e 100644 --- a/app/src/Controller/TypesController.php +++ b/app/src/Controller/TypesController.php @@ -33,6 +33,8 @@ use Cake\Log\Log; class TypesController extends StandardController { + use \App\Lib\Traits\PermissionsTrait; + public $pagination = [ 'order' => [ 'Types.attribute' => 'asc', 
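Review bot: `initialize()` in TelephoneNumbersController is appended after `beforeRender()`, whereas every other controller touched by this commit places it directly after `$pagination`; TypesController (next line) likewise appends it after `restore()`. Keeping the permission matrix in the same position in every controller makes it easier to audit which roles may reach each action. The enclosing class continues outside the hunk.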
@@ -60,4 +62,29 @@ public function restore() { return $this->generateRedirect(null); } + + /** + * Perform Cake Model initialization. + * + * @since COmanage Registry v5.0.0 + */ + + public function initialize(): void { + parent::initialize(); + + $this->setPermissions([ + // Actions that operate over an entity (ie: require an $id) + 'entity' => [ + 'delete' => ['platformAdmin', 'coAdmin'], + 'edit' => ['platformAdmin', 'coAdmin'], + 'view' => ['platformAdmin', 'coAdmin'] + ], + // Actions that operate over a table (ie: do not require an $id) + 'table' => [ + 'add' => ['platformAdmin', 'coAdmin'], + 'index' => ['platformAdmin', 'coAdmin'], + 'restore' => ['platformAdmin', 'coAdmin'] + ] + ]); + } } \ No newline at end of file diff --git a/app/src/Controller/UrlsController.php b/app/src/Controller/UrlsController.php index 6223b8486..d71437a6e 100644 --- a/app/src/Controller/UrlsController.php +++ b/app/src/Controller/UrlsController.php @@ -34,9 +34,36 @@ use Cake\ORM\TableRegistry; class UrlsController extends MVEAController { + use \App\Lib\Traits\PermissionsTrait; + public $pagination = [ 'order' => [ 'Urls.url' => 'asc' ] ]; + + /** + * Perform Cake Model initialization. + * + * @since COmanage Registry v5.0.0 + */ + + public function initialize(): void { + parent::initialize(); + + $this->setPermissions([ + // Actions that operate over an entity (ie: require an $id) + 'entity' => [ + 'delete' => ['platformAdmin', 'coAdmin'], + 'edit' => ['platformAdmin', 'coAdmin'], + 'primary' => ['platformAdmin', 'coAdmin'], + 'view' => ['platformAdmin', 'coAdmin'] + ], + // Actions that operate over a table (ie: do not require an $id) + 'table' => [ + 'add' => ['platformAdmin', 'coAdmin'], + 'index' => ['platformAdmin', 'coAdmin'] + ] + ]); + } } \ No newline at end of file diff --git a/app/src/Model/Table/AdHocAttributesTable.php b/app/src/Model/Table/AdHocAttributesTable.php index e5b6c1601..3b901127a 100644 --- a/app/src/Model/Table/AdHocAttributesTable.php 
+++ b/app/src/Model/Table/AdHocAttributesTable.php @@ -36,7 +36,6 @@ class AdHocAttributesTable extends Table { use \App\Lib\Traits\ChangelogBehaviorTrait; use \App\Lib\Traits\CoLinkTrait; use \App\Lib\Traits\HistoryTrait; - use \App\Lib\Traits\PermissionsTrait; use \App\Lib\Traits\PrimaryLinkTrait; use \App\Lib\Traits\TableMetaTrait; use \App\Lib\Traits\ValidationTrait; @@ -68,21 +67,6 @@ public function initialize(array $config): void { $this->setPrimaryLink(['external_identity_id', 'external_identity_role_id', 'person_id', 'person_role_id']); $this->setRequiresCO(true); - - $this->setPermissions([ - // Actions that operate over an entity (ie: require an $id) - 'entity' => [ - 'delete' => ['platformAdmin', 'coAdmin'], - 'edit' => ['platformAdmin', 'coAdmin'], - 'primary' => ['platformAdmin', 'coAdmin'], - 'view' => ['platformAdmin', 'coAdmin'] - ], - // Actions that operate over a table (ie: do not require an $id) - 'table' => [ - 'add' => ['platformAdmin', 'coAdmin'], - 'index' => ['platformAdmin', 'coAdmin'] - ] - ]); } /** diff --git a/app/src/Model/Table/AddressesTable.php b/app/src/Model/Table/AddressesTable.php index 6da5d10f0..a23316cbc 100644 --- a/app/src/Model/Table/AddressesTable.php +++ b/app/src/Model/Table/AddressesTable.php @@ -39,7 +39,6 @@ class AddressesTable extends Table { use \App\Lib\Traits\ChangelogBehaviorTrait; use \App\Lib\Traits\CoLinkTrait; use \App\Lib\Traits\HistoryTrait; - use \App\Lib\Traits\PermissionsTrait; use \App\Lib\Traits\PrimaryLinkTrait; use \App\Lib\Traits\TableMetaTrait; use \App\Lib\Traits\TypeTrait; 
@@ -96,21 +95,6 @@ public function initialize(array $config): void { 'attribute' => 'Addresses.type' ] ]); - - $this->setPermissions([ - // Actions that operate over an entity (ie: require an $id) - 'entity' => [ - 'delete' => ['platformAdmin', 'coAdmin'], - 'edit' => ['platformAdmin', 'coAdmin'], - 'primary' => ['platformAdmin', 'coAdmin'], - 'view' => ['platformAdmin', 'coAdmin'] - ], - // Actions that operate over a table (ie: do not require an $id) - 'table' => [ - 'add' => ['platformAdmin', 'coAdmin'], - 'index' => ['platformAdmin', 'coAdmin'] - ] - ]); } /** diff --git a/app/src/Model/Table/ApiUsersTable.php b/app/src/Model/Table/ApiUsersTable.php index 4da54c7d7..1f7c82133 100644 --- a/app/src/Model/Table/ApiUsersTable.php +++ b/app/src/Model/Table/ApiUsersTable.php @@ -43,7 +43,6 @@ class ApiUsersTable extends Table { use \App\Lib\Traits\AutoViewVarsTrait; use \App\Lib\Traits\CoLinkTrait; - use \App\Lib\Traits\PermissionsTrait; use \App\Lib\Traits\PrimaryLinkTrait; use \App\Lib\Traits\TableMetaTrait; use \App\Lib\Traits\ValidationTrait; @@ -80,21 +79,6 @@ public function initialize(array $config): void { 'class' => 'SuspendableStatusEnum' ] ]); - - $this->setPermissions([ - // Actions that operate over an entity (ie: require an $id) - 'entity' => [ - 'delete' => ['platformAdmin', 'coAdmin'], - 'edit' => ['platformAdmin', 'coAdmin'], - 'generate' => ['platformAdmin', 'coAdmin'], - 'view' => ['platformAdmin', 'coAdmin'] - ], - // Actions that operate over a table (ie: do not require an $id) - 'table' => [ - 'add' => ['platformAdmin', 'coAdmin'], - 'index' => ['platformAdmin', 'coAdmin'] - ] - ]); } /** diff --git a/app/src/Model/Table/CoSettingsTable.php b/app/src/Model/Table/CoSettingsTable.php index dbf323679..b0d018d78 100644 --- a/app/src/Model/Table/CoSettingsTable.php +++ b/app/src/Model/Table/CoSettingsTable.php 
@@ -52,7 +52,6 @@ class CoSettingsTable extends Table { use \App\Lib\Traits\AutoViewVarsTrait; use \App\Lib\Traits\CoLinkTrait; - use \App\Lib\Traits\PermissionsTrait; use \App\Lib\Traits\PrimaryLinkTrait; use \App\Lib\Traits\TableMetaTrait; @@ -149,22 +148,6 @@ public function initialize(array $config): void { 'attribute' => 'Urls.type' ] ]); - - $this->setPermissions([ - // Actions that operate over an entity (ie: require an $id). Since each CO's - // CoSetting is created during CO Setup, admins can only edit. - 'entity' => [ - 'delete' => false, - 'edit' => ['platformAdmin', 'coAdmin'], - 'view' => ['platformAdmin', 'coAdmin'] // Required for REST API - ], - // Actions that operate over a table (ie: do not require an $id) - 'table' => [ - 'add' => false, - 'index' => ['platformAdmin', 'coAdmin'], // Required for REST API - 'manage' => ['platformAdmin', 'coAdmin'] - ] - ]); } /** diff --git a/app/src/Model/Table/CosTable.php b/app/src/Model/Table/CosTable.php index b5f6e9fa1..bf1753ce8 100644 --- a/app/src/Model/Table/CosTable.php +++ b/app/src/Model/Table/CosTable.php @@ -33,14 +33,15 @@ use Cake\ORM\RulesChecker; use Cake\ORM\Table; use Cake\ORM\TableRegistry; +use Cake\Utility\Hash; use Cake\Validation\Validator; +use \App\Lib\Enum\SuspendableStatusEnum; use \App\Lib\Enum\TemplateableStatusEnum; class CosTable extends Table { use \App\Lib\Traits\AutoViewVarsTrait; use \App\Lib\Traits\ChangelogBehaviorTrait; use \App\Lib\Traits\CoLinkTrait; - use \App\Lib\Traits\PermissionsTrait; use \App\Lib\Traits\TableMetaTrait; use \App\Lib\Traits\ValidationTrait; 
@@ -87,24 +88,6 @@ public function initialize(array $config): void { 'class' => 'TemplateableStatusEnum' ] ]); - - $this->setPermissions([ - // Actions that operate over an entity (ie: require an $id) - 'entity' => [ - 'delete' => ['platformAdmin'], - 'duplicate' => ['platformAdmin'], - 'edit' => ['platformAdmin'], - 'view' => ['platformAdmin'] - ], - // Actions that are permitted on readonly entities (besides view) - 'readOnly' => ['duplicate'], - // Actions that operate over a table (ie: do not require an $id) - 'table' => [ - 'add' => ['platformAdmin'], - 'index' => ['platformAdmin'], - 'select' => ['authenticatedUser'] - ] - ]); } /** 
@@ -159,6 +142,49 @@ public function findCOmanageCO(Query $query): Query { return $query->where(['lower(name)' => 'comanage']); } + /** + * Obtain the set of COs for the specified Identifier. The Identifier must + * be a login identifier, Active, and attached to an Active or Grace Period + * Person in an Active CO. If the Identifier belongs to a Platform Admin, all + * Active COs will be returned. + * + * @since COmanage Registry v5.0.0 + * @param string $loginIdentifier Login Identifier + * @return array Array of COs + */ + + public function getCosForIdentifier(string $loginIdentifier): array { + // Start by pulling the active Identifier records where $loginIdentifier is + // flagged for login and attached to a Person (not an External Identity). + + $identifiers = $this->People + ->Identifiers + ->find('all') + ->where([ + 'Identifiers.identifier' => $loginIdentifier, + 'Identifiers.status' => SuspendableStatusEnum::Active, + 'Identifiers.login' => true, + 'Identifiers.person_id IS NOT NULL' + ]) + ->contain(['People' => 'Cos']) + ->all(); + + $cos = []; + + // Did we find an Identifier attached to a Person in the COmanage CO? + + foreach($identifiers as $i) { + // Both the Person and the CO must be active + if($i->person->isActive() + && $i->person->co->status == TemplateableStatusEnum::Active) { + // Keying on co_id should eliminate duplicates + $cos[ $i->person->co_id ] = $i->person->co; + } + } + + return $cos; + } + /** * Callback after model save. * @@ -178,7 +204,7 @@ public function localAfterSave(\Cake\Event\EventInterface $event, \Cake\Datasour } elseif($entity->getOriginal('name') != $entity->get('name')) { // AR-CO-7 The name was changed, so we may need to update the system groups - $this->Groups->addDefaults(coId: $entity->id, couId: null, rename: true); + $this->Groups->addDefaults(coId: $entity->id, rename: true); } } diff --git a/app/src/Model/Table/CousTable.php b/app/src/Model/Table/CousTable.php index 7b9506a0f..d00e45960 100644 
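Review bot: The docblock for `getCosForIdentifier()` states that a Platform Admin's Identifier returns all Active COs, but the body only collects COs reached through the matched Identifier records and has no platform-admin branch, so callers relying on the documented behaviour would receive an incomplete list. Either implement that branch or drop the sentence, and replace the inline comment `// Did we find an Identifier attached to a Person in the COmanage CO?`, which does not describe the loop, with `// Keep only Identifiers attached to an Active Person in an Active CO`. The status check should also use strict comparison, `&& $i->person->co->status === TemplateableStatusEnum::Active) {`, consistent with the strict equality the query above relies on for `SuspendableStatusEnum::Active`. Separately, `use Cake\Utility\Hash;` added in this file's first hunk does not appear to be used by any addition visible in the commit.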
--- a/app/src/Model/Table/CousTable.php +++ b/app/src/Model/Table/CousTable.php @@ -39,7 +39,6 @@ class CousTable extends Table { use \App\Lib\Traits\AutoViewVarsTrait; use \App\Lib\Traits\ChangelogBehaviorTrait; use \App\Lib\Traits\CoLinkTrait; - use \App\Lib\Traits\PermissionsTrait; use \App\Lib\Traits\PrimaryLinkTrait; use \App\Lib\Traits\SearchFilterTrait; use \App\Lib\Traits\TableMetaTrait; @@ -77,20 +76,6 @@ public function initialize(array $config): void { $this->setPrimaryLink('co_id'); $this->setRequiresCO(true); - - $this->setPermissions([ - // Actions that operate over an entity (ie: require an $id) - 'entity' => [ - 'delete' => ['platformAdmin', 'coAdmin'], - 'edit' => ['platformAdmin', 'coAdmin'], - 'view' => ['platformAdmin', 'coAdmin'] - ], - // Actions that operate over a table (ie: do not require an $id) - 'table' => [ - 'add' => ['platformAdmin', 'coAdmin'], - 'index' => ['platformAdmin', 'coAdmin'] - ] - ]); $this->setAutoViewVars([ 'parent_ids' => [ diff --git a/app/src/Model/Table/DashboardsTable.php b/app/src/Model/Table/DashboardsTable.php index 55b45fed8..f7fa37989 100644 --- a/app/src/Model/Table/DashboardsTable.php +++ b/app/src/Model/Table/DashboardsTable.php @@ -33,7 +33,6 @@ class DashboardsTable extends Table { use \App\Lib\Traits\CoLinkTrait; - use \App\Lib\Traits\PermissionsTrait; use \App\Lib\Traits\PrimaryLinkTrait; use \App\Lib\Traits\TableMetaTrait; 
@@ -61,23 +60,5 @@ public function initialize(array $config): void { $this->setPrimaryLink('co_id'); $this->setRequiresCO(true); $this->setAllowUnkeyedPrimaryCO(['configuration', 'dashboard']); - - $this->setPermissions([ - // Actions that operate over an entity (ie: require an $id) - 'entity' => [ - /* - 'delete' => ['platformAdmin', 'coAdmin'], - 'edit' => ['platformAdmin', 'coAdmin'], - 'view' => ['platformAdmin', 'coAdmin']*/ - ], - // Actions that operate over a table (ie: do not require an $id) - 'table' => [ - 'configuration' => ['platformAdmin', 'coAdmin'], - 'dashboard' => ['platformAdmin', 'coAdmin'] // XXX this is not the correct long term permission - /* 'add' => ['platformAdmin', 'coAdmin'], - 'index' => ['platformAdmin', 'coAdmin'] - */ - ] - ]); } } \ No newline at end of file diff --git a/app/src/Model/Table/EmailAddressesTable.php b/app/src/Model/Table/EmailAddressesTable.php index bb8155764..a6d3f78ac 100644 --- a/app/src/Model/Table/EmailAddressesTable.php +++ b/app/src/Model/Table/EmailAddressesTable.php @@ -37,7 +37,6 @@ class EmailAddressesTable extends Table { use \App\Lib\Traits\ChangelogBehaviorTrait; use \App\Lib\Traits\CoLinkTrait; use \App\Lib\Traits\HistoryTrait; - use \App\Lib\Traits\PermissionsTrait; use \App\Lib\Traits\PrimaryLinkTrait; use \App\Lib\Traits\TableMetaTrait; use \App\Lib\Traits\TypeTrait; @@ -91,21 +90,6 @@ public function initialize(array $config): void { 'attribute' => 'EmailAddresses.type' ] ]); - - $this->setPermissions([ - // Actions that operate over an entity (ie: require an $id) - 'entity' => [ - 'delete' => ['platformAdmin', 'coAdmin'], - 'edit' => ['platformAdmin', 'coAdmin'], - 'primary' => ['platformAdmin', 'coAdmin'], - 'view' => ['platformAdmin', 'coAdmin'] - ], - // Actions that operate over a table (ie: do not require an $id) - 'table' => [ - 'add' => ['platformAdmin', 'coAdmin'], - 'index' => ['platformAdmin', 'coAdmin'] - ] - ]); } /** 
diff --git a/app/src/Model/Table/ExternalIdentitiesTable.php b/app/src/Model/Table/ExternalIdentitiesTable.php index 604e4888b..2383d6933 100644 --- a/app/src/Model/Table/ExternalIdentitiesTable.php +++ b/app/src/Model/Table/ExternalIdentitiesTable.php @@ -39,7 +39,6 @@ class ExternalIdentitiesTable extends Table { use \App\Lib\Traits\AutoViewVarsTrait; use \App\Lib\Traits\CoLinkTrait; use \App\Lib\Traits\HistoryTrait; - use \App\Lib\Traits\PermissionsTrait; use \App\Lib\Traits\PrimaryLinkTrait; use \App\Lib\Traits\QueryModificationTrait; use \App\Lib\Traits\TableMetaTrait; @@ -114,22 +113,6 @@ public function initialize(array $config): void { 'class' => 'StatusEnum' ] ]); - - $this->setPermissions([ - // Actions that operate over an entity (ie: require an $id) -// See also CFM-126 -// XXX need to add couAdmin, eventually - 'entity' => [ - 'delete' => ['platformAdmin', 'coAdmin'], - 'edit' => ['platformAdmin', 'coAdmin'], - 'view' => ['platformAdmin', 'coAdmin'] - ], - // Actions that operate over a table (ie: do not require an $id) - 'table' => [ - 'add' => ['platformAdmin', 'coAdmin'], - 'index' => ['platformAdmin', 'coAdmin'] - ] - ]); } diff --git a/app/src/Model/Table/ExternalIdentityRolesTable.php b/app/src/Model/Table/ExternalIdentityRolesTable.php index 987648b41..75187358d 100644 --- a/app/src/Model/Table/ExternalIdentityRolesTable.php +++ b/app/src/Model/Table/ExternalIdentityRolesTable.php @@ -39,7 +39,6 @@ class ExternalIdentityRolesTable extends Table { use \App\Lib\Traits\AutoViewVarsTrait; use \App\Lib\Traits\CoLinkTrait; use \App\Lib\Traits\HistoryTrait; - use \App\Lib\Traits\PermissionsTrait; use \App\Lib\Traits\PrimaryLinkTrait; use \App\Lib\Traits\QueryModificationTrait; use \App\Lib\Traits\TableMetaTrait; 
@@ -102,22 +101,6 @@ public function initialize(array $config): void { 'attribute' => 'PersonRoles.affiliation' ] ]); - - $this->setPermissions([ - // Actions that operate over an entity (ie: require an $id) -// See also CFM-126 -// XXX need to add couAdmin, eventually - 'entity' => [ - 'delete' => ['platformAdmin', 'coAdmin'], - 'edit' => ['platformAdmin', 'coAdmin'], - 'view' => ['platformAdmin', 'coAdmin'] - ], - // Actions that operate over a table (ie: do not require an $id) - 'table' => [ - 'add' => ['platformAdmin', 'coAdmin'], - 'index' => ['platformAdmin', 'coAdmin'] - ] - ]); } /** diff --git a/app/src/Model/Table/GroupMembersTable.php b/app/src/Model/Table/GroupMembersTable.php index 5bb5db115..9243f83ae 100644 --- a/app/src/Model/Table/GroupMembersTable.php +++ b/app/src/Model/Table/GroupMembersTable.php @@ -43,7 +43,6 @@ class GroupMembersTable extends Table { use \App\Lib\Traits\CoLinkTrait; use \App\Lib\Traits\HistoryTrait; use \App\Lib\Traits\LabeledLogTrait; - use \App\Lib\Traits\PermissionsTrait; use \App\Lib\Traits\PrimaryLinkTrait; use \App\Lib\Traits\QueryModificationTrait; use \App\Lib\Traits\TableMetaTrait; @@ -83,21 +82,6 @@ public function initialize(array $config): void { 'Groups', 'People.PrimaryName' ]); - - $this->setPermissions([ -// XXX update for couAdmins, group owners, etc - // Actions that operate over an entity (ie: require an $id) - 'entity' => [ - 'delete' => ['platformAdmin', 'coAdmin'], - 'edit' => ['platformAdmin', 'coAdmin'], - 'view' => ['platformAdmin', 'coAdmin'] - ], - // Actions that operate over a table (ie: do not require an $id) - 'table' => [ - 'add' => ['platformAdmin', 'coAdmin'], - 'index' => ['platformAdmin', 'coAdmin'] - ] - ]); } /** diff --git a/app/src/Model/Table/GroupNestingsTable.php b/app/src/Model/Table/GroupNestingsTable.php index ebd30ab8e..748bdaa7f 100644 --- a/app/src/Model/Table/GroupNestingsTable.php +++ b/app/src/Model/Table/GroupNestingsTable.php 
@@ -40,7 +40,6 @@ class GroupNestingsTable extends Table { use \App\Lib\Traits\AutoViewVarsTrait; use \App\Lib\Traits\ChangelogBehaviorTrait; use \App\Lib\Traits\CoLinkTrait; - use \App\Lib\Traits\PermissionsTrait; use \App\Lib\Traits\PrimaryLinkTrait; use \App\Lib\Traits\QueryModificationTrait; use \App\Lib\Traits\TableMetaTrait; @@ -81,21 +80,6 @@ public function initialize(array $config): void { $this->setEditContains(['Groups', 'TargetGroups']); $this->setIndexContains(['Groups', 'TargetGroups']); - - $this->setPermissions([ -// XXX update for couAdmins, group owners, etc - // Actions that operate over an entity (ie: require an $id) - 'entity' => [ - 'delete' => ['platformAdmin', 'coAdmin'], - 'edit' => ['platformAdmin', 'coAdmin'], - 'view' => ['platformAdmin', 'coAdmin'] - ], - // Actions that operate over a table (ie: do not require an $id) - 'table' => [ - 'add' => ['platformAdmin', 'coAdmin'], - 'index' => ['platformAdmin', 'coAdmin'] - ] - ]); } /** diff --git a/app/src/Model/Table/GroupOwnersTable.php b/app/src/Model/Table/GroupOwnersTable.php index fcd14362d..bbf6b5b84 100644 --- a/app/src/Model/Table/GroupOwnersTable.php +++ b/app/src/Model/Table/GroupOwnersTable.php @@ -41,7 +41,6 @@ class GroupOwnersTable extends Table { use \App\Lib\Traits\ChangelogBehaviorTrait; use \App\Lib\Traits\CoLinkTrait; use \App\Lib\Traits\HistoryTrait; - use \App\Lib\Traits\PermissionsTrait; use \App\Lib\Traits\PrimaryLinkTrait; use \App\Lib\Traits\QueryModificationTrait; use \App\Lib\Traits\TableMetaTrait; 
@@ -75,21 +74,6 @@ public function initialize(array $config): void { $this->setEditContains(['Groups', 'People.PrimaryName']); $this->setIndexContains(['Groups', 'People.PrimaryName']); - - $this->setPermissions([ -// XXX update for couAdmins, group owners, etc - // Actions that operate over an entity (ie: require an $id) - 'entity' => [ - 'delete' => ['platformAdmin', 'coAdmin'], - 'edit' => false, - 'view' => ['platformAdmin', 'coAdmin'] - ], - // Actions that operate over a table (ie: do not require an $id) - 'table' => [ - 'add' => ['platformAdmin', 'coAdmin'], - 'index' => ['platformAdmin', 'coAdmin'] - ] - ]); } /** diff --git a/app/src/Model/Table/GroupsTable.php b/app/src/Model/Table/GroupsTable.php index 9567dca50..5257efeb0 100644 --- a/app/src/Model/Table/GroupsTable.php +++ b/app/src/Model/Table/GroupsTable.php @@ -46,7 +46,6 @@ class GroupsTable extends Table { use \App\Lib\Traits\CoLinkTrait; use \App\Lib\Traits\HistoryTrait; use \App\Lib\Traits\LabeledLogTrait; - use \App\Lib\Traits\PermissionsTrait; use \App\Lib\Traits\PrimaryLinkTrait; use \App\Lib\Traits\TableMetaTrait; use \App\Lib\Traits\ValidationTrait; 
@@ -94,36 +93,6 @@ public function initialize(array $config): void { 'class' => 'SuspendableStatusEnum' ] ]); - - $this->setPermissions([ -// XXX update for couAdmins, etc - // Actions that operate over an entity (ie: require an $id) - 'entity' => [ - 'delete' => ['platformAdmin', 'coAdmin'], - 'edit' => ['platformAdmin', 'coAdmin'], - 'reconcile' => ['platformAdmin', 'coAdmin'], - 'view' => ['platformAdmin', 'coAdmin'] - ], - // Actions that are permitted on readonly entities (besides view) - 'readOnly' => ['reconcile'], - // Actions that operate over a table (ie: do not require an $id) - 'table' => [ - 'add' => ['platformAdmin', 'coAdmin'], - 'index' => ['platformAdmin', 'coAdmin'] - ], - // Related models whose permissions we'll need, typically for table views - 'related' => [ -// XXX As a first pass, this (combined with the implementation in AppController::calculatePermissions) -// will render a link to group-members?group_id=X for all groups in the index view -// groups?co_id=2. This may or may not be right in the long term, eg for private -// groups. Maybe it's OK for now, since all groups are visible to all members of the CO. - 'GroupMembers', - 'GroupNestings', - 'GroupOwners', - 'HistoryRecords', - 'Identifiers' - ] - ]); } /** @@ -262,6 +231,23 @@ public function buildRules(RulesChecker $rules): RulesChecker { return $rules; } + /** + * Find a CO's Administrators group. + * + * @since COmanage Registry v5.0.0 + * @param \Cake\ORM\Query $query Query + * @param array $options Options: co_id (required) + * @return \Cake\ORM\Query Query + */ + + public function findAdminGroup(Query $query, array $options): Query { + return $query->where([ + 'co_id' => $options['co_id'], + 'status' => SuspendableStatusEnum::Active, + 'group_type' => GroupTypeEnum::Admins + ]); + } + /** * Obtain an iterator for all members of the requested Group. * 
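Review bot: `findAdminGroup()` reads `$options['co_id']` unguarded even though the docblock marks it required; a caller that omits it gets an undefined-index warning and a null comparison rather than a clear error. Suggest `'co_id' => $options['co_id'] ?? throw new \InvalidArgumentException('co_id is required'),`. Because this finder resolves the group that confers CO administrator rights, the column names should also be table-qualified (`'Groups.co_id'`, `'Groups.status'`, `'Groups.group_type'`) so the conditions cannot become ambiguous if a caller adds a join or contain, in the same way `Identifiers.identifier` is qualified in the CosTable hunk.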
diff --git a/app/src/Model/Table/HistoryRecordsTable.php b/app/src/Model/Table/HistoryRecordsTable.php index 027ea79bd..55af42c4c 100644 --- a/app/src/Model/Table/HistoryRecordsTable.php +++ b/app/src/Model/Table/HistoryRecordsTable.php @@ -34,7 +34,6 @@ class HistoryRecordsTable extends Table { use \App\Lib\Traits\CoLinkTrait; - use \App\Lib\Traits\PermissionsTrait; use \App\Lib\Traits\PrimaryLinkTrait; use \App\Lib\Traits\QueryModificationTrait; use \App\Lib\Traits\TableMetaTrait; @@ -99,20 +98,6 @@ public function initialize(array $config): void { 'ExternalIdentities' => ['PrimaryName'], 'Groups' ]); - - $this->setPermissions([ - // Actions that operate over an entity (ie: require an $id) - 'entity' => [ - 'delete' => false, - 'edit' => false, - 'view' => ['platformAdmin', 'coAdmin'] - ], - // Actions that operate over a table (ie: do not require an $id) - 'table' => [ - 'add' => ['platformAdmin', 'coAdmin'], - 'index' => ['platformAdmin', 'coAdmin'] - ] - ]); } /** diff --git a/app/src/Model/Table/IdentifiersTable.php b/app/src/Model/Table/IdentifiersTable.php index fb098453c..7b702a1b8 100644 --- a/app/src/Model/Table/IdentifiersTable.php +++ b/app/src/Model/Table/IdentifiersTable.php @@ -38,7 +38,6 @@ class IdentifiersTable extends Table { use \App\Lib\Traits\ChangelogBehaviorTrait; use \App\Lib\Traits\CoLinkTrait; use \App\Lib\Traits\HistoryTrait; - use \App\Lib\Traits\PermissionsTrait; use \App\Lib\Traits\PrimaryLinkTrait; use \App\Lib\Traits\TableMetaTrait; use \App\Lib\Traits\TypeTrait; 
@@ -108,21 +107,6 @@ public function initialize(array $config): void { 'class' => 'TemplateableStatusEnum' ] ]); - - $this->setPermissions([ - // Actions that operate over an entity (ie: require an $id) - 'entity' => [ - 'delete' => ['platformAdmin', 'coAdmin'], - 'edit' => ['platformAdmin', 'coAdmin'], - 'primary' => ['platformAdmin', 'coAdmin'], - 'view' => ['platformAdmin', 'coAdmin'] - ], - // Actions that operate over a table (ie: do not require an $id) - 'table' => [ - 'add' => ['platformAdmin', 'coAdmin'], - 'index' => ['platformAdmin', 'coAdmin'] - ] - ]); } /** diff --git a/app/src/Model/Table/NamesTable.php b/app/src/Model/Table/NamesTable.php index 46219e4f5..40e0798a3 100644 --- a/app/src/Model/Table/NamesTable.php +++ b/app/src/Model/Table/NamesTable.php @@ -42,7 +42,6 @@ class NamesTable extends Table { use \App\Lib\Traits\ChangelogBehaviorTrait; use \App\Lib\Traits\CoLinkTrait; use \App\Lib\Traits\HistoryTrait; - use \App\Lib\Traits\PermissionsTrait; use \App\Lib\Traits\PrimaryLinkTrait; use \App\Lib\Traits\TableMetaTrait; use \App\Lib\Traits\TypeTrait; @@ -99,21 +98,6 @@ public function initialize(array $config): void { 'attribute' => 'Names.type' ] ]); - - $this->setPermissions([ - // Actions that operate over an entity (ie: require an $id) - 'entity' => [ - 'delete' => ['platformAdmin', 'coAdmin'], - 'edit' => ['platformAdmin', 'coAdmin'], - 'primary' => ['platformAdmin', 'coAdmin'], - 'view' => ['platformAdmin', 'coAdmin'] - ], - // Actions that operate over a table (ie: do not require an $id) - 'table' => [ - 'add' => ['platformAdmin', 'coAdmin'], - 'index' => ['platformAdmin', 'coAdmin'] - ] - ]); } /** diff --git a/app/src/Model/Table/PeopleTable.php b/app/src/Model/Table/PeopleTable.php index d7288c949..8f0d0ae0e 100644 --- a/app/src/Model/Table/PeopleTable.php +++ b/app/src/Model/Table/PeopleTable.php 
@@ -43,7 +43,6 @@ class PeopleTable extends Table { use \App\Lib\Traits\CoLinkTrait; use \App\Lib\Traits\HistoryTrait; use \App\Lib\Traits\LabeledLogTrait; - use \App\Lib\Traits\PermissionsTrait; use \App\Lib\Traits\PrimaryLinkTrait; use \App\Lib\Traits\QueryModificationTrait; use \App\Lib\Traits\TableMetaTrait; @@ -126,21 +125,6 @@ public function initialize(array $config): void { 'attribute' => 'Names.type' ] ]); - - $this->setPermissions([ - // Actions that operate over an entity (ie: require an $id) -// See also CFM-126 - 'entity' => [ - 'delete' => ['platformAdmin', 'coAdmin'], - 'edit' => ['platformAdmin', 'coAdmin'], - 'view' => ['platformAdmin', 'coAdmin'] - ], - // Actions that operate over a table (ie: do not require an $id) - 'table' => [ - 'add' => ['platformAdmin', 'coAdmin'], - 'index' => ['platformAdmin', 'coAdmin'] - ] - ]); } /** diff --git a/app/src/Model/Table/PersonRolesTable.php b/app/src/Model/Table/PersonRolesTable.php index c3df8dcbf..5d21c565f 100644 --- a/app/src/Model/Table/PersonRolesTable.php +++ b/app/src/Model/Table/PersonRolesTable.php @@ -43,7 +43,6 @@ class PersonRolesTable extends Table { use \App\Lib\Traits\CoLinkTrait; use \App\Lib\Traits\HistoryTrait; use \App\Lib\Traits\LabeledLogTrait; - use \App\Lib\Traits\PermissionsTrait; use \App\Lib\Traits\PrimaryLinkTrait; use \App\Lib\Traits\QueryModificationTrait; use \App\Lib\Traits\TableMetaTrait; @@ -144,22 +143,6 @@ public function initialize(array $config): void { 'model' => 'Cous' ] ]); - - $this->setPermissions([ - // Actions that operate over an entity (ie: require an $id) -// See also CFM-126 -// XXX need to add couAdmin, eventually - 'entity' => [ - 'delete' => ['platformAdmin', 'coAdmin'], - 'edit' => ['platformAdmin', 'coAdmin'], - 'view' => ['platformAdmin', 'coAdmin'] - ], - // Actions that operate over a table (ie: do not require an $id) - 'table' => [ - 'add' => ['platformAdmin', 'coAdmin'], - 'index' => ['platformAdmin', 'coAdmin'] - ] - ]); } /** 
diff --git a/app/src/Model/Table/TelephoneNumbersTable.php b/app/src/Model/Table/TelephoneNumbersTable.php index 65808fcfa..c0a4d7ece 100644 --- a/app/src/Model/Table/TelephoneNumbersTable.php +++ b/app/src/Model/Table/TelephoneNumbersTable.php @@ -38,7 +38,6 @@ class TelephoneNumbersTable extends Table { use \App\Lib\Traits\ChangelogBehaviorTrait; use \App\Lib\Traits\CoLinkTrait; use \App\Lib\Traits\HistoryTrait; - use \App\Lib\Traits\PermissionsTrait; use \App\Lib\Traits\PrimaryLinkTrait; use \App\Lib\Traits\TableMetaTrait; use \App\Lib\Traits\TypeTrait; @@ -92,21 +91,6 @@ public function initialize(array $config): void { 'attribute' => 'TelephoneNumbers.type' ] ]); - - $this->setPermissions([ - // Actions that operate over an entity (ie: require an $id) - 'entity' => [ - 'delete' => ['platformAdmin', 'coAdmin'], - 'edit' => ['platformAdmin', 'coAdmin'], - 'primary' => ['platformAdmin', 'coAdmin'], - 'view' => ['platformAdmin', 'coAdmin'] - ], - // Actions that operate over a table (ie: do not require an $id) - 'table' => [ - 'add' => ['platformAdmin', 'coAdmin'], - 'index' => ['platformAdmin', 'coAdmin'] - ] - ]); } /** diff --git a/app/src/Model/Table/TypesTable.php b/app/src/Model/Table/TypesTable.php index 4322c71dd..2bed1063b 100644 --- a/app/src/Model/Table/TypesTable.php +++ b/app/src/Model/Table/TypesTable.php @@ -40,7 +40,6 @@ class TypesTable extends Table { use \App\Lib\Traits\AutoViewVarsTrait; use \App\Lib\Traits\CoLinkTrait; - use \App\Lib\Traits\PermissionsTrait; use \App\Lib\Traits\PrimaryLinkTrait; use \App\Lib\Traits\SearchFilterTrait; use \App\Lib\Traits\TableMetaTrait; 
@@ -113,21 +112,6 @@ public function initialize(array $config): void { 'class' => 'SuspendableStatusEnum' ] ]); - - $this->setPermissions([ - // Actions that operate over an entity (ie: require an $id) - 'entity' => [ - 'delete' => ['platformAdmin', 'coAdmin'], - 'edit' => ['platformAdmin', 'coAdmin'], - 'view' => ['platformAdmin', 'coAdmin'] - ], - // Actions that operate over a table (ie: do not require an $id) - 'table' => [ - 'add' => ['platformAdmin', 'coAdmin'], - 'index' => ['platformAdmin', 'coAdmin'], - 'restore' => ['platformAdmin', 'coAdmin'] - ] - ]); } /** diff --git a/app/src/Model/Table/UrlsTable.php b/app/src/Model/Table/UrlsTable.php index 2539464f8..036c6a542 100644 --- a/app/src/Model/Table/UrlsTable.php +++ b/app/src/Model/Table/UrlsTable.php @@ -37,7 +37,6 @@ class UrlsTable extends Table { use \App\Lib\Traits\ChangelogBehaviorTrait; use \App\Lib\Traits\CoLinkTrait; use \App\Lib\Traits\HistoryTrait; - use \App\Lib\Traits\PermissionsTrait; use \App\Lib\Traits\PrimaryLinkTrait; use \App\Lib\Traits\TableMetaTrait; use \App\Lib\Traits\TypeTrait; @@ -85,21 +84,6 @@ public function initialize(array $config): void { 'attribute' => 'Urls.type' ] ]); - - $this->setPermissions([ - // Actions that operate over an entity (ie: require an $id) - 'entity' => [ - 'delete' => ['platformAdmin', 'coAdmin'], - 'edit' => ['platformAdmin', 'coAdmin'], - 'primary' => ['platformAdmin', 'coAdmin'], - 'view' => ['platformAdmin', 'coAdmin'] - ], - // Actions that operate over a table (ie: do not require an $id) - 'table' => [ - 'add' => ['platformAdmin', 'coAdmin'], - 'index' => ['platformAdmin', 'coAdmin'] - ] - ]); } /**