Refactor ACL

rjmackay · rjmackay · commit 1a6973fd3b67 · 2017-07-19T16:16:53.000+12:00
- Replace PermissionAccess trait with AclTrait. This *only* handles injecting the ACL
- Move enabling/disabling custom roles into Acl implementation
- Add default roles+permissions into Acl
diff --git a/application/classes/Ushahidi/Repository/Form/Stage.php b/application/classes/Ushahidi/Repository/Form/Stage.php
@@ -18,15 +18,15 @@
 use Ushahidi\Core\Traits\UserContext;
 
 use Ushahidi\Core\Traits\AdminAccess;
-use Ushahidi\Core\Traits\PermissionAccess;
+use Ushahidi\Core\Tool\Permissions\AclTrait;
 
 class Ushahidi_Repository_Form_Stage extends Ushahidi_Repository implements
 	FormStageRepository
 {
 	use UserContext;
 
-	// Provides `hasPermission`
-	use PermissionAccess;
+	// Provides `acl`
+	use AclTrait;
 
 	use PostValueRestrictions;
 
diff --git a/application/classes/Ushahidi/Repository/Post.php b/application/classes/Ushahidi/Repository/Post.php
@@ -25,7 +25,7 @@
 use Ushahidi\Core\Usecase\Set\SetPostRepository;
 use Ushahidi\Core\Traits\UserContext;
 use Ushahidi\Core\Traits\Permissions\ManagePosts;
-use Ushahidi\Core\Traits\PermissionAccess;
+use Ushahidi\Core\Tool\Permissions\AclTrait;
 use Ushahidi\Core\Traits\AdminAccess;
 use Ushahidi\Core\Tool\Permissions\Permissionable;
 use Ushahidi\Core\Traits\PostValueRestrictions;
@@ -48,8 +48,8 @@ class Ushahidi_Repository_Post extends Ushahidi_Repository implements
 	// Use the JSON transcoder to encode properties
 	use Ushahidi_JsonTranscodeRepository;
 
-	// Provides `hasPermission`
-	use PermissionAccess;
+	// Provides `acl`
+	use AclTrait;
 
 	// Checks if user is Admin
 	use AdminAccess;
@@ -492,7 +492,7 @@ protected function setSearchConditions(SearchData $search)
 		if (!$user->id) {
 			$query->where("$table.status", '=', 'published');
 		} elseif (!$this->isUserAdmin($user) and
-				  !$this->hasPermission($user, Permission::MANAGE_POSTS)) {
+				  !$this->acl->hasPermission($user, Permission::MANAGE_POSTS)) {
 			$query
 				->and_where_open()
 				->where("$table.status", '=', 'published')
diff --git a/application/classes/Ushahidi/Validator/Post/Create.php b/application/classes/Ushahidi/Validator/Post/Create.php
@@ -20,7 +20,7 @@
 use Ushahidi\Core\Entity\PostSearchData;
 use Ushahidi\Core\Tool\Validator;
 use Ushahidi\Core\Traits\UserContext;
-use Ushahidi\Core\Traits\PermissionAccess;
+use Ushahidi\Core\Tool\Permissions\AclTrait;
 use Ushahidi\Core\Traits\AdminAccess;
 use Ushahidi\Core\Traits\Permissions\ManagePosts;
 use Ushahidi\Core\Usecase\Post\UpdatePostRepository;
@@ -30,8 +30,8 @@ class Ushahidi_Validator_Post_Create extends Validator
 {
 	use UserContext;
 
-	// Provides `hasPermission`
-	use PermissionAccess;
+	// Provides `acl`
+	use AclTrait;
 
 	// Checks if user is Admin
 	use AdminAccess;
@@ -189,7 +189,7 @@ public function checkApprovalRequired (Validation $validation, $status, $fullDat
 
 		$user = $this->getUser();
 		// Do we have permission to publish this post?
-		$userCanChangeStatus = ($this->isUserAdmin($user) or $this->hasPermission($user, Permission::MANAGE_POSTS));
+		$userCanChangeStatus = ($this->isUserAdmin($user) or $this->acl->hasPermission($user, Permission::MANAGE_POSTS));
 		// .. if yes, any status is ok.
 		if ($userCanChangeStatus) {
 			return;
diff --git a/src/App/Acl.php b/src/App/Acl.php
@@ -13,27 +13,73 @@
 
 use Ushahidi\Core\Tool\Permissions\Acl as AclInterface;
 use Ushahidi\Core\Entity\User;
+use Ushahidi\Core\Entity\Permission;
 use Ushahidi\Core\Entity\RoleRepository;
 
 class Acl implements AclInterface
 {
 	protected $role_repo;
+	protected $roles_enabled = false;
+	const DEFAULT_ROLES = [
+		'user'  => [Permission::EDIT_OWN_POSTS]
+	];
 
 	public function setRoleRepo(RoleRepository $role_repo)
 	{
 		$this->role_repo = $role_repo;
 	}
 
+	public function setRolesEnabled($roles_enabled)
+	{
+		$this->roles_enabled = $roles_enabled;
+	}
+
+	/**
+	 * Check if custom roles are enabled for this deployment
+	 * @return boolean
+	 */
+	protected function hasRolesEnabled()
+	{
+		return (bool) $this->roles_enabled;
+	}
+
 	// Acl interface
 	public function hasPermission(User $user, $permission)
 	{
+		// If the user has no role, they have no permissions
 		if (!$user->role) {
 			return false;
 		}
 
+		// Don't check for permissions if we don't have the
+		// roles feature enabled
+		if ($this->hasRolesEnabled()) {
+			return $this->customRoleHasPermission($user, $permission);
+		} else {
+			return $this->defaultHasPermission($user, $permission);
+		}
+	}
+
+	protected function customRoleHasPermission(User $user, $permission)
+	{
 		$role = $this->role_repo->getByName($user->role);
 
 		// Does the user have the permission?
 		return in_array($permission, $role->permissions);
 	}
+
+	protected function defaultHasPermission(User $user, $permission)
+	{
+		// Admin has all permissions
+		// This is probably never actually run, but here just in case
+		if ($user->role === 'admin') {
+			return true;
+		}
+
+		$defaultRoles = static::DEFAULT_ROLES;
+		$rolePermissions = isset($defaultRoles[$user->role]) ? $defaultRoles[$user->role] : [];
+
+		// Does the user have the permission?
+		return in_array($permission, $rolePermissions);
+	}
 }
diff --git a/src/App/Init.php b/src/App/Init.php
@@ -10,6 +10,7 @@
 // Helpers, tools, etc
 $di->set('tool.acl', $di->lazyNew('Ushahidi\App\Acl'));
 $di->setter['Ushahidi\App\Acl']['setRoleRepo'] = $di->lazyGet('repository.role');
+$di->setter['Ushahidi\App\Acl']['setRolesEnabled'] = $di->lazyGet('roles.enabled');
 
 $di->set('tool.hasher.password', $di->lazyNew('Ushahidi\App\Hasher\Password'));
 $di->set('tool.authenticator.password', $di->lazyNew('Ushahidi\App\Authenticator\Password'));
diff --git a/src/Core/Tool/Authorizer/CSVAuthorizer.php b/src/Core/Tool/Authorizer/CSVAuthorizer.php
@@ -18,7 +18,7 @@
 use Ushahidi\Core\Traits\AdminAccess;
 use Ushahidi\Core\Traits\UserContext;
 use Ushahidi\Core\Traits\PrivAccess;
-use Ushahidi\Core\Traits\PermissionAccess;
+use Ushahidi\Core\Tool\Permissions\AclTrait;
 use Ushahidi\Core\Traits\DataImportAccess;
 
 class CSVAuthorizer implements Authorizer
@@ -33,7 +33,7 @@ class CSVAuthorizer implements Authorizer
 
 	// Check that the user has the necessary permissions
 	// if roles are available for this deployment.
-	use PermissionAccess;
+	use AclTrait;
 
 	// Check if the user can import data
 	use DataImportAccess;
@@ -50,7 +50,7 @@ public function isAllowed(Entity $entity, $privilege)
 		$user = $this->getUser();
 
 		// Allow role with the right permissions
-		if ($this->hasPermission($user, Permission::DATA_IMPORT)) {
+		if ($this->acl->hasPermission($user, Permission::DATA_IMPORT)) {
 			return true;
 		}
 
diff --git a/src/Core/Tool/Authorizer/ConfigAuthorizer.php b/src/Core/Tool/Authorizer/ConfigAuthorizer.php
@@ -20,7 +20,7 @@
 use Ushahidi\Core\Traits\AdminAccess;
 use Ushahidi\Core\Traits\UserContext;
 use Ushahidi\Core\Traits\PrivAccess;
-use Ushahidi\Core\Traits\PermissionAccess;
+use Ushahidi\Core\Tool\Permissions\AclTrait;
 
 // The `ConfigAuthorizer` class is responsible for access checks on `Config` Entities
 class ConfigAuthorizer implements Authorizer
@@ -36,7 +36,7 @@ class ConfigAuthorizer implements Authorizer
 
 	// Check that the user has the necessary permissions
 	// if roles are available for this deployment.
-	use PermissionAccess;
+	use AclTrait;
 
 	/**
 	 * Public config groups
@@ -62,7 +62,7 @@ public function isAllowed(Entity $entity, $privilege)
 		}
 
 		// Allow role with the right permissions to do everything else
-		if ($this->hasPermission($user, Permission::MANAGE_SETTINGS)) {
+		if ($this->acl->hasPermission($user, Permission::MANAGE_SETTINGS)) {
 			return true;
 		}
 
diff --git a/src/Core/Tool/Authorizer/DataProviderAuthorizer.php b/src/Core/Tool/Authorizer/DataProviderAuthorizer.php
@@ -17,7 +17,7 @@
 use Ushahidi\Core\Traits\UserContext;
 use Ushahidi\Core\Traits\AdminAccess;
 use Ushahidi\Core\Traits\PrivAccess;
-use Ushahidi\Core\Traits\PermissionAccess;
+use Ushahidi\Core\Tool\Permissions\AclTrait;
 
 // The `DataProviderAuthorizer` class is responsible for access checks on `DataProvider` Entities
 class DataProviderAuthorizer implements Authorizer
@@ -33,7 +33,7 @@ class DataProviderAuthorizer implements Authorizer
 
 	// Check that the user has the necessary permissions
 	// if roles are available for this deployment.
-	use PermissionAccess;
+	use AclTrait;
 
 	// Authorizer
     public function isAllowed(Entity $entity, $privilege)
@@ -42,7 +42,7 @@ public function isAllowed(Entity $entity, $privilege)
 		$user = $this->getUser();
 
 		// Allow role with the right permissions
-		if ($this->hasPermission($user, Permission::MANAGE_SETTINGS)) {
+		if ($this->acl->hasPermission($user, Permission::MANAGE_SETTINGS)) {
 			return true;
 		}
 
diff --git a/src/Core/Tool/Authorizer/FormAuthorizer.php b/src/Core/Tool/Authorizer/FormAuthorizer.php
@@ -21,7 +21,7 @@
 use Ushahidi\Core\Traits\ParentAccess;
 use Ushahidi\Core\Traits\PrivAccess;
 use Ushahidi\Core\Traits\PrivateDeployment;
-use Ushahidi\Core\Traits\PermissionAccess;
+use Ushahidi\Core\Tool\Permissions\AclTrait;
 
 // The `FormAuthorizer` class is responsible for access checks on `Forms`
 class FormAuthorizer implements Authorizer
@@ -41,7 +41,7 @@ class FormAuthorizer implements Authorizer
 	use PrivateDeployment;
 
 	// Check that the user has the necessary permissions
-	use PermissionAccess;
+	use AclTrait;
 
 	// It requires a `FormRepository` to load parent posts too.
 	protected $form_repo;
@@ -66,7 +66,7 @@ public function isAllowed(Entity $entity, $privilege)
 		}
 
 		// Allow role with the right permissions
-		if ($this->hasPermission($user, Permission::MANAGE_SETTINGS)) {
+		if ($this->acl->hasPermission($user, Permission::MANAGE_SETTINGS)) {
 			return true;
 		}
 
diff --git a/src/Core/Tool/Authorizer/PostAuthorizer.php b/src/Core/Tool/Authorizer/PostAuthorizer.php
@@ -25,7 +25,7 @@
 use Ushahidi\Core\Traits\PrivAccess;
 use Ushahidi\Core\Traits\UserContext;
 use Ushahidi\Core\Traits\PrivateDeployment;
-use Ushahidi\Core\Traits\PermissionAccess;
+use Ushahidi\Core\Tool\Permissions\AclTrait;
 
 // The `PostAuthorizer` class is responsible for access checks on `Post` Entities
 class PostAuthorizer implements Authorizer
@@ -47,7 +47,7 @@ class PostAuthorizer implements Authorizer
 
     // Check that the user has the necessary permissions
     // if roles are available for this deployment.
-    use PermissionAccess;
+    use AclTrait;
 
     /**
      * Get a list of all possible privilges.
@@ -87,7 +87,7 @@ public function isAllowed(Entity $entity, $privilege)
         }
 
         // First check whether there is a role with the right permissions
-        if ($this->hasPermission($user, Permission::MANAGE_POSTS)) {
+        if ($this->acl->hasPermission($user, Permission::MANAGE_POSTS)) {
             return true;
         }
 
@@ -150,7 +150,7 @@ public function isAllowed(Entity $entity, $privilege)
         // ownership but those are already checked above
         if ($this->isUserOwner($entity, $user)
             && in_array($privilege, ['update', 'delete'])
-            && $this->hasPermission($user, Permission::EDIT_OWN_POSTS)) {
+            && $this->acl->hasPermission($user, Permission::EDIT_OWN_POSTS)) {
             return true;
         }
 
diff --git a/src/Core/Tool/Authorizer/SetAuthorizer.php b/src/Core/Tool/Authorizer/SetAuthorizer.php
@@ -21,7 +21,7 @@
 use Ushahidi\Core\Traits\UserContext;
 use Ushahidi\Core\Traits\PrivAccess;
 use Ushahidi\Core\Traits\PrivateDeployment;
-use Ushahidi\Core\Traits\PermissionAccess;
+use Ushahidi\Core\Tool\Permissions\AclTrait;
 
 // The `SetAuthorizer` class is responsible for access checks on `Sets`
 class SetAuthorizer implements Authorizer
@@ -42,7 +42,7 @@ class SetAuthorizer implements Authorizer
 
 	// Check that the user has the necessary permissions
 	// if roles are available for this deployment.
-	use PermissionAccess;
+	use AclTrait;
 
 	protected function isVisibleToUser(Set $entity, $user)
 	{
@@ -66,7 +66,7 @@ public function isAllowed(Entity $entity, $privilege)
 		}
 
 		// First check whether there is a role with the right permissions
-		if ($this->hasPermission($user, Permission::MANAGE_POSTS)) {
+		if ($this->acl->hasPermission($user, Permission::MANAGE_POSTS)) {
 			return true;
 		}
 
diff --git a/src/Core/Tool/Authorizer/TagAuthorizer.php b/src/Core/Tool/Authorizer/TagAuthorizer.php
@@ -20,7 +20,7 @@
 use Ushahidi\Core\Traits\UserContext;
 use Ushahidi\Core\Traits\PrivAccess;
 use Ushahidi\Core\Traits\PrivateDeployment;
-use Ushahidi\Core\Traits\PermissionAccess;
+use Ushahidi\Core\Tool\Permissions\AclTrait;
 
 // The `TagAuthorizer` class is responsible for access checks on `Tags`
 class TagAuthorizer implements Authorizer
@@ -39,7 +39,7 @@ class TagAuthorizer implements Authorizer
 
 	// Check that the user has the necessary permissions
 	// if roles are available for this deployment.
-	use PermissionAccess;
+	use AclTrait;
 
 	protected function isUserOfRole(Tag $entity, $user)
 	{
@@ -63,7 +63,7 @@ public function isAllowed(Entity $entity, $privilege)
 		}
 
 		// First check whether there is a role with the right permissions
-		if ($this->hasPermission($user, Permission::MANAGE_SETTINGS)) {
+		if ($this->acl->hasPermission($user, Permission::MANAGE_SETTINGS)) {
 			return true;
 		}
 
diff --git a/src/Core/Tool/Authorizer/UserAuthorizer.php b/src/Core/Tool/Authorizer/UserAuthorizer.php
@@ -19,7 +19,7 @@
 use Ushahidi\Core\Traits\UserContext;
 use Ushahidi\Core\Traits\PrivAccess;
 use Ushahidi\Core\Traits\PrivateDeployment;
-use Ushahidi\Core\Traits\PermissionAccess;
+use Ushahidi\Core\Tool\Permissions\AclTrait;
 
 // The `UserAuthorizer` class is responsible for access checks on `Users`
 class UserAuthorizer implements Authorizer
@@ -37,7 +37,7 @@ class UserAuthorizer implements Authorizer
 	use PrivateDeployment;
 
 	// Check that the user has the necessary permissions
-	use PermissionAccess;
+	use AclTrait;
 
 	/**
 	 * Get a list of all possible privilges.
@@ -66,7 +66,7 @@ public function isAllowed(Entity $entity, $privilege)
 		}
 
 		// Role with the Manage Users permission can manage all users
-		if ($this->hasPermission($user, Permission::MANAGE_USERS)) {
+		if ($this->acl->hasPermission($user, Permission::MANAGE_USERS)) {
 			return true;
 		}
 
diff --git a/src/Core/Tool/Permissions/AclTrait.php b/src/Core/Tool/Permissions/AclTrait.php
diff --git a/src/Core/Traits/PermissionAccess.php b/src/Core/Traits/PermissionAccess.php
diff --git a/src/Core/Traits/PostValueRestrictions.php b/src/Core/Traits/PostValueRestrictions.php
diff --git a/src/Init.php b/src/Init.php
