getPermissions(); $this->savePermissions($permissions); // Add default mappings to permissions $this->syncPermissionsRole($permissions); } /** * @return array Permissions to seed */ protected function getPermissions() { $roleIds = [ 'user' => Role::where('slug', 'user')->first()->id, 'group-admin' => Role::where('slug', 'group-admin')->first()->id, 'site-admin' => Role::where('slug', 'site-admin')->first()->id, 'organisations-admin' => Role::where('slug', 'organisations-admin')->first()->id, ]; return [ 'create_organisation' => new Permission([ 'slug' => 'create_organisation', 'name' => 'Create organisation', 'conditions' => 'always()', 'description' => 'Create a new organisation.', ]), 'view_organisation_field' => new Permission([ 'slug' => 'view_organisation_field', 'name' => 'View organisation', 'conditions' => "in(property,['name','slug','description'])", 'description' => 'View certain properties of any organisation.', ]), 'update_organisation_field' => new Permission([ 'slug' => 'update_organisation_field', 'name' => 'Edit organisation', 'conditions' => 'always()', 'description' => 'Edit basic properties of any organisation.', ]), 'delete_organisation' => new Permission([ 'slug' => 'delete_organisation', 'name' => 'Delete organisation', 'conditions' => 'always()', 'description' => 'Delete an organisation.', ]), 'approve_organisation' => new Permission([ 'slug' => 'approve_organisation', 'name' => 'Approve/Deny organisation registration', 'conditions' => 'always()', 'description' => 'Approve/Deny organisation registation request.', ]), 'merge_organisations' => new Permission([ 'slug' => 'merge_organisations', 'name' => 'Merge two organisations', 'conditions' => 'always()', 'description' => 'Merge two organisations together, including all the members.', ]), 'restore_organisation' => new Permission([ 'slug' => 'restore_organisation', 'name' => 'Restore organisation', 'conditions' => 'always()', 'description' => 'Restore a deleted organisation.', ]), 'permenent_delete_organisation' => new Permission([ 'slug' => 'permenent_delete_organisation', 'name' => 'Permenently delete organisation', 'conditions' => 'always()', 'description' => 'Permenently delete an organisation.', ]), 'accept_organisation_join_request' => new Permission([ 'slug' => 'accept_organisation_join_request', 'name' => 'Accept/Reject join request', 'conditions' => "always()", 'description' => 'Accept/Reject organisation join requests.', ]), 'uri_organisation' => new Permission([ 'slug' => 'uri_organisation', 'name' => 'View organisation', 'conditions' => 'always()', 'description' => 'View the organisation page of any organisation.', ]), 'uri_organisations' => new Permission([ 'slug' => 'uri_organisations', 'name' => 'Organisation management page', 'conditions' => 'always()', 'description' => 'View a page containing a list of organisations.', ]), 'uri_deleted_organisations' => new Permission([ 'slug' => 'uri_deleted_organisations', 'name' => 'Deleted organisation management page', 'conditions' => 'always()', 'description' => 'View a page containing a list of deleted organisations.', ]), // 'view_organisation_members_field' => new Permission([ // 'slug' => 'view_organisation_field', // 'name' => 'View organisation members field', // 'conditions' => "in(property,['members'])", // 'description' => 'View members field of any organisation.', // ]), 'view_organisation_members' => new Permission([ 'slug' => 'view_organisation_field', 'name' => 'View organisation members', 'conditions' => "in(property,['members'])", 'description' => 'View members of any organisation.', ]), 'promote_organisation_member' => new Permission([ 'slug' => 'promote_organisation_member', 'name' => 'Promote organisation member/Demote organisation administrator', 'conditions' => "is_organisation_member(user.id,organisation.id)", 'description' => 'Promote an organisation member to administrator status or demote an administrator to member status.', ]), 'register_organisation' => new Permission([ 'slug' => 'register_organisation', 'name' => 'Register organisation', 'conditions' => 'always()', 'description' => 'Register a new organisation. May optionally require approval.', ]), 'join_organisation' => new Permission([ 'slug' => 'join_organisation', 'name' => 'Join organisation', 'conditions' => 'always()', 'description' => 'Allows members to join organisations.', ]), 'leave_organisation' => new Permission([ 'slug' => 'leave_organisation', 'name' => 'Leave organisation', 'conditions' => 'always()', 'description' => 'Allows members to leave organisations.', ]), 'uri_organisation_own' => new Permission([ 'slug' => 'uri_organisation', 'name' => 'View own organisation', 'conditions' => 'is_organisation_member(self.id,organisation.id)', 'description' => 'View the organisation page of an organisation you are a member of.', ]), 'view_organisation_field_own' => new Permission([ 'slug' => 'view_organisation_field', 'name' => 'View own organisation', 'conditions' => "is_organisation_member(self.id,organisation.id) && in(property,['name','slug','description','members'])", 'description' => 'View certain properties of own organisation.', ]), 'update_organisation_field_own' => new Permission([ 'slug' => 'update_organisation_field', 'name' => 'Update own organisation', 'conditions' => "is_organisation_admin(self.id,organisation.id) && subset(fields,['name','slug','description','members'])", 'description' => 'Edit basic properties of own organisation.', ]), 'accept_organisation_join_request_own' => new Permission([ 'slug' => 'accept_organisation_join_request', 'name' => 'Accept/Reject join request', 'conditions' => "is_organisation_admin(self.id,organisation.id)", 'description' => 'Accept/Reject organisation join requests.', ]), 'promote_organisation_member_own' => new Permission([ 'slug' => 'promote_organisation_member', 'name' => 'Promote organisation member/Demote organisation administrator', 'conditions' => "is_organisation_admin(self.id,organisation.id) && is_organisation_member(user.id,organisation.id)", 'description' => 'Promote an organisation member from your own organisation to administrator status or demote and administrator to member status.', ]), // 'uri_user_in_organisation' => new Permission([ // 'slug' => 'uri_user', // 'name' => 'View user', // 'conditions' => "has_matching_organisation(self.id,user.id,true) && !is_master(user.id) && !has_role(user.id,{$roleIds['site-admin']}) && (!has_role(user.id,{$roleIds['organisations-admin']}) || equals_num(self.id,user.id))", // 'description' => 'View the user page of any user in your group, except the master user and Site and (global) Organisation Administrators (except yourself).', // ]), 'view_user_field' => new Permission([ 'slug' => 'view_user_field', 'name' => 'View user', 'conditions' => "in(property,['organisations'])", 'description' => 'View the organisations property of any user.', ]), 'update_user_field' => new Permission([ 'slug' => 'update_user_field', 'name' => 'Edit user', 'conditions' => "!has_role(user.id,{$roleIds['site-admin']}) && subset(fields,['organisations'])", 'description' => 'Edit organisations for users who are not Site Administrators.', ]), 'view_user_field_group' => new Permission([ 'slug' => 'view_user_field', 'name' => 'View user', 'conditions' => "equals_num(self.group_id,user.group_id) && !is_master(user.id) && !has_role(user.id,{$roleIds['site-admin']}) && (!has_role(user.id,{$roleIds['group-admin']}) || equals_num(self.id,user.id)) && in(property,['organisations'])", 'description' => 'View organisations of any user in your own group, except the master user and Site and Group Administrators (except yourself).', ]), 'update_user_field_group' => new Permission([ 'slug' => 'update_user_field', 'name' => 'Edit group user', 'conditions' => "equals_num(self.group_id,user.group_id) && !is_master(user.id) && !has_role(user.id,{$roleIds['site-admin']}) && (!has_role(user.id,{$roleIds['group-admin']}) || equals_num(self.id,user.id)) && subset(fields,['organisations'])", 'description' => 'Edit organisations for users in your own group who are not Site or Group Administrators, except yourself.', ]), 'view_user_field_organisation' => new Permission([ 'slug' => 'view_user_field', 'name' => 'View user', 'conditions' => "has_matching_organisation(self.id,user.id) && !is_master(user.id) && !has_role(user.id,{$roleIds['site-admin']}) && (!has_role(user.id,{$roleIds['organisations-admin']}) || equals_num(self.id,user.id)) && in(property,['user_name','name','email','locale','roles','group','activities','organisations'])", 'description' => 'View certain properties of any user in your own organisation, except the master user and Site and (global) Organisation Administrators (except yourself).', ]), 'update_user_field_organisation' => new Permission([ 'slug' => 'update_user_field', 'name' => 'Edit organisation user', 'conditions' => "has_matching_organisation(self.id,user.id,true) && !is_master(user.id) && !has_role(user.id,{$roleIds['site-admin']}) && (!has_role(user.id,{$roleIds['organisations-admin']}) || equals_num(self.id,user.id)) && subset(fields,['name','email','locale','flag_enabled','flag_verified','password'])", 'description' => 'Edit users in your own organisation who are not Site or (global) Organisation Administrators, except yourself.', ]), ]; } /** * Save permissions. * * @param array $permissions */ protected function savePermissions(array &$permissions) { foreach ($permissions as $slug => $permission) { // Trying to find if the permission already exist $existingPermission = Permission::where(['slug' => $permission->slug, 'conditions' => $permission->conditions])->first(); // Don't save if already exist, use existing permission reference // otherwise to re-sync permissions and roles if ($existingPermission == null) { $permission->save(); } else { $permissions[$slug] = $existingPermission; } } } /** * Sync permissions with default roles. * * @param array $permissions */ protected function syncPermissionsRole(array $permissions) { $roleSiteAdmin = Role::where('slug', 'site-admin')->first(); if ($roleSiteAdmin) { $roleSiteAdmin->permissions()->syncWithoutDetaching([ $permissions['view_user_field']->id, $permissions['update_user_field']->id, $permissions['create_organisation']->id, $permissions['view_organisation_field']->id, $permissions['update_organisation_field']->id, $permissions['delete_organisation']->id, $permissions['approve_organisation']->id, $permissions['merge_organisations']->id, $permissions['restore_organisation']->id, $permissions['permenent_delete_organisation']->id, $permissions['accept_organisation_join_request']->id, $permissions['uri_organisation']->id, $permissions['uri_organisations']->id, $permissions['uri_deleted_organisations']->id, $permissions['view_organisation_members']->id, $permissions['promote_organisation_member']->id, ]); } $roleGroupAdmin = Role::where('slug', 'group-admin')->first(); if ($roleGroupAdmin) { $roleGroupAdmin->permissions()->sync([ $permissions['view_user_field_group']->id, $permissions['update_user_field_group']->id, ]); } $roleOrgAdmin = Role::where('slug', 'organisations-admin')->first(); if ($roleOrgAdmin) { $roleOrgAdmin->permissions()->syncWithoutDetaching([ $permissions['create_organisation']->id, $permissions['view_organisation_field']->id, $permissions['update_organisation_field']->id, $permissions['delete_organisation']->id, $permissions['approve_organisation']->id, $permissions['merge_organisations']->id, $permissions['restore_organisation']->id, $permissions['permenent_delete_organisation']->id, $permissions['accept_organisation_join_request']->id, $permissions['uri_organisation']->id, $permissions['uri_organisations']->id, $permissions['uri_deleted_organisations']->id, $permissions['view_organisation_members']->id, $permissions['promote_organisation_member']->id, #$permissions['view_user_field']->id, #$permissions['update_user_field']->id, ]); } $roleUser = Role::where('slug', 'user')->first(); if ($roleUser) { $roleUser->permissions()->syncWithoutDetaching([ $permissions['register_organisation']->id, $permissions['join_organisation']->id, $permissions['leave_organisation']->id, $permissions['view_organisation_field_own']->id, $permissions['update_organisation_field_own']->id, $permissions['accept_organisation_join_request_own']->id, $permissions['promote_organisation_member_own']->id, $permissions['uri_organisation_own']->id, $permissions['uri_organisations']->id, $permissions['view_user_field_organisation']->id, $permissions['update_user_field_organisation']->id, ]); } } }