AVSDev/sprinkle-organisations
1
0
Fork 0
Code Issues 2 Pull Requests Projects Releases Wiki Activity

Compare commits

base: AVSDev:daa4e78a27be7c4047b968dee1b30077f29552cf
Branches Tags
AVSDev:main AVSDev:devel
AVSDev:v1.1.1 AVSDev:v1.1.0 AVSDev:v1.0.5 AVSDev:v1.0.4 AVSDev:v1.0.3 AVSDev:v1.0.2 AVSDev:v1.0.1 AVSDev:v1.0 AVSDev:v0.2.1 AVSDev:v0.2 AVSDev:v0.1.1 AVSDev:v0.1
...
compare: AVSDev:dead35067667856bc2bfe16b8b78f2cfe36a5621
Branches Tags
AVSDev:devel AVSDev:main
AVSDev:v1.1.1 AVSDev:v1.1.0 AVSDev:v1.0.5 AVSDev:v1.0.4 AVSDev:v1.0.3 AVSDev:v1.0.2 AVSDev:v1.0.1 AVSDev:v1.0 AVSDev:v0.2.1 AVSDev:v0.2 AVSDev:v0.1.1 AVSDev:v0.1

2 Commits
daa4e78a27 ... dead350676

Author SHA1 Message Date
Craig Williams
dead350676 Tighten organisation admin permissions & password reset workflow 2023-09-07 11:53:39 +01:00
Craig Williams
f3af94a285 Fixed a bug in organisation admin permission check 2023-09-07 10:13:51 +01:00
8 changed files with 201 additions and 5 deletions
Expand all files Collapse all files

27
assets/organisations/js/widgets/members.js
View File

@@ -137,6 +137,33 @@ function bindMemberButtons(el, options) {
}); });
}); });
}); });
// Reset member password button
el.find('.js-member-password').click(function(e) {
e.preventDefault();
var userName = $(this).data('user_name');
$("body").ufModal({
sourceUrl: site.uri.public + '/modals/organisations/o/' + $(this).data('slug') + '/members/reset-password',
ajaxParams: {
slug: $(this).data('slug'),
user_name: $(this).data('user_name')
},
msgTarget: $("#alerts-page")
});
$("body").on('renderSuccess.ufModal', function() {
var modal = $(this).ufModal('getModal');
var form = modal.find('.js-form');
form.ufForm()
.on("submitSuccess.ufForm", function() {
// Navigate or reload page on success
window.location.reload();
});
});
});
} }
// function bindMemberCreationButton(el) { // function bindMemberCreationButton(el) {

6
locale/en_US/messages.php
View File

@@ -155,6 +155,10 @@ return [
'DEMOTE_CONFIRM_EXTRA' => 'Once demoted they will no longer be able to manage members and agents on the organisation\'s behalf.', 'DEMOTE_CONFIRM_EXTRA' => 'Once demoted they will no longer be able to manage members and agents on the organisation\'s behalf.',
'DEMOTE_YES' => 'Yes, demote administrator', 'DEMOTE_YES' => 'Yes, demote administrator',
'DEMOTE_SUCCESSFUL' => 'Successfully demoted administrator <strong>{{user_name}}</strong> from being an administrator of organisation <strong>{{name}}</strong>', 'DEMOTE_SUCCESSFUL' => 'Successfully demoted administrator <strong>{{user_name}}</strong> from being an administrator of organisation <strong>{{name}}</strong>',
'RESET_PASSWORD' => 'Send password reset link',
'SEND_PASSWORD_LINK_CONFIRM' => 'Please confirm that you wish to send a password reset link to:<br><br> <strong>{{user_name}}</strong> ({{email}}).',
'PASSWORD_LINK_SENT' => 'A password reset link has successfully been sent to <strong>{{email}}</strong>.'
], ],
], ],
@@ -168,7 +172,7 @@ return [
'DEMOTE' => 'Demote to member', 'DEMOTE' => 'Demote to member',
'EDIT' => 'Edit member', 'EDIT' => 'Edit member',
'CHANGE_PASSWORD' => 'Change member password', 'RESET_PASSWORD' => 'Send password reset link',
], ],
'ADMIN' => [ 'ADMIN' => [

3
routes/organisation-members.php
View File

@@ -33,6 +33,8 @@ $app->group('/api/organisations/o/{slug}/members', function () {
$this->put('/m/{user_name}/promote', 'UserFrosting\Sprinkle\Organisations\Controller\OrganisationMembersController:promote'); $this->put('/m/{user_name}/promote', 'UserFrosting\Sprinkle\Organisations\Controller\OrganisationMembersController:promote');
$this->put('/m/{user_name}/demote', 'UserFrosting\Sprinkle\Organisations\Controller\OrganisationMembersController:demote'); $this->put('/m/{user_name}/demote', 'UserFrosting\Sprinkle\Organisations\Controller\OrganisationMembersController:demote');
$this->post('/m/{user_name}/password-reset', 'UserFrosting\Sprinkle\Organisations\Controller\OrganisationMembersController:createPasswordReset');
})->add('authGuard')->add(new NoCache()); })->add('authGuard')->add(new NoCache());
@@ -45,4 +47,5 @@ $app->group('/modals/organisations/o/{slug}/members', function () {
$this->get('/confirm-reject', 'UserFrosting\Sprinkle\Organisations\Controller\OrganisationMembersController:getModalConfirmReject'); $this->get('/confirm-reject', 'UserFrosting\Sprinkle\Organisations\Controller\OrganisationMembersController:getModalConfirmReject');
$this->get('/confirm-promote', 'UserFrosting\Sprinkle\Organisations\Controller\OrganisationMembersController:getModalConfirmPromote'); $this->get('/confirm-promote', 'UserFrosting\Sprinkle\Organisations\Controller\OrganisationMembersController:getModalConfirmPromote');
$this->get('/confirm-demote', 'UserFrosting\Sprinkle\Organisations\Controller\OrganisationMembersController:getModalConfirmDemote'); $this->get('/confirm-demote', 'UserFrosting\Sprinkle\Organisations\Controller\OrganisationMembersController:getModalConfirmDemote');
$this->get('/reset-password', 'UserFrosting\Sprinkle\Organisations\Controller\OrganisationMembersController:getModalResetPassword');
})->add('authGuard')->add(new NoCache()); })->add('authGuard')->add(new NoCache());

130
src/Controller/OrganisationMembersController.php
View File

@@ -9,6 +9,7 @@
namespace UserFrosting\Sprinkle\Organisations\Controller; namespace UserFrosting\Sprinkle\Organisations\Controller;
use Carbon\Carbon;
use Illuminate\Database\Capsule\Manager as Capsule; use Illuminate\Database\Capsule\Manager as Capsule;
use Psr\Http\Message\ResponseInterface as Response; use Psr\Http\Message\ResponseInterface as Response;
use Psr\Http\Message\ServerRequestInterface as Request; use Psr\Http\Message\ServerRequestInterface as Request;
@@ -918,6 +919,81 @@ class OrganisationMembersController extends SimpleController
return $response->withRedirect($this->ci->router->pathFor('uri_organisation', ['slug' => $organisation->slug])); return $response->withRedirect($this->ci->router->pathFor('uri_organisation', ['slug' => $organisation->slug]));
} }
/**
* Processes the request to send a user a password reset email.
*
* Processes the request from the user update form, checking that:
* 1. The target user's new email address, if specified, is not already in use;
* 2. The logged-in user has the necessary permissions to update the posted field(s);
* 3. We're not trying to disable the master account;
* 4. The submitted data is valid.
* This route requires authentication.
*
* Request type: POST
*
* @param Request $request
* @param Response $response
* @param string[] $args
*
* @throws NotFoundException If user is not found
* @throws ForbiddenException If user is not authorized to access page
*/
public function createPasswordReset(Request $request, Response $response, array $args)
{
/** @var \UserFrosting\Sprinkle\Account\Authorize\AuthorizationManager $authorizer */
$authorizer = $this->ci->authorizer;
/** @var \UserFrosting\Support\Repository\Repository $config */
$config = $this->ci->config;
/** @var \UserFrosting\Sprinkle\Account\Database\Models\Interfaces\UserInterface $currentUser */
$currentUser = $this->ci->currentUser;
/** @var \UserFrosting\Sprinkle\Core\Alert\AlertStream $ms */
$ms = $this->ci->alerts;
// Get the username from the URL
$user = $this->getUserFromParams($args);
if (!$user) {
throw new NotFoundException();
}
// Access-controlled resource - check that currentUser has permission to edit "password" for this user
if (!$authorizer->checkAccess($currentUser, 'update_user_field', [
'user' => $user,
'fields' => ['password'],
])) {
throw new ForbiddenException();
}
// Begin transaction - DB will be rolled back if an exception occurs
Capsule::transaction(function () use ($user, $config) {
// Create a password reset and shoot off an email
$passwordReset = $this->ci->repoPasswordReset->create($user, $config['password_reset.timeouts.reset']);
// Create and send welcome email with password set link
$message = new TwigMailMessage($this->ci->view, 'mail/password-reset.html.twig');
$message->from($config['address_book.admin'])
->addEmailRecipient(new EmailRecipient($user->email, $user->full_name))
->addParams([
'user' => $user,
'token' => $passwordReset->getToken(),
'request_date' => Carbon::now()->format('Y-m-d H:i:s'),
]);
$this->ci->mailer->send($message);
});
$ms->addMessageTranslated('success', 'ORGANISATION.MEMBER.PASSWORD_LINK_SENT', [
'email' => $user->email,
]);
return $response->withJson([], 200);
}
/** /**
* Returns a list of organisation members. * Returns a list of organisation members.
@@ -1359,6 +1435,60 @@ class OrganisationMembersController extends SimpleController
]); ]);
} }
/**
* Renders the modal form for sending a password reset to a member.
*
* This does NOT render a complete page. Instead, it renders the HTML for the form, which can be embedded in other pages.
* This page requires authentication.
*
* Request type: GET
*
* @param Request $request
* @param Response $response
* @param string[] $args
*
* @throws NotFoundException If user is not found
* @throws ForbiddenException If user is not authorized to access page
*/
public function getModalResetPassword(Request $request, Response $response, array $args)
{
/** @var \UserFrosting\Sprinkle\Account\Authorize\AuthorizationManager $authorizer */
$authorizer = $this->ci->authorizer;
/** @var \UserFrosting\Sprinkle\Account\Database\Models\Interfaces\UserInterface $currentUser */
$currentUser = $this->ci->currentUser;
/** @var \UserFrosting\Support\Repository\Repository $config */
$config = $this->ci->config;
// GET parameters
$params = $request->getQueryParams();
$user = $this->getUserFromParams($params);
$organisation = $this->getOrganisationFromParams($params);
// Check organisation & user exists
if (!$organisation || !$user) {
throw new NotFoundException();
}
// Access-controlled resource - check that currentUser has permission to edit "password" field for this user
if (!$authorizer->checkAccess($currentUser, 'update_user_field', [
'organisation' => $organisation,
'user' => $user,
'fields' => ['password'],
])) {
throw new ForbiddenException();
}
return $this->ci->view->render($response, 'modals/member-reset-password.html.twig', [
'user' => $user,
'organisation' => $organisation,
'page' => [],
]);
}
/** /**
* Send approval email for specified organisation and confirmation to user. * Send approval email for specified organisation and confirmation to user.

2
src/Database/Seeds/OrganisationPermissions.php
View File

@@ -241,7 +241,7 @@ class OrganisationPermissions extends BaseSeed
'update_user_field_organisation' => new Permission([ 'update_user_field_organisation' => new Permission([
'slug' => 'update_user_field', 'slug' => 'update_user_field',
'name' => 'Edit organisation user', 'name' => 'Edit organisation user',
'conditions' => "has_matching_organisation(self.id,user.id,true) && !is_master(user.id) && !has_role(user.id,{$roleIds['site-admin']}) && (!has_role(user.id,{$roleIds['organisations-admin']}) || equals_num(self.id,user.id)) && subset(fields,['name','email','locale','flag_enabled','flag_verified','password'])", 'conditions' => "has_matching_organisation(self.id,user.id,1) && !is_master(user.id) && !has_role(user.id,{$roleIds['site-admin']}) && (!has_role(user.id,{$roleIds['organisations-admin']}) || equals_num(self.id,user.id)) && subset(fields,['name','email','locale','flag_enabled','flag_verified','password'])",
'description' => 'Edit users in your own organisation who are not Site or (global) Organisation Administrators, except yourself.', 'description' => 'Edit users in your own organisation who are not Site or (global) Organisation Administrators, except yourself.',
]), ]),
]; ];

2
src/ServicesProvider/ServicesProvider.php
View File

@@ -103,7 +103,7 @@ class ServicesProvider
* @return bool true if $user is an administrator of $organisation. * @return bool true if $user is an administrator of $organisation.
*/ */
$authorizer->addCallback('is_organisation_admin', function ($user_id, $organisation_id) { $authorizer->addCallback('is_organisation_admin', function ($user_id, $organisation_id) {
return Capsule::table('organisation_members') $query = Capsule::table('organisation_members')
->where('user_id', $user_id) ->where('user_id', $user_id)
->where('organisation_id', $organisation_id) ->where('organisation_id', $organisation_id)
->where('flag_admin', true); ->where('flag_admin', true);

32
templates/modals/member-reset-password.html.twig Normal file
View File

@@ -0,0 +1,32 @@
{% extends "modals/modal.html.twig" %}
{% block modal_title %}{{translate("ORGANISATION.MEMBER.RESET_PASSWORD")}}{% endblock %}
{% block modal_body %}
<form class="js-form" method="POST" action="{{site.uri.public}}/api/organisations/o/{{organisation.slug}}/members/m/{{user.user_name}}/password-reset">
{% include "forms/csrf.html.twig" %}
<div class="js-form-alerts">
</div>
<div class="row">
<div class="col-sm-12">
{{translate("ORGANISATION.MEMBER.SEND_PASSWORD_LINK_CONFIRM", {
'user_name': user.user_name,
'email': user.email
})}}
</div>
</div>
<br>
<div class="row">
<div class="col-xs-8 col-sm-4">
<button type="submit" class="btn btn-block btn-lg btn-success">{{translate('CONFIRM')}}</button>
</div>
<div class="col-xs-4 col-sm-3 pull-right">
<button type="button" class="btn btn-block btn-lg btn-link" data-dismiss="modal">{{translate('CANCEL')}}</button>
</div>
</div>
</form>
<!-- Include validation rules -->
<script>
{% include "pages/partials/page.js.twig" %}
</script>
{% endblock %}

4
templates/tables/columns/organisation_members-actions.html.twig
View File

@@ -36,8 +36,8 @@
</a> </a>
</li> </li>
<li> <li>
<a href="#" data-slug="{% endverbatim %}{{organisation.slug}}{% verbatim %}" data-user_name="{{row.user_name}}" class="js-user-password"> <a href="#" data-slug="{% endverbatim %}{{organisation.slug}}{% verbatim %}" data-user_name="{{row.user_name}}" class="js-member-password">
<i class="fas fa-key"></i> {% endverbatim %}{{translate("MEMBER.CHANGE_PASSWORD")}}{% verbatim %} <i class="fas fa-key"></i> {% endverbatim %}{{translate("MEMBER.RESET_PASSWORD")}}{% verbatim %}
</a> </a>
</li> </li>
<li> <li>