From 522718f7eecb320798e08797ec1e977ff5750307 Mon Sep 17 00:00:00 2001 From: Craig Williams Date: Wed, 7 Jun 2023 13:41:14 +0100 Subject: [PATCH] Re-built organisation permissions --- config/default.php | 2 + locale/en_US/messages.php | 5 +- src/Controller/OrganisationController.php | 23 +- .../Seeds/OrganisationPermissions.php | 292 +++++++++--------- src/Database/Seeds/OrganisationRoles.php | 2 +- .../columns/organisations-actions.html.twig | 122 ++++++-- .../organisations-admin_count.html.twig | 2 +- .../columns/organisations-join.html.twig | 44 +-- .../organisations-member_count.html.twig | 2 +- templates/tables/organisations.html.twig | 4 +- 10 files changed, 277 insertions(+), 221 deletions(-) diff --git a/config/default.php b/config/default.php index 0432195..b65ff27 100644 --- a/config/default.php +++ b/config/default.php @@ -15,6 +15,7 @@ * SMTP server password: SMTP_PASSWORD */ return [ + 'debug' => [ 'auth' => true ], 'organisation' => [ 'registration' => [ 'require_approval' => true, @@ -25,5 +26,6 @@ return [ 'single_membership' => false, 'timeout' => -1, ], + 'combine_action_buttons' => false, ], ]; diff --git a/locale/en_US/messages.php b/locale/en_US/messages.php index 3e3ed21..2714459 100644 --- a/locale/en_US/messages.php +++ b/locale/en_US/messages.php @@ -202,7 +202,10 @@ return [ 'DELETED' => 'Deleted', 'RETURN' => 'Return', - 'JOIN' => 'Join', + 'JOIN' => [ + 1 => 'Join', + 'CANCEL' => 'Cancel join request', + ], 'LEAVE' => 'Leave', 'ACTION_CANNOT_UNDONE' => 'This action cannot be undone!', diff --git a/src/Controller/OrganisationController.php b/src/Controller/OrganisationController.php index cd51f5b..3e5023e 100644 --- a/src/Controller/OrganisationController.php +++ b/src/Controller/OrganisationController.php @@ -1116,19 +1116,22 @@ class OrganisationController extends SimpleController $tableColumns = [ 'description' ]; - if ($currentUser->organisations(true)->count() == 0) { + if ( + ( + $currentUser->organisations(true)->count() == 0 + || !$config['organisation']['membership']['single_membership'] + ) + && !$config['organisation']['combine_action_buttons'] + ) { $tableColumns[] = 'join'; - } else { - if (!$config['organisation']['membership']['single_membership']) { - $tableColumns[] = 'join'; - } } - if ($currentUser->organisations(true)->wherePivot('flag_admin', true) | - $authorizer->checkAccess($currentUser, 'delete_organisation') | - $authorizer->checkAccess($currentUser, 'update_organisation_field') | - $authorizer->checkAccess($currentUser, 'approve_organisation') | - $authorizer->checkAccess($currentUser, 'merge_organisations')) { + if ($currentUser->organisations(true)->wherePivot('flag_admin', true) + || $authorizer->checkAccess($currentUser, 'delete_organisation') + || $authorizer->checkAccess($currentUser, 'update_organisation_field') + || $authorizer->checkAccess($currentUser, 'approve_organisation') + || $authorizer->checkAccess($currentUser, 'merge_organisations') + || $config['organisation']['combine_action_buttons']) { $tableColumns[] = 'status'; $tableColumns[] = 'actions'; } diff --git a/src/Database/Seeds/OrganisationPermissions.php b/src/Database/Seeds/OrganisationPermissions.php index c1de8cc..f8905f7 100644 --- a/src/Database/Seeds/OrganisationPermissions.php +++ b/src/Database/Seeds/OrganisationPermissions.php @@ -43,6 +43,13 @@ class OrganisationPermissions extends BaseSeed */ protected function getPermissions() { + $roleIds = [ + 'user' => Role::where('slug', 'user')->first()->id, + 'group-admin' => Role::where('slug', 'group-admin')->first()->id, + 'site-admin' => Role::where('slug', 'site-admin')->first()->id, + 'organisations-admin' => Role::where('slug', 'organisations-admin')->first()->id, + ]; + return [ 'create_organisation' => new Permission([ 'slug' => 'create_organisation', @@ -56,24 +63,19 @@ class OrganisationPermissions extends BaseSeed 'conditions' => "in(property,['name','slug','description'])", 'description' => 'View certain properties of any organisation.', ]), - 'view_organisation_members_field' => new Permission([ - 'slug' => 'view_organisation_field', - 'name' => 'View organisation members field', - 'conditions' => "in(property,['members'])", - 'description' => 'View members field of any organisation.', - ]), - 'view_organisation_members' => new Permission([ - 'slug' => 'view_organisation_members', - 'name' => 'View organisation members', - 'conditions' => "always()", - 'description' => 'View members of any organisation.', - ]), 'update_organisation_field' => new Permission([ 'slug' => 'update_organisation_field', 'name' => 'Edit organisation', 'conditions' => 'always()', 'description' => 'Edit basic properties of any organisation.', ]), + 'delete_organisation' => new Permission([ + 'slug' => 'delete_organisation', + 'name' => 'Delete organisation', + 'conditions' => 'always()', + 'description' => 'Delete an organisation.', + ]), + 'approve_organisation' => new Permission([ 'slug' => 'approve_organisation', 'name' => 'Approve/Deny organisation registration', @@ -86,12 +88,6 @@ class OrganisationPermissions extends BaseSeed 'conditions' => 'always()', 'description' => 'Merge two organisations together, including all the members.', ]), - 'delete_organisation' => new Permission([ - 'slug' => 'delete_organisation', - 'name' => 'Delete organisation', - 'conditions' => 'always()', - 'description' => 'Delete an organisation.', - ]), 'restore_organisation' => new Permission([ 'slug' => 'restore_organisation', 'name' => 'Restore organisation', @@ -110,6 +106,46 @@ class OrganisationPermissions extends BaseSeed 'conditions' => "always()", 'description' => 'Accept/Reject organisation join requests.', ]), + + 'uri_organisation' => new Permission([ + 'slug' => 'uri_organisation', + 'name' => 'View organisation', + 'conditions' => 'always()', + 'description' => 'View the organisation page of any organisation.', + ]), + 'uri_organisations' => new Permission([ + 'slug' => 'uri_organisations', + 'name' => 'Organisation management page', + 'conditions' => 'always()', + 'description' => 'View a page containing a list of organisations.', + ]), + 'uri_deleted_organisations' => new Permission([ + 'slug' => 'uri_deleted_organisations', + 'name' => 'Deleted organisation management page', + 'conditions' => 'always()', + 'description' => 'View a page containing a list of deleted organisations.', + ]), + + + // 'view_organisation_members_field' => new Permission([ + // 'slug' => 'view_organisation_field', + // 'name' => 'View organisation members field', + // 'conditions' => "in(property,['members'])", + // 'description' => 'View members field of any organisation.', + // ]), + 'view_organisation_members' => new Permission([ + 'slug' => 'view_organisation_field', + 'name' => 'View organisation members', + 'conditions' => "in(property,['members'])", + 'description' => 'View members of any organisation.', + ]), + 'promote_organisation_member' => new Permission([ + 'slug' => 'promote_organisation_member', + 'name' => 'Promote organisation member/Demote organisation administrator', + 'conditions' => "is_organisation_member(user.id,organisation.id)", + 'description' => 'Promote an organisation member to administrator status or demote an administrator to member status.', + ]), + 'register_organisation' => new Permission([ 'slug' => 'register_organisation', @@ -129,6 +165,15 @@ class OrganisationPermissions extends BaseSeed 'conditions' => 'always()', 'description' => 'Allows members to leave organisations.', ]), + + + 'uri_organisation_own' => new Permission([ + 'slug' => 'uri_organisation', + 'name' => 'View own organisation', + 'conditions' => 'is_organisation_member(self.id,organisation.id)', + 'description' => 'View the organisation page of an organisation you are a member of.', + ]), + 'view_organisation_field_own' => new Permission([ 'slug' => 'view_organisation_field', 'name' => 'View own organisation', @@ -147,76 +192,58 @@ class OrganisationPermissions extends BaseSeed 'conditions' => "is_organisation_admin(self.id,organisation.id)", 'description' => 'Accept/Reject organisation join requests.', ]), - - 'uri_organisation' => new Permission([ - 'slug' => 'uri_organisation', - 'name' => 'View organisation', - 'conditions' => 'always()', - 'description' => 'View the organisation page of any organisation.', - ]), - 'uri_user' => new Permission([ - 'slug' => 'uri_user', - 'name' => 'View organisation member', - 'conditions' => 'can_admin_via_orgs(self.id, user.id)', - 'description' => 'View the user page of any member of your organisation.', - ]), - 'uri_organisation_own' => new Permission([ - 'slug' => 'uri_organisation', - 'name' => 'View own organisation', - 'conditions' => 'is_organisation_member(self.id,organisation.id)', - 'description' => 'View the organisation page of an organisation you are a member of.', - ]), - 'uri_organisations' => new Permission([ - 'slug' => 'uri_organisations', - 'name' => 'Organisation management page', - 'conditions' => 'always()', - 'description' => 'View a page containing a list of organisations.', - ]), - 'uri_deleted_organisations' => new Permission([ - 'slug' => 'uri_deleted_organisations', - 'name' => 'Deleted organisation management page', - 'conditions' => 'always()', - 'description' => 'View a page containing a list of deleted organisations.', - ]), - - 'update_org_user_field' => new Permission([ - 'slug' => 'update_user_field', - 'name' => 'Edit organisation member', - 'conditions' => "subset(fields,['organisations'])", - 'description' => 'Edit users who are in any organisation.', - ]), - 'view_org_user_field' => new Permission([ - 'slug' => 'view_user_field', - 'name' => 'View organisation member', - 'conditions' => "in(property,['organisations'])", - 'description' => 'View certain properties of any user in any organisation.', - ]), - - 'update_org_user_field_own' => new Permission([ - 'slug' => 'update_user_field', - 'name' => 'Edit organisation member', - 'conditions' => "can_admin_via_orgs(self.id, user.id) && subset(fields,['organisations'])", - 'description' => 'Edit users who are in an organisation they are a member of.', - ]), - 'view_org_user_field_own' => new Permission([ - 'slug' => 'view_user_field', - 'name' => 'View organisation member', - 'conditions' => "similar_orgs(self.id, user.id) && in(property,['organisations'])", - 'description' => 'View certain properties of any user in their organisation.', - ]), - - 'promote_organisation_member' => new Permission([ - 'slug' => 'promote_organisation_member', - 'name' => 'Promote organisation member/Demote organisation administrator', - 'conditions' => "is_organisation_member(user.id,organisation.id) || is_organisation_admin(user.id,organisation.id)", - 'description' => 'Promote an organisation member to administrator status or demote and administrator to member status.', - ]), 'promote_organisation_member_own' => new Permission([ 'slug' => 'promote_organisation_member', 'name' => 'Promote organisation member/Demote organisation administrator', - 'conditions' => "is_organisation_admin(self.id,organisation.id) && (is_organisation_member(user.id,organisation.id) || is_organisation_admin(user.id,organisation.id))", + 'conditions' => "is_organisation_admin(self.id,organisation.id) && is_organisation_member(user.id,organisation.id)", 'description' => 'Promote an organisation member from your own organisation to administrator status or demote and administrator to member status.', ]), + + + // 'uri_user_in_organisation' => new Permission([ + // 'slug' => 'uri_user', + // 'name' => 'View user', + // 'conditions' => "has_matching_organisation(self.id,user.id,true) && !is_master(user.id) && !has_role(user.id,{$roleIds['site-admin']}) && (!has_role(user.id,{$roleIds['organisations-admin']}) || equals_num(self.id,user.id))", + // 'description' => 'View the user page of any user in your group, except the master user and Site and (global) Organisation Administrators (except yourself).', + // ]), + 'view_user_field' => new Permission([ + 'slug' => 'view_user_field', + 'name' => 'View user', + 'conditions' => "in(property,['organisations'])", + 'description' => 'View the organisations property of any user.', + ]), + 'update_user_field' => new Permission([ + 'slug' => 'update_user_field', + 'name' => 'Edit user', + 'conditions' => "!has_role(user.id,{$roleIds['site-admin']}) && subset(fields,['organisations'])", + 'description' => 'Edit organisations for users who are not Site Administrators.', + ]), + + 'view_user_field_group' => new Permission([ + 'slug' => 'view_user_field', + 'name' => 'View user', + 'conditions' => "equals_num(self.group_id,user.group_id) && !is_master(user.id) && !has_role(user.id,{$roleIds['site-admin']}) && (!has_role(user.id,{$roleIds['group-admin']}) || equals_num(self.id,user.id)) && in(property,['organisations'])", + 'description' => 'View organisations of any user in your own group, except the master user and Site and Group Administrators (except yourself).', + ]), + 'update_user_field_group' => new Permission([ + 'slug' => 'update_user_field', + 'name' => 'Edit group user', + 'conditions' => "equals_num(self.group_id,user.group_id) && !is_master(user.id) && !has_role(user.id,{$roleIds['site-admin']}) && (!has_role(user.id,{$roleIds['group-admin']}) || equals_num(self.id,user.id)) && subset(fields,['organisations'])", + 'description' => 'Edit organisations for users in your own group who are not Site or Group Administrators, except yourself.', + ]), + + 'view_user_field_organisation' => new Permission([ + 'slug' => 'view_user_field', + 'name' => 'View user', + 'conditions' => "has_matching_organisation(self.id,user.id) && !is_master(user.id) && !has_role(user.id,{$roleIds['site-admin']}) && (!has_role(user.id,{$roleIds['organisations-admin']}) || equals_num(self.id,user.id)) && in(property,['user_name','name','email','locale','roles','group','activities','organisations'])", + 'description' => 'View certain properties of any user in your own organisation, except the master user and Site and (global) Organisation Administrators (except yourself).', + ]), + 'update_user_field_organisation' => new Permission([ + 'slug' => 'update_user_field', + 'name' => 'Edit organisation user', + 'conditions' => "has_matching_organisation(self.id,user.id,true) && !is_master(user.id) && !has_role(user.id,{$roleIds['site-admin']}) && (!has_role(user.id,{$roleIds['organisations-admin']}) || equals_num(self.id,user.id)) && subset(fields,['name','email','locale','flag_enabled','flag_verified','password'])", + 'description' => 'Edit users in your own organisation who are not Site or (global) Organisation Administrators, except yourself.', + ]), ]; } @@ -253,45 +280,35 @@ class OrganisationPermissions extends BaseSeed $roleSiteAdmin = Role::where('slug', 'site-admin')->first(); if ($roleSiteAdmin) { $roleSiteAdmin->permissions()->syncWithoutDetaching([ + $permissions['view_user_field']->id, + $permissions['update_user_field']->id, + + $permissions['create_organisation']->id, - $permissions['approve_organisation']->id, - $permissions['view_organisation_field']->id, - $permissions['view_organisation_members_field']->id, - $permissions['view_organisation_members']->id, - $permissions['update_organisation_field']->id, - - $permissions['merge_organisations']->id, - $permissions['delete_organisation']->id, + + $permissions['approve_organisation']->id, + $permissions['merge_organisations']->id, $permissions['restore_organisation']->id, $permissions['permenent_delete_organisation']->id, + $permissions['accept_organisation_join_request']->id, - $permissions['uri_user']->id, $permissions['uri_organisation']->id, + $permissions['uri_organisations']->id, $permissions['uri_deleted_organisations']->id, - - $permissions['register_organisation']->id, - $permissions['join_organisation']->id, - $permissions['leave_organisation']->id, - - $permissions['view_org_user_field_own']->id, - $permissions['update_org_user_field_own']->id, - $permissions['accept_organisation_join_request_own']->id, - $permissions['promote_organisation_member_own']->id, - - $permissions['view_organisation_field_own']->id, - $permissions['update_organisation_field_own']->id, - - $permissions['accept_organisation_join_request']->id, - $permissions['update_org_user_field']->id, - $permissions['view_org_user_field']->id, + $permissions['view_organisation_members']->id, $permissions['promote_organisation_member']->id, + ]); + } - $permissions['uri_organisation_own']->id, - $permissions['uri_organisations']->id, + $roleGroupAdmin = Role::where('slug', 'group-admin')->first(); + if ($roleGroupAdmin) { + $roleGroupAdmin->permissions()->sync([ + $permissions['view_user_field_group']->id, + $permissions['update_user_field_group']->id, ]); } @@ -299,52 +316,25 @@ class OrganisationPermissions extends BaseSeed if ($roleOrgAdmin) { $roleOrgAdmin->permissions()->syncWithoutDetaching([ $permissions['create_organisation']->id, - $permissions['approve_organisation']->id, - $permissions['view_organisation_field']->id, - $permissions['view_organisation_members_field']->id, - $permissions['view_organisation_members']->id, - $permissions['update_organisation_field']->id, - - $permissions['merge_organisations']->id, - $permissions['delete_organisation']->id, + + $permissions['approve_organisation']->id, + $permissions['merge_organisations']->id, $permissions['restore_organisation']->id, $permissions['permenent_delete_organisation']->id, + $permissions['accept_organisation_join_request']->id, - $permissions['uri_user']->id, $permissions['uri_organisation']->id, + $permissions['uri_organisations']->id, $permissions['uri_deleted_organisations']->id, - - $permissions['register_organisation']->id, - $permissions['join_organisation']->id, - $permissions['leave_organisation']->id, - - $permissions['view_org_user_field_own']->id, - $permissions['update_org_user_field_own']->id, - $permissions['accept_organisation_join_request_own']->id, - $permissions['promote_organisation_member_own']->id, - - $permissions['view_organisation_field_own']->id, - $permissions['update_organisation_field_own']->id, - - $permissions['accept_organisation_join_request']->id, - $permissions['update_org_user_field']->id, - $permissions['view_org_user_field']->id, + $permissions['view_organisation_members']->id, $permissions['promote_organisation_member']->id, - $permissions['uri_organisation_own']->id, - $permissions['uri_organisations']->id, - - - Permission::where('slug', 'create_user')->first()->id, - Permission::where('slug', 'delete_user')->first()->id, - Permission::where('slug', 'update_user_field')->where('conditions', "!has_role(user.id,{$roleSiteAdmin->id}) && subset(fields,['name','email','locale','group','flag_enabled','flag_verified','password'])")->first()->id, - - Permission::where('slug', 'uri_users')->first()->id, - Permission::where('slug', 'uri_user')->where('conditions', 'always()')->first()->id, + #$permissions['view_user_field']->id, + #$permissions['update_user_field']->id, ]); } @@ -355,18 +345,16 @@ class OrganisationPermissions extends BaseSeed $permissions['join_organisation']->id, $permissions['leave_organisation']->id, - $permissions['view_org_user_field_own']->id, - $permissions['update_org_user_field_own']->id, - $permissions['accept_organisation_join_request_own']->id, - $permissions['promote_organisation_member_own']->id, - $permissions['view_organisation_field_own']->id, $permissions['update_organisation_field_own']->id, - + $permissions['accept_organisation_join_request_own']->id, + $permissions['promote_organisation_member_own']->id, + $permissions['uri_organisation_own']->id, $permissions['uri_organisations']->id, - $permissions['uri_user']->id, + $permissions['view_user_field_organisation']->id, + $permissions['update_user_field_organisation']->id, ]); } } diff --git a/src/Database/Seeds/OrganisationRoles.php b/src/Database/Seeds/OrganisationRoles.php index a6be217..f144b20 100644 --- a/src/Database/Seeds/OrganisationRoles.php +++ b/src/Database/Seeds/OrganisationRoles.php @@ -41,7 +41,7 @@ class OrganisationRoles extends BaseSeed new Role([ 'slug' => 'organisations-admin', 'name' => 'Organisations Administrator', - 'description' => 'This role is meant for "organisation administrators", who can basically do anything related to organisations and their members.', + 'description' => 'This role is meant for administrators who can basically do anything related to any organisations.', ]), ]; } diff --git a/templates/tables/columns/organisations-actions.html.twig b/templates/tables/columns/organisations-actions.html.twig index d14cb80..b987ce2 100644 --- a/templates/tables/columns/organisations-actions.html.twig +++ b/templates/tables/columns/organisations-actions.html.twig @@ -1,8 +1,10 @@ \ No newline at end of file diff --git a/templates/tables/columns/organisations-member_count.html.twig b/templates/tables/columns/organisations-member_count.html.twig index 77dee5b..f93a18a 100644 --- a/templates/tables/columns/organisations-member_count.html.twig +++ b/templates/tables/columns/organisations-member_count.html.twig @@ -1,5 +1,5 @@