Refactor PermissionAccess trait to allow checking for multiple permis…

…sions Refactors PermissionAccess not to be tied to getPermission fn on the current class, instead we pass permission as a parameter and use constants on the Permission entity to define possible permission values.
ushahidi · Jul 19, 2017 · 3ae7442 · 3ae7442
1 parent 10501e8
commit 3ae7442
Show file tree

Hide file tree

Showing 21 changed files with 46 additions and 240 deletions.
diff --git a/application/classes/Ushahidi/Repository/Form/Attribute.php b/application/classes/Ushahidi/Repository/Form/Attribute.php
@@ -15,7 +15,6 @@
 use Ushahidi\Core\Entity\FormAttributeRepository;
 use Ushahidi\Core\Entity\FormStageRepository;
 use Ushahidi\Core\Entity\FormRepository;
-use Ushahidi\Core\Traits\PostValueRestrictions;
 use Ushahidi\Core\Traits\UserContext;
 
 use Ramsey\Uuid\Uuid;
@@ -26,8 +25,6 @@ class Ushahidi_Repository_Form_Attribute extends Ushahidi_Repository implements
 {
 	use UserContext;
 
-	use PostValueRestrictions;
-
 	protected $form_stage_repo;
 
 	protected $form_repo;
@@ -97,7 +94,7 @@ public function create(Entity $entity)
 		}
 		return $this->executeInsertAttribute($this->removeNullValues($record));
 	}
-	
+
 	// Override SearchRepository
 	public function setSearchParams(SearchData $search)
 	{

diff --git a/application/classes/Ushahidi/Repository/Form/Stage.php b/application/classes/Ushahidi/Repository/Form/Stage.php
@@ -19,24 +19,20 @@
 
 use Ushahidi\Core\Traits\AdminAccess;
 use Ushahidi\Core\Traits\PermissionAccess;
-use Ushahidi\Core\Traits\Permissions\ManagePosts;
 
 class Ushahidi_Repository_Form_Stage extends Ushahidi_Repository implements
 	FormStageRepository
 {
 	use UserContext;
 
+	// Provides `hasPermission`
+	use PermissionAccess;
+
 	use PostValueRestrictions;
 
 	// Checks if user is Admin
 	use AdminAccess;
 
-	// Provides `hasPermission`
-	use PermissionAccess;
-
-	// Provides `getPermission`
-	use ManagePosts;
-
 	protected $form_id;
 	protected $form_repo;
 

diff --git a/application/classes/Ushahidi/Repository/Post.php b/application/classes/Ushahidi/Repository/Post.php
@@ -13,6 +13,7 @@
 use Ushahidi\Core\Entity\FormRepository;
 use Ushahidi\Core\Entity\FormAttributeRepository;
 use Ushahidi\Core\Entity\FormStageRepository;
+use Ushahidi\Core\Entity\Permission;
 use Ushahidi\Core\Entity\Post;
 use Ushahidi\Core\Entity\PostValueContainer;
 use Ushahidi\Core\Entity\PostRepository;
@@ -37,8 +38,7 @@
 class Ushahidi_Repository_Post extends Ushahidi_Repository implements
 	PostRepository,
 	UpdatePostRepository,
-	SetPostRepository,
-	Permissionable
+	SetPostRepository
 {
 	use UserContext;
 
@@ -48,9 +48,6 @@ class Ushahidi_Repository_Post extends Ushahidi_Repository implements
 	// Use the JSON transcoder to encode properties
 	use Ushahidi_JsonTranscodeRepository;
 
-	// Provides `getPermission`
-	use ManagePosts;
-
 	// Provides `hasPermission`
 	use PermissionAccess;
 
@@ -495,7 +492,7 @@ protected function setSearchConditions(SearchData $search)
 		if (!$user->id) {
 			$query->where("$table.status", '=', 'published');
 		} elseif (!$this->isUserAdmin($user) and
-				  !$this->hasPermission($user, $this->getPermission())) {
+				  !$this->hasPermission($user, Permission::MANAGE_POSTS)) {
 			$query
 				->and_where_open()
 				->where("$table.status", '=', 'published')

diff --git a/application/classes/Ushahidi/Validator/Post/Create.php b/application/classes/Ushahidi/Validator/Post/Create.php
@@ -14,6 +14,7 @@
 use Ushahidi\Core\Entity\FormStageRepository;
 use Ushahidi\Core\Entity\UserRepository;
 use Ushahidi\Core\Entity\FormRepository;
+use Ushahidi\Core\Entity\Permission;
 use Ushahidi\Core\Entity\PostRepository;
 use Ushahidi\Core\Entity\RoleRepository;
 use Ushahidi\Core\Entity\PostSearchData;
@@ -35,9 +36,6 @@ class Ushahidi_Validator_Post_Create extends Validator
 	// Checks if user is Admin
 	use AdminAccess;
 
-	// Provides `getPermission`
-	use ManagePosts;
-
 	protected $repo;
 	protected $attribute_repo;
 	protected $stage_repo;
@@ -191,7 +189,7 @@ public function checkApprovalRequired (Validation $validation, $status, $fullDat
 
 		$user = $this->getUser();
 		// Do we have permission to publish this post?
-		$userCanChangeStatus = ($this->isUserAdmin($user) or $this->hasPermission($user));
+		$userCanChangeStatus = ($this->isUserAdmin($user) or $this->hasPermission($user, Permission::MANAGE_POSTS));
 		// .. if yes, any status is ok.
 		if ($userCanChangeStatus) {
 			return;

diff --git a/src/Core/Entity/Permission.php b/src/Core/Entity/Permission.php
@@ -19,6 +19,12 @@ class Permission extends StaticEntity
 	protected $name;
 	protected $description;
 
+	// Standard permissions names
+	const DATA_IMPORT      = 'Bulk Data Import';
+	const MANAGE_POSTS     = 'Manage Posts';
+	const MANAGE_SETTINGS  = 'Manage Settings';
+	const MANAGE_USERS     = 'Manage Users';
+
 	// DataTransformer
 	public function getDefinition()
 	{

diff --git a/src/Core/Tool/Authorizer/CSVAuthorizer.php b/src/Core/Tool/Authorizer/CSVAuthorizer.php
@@ -13,17 +13,15 @@
 
 use Ushahidi\Core\Entity;
 use Ushahidi\Core\Entity\CSV;
+use Ushahidi\Core\Entity\Permission;
 use Ushahidi\Core\Tool\Authorizer;
-use Ushahidi\Core\Tool\Permissions\Acl;
-use Ushahidi\Core\Tool\Permissions\Permissionable;
 use Ushahidi\Core\Traits\AdminAccess;
 use Ushahidi\Core\Traits\UserContext;
 use Ushahidi\Core\Traits\PrivAccess;
 use Ushahidi\Core\Traits\PermissionAccess;
-use Ushahidi\Core\Traits\Permissions\DataImport;
 use Ushahidi\Core\Traits\DataImportAccess;
 
-class CSVAuthorizer implements Authorizer, Permissionable
+class CSVAuthorizer implements Authorizer
 {
 	use UserContext;
 
@@ -37,9 +35,6 @@ class CSVAuthorizer implements Authorizer, Permissionable
 	// if roles are available for this deployment.
 	use PermissionAccess;
 
-	// Provides `getPermission`
-	use DataImport;
-
 	// Check if the user can import data
 	use DataImportAccess;
 
@@ -55,7 +50,7 @@ public function isAllowed(Entity $entity, $privilege)
 		$user = $this->getUser();
 
 		// Allow role with the right permissions
-		if ($this->hasPermission($user)) {
+		if ($this->hasPermission($user, Permission::DATA_IMPORT)) {
 			return true;
 		}
 

diff --git a/src/Core/Tool/Authorizer/ConfigAuthorizer.php b/src/Core/Tool/Authorizer/ConfigAuthorizer.php
@@ -15,17 +15,15 @@
 use Ushahidi\Core\Entity\Config;
 use Ushahidi\Core\Entity\User;
 use Ushahidi\Core\Entity\UserRepository;
+use Ushahidi\Core\Entity\Permission;
 use Ushahidi\Core\Tool\Authorizer;
-use Ushahidi\Core\Tool\Permissions\Acl;
-use Ushahidi\Core\Tool\Permissions\Permissionable;
 use Ushahidi\Core\Traits\AdminAccess;
 use Ushahidi\Core\Traits\UserContext;
 use Ushahidi\Core\Traits\PrivAccess;
 use Ushahidi\Core\Traits\PermissionAccess;
-use Ushahidi\Core\Traits\Permissions\ManageSettings;
 
 // The `ConfigAuthorizer` class is responsible for access checks on `Config` Entities
-class ConfigAuthorizer implements Authorizer, Permissionable
+class ConfigAuthorizer implements Authorizer
 {
 	// The access checks are run under the context of a specific user
 	use UserContext;
@@ -40,9 +38,6 @@ class ConfigAuthorizer implements Authorizer, Permissionable
 	// if roles are available for this deployment.
 	use PermissionAccess;
 
-	// Provides `getPermission`
-	use ManageSettings;
-
 	/**
 	 * Public config groups
 	 * @var [string, ...]
@@ -67,7 +62,7 @@ public function isAllowed(Entity $entity, $privilege)
 		}
 
 		// Allow role with the right permissions to do everything else
-		if ($this->hasPermission($user)) {
+		if ($this->hasPermission($user, Permission::MANAGE_SETTINGS)) {
 			return true;
 		}
 

diff --git a/src/Core/Tool/Authorizer/DataProviderAuthorizer.php b/src/Core/Tool/Authorizer/DataProviderAuthorizer.php
@@ -13,16 +13,14 @@
 
 use Ushahidi\Core\Tool\Authorizer;
 use Ushahidi\Core\Entity;
-use Ushahidi\Core\Tool\Permissions\Acl;
-use Ushahidi\Core\Tool\Permissions\Permissionable;
+use Ushahidi\Core\Entity\Permission;
 use Ushahidi\Core\Traits\UserContext;
 use Ushahidi\Core\Traits\AdminAccess;
 use Ushahidi\Core\Traits\PrivAccess;
 use Ushahidi\Core\Traits\PermissionAccess;
-use Ushahidi\Core\Traits\Permissions\ManageSettings;
 
 // The `DataProviderAuthorizer` class is responsible for access checks on `DataProvider` Entities
-class DataProviderAuthorizer implements Authorizer, Permissionable
+class DataProviderAuthorizer implements Authorizer
 {
 	// The access checks are run under the context of a specific user
     use UserContext;
@@ -37,17 +35,14 @@ class DataProviderAuthorizer implements Authorizer, Permissionable
 	// if roles are available for this deployment.
 	use PermissionAccess;
 
-	// Provides `getPermission`
-	use ManageSettings;
-
 	// Authorizer
     public function isAllowed(Entity $entity, $privilege)
     {
 		// These checks are run within the user context.
 		$user = $this->getUser();
-		
+
 		// Allow role with the right permissions
-		if ($this->hasPermission($user)) {
+		if ($this->hasPermission($user, Permission::MANAGE_SETTINGS)) {
 			return true;
 		}
 

diff --git a/src/Core/Tool/Authorizer/FormAuthorizer.php b/src/Core/Tool/Authorizer/FormAuthorizer.php
@@ -14,19 +14,17 @@
 use Ushahidi\Core\Entity;
 use Ushahidi\Core\Entity\Form;
 use Ushahidi\Core\Entity\FormRepository;
+use Ushahidi\Core\Entity\Permission;
 use Ushahidi\Core\Tool\Authorizer;
-use Ushahidi\Core\Tool\Permissions\Acl;
-use Ushahidi\Core\Tool\Permissions\Permissionable;
 use Ushahidi\Core\Traits\AdminAccess;
 use Ushahidi\Core\Traits\UserContext;
 use Ushahidi\Core\Traits\ParentAccess;
 use Ushahidi\Core\Traits\PrivAccess;
 use Ushahidi\Core\Traits\PrivateDeployment;
 use Ushahidi\Core\Traits\PermissionAccess;
-use Ushahidi\Core\Traits\Permissions\ManageSettings;
 
 // The `FormAuthorizer` class is responsible for access checks on `Forms`
-class FormAuthorizer implements Authorizer, Permissionable
+class FormAuthorizer implements Authorizer
 {
 	// The access checks are run under the context of a specific user
 	use UserContext;
@@ -45,9 +43,6 @@ class FormAuthorizer implements Authorizer, Permissionable
 	// Check that the user has the necessary permissions
 	use PermissionAccess;
 
-	// Provides `getPermission`
-	use ManageSettings;
-
 	// It requires a `FormRepository` to load parent posts too.
 	protected $form_repo;
 
@@ -71,7 +66,7 @@ public function isAllowed(Entity $entity, $privilege)
 		}
 
 		// Allow role with the right permissions
-		if ($this->hasPermission($user)) {
+		if ($this->hasPermission($user, Permission::MANAGE_SETTINGS)) {
 			return true;
 		}
 

diff --git a/src/Core/Tool/Authorizer/PostAuthorizer.php b/src/Core/Tool/Authorizer/PostAuthorizer.php
@@ -17,20 +17,18 @@
 use Ushahidi\Core\Entity\FormRepository;
 use Ushahidi\Core\Entity\UserRepository;
 use Ushahidi\Core\Entity\PostRepository;
+use Ushahidi\Core\Entity\Permission;
 use Ushahidi\Core\Tool\Authorizer;
-use Ushahidi\Core\Tool\Permissions\Acl;
-use Ushahidi\Core\Tool\Permissions\Permissionable;
 use Ushahidi\Core\Traits\AdminAccess;
 use Ushahidi\Core\Traits\OwnerAccess;
 use Ushahidi\Core\Traits\ParentAccess;
 use Ushahidi\Core\Traits\PrivAccess;
 use Ushahidi\Core\Traits\UserContext;
 use Ushahidi\Core\Traits\PrivateDeployment;
 use Ushahidi\Core\Traits\PermissionAccess;
-use Ushahidi\Core\Traits\Permissions\ManagePosts;
 
 // The `PostAuthorizer` class is responsible for access checks on `Post` Entities
-class PostAuthorizer implements Authorizer, Permissionable
+class PostAuthorizer implements Authorizer
 {
     // The access checks are run under the context of a specific user
     use UserContext;
@@ -51,9 +49,6 @@ class PostAuthorizer implements Authorizer, Permissionable
     // if roles are available for this deployment.
     use PermissionAccess;
 
-    // Provides `getPermission`
-    use ManagePosts;
-
     /**
      * Get a list of all possible privilges.
      * By default, returns standard HTTP REST methods.
@@ -92,7 +87,7 @@ public function isAllowed(Entity $entity, $privilege)
         }
 
         // First check whether there is a role with the right permissions
-        if ($this->hasPermission($user)) {
+        if ($this->hasPermission($user, Permission::MANAGE_POSTS)) {
             return true;
         }
 

diff --git a/src/Core/Tool/Authorizer/SetAuthorizer.php b/src/Core/Tool/Authorizer/SetAuthorizer.php
@@ -14,19 +14,17 @@
 use Ushahidi\Core\Entity;
 use Ushahidi\Core\Entity\User;
 use Ushahidi\Core\Entity\Set;
+use Ushahidi\Core\Entity\Permission;
 use Ushahidi\Core\Tool\Authorizer;
-use Ushahidi\Core\Tool\Permissions\Acl;
-use Ushahidi\Core\Tool\Permissions\Permissionable;
 use Ushahidi\Core\Traits\AdminAccess;
 use Ushahidi\Core\Traits\OwnerAccess;
 use Ushahidi\Core\Traits\UserContext;
 use Ushahidi\Core\Traits\PrivAccess;
 use Ushahidi\Core\Traits\PrivateDeployment;
 use Ushahidi\Core\Traits\PermissionAccess;
-use Ushahidi\Core\Traits\Permissions\ManagePosts;
 
 // The `SetAuthorizer` class is responsible for access checks on `Sets`
-class SetAuthorizer implements Authorizer, Permissionable
+class SetAuthorizer implements Authorizer
 {
 	// The access checks are run under the context of a specific user
 	use UserContext;
@@ -46,9 +44,6 @@ class SetAuthorizer implements Authorizer, Permissionable
 	// if roles are available for this deployment.
 	use PermissionAccess;
 
-	// Provides `getPermission`
-	use ManagePosts;
-
 	protected function isVisibleToUser(Set $entity, $user)
 	{
 		if ($entity->role) {
@@ -71,7 +66,7 @@ public function isAllowed(Entity $entity, $privilege)
 		}
 
 		// First check whether there is a role with the right permissions
-		if ($this->hasPermission($user)) {
+		if ($this->hasPermission($user, Permission::MANAGE_POSTS)) {
 			return true;
 		}