From 4e0952232771d8f10c60b441ef316d5a3a06539d Mon Sep 17 00:00:00 2001 From: Nils Haagen Date: Mon, 3 Feb 2025 09:21:39 +0100 Subject: [PATCH] IndAss: add permissions (create/publish records) --- ...ss.ilIndividualAssessmentAccessHandler.php | 30 ++++++++----- ...class.ilIndividualAssessmentSetupAgent.php | 43 ++++++++++++++++++- .../class.ilIndividualAssessmentMemberGUI.php | 18 +++----- lang/ilias_de.lang | 12 ++++-- lang/ilias_en.lang | 16 ++++--- 5 files changed, 84 insertions(+), 35 deletions(-) diff --git a/Modules/IndividualAssessment/classes/AccessControl/class.ilIndividualAssessmentAccessHandler.php b/Modules/IndividualAssessment/classes/AccessControl/class.ilIndividualAssessmentAccessHandler.php index 34626dfbb27d..c5f765fe4040 100644 --- a/Modules/IndividualAssessment/classes/AccessControl/class.ilIndividualAssessmentAccessHandler.php +++ b/Modules/IndividualAssessment/classes/AccessControl/class.ilIndividualAssessmentAccessHandler.php @@ -25,6 +25,11 @@ class ilIndividualAssessmentAccessHandler implements IndividualAssessmentAccessH { public const DEFAULT_ROLE = 'il_iass_member'; + public const RBAC_OP_CREATE_RECORDS = 'create_records'; + public const ORGU_OP_CREATE_RECORDS = 'ou_create_records'; + public const RBAC_OP_PUBLISH_RECORDS = 'publish_records'; + public const ORGU_OP_PUBLISH_RECORDS = 'ou_publish_records'; + protected ilObjIndividualAssessment $iass; protected ilAccessHandler $handler; protected ilRbacAdmin $admin; @@ -50,7 +55,7 @@ public function __construct( */ public function checkRBACAccessToObj(string $operation): bool { - if($this->simulateMember()) { + if ($this->simulateMember()) { return $this->checkMemberRoleForPermission($operation); } else { return $this->isSystemAdmin() || 
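Review bot: `RBAC_OP_PUBLISH_RECORDS` and `ORGU_OP_PUBLISH_RECORDS` are declared in the constants hunk of ilIndividualAssessmentAccessHandler and registered by the setup agent, but none of the five files in this patch checks them. Only the `*_CREATE_RECORDS` pair is enforced, in `mayGradeAnyUser()` and `mayGradeUser()`. As visible here, administrators get a "Publish Records" permission in the UI that does not restrict finalizing. That is worse than having no permission, because the role matrix then suggests a separation of duties that does not exist. Either gate the finalize path in this commit with `$this->handler->checkRbacOrPositionPermissionAccess(self::RBAC_OP_PUBLISH_RECORDS, self::ORGU_OP_PUBLISH_RECORDS, $this->iass->getRefId())`, or leave the publish pair unregistered until the check exists.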
@@ -72,6 +77,7 @@ public function checkRBACOrPositionAccessToObj(string $operation) ); } + /* if ($operation == "write_learning_progress") { return $this->handler->checkRbacOrPositionPermissionAccess( // This feels super odd, but this is actually ok because we do not have @@ -82,6 +88,7 @@ public function checkRBACOrPositionAccessToObj(string $operation) $this->iass->getRefId() ); } + */ throw new \LogicException("Unknown rbac/position-operation: $operation"); } @@ -100,13 +107,13 @@ protected function checkMemberRoleForPermission(string $operation): bool $this->review->getParentRoleIds($ref_id), static fn(array $role): bool => str_starts_with($role['title'], 'il_crs_member_') ); - if($roles === []) { + if ($roles === []) { return false; } $role = array_shift($roles); $active_ops = $this->review->getActiveOperationsOfRole($ref_id, $role['rol_id']); - foreach($active_ops as $op) { - if($this->review->getOperation($op)['operation'] === $operation) { + foreach ($active_ops as $op) { + if ($this->review->getOperation($op)['operation'] === $operation) { return true; } } @@ -189,7 +196,13 @@ public function mayViewAllUsers(): bool public function mayGradeAnyUser(): bool { - return $this->checkRBACOrPositionAccessToObj('write_learning_progress'); + //return $this->checkRBACOrPositionAccessToObj('write_learning_progress'); + return $this->handler->checkRbacOrPositionPermissionAccess( + self::RBAC_OP_CREATE_RECORDS, + self::ORGU_OP_CREATE_RECORDS, + $this->iass->getRefId() + ); + } public function mayGradeUser(int $user_id): bool 
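Review bot: Commenting out the `write_learning_progress` branch of `checkRBACOrPositionAccessToObj()` (the `/*` in this hunk and the matching `*/` in the next one) means any caller that still passes that operation now reaches the `LogicException` at the end of the method. `mayGradeAnyUser()` is moved off it in this patch, but the method starts outside the hunk and other callers are not visible, so they should be checked before merging. Delete the branch instead of leaving it as a comment. The dead block still names `read_learning_progress` as the RBAC side of grading, which is no longer true after this commit and will mislead the next person auditing the access rules.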
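Review bot: `mayGradeAnyUser()` now calls `$this->handler->checkRbacOrPositionPermissionAccess()` directly instead of going through `checkRBACOrPositionAccessToObj()`, so whatever that wrapper does before dispatching no longer applies to grading. Its opening lines are outside the visible hunks, so this cannot be verified here. Please confirm that nothing like the `simulateMember()` / `isSystemAdmin()` handling in `checkRBACAccessToObj()` is skipped on this path. Also drop the commented-out `//return $this->checkRBACOrPositionAccessToObj('write_learning_progress');` line and the empty line before the closing brace.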
@@ -197,11 +210,8 @@ public function mayGradeUser(int $user_id): bool return (count( $this->handler->filterUserIdsByRbacOrPositionOfCurrentUser( - // This feels super odd, but this is actually ok because we do not have - // a dedicated RBAC permission to write_learning_progress. - // See: https://mantis.ilias.de/view.php?id=36056#c89865 - "read_learning_progress", - "write_learning_progress", + self::RBAC_OP_CREATE_RECORDS, + self::ORGU_OP_CREATE_RECORDS, $this->iass->getRefId(), [$user_id] ) diff --git a/Modules/IndividualAssessment/classes/Setup/class.ilIndividualAssessmentSetupAgent.php b/Modules/IndividualAssessment/classes/Setup/class.ilIndividualAssessmentSetupAgent.php index 42d626ef729d..c266e7655a74 100644 --- a/Modules/IndividualAssessment/classes/Setup/class.ilIndividualAssessmentSetupAgent.php +++ b/Modules/IndividualAssessment/classes/Setup/class.ilIndividualAssessmentSetupAgent.php @@ -54,9 +54,16 @@ public function getInstallObjective(Setup\Config $config = null): Setup\Objectiv */ public function getUpdateObjective(Setup\Config $config = null): Setup\Objective { - return new ilDatabaseUpdateStepsExecutedObjective( - new ilIndividualAssessmentRectifyMembersTableDBUpdateSteps() + return new Setup\ObjectiveCollection( + 'Indivial Asessment', + true, + new ilDatabaseUpdateStepsExecutedObjective( + new ilIndividualAssessmentRectifyMembersTableDBUpdateSteps(), + ), + ...$this->getPermissionObjectives() ); + + } /** 
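Review bot: After this hunk, `mayGradeUser()` selects graders only by `self::RBAC_OP_CREATE_RECORDS` / `self::ORGU_OP_CREATE_RECORDS`, and nothing in this patch assigns those operations to the roles or positions that could grade before. The setup agent registers the operations but no visible step grants them. On update, grading is therefore denied to every existing examiner until someone sets the new permission by hand. That is the safe direction to fail in, but it should be stated in the upgrade notes or handled by a migration. A short comment above the call would also help, for example `// Grading is gated by create_records (RBAC) / ou_create_records (position); learning-progress permissions no longer apply.` The function body starts and ends outside this hunk.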
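Review bot: The label passed to `Setup\ObjectiveCollection` in `getUpdateObjective()` is misspelled; `'Indivial Asessment',` should read `'Individual Assessment',`. This string is what setup output shows when the permission objectives are applied, so a misspelled name makes it harder to find in logs when checking that the new operations were installed. The two empty lines before the closing brace of the method can go as well.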
@@ -82,4 +89,36 @@ public function getMigrations(): array { return []; } + + + protected function getPermissionObjectives(): array + { + return [ + new ilAccessCustomRBACOperationAddedObjective( + ilIndividualAssessmentAccessHandler::RBAC_OP_CREATE_RECORDS, + "Create Records for Users", + "object", + 9010, + ["iass"] + ), + new \ilOrgUnitOperationRegisteredObjective( + ilIndividualAssessmentAccessHandler::ORGU_OP_CREATE_RECORDS, + 'Create Records for Users', + ilOrgUnitOperationContext::CONTEXT_IASS + ), + new ilAccessCustomRBACOperationAddedObjective( + ilIndividualAssessmentAccessHandler::RBAC_OP_PUBLISH_RECORDS, + "Publish Records", + "object", + 9020, + ["iass"] + ), + new \ilOrgUnitOperationRegisteredObjective( + ilIndividualAssessmentAccessHandler::ORGU_OP_PUBLISH_RECORDS, + 'Publish Records', + ilOrgUnitOperationContext::CONTEXT_IASS + ) + ]; + } + } diff --git a/Modules/IndividualAssessment/classes/class.ilIndividualAssessmentMemberGUI.php b/Modules/IndividualAssessment/classes/class.ilIndividualAssessmentMemberGUI.php index b43cfd895d94..1763a4b410ac 100644 --- a/Modules/IndividualAssessment/classes/class.ilIndividualAssessmentMemberGUI.php +++ b/Modules/IndividualAssessment/classes/class.ilIndividualAssessmentMemberGUI.php @@ -177,7 +177,7 @@ protected function downloadFile(): void { $identifier = $this->getMember()->getGrading()->getFile(); $resource_id = $this->irss->manage()->find($identifier); - if($resource_id) { + if ($resource_id) { $this->irss->consume()->download($resource_id)->run(); } } @@ -353,7 +353,7 @@ protected function getUploadResult(): HandlerResult protected function getRemoveResult(string $identifier): HandlerResult { $resource_id = $this->irss->manage()->find($identifier); - if($resource_id) { + if ($resource_id) { $this->irss->manage()->remove($resource_id, $this->stakeholder); $status = HandlerResult::STATUS_OK; $message = $this->lng->txt('iass_file_deleted'); 
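Review bot: In `getPermissionObjectives()` the RBAC operation is named `create_records`, but the language files in this same patch add its label as `rbac#:#obj_records` while the sibling uses the plain key `rbac#:#publish_records`. That suggests the permission UI resolves `create_*` operations as object-creation permissions for a type named after the suffix; please confirm this. If it does, any other code that matches the `create_` prefix will also treat this grading right as a creation right, for example when filtering or copying permissions. A name without that prefix would avoid the collision. Separately, the method would benefit from a `@return Setup\Objective[]` docblock, and `\ilOrgUnitOperationRegisteredObjective` should be written the same way as the unprefixed `ilAccessCustomRBACOperationAddedObjective` next to it.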
@@ -368,7 +368,7 @@ protected function getRemoveResult(string $identifier): HandlerResult public function getInfoResult(string $identifier): ?FileInfoResult { $resource_id = $this->irss->manage()->find($identifier); - if(! $resource_id) { + if (! $resource_id) { return null; } $resource = $this->irss->manage()->getResource($resource_id); @@ -388,7 +388,7 @@ public function getInfoForExistingFiles(array $file_ids): array $file_ids = array_filter($file_ids, fn($id) => $id !== ""); return array_map(function ($id) { $resource_id = $this->irss->manage()->find($identifier); - if(! $resource_id) { + if (! $resource_id) { return null; } $resource = $this->irss->manage()->getResource($resource_id); @@ -510,7 +510,7 @@ protected function userMayGrade(): bool { return $this->getAccessHandler()->isSystemAdmin() || - (!$this->targetWasEditedByOtherUser($this->getMember()) && $this->getAccessHandler()->mayGradeUser($this->getMember()->id())) + ($this->getAccessHandler()->mayGradeUser($this->getMember()->id())) ; } @@ -524,14 +524,6 @@ protected function userMayAmend(): bool return $this->getAccessHandler()->mayAmendAllUsers(); } - protected function targetWasEditedByOtherUser(ilIndividualAssessmentMember $member): bool - { - return - (int) $member->examinerId() !== $this->user->getId() && - 0 !== (int) $member->examinerId() - ; - } - protected function isFinalized(): bool { return $this->getMember()->finalized(); diff --git a/lang/ilias_de.lang b/lang/ilias_de.lang index 629f6f4da4ba..1d9aa9b1e64d 100644 --- a/lang/ilias_de.lang +++ b/lang/ilias_de.lang 
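Review bot: `userMayGrade()` drops the `!$this->targetWasEditedByOtherUser(...)` condition, and the following hunk deletes that helper, so any user for whom `mayGradeUser()` is true can now change a draft record that another examiner started. This widens who can change a grade before it is finalized. Nothing in the visible hunks shows whether the original examiner is preserved or the overwrite is logged. If the broadening is intended, say so in a comment such as `// Any holder of create_records may edit another examiner's unfinalized record.` and make sure the change of examiner is recorded. The remaining expression also no longer needs its outer parentheses: `|| $this->getAccessHandler()->mayGradeUser($this->getMember()->id())`.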
@@ -10407,7 +10407,7 @@ iass#:#iass_amend_saved#:#Geänderte Prüfungsdaten wurden gespeichert. iass#:#iass_assessment_not_completed#:#Noch nicht abgeschlossen iass#:#iass_cancel#:#Abbrechen iass#:#iass_changed_by#:#Nachträglich geändert -iass#:#iass_confirm_finalize#:#Abschließen +iass#:#iass_confirm_finalize#:#Abschließen und veröffentlichen iass#:#iass_consultation_hours#:#Sprechstunden iass#:#iass_contact#:#Name iass#:#iass_contact_info#:#Kontaktinformationen @@ -10431,7 +10431,7 @@ iass#:#iass_filter_failed#:#Nur nicht bestanden iass#:#iass_filter_finalized#:#Nur bestandene iass#:#iass_filter_not_finalized#:#Nur nicht abgeschlossene iass#:#iass_filter_not_started#:#Nur nicht bewertete -iass#:#iass_finalize#:#Abschließen +iass#:#iass_finalize#:#Abschließen und veröffentlichen iass#:#iass_finalize_info#:#Die Individuelle Bewertung wird abgeschlossen. iass#:#iass_finalize_user_qst#:#Soll die Bewertung des Teilnehmers wirklich final abgeschlossen werden? Änderungen an der Bewertung sind hinterher nicht mehr möglich. iass#:#iass_further_field_headline#:#Detaillierte Informationen 
@@ -10442,8 +10442,8 @@ iass#:#iass_internal_note_info#:#Dieser Text ist nur für Personen sichtbar, die iass#:#iass_location#:#Ort iass#:#iass_mails#:#E-Mail iass#:#iass_may_not_finalize#:#Prüfung kann noch nicht abschließend bewertet werden. Bitte geben Sie eine Bewertung ab. -iass#:#iass_membership_finalized#:#Bewertung abgeschlossen. -iass#:#iass_membership_saved#:#Bewertung wurde gespeichert aber noch nicht final abgeschlossen. +iass#:#iass_membership_finalized#:#Bewertung veröffentlicht. +iass#:#iass_membership_saved#:#Bewertung wurde gespeichert aber noch nicht veröffentlicht. iass#:#iass_mess_notification_completed#:#Sie haben die Prüfung „%s“ bestanden. Beachten Sie bitte auch die folgende Notiz zur Prüfung. iass#:#iass_mess_notification_failed#:#Sie haben die Prüfung „%s“ leider nicht bestanden. Beachten Sie bitte auch die folgende Notiz zur Prüfung. iass#:#iass_notify#:#Ergebnis dem Teilnehmer zugänglich machen @@ -12938,6 +12938,8 @@ orgu#:#org_op_edit_individual_plan#:#Individuellen Plan bearbeiten orgu#:#org_op_edit_submissions_grades#:#Abgaben von anderen Benutzern bearbeiten orgu#:#org_op_manage_members#:#Mitglieder bearbeiten orgu#:#org_op_manage_participants#:#Teilnehmer verwalten +orgu#:#org_op_ou_create_records#:#Bewertungen vornehmen +orgu#:#org_op_ou_publish_records#:#Bewertungen veröffentlichen und abschließen orgu#:#org_op_read_employee_talk#:#Auf Gespräche lesend zugreifen orgu#:#org_op_read_learning_progress#:#Lernfortschritt von anderen Benutzern einsehen orgu#:#org_op_score_participants#:#Teilnehmer bewerten 
@@ -14194,6 +14196,7 @@ rbac#:#nwss_edit_permission#:#Rechteeinstellungen in der News- und Webfeeds-Admi rbac#:#nwss_read#:#Lesezugriff auf News- und Webfeeds-Administration rbac#:#nwss_visible#:#News- und Webfeeds-Administration ist sichtbar rbac#:#nwss_write#:#Einstellungen in der News- und Webfeeds-Administration bearbeiten +rbac#:#obj_records#:#Bewertungen vornehmen rbac#:#obj_skee#:#Kompetenzbaum rbac#:#org_op_access_results#:#Zugriff auf Ergebnisse untergeordneter Benutzer rbac#:#org_op_edit_submissions_grades#:#Abgaben von anderen Benutzern bearbeiten @@ -14278,6 +14281,7 @@ rbac#:#ps_export_member_data#:#Export von Mitgliederdaten in Gruppen und Kursen rbac#:#ps_read#:#Lesezugriff auf Datenschutz- und Sicherheitseinstellungen rbac#:#ps_visible#:#Datenschutz- und Sicherheitseinstellungen sind sichtbar rbac#:#ps_write#:#Bearbeiten der Datenschutz- und Sicherheitseinstellungen erlauben +rbac#:#publish_records#:#Bewertungen veröffentlichen und abschließen rbac#:#push_desktop_items#:#Inhalte empfehlen rbac#:#qpl_copy#:#Fragenpool kopieren rbac#:#qpl_delete#:#Fragenpool löschen oder verschieben diff --git a/lang/ilias_en.lang b/lang/ilias_en.lang index 334c82a11491..be2697af697a 100644 --- a/lang/ilias_en.lang +++ b/lang/ilias_en.lang @@ -10407,7 +10407,7 @@ iass#:#iass_amend_saved#:#Amended record has been saved. iass#:#iass_assessment_not_completed#:#Not completed yet iass#:#iass_cancel#:#Cancel iass#:#iass_changed_by#:#Changed after finalization -iass#:#iass_confirm_finalize#:#Finalize +iass#:#iass_confirm_finalize#:#Publish and freeze iass#:#iass_consultation_hours#:#Consultation hours iass#:#iass_contact#:#Name iass#:#iass_contact_info#:#Contact information 
@@ -10431,9 +10431,9 @@ iass#:#iass_filter_failed#:#Failed only iass#:#iass_filter_finalized#:#Completed only iass#:#iass_filter_not_finalized#:#Drafts only iass#:#iass_filter_not_started#:#Not started only -iass#:#iass_finalize#:#Finalize -iass#:#iass_finalize_info#:#Individual Assessment will be finalized. -iass#:#iass_finalize_user_qst#:#Should the participant's status really be finalised? No changes possible thereafter. +iass#:#iass_finalize#:#Publish and freeze +iass#:#iass_finalize_info#:#Individual Assessment will be published and frozen. +iass#:#iass_finalize_user_qst#:#Should the participant's status really be published? No changes possible thereafter. iass#:#iass_further_field_headline#:#Detailed Information iass#:#iass_graded_by#:#Graded by iass#:#iass_info_emails_expl#:#You may provide several addresses separated by comma. @@ -10442,8 +10442,8 @@ iass#:#iass_internal_note_info#:#Internal notes are only visible for tutors but iass#:#iass_location#:#Location iass#:#iass_mails#:#E-Mail iass#:#iass_may_not_finalize#:#Examinee may not be finalised. Please grade the user first. -iass#:#iass_membership_finalized#:#Record finalised -iass#:#iass_membership_saved#:#Record saved, not yet finalised +iass#:#iass_membership_finalized#:#Record published and frozen +iass#:#iass_membership_saved#:#Record saved, not yet published iass#:#iass_mess_notification_completed#:#You passed the assessment %s. Please check the following grading record for details: iass#:#iass_mess_notification_failed#:#You failed the assessment %s. Please check the following grading record for details: iass#:#iass_notify#:#Make Result available to Participant 
@@ -12938,6 +12938,8 @@ orgu#:#org_op_edit_individual_plan#:#Edit Individual Plan orgu#:#org_op_edit_submissions_grades#:#Edit submissions of other users orgu#:#org_op_manage_members#:#Manage Members orgu#:#org_op_manage_participants#:#Manage Participants +orgu#:#org_op_ou_create_records#:#Create Records for Users +orgu#:#org_op_ou_publish_records#:#Publish and freeze Records orgu#:#org_op_read_employee_talk#:#Read access talk appointments orgu#:#org_op_read_learning_progress#:#View learning progress of other users orgu#:#org_op_score_participants#:#Score Participants @@ -14194,6 +14196,7 @@ rbac#:#nwss_edit_permission#:#User can change permission settings in News and We rbac#:#nwss_read#:#User has read access to ews and Web Feeds administration rbac#:#nwss_visible#:#News and Web Feeds administration is visible rbac#:#nwss_write#:#User can edit settings in News and Web Feeds administration +rbac#:#obj_records#:#Create Records for Users rbac#:#obj_skee#:#Competence Tree rbac#:#org_op_access_results#:#Access Results of Subordinated Users rbac#:#org_op_edit_submissions_grades#:#Edit submissions of other users @@ -14278,6 +14281,7 @@ rbac#:#ps_export_member_data#:#User can export member data in courses and groups rbac#:#ps_read#:#User has read access to Privacy/Security administration rbac#:#ps_visible#:#Privacy/Security administration is visible rbac#:#ps_write#:#User can edit settings in Privacy/Security administration +rbac#:#publish_records#:#Publish and freeze Records rbac#:#push_desktop_items#:#Recommend Content rbac#:#qpl_copy#:#User can copy question pool for tests rbac#:#qpl_delete#:#User can move or delete question pool