Added capability for organisation administrators to accept/reject join requests, remove members, edit their details and reset their passwords

2022-02-22 18:11:59 +00:00
parent 5456902f77
commit 0dbfbef594
14 changed files with 582 additions and 9 deletions
--- a/src/Controller/OrganisationMembersController.php
+++ b/src/Controller/OrganisationMembersController.php
@@ -310,6 +310,83 @@ class OrganisationMembersController extends SimpleController
        return $response->withJson([], 200);
    }

+    /**
+     * Processes the request to remove a member from an organisation.
+     *
+     * Removes a member from the specified organisation.
+     * Before doing so, checks that:
+     * 1. The user has permission to remove the user from the organisation;
+     * 2. The submitted data is valid.
+     * This route requires authentication.
+     *
+     * Request type: DELETE
+     *
+     * @param Request  $request
+     * @param Response $response
+     * @param array    $args
+     *
+     * @throws NotFoundException   If organisation is not found
+     * @throws ForbiddenException  If user is not authorized to access page
+     * @throws BadRequestException
+     */
+    public function remove(Request $request, Response $response, $args)
+    {
+        /** @var \UserFrosting\Sprinkle\Account\Authorize\AuthorizationManager $authorizer */
+        $authorizer = $this->ci->authorizer;
+
+        /** @var \UserFrosting\Sprinkle\Account\Database\Models\Interfaces\UserInterface $currentUser */
+        $currentUser = $this->ci->currentUser;
+
+        /** @var \UserFrosting\Sprinkle\Core\Alert\AlertStream $ms */
+        $ms = $this->ci->alerts;
+
+
+        $organisation = $this->getOrganisationFromParams($args);
+        $user = $this->getUserFromParams($args);
+
+        // If the organisation/user doesn't exist, return 404
+        if (!$organisation || !$user) {
+            throw new NotFoundException();
+        }
+
+        // Access-controlled page
+        if (!$authorizer->checkAccess($currentUser, 'update_organisation_field', [
+            'organisation' => $organisation,
+            'fields' => [ 'members' ],
+        ])) {
+            throw new ForbiddenException();
+        }
+
+        // Check if the user is a member of the organisation, pending or no relation at all
+        $memberCheck = $organisation->members()->where('user_id', $currentUser->id)->withPivot('flag_approved')->first();
+        $adminCheck = $organisation->administrators()->where('user_id', $currentUser->id)->withPivot('flag_approved')->first();
+        if (!($memberCheck && $memberCheck->pivot->flag_approved) && !($adminCheck && $adminCheck->pivot->flag_approved)) {
+            $ms->addMessageTranslated('danger', 'ORGANISATION.MEMBER.NOT_FOUND', [
+                'name' => $organisation->name,
+                'user_name' => $user->user_name
+            ]);
+            return $response->withJson([], 400);
+        }
+
+        // Begin transaction - DB will be rolled back if an exception occurs
+        Capsule::transaction(function () use ($organisation, $user, $currentUser) {
+            $user->organisations(true)->detach($organisation->id);
+
+            // Create activity record
+            $this->ci->userActivityLogger->info("User {$currentUser->user_name} removed user {$user->user_name} from organisation {$organisation->name}.", [
+                'type'    => 'organisation_member_remove',
+                'user_id' => $currentUser->id,
+            ]);
+        });
+
+        $ms->addMessageTranslated('success', 'ORGANISATION.MEMBER.REMOVE_SUCCESSFUL', [
+            'name' => $organisation->ame,
+            'user_name' => $user->user_name,
+        ]);
+
+        return $response->withJson([], 200);
+    }
+

    /**
     * Accepts a request to join organisation.
@@ -642,7 +719,9 @@ class OrganisationMembersController extends SimpleController

        $sprunje = $classMapper->createInstance('user_sprunje', $classMapper, $params);
        $sprunje->extendQuery(function ($query) use ($classMapper, $organisation) {
-            return $query->where('organisation_id', $organisation->id);
+            return $query
+                ->where('organisation_id', $organisation->id)
+                ->addSelect('organisation_members.flag_approved AS membership_approved');
        });

        // Be careful how you consume this data - it has not been escaped and contains untrusted user-supplied content.
@@ -740,6 +819,152 @@ class OrganisationMembersController extends SimpleController
        ]);
    }

+    /**
+     * Get remove member confirmation modal.
+     *
+     * @param Request  $request
+     * @param Response $response
+     * @param array    $args
+     *
+     * @throws NotFoundException   If organisation/member is not found
+     * @throws ForbiddenException  If user is not authorized to access page
+     * @throws BadRequestException
+     */
+    public function getModalConfirmRemove(Request $request, Response $response, $args)
+    {
+        /** @var \UserFrosting\Sprinkle\Account\Authorize\AuthorizationManager $authorizer */
+        $authorizer = $this->ci->authorizer;
+
+        /** @var \UserFrosting\Sprinkle\Account\Database\Models\Interfaces\UserInterface $currentUser */
+        $currentUser = $this->ci->currentUser;
+
+
+        // GET parameters
+        $params = $request->getQueryParams();
+
+        $organisation = $this->getOrganisationFromParams($params);
+
+        $user = $this->getUserFromParams($params);
+
+        // Check organisation & user exists
+        if (!$organisation || !$user) {
+            throw new NotFoundException();
+        }
+
+
+        // Access-controlled page
+        if (!$authorizer->checkAccess($currentUser, 'update_organisation_field', [
+            'organisation' => $organisation,
+            'fields'       => [ 'members' ],
+        ])) {
+            throw new ForbiddenException();
+        }
+
+        return $this->ci->view->render($response, 'modals/confirm-remove-organisation-member.html.twig', [
+            'organisation' => $organisation,
+            'user' => $user,
+            'form'  => [
+                'action' => "api/organisations/o/{$organisation->slug}/members/m/{$user->user_name}",
+            ],
+        ]);
+    }
+
+    /**
+     * Get accept member confirmation modal.
+     *
+     * @param Request  $request
+     * @param Response $response
+     * @param array    $args
+     *
+     * @throws NotFoundException   If organisation/member is not found
+     * @throws ForbiddenException  If user is not authorized to access page
+     * @throws BadRequestException
+     */
+    public function getModalConfirmAccept(Request $request, Response $response, $args)
+    {
+        /** @var \UserFrosting\Sprinkle\Account\Authorize\AuthorizationManager $authorizer */
+        $authorizer = $this->ci->authorizer;
+
+        /** @var \UserFrosting\Sprinkle\Account\Database\Models\Interfaces\UserInterface $currentUser */
+        $currentUser = $this->ci->currentUser;
+
+
+        // GET parameters
+        $params = $request->getQueryParams();
+
+        $organisation = $this->getOrganisationFromParams($params);
+
+        $user = $this->getUserFromParams($params);
+
+        // Check organisation & user exists
+        if (!$organisation || !$user) {
+            throw new NotFoundException();
+        }
+
+        // Access-controlled page
+        if (!$authorizer->checkAccess($currentUser, 'accept_organisation_join_request', [
+            'organisation' => $organisation,
+        ])) {
+            throw new ForbiddenException();
+        }
+
+        return $this->ci->view->render($response, 'modals/confirm-accept-organisation-join-request.html.twig', [
+            'organisation' => $organisation,
+            'user' => $user,
+            'form'  => [
+                'action' => "api/organisations/o/{$organisation->slug}/members/m/{$user->user_name}/accept",
+            ],
+        ]);
+    }
+
+    /**
+     * Get reject member confirmation modal.
+     *
+     * @param Request  $request
+     * @param Response $response
+     * @param array    $args
+     *
+     * @throws NotFoundException   If organisation/member is not found
+     * @throws ForbiddenException  If user is not authorized to access page
+     * @throws BadRequestException
+     */
+    public function getModalConfirmReject(Request $request, Response $response, $args)
+    {
+        /** @var \UserFrosting\Sprinkle\Account\Authorize\AuthorizationManager $authorizer */
+        $authorizer = $this->ci->authorizer;
+
+        /** @var \UserFrosting\Sprinkle\Account\Database\Models\Interfaces\UserInterface $currentUser */
+        $currentUser = $this->ci->currentUser;
+
+
+        // GET parameters
+        $params = $request->getQueryParams();
+
+        $organisation = $this->getOrganisationFromParams($params);
+
+        $user = $this->getUserFromParams($params);
+
+        // Check organisation & user exists
+        if (!$organisation || !$user) {
+            throw new NotFoundException();
+        }
+
+        // Access-controlled page
+        if (!$authorizer->checkAccess($currentUser, 'accept_organisation_join_request', [
+            'organisation' => $organisation,
+        ])) {
+            throw new ForbiddenException();
+        }
+
+        return $this->ci->view->render($response, 'modals/confirm-reject-organisation-join-request.html.twig', [
+            'organisation' => $organisation,
+            'user' => $user,
+            'form'  => [
+                'action' => "api/organisations/o/{$organisation->slug}/members/m/{$user->user_name}/reject",
+            ],
+        ]);
+    }
+

    /**
     * Send approval email for specified organisation and confirmation to user.
--- a/src/Database/Models/Organisation.php
+++ b/src/Database/Models/Organisation.php
@@ -107,14 +107,19 @@ class Organisation extends Model implements OrganisationInterface, TokenOwnerInt
    /**
     * Get a list of members within this organisation.
     */
-    public function members()
+    public function members($withAdmins = false)
    {
        /** @var \UserFrosting\Sprinkle\Core\Util\ClassMapper $classMapper */
        $classMapper = static::$ci->classMapper;

-        return $this
-            ->belongsToMany($classMapper->getClassMapping('user'), 'organisation_members', 'organisation_id', 'user_id')
-            ->where('flag_admin', false);
+        $query = $this
+            ->belongsToMany($classMapper->getClassMapping('user'), 'organisation_members', 'organisation_id', 'user_id');
+
+        if ($withAdmins !== true) {
+            $query = $query->where('flag_admin', false);
+        }
+
+        return $query;
    }

    /**
--- a/src/Database/Seeds/OrganisationPermissions.php
+++ b/src/Database/Seeds/OrganisationPermissions.php
@@ -167,6 +167,19 @@ class OrganisationPermissions extends BaseSeed
                'conditions'  => 'always()',
                'description' => 'View a page containing a list of deleted organisations.',
            ]),
+
+            'update_org_user_field' => new Permission([
+                'slug'        => 'update_user_field',
+                'name'        => 'Edit organisation member',
+                'conditions'  => "can_admin_via_orgs(self.id, user.id) && subset(fields,['name','email','locale','password','phone_number'])",
+                'description' => 'Edit users who are in an organisation they are a member of.',
+            ]),
+            'view_org_user_field' => new Permission([
+                'slug'        => 'view_user_field',
+                'name'        => 'View organisation member',
+                'conditions'  => "similar_orgs(self.id, user.id) && in(property,['user_name','name','locale','email','phone_number','activities'])",
+                'description' => 'View certain properties of any user in their organisation.',
+            ]),
        ];
    }

@@ -245,6 +258,8 @@ class OrganisationPermissions extends BaseSeed
                $permissions['leave_organisation']->id,
                $permissions['register_organisation']->id,
                $permissions['accept_organisation_join_request']->id,
+                $permissions['update_org_user_field']->id,
+                $permissions['view_org_user_field']->id,
            ]);
        }
    }
--- a/src/ServicesProvider/ServicesProvider.php
+++ b/src/ServicesProvider/ServicesProvider.php
@@ -18,6 +18,7 @@ use Psr\Http\Message\ResponseInterface as Response;
 use Psr\Http\Message\ServerRequestInterface as Request;
 use UserFrosting\Sprinkle\Core\Log\MixedFormatter;
 use UserFrosting\Sprinkle\Organisations\Database\Models\Interfaces\OrganisationInterface;
+use UserFrosting\Sprinkle\Organisations\Database\Models\User;
 use UserFrosting\Sprinkle\Organisations\Twig\OrganisationsExtension;
 use UserFrosting\Sprinkle\Organisations\Repository\OrganisationApprovalRepository;
 use UserFrosting\Sprinkle\Organisations\Repository\OrganisationMembershipApprovalRepository;
@@ -96,6 +97,26 @@ class ServicesProvider
                    ->count() > 0;
            });

+            /*
+             * Check if $admin_id can modify $user_id via any of their joint organisations
+             *
+             * @param  int  $admin_id      the id of the admin user (normally currentUser->id).
+             * @param  int  $user_id       the id of the target user.
+             * @return bool true if $admin_id is an administrator of an organisation with $user_id in.
+             */
+            $new_authorizer->addCallback('can_admin_via_orgs', function ($admin_id, $user_id) {
+                $admin = User::findInt($admin_id);
+                $user = User::findInt($user_id);
+
+                foreach($admin->adminForOrganisations()->get() as $org) {
+                    if ($org->members(true)->where('user_id', $user_id)->count() > 0) {
+                        return true;
+                    }
+                }
+
+                return false;
+            });
+
            return $new_authorizer;
        });