362 lines
18 KiB
PHP
362 lines
18 KiB
PHP
<?php
|
|
|
|
/*
|
|
* AVSDev UF Organisations (https://avsdev.uk)
|
|
*
|
|
* @link https://git.avsdev.uk/avsdev/sprinkle-organisations
|
|
* @license https://git.avsdev.uk/avsdev/sprinkle-organisations/blob/master/LICENSE.md (LGPL-3.0 License)
|
|
*/
|
|
|
|
namespace UserFrosting\Sprinkle\Organisations\Database\Seeds;
|
|
|
|
use UserFrosting\Sprinkle\Account\Database\Models\Permission;
|
|
use UserFrosting\Sprinkle\Account\Database\Models\Role;
|
|
use UserFrosting\Sprinkle\Core\Database\Seeder\BaseSeed;
|
|
use UserFrosting\Sprinkle\Core\Facades\Seeder;
|
|
|
|
/**
|
|
* Seeder for the permissions related to organisations.
|
|
*
|
|
* @author Craig Williams (https://avsdev.uk)
|
|
*/
|
|
class OrganisationPermissions extends BaseSeed
|
|
{
|
|
/**
|
|
* {@inheritdoc}
|
|
*/
|
|
public function run()
|
|
{
|
|
// We require the default roles
|
|
Seeder::execute('DefaultRoles');
|
|
Seeder::execute('OrganisationRoles');
|
|
|
|
// Get and save permissions
|
|
$permissions = $this->getPermissions();
|
|
$this->savePermissions($permissions);
|
|
|
|
// Add default mappings to permissions
|
|
$this->syncPermissionsRole($permissions);
|
|
}
|
|
|
|
/**
|
|
* @return array Permissions to seed
|
|
*/
|
|
protected function getPermissions()
|
|
{
|
|
$roleIds = [
|
|
'user' => Role::where('slug', 'user')->first()->id,
|
|
'group-admin' => Role::where('slug', 'group-admin')->first()->id,
|
|
'site-admin' => Role::where('slug', 'site-admin')->first()->id,
|
|
'organisations-admin' => Role::where('slug', 'organisations-admin')->first()->id,
|
|
];
|
|
|
|
return [
|
|
'create_organisation' => new Permission([
|
|
'slug' => 'create_organisation',
|
|
'name' => 'Create organisation',
|
|
'conditions' => 'always()',
|
|
'description' => 'Create a new organisation.',
|
|
]),
|
|
'view_organisation_field' => new Permission([
|
|
'slug' => 'view_organisation_field',
|
|
'name' => 'View organisation',
|
|
'conditions' => "in(property,['name','slug','description'])",
|
|
'description' => 'View certain properties of any organisation.',
|
|
]),
|
|
'update_organisation_field' => new Permission([
|
|
'slug' => 'update_organisation_field',
|
|
'name' => 'Edit organisation',
|
|
'conditions' => 'always()',
|
|
'description' => 'Edit basic properties of any organisation.',
|
|
]),
|
|
'delete_organisation' => new Permission([
|
|
'slug' => 'delete_organisation',
|
|
'name' => 'Delete organisation',
|
|
'conditions' => 'always()',
|
|
'description' => 'Delete an organisation.',
|
|
]),
|
|
|
|
'approve_organisation' => new Permission([
|
|
'slug' => 'approve_organisation',
|
|
'name' => 'Approve/Deny organisation registration',
|
|
'conditions' => 'always()',
|
|
'description' => 'Approve/Deny organisation registation request.',
|
|
]),
|
|
'merge_organisations' => new Permission([
|
|
'slug' => 'merge_organisations',
|
|
'name' => 'Merge two organisations',
|
|
'conditions' => 'always()',
|
|
'description' => 'Merge two organisations together, including all the members.',
|
|
]),
|
|
'restore_organisation' => new Permission([
|
|
'slug' => 'restore_organisation',
|
|
'name' => 'Restore organisation',
|
|
'conditions' => 'always()',
|
|
'description' => 'Restore a deleted organisation.',
|
|
]),
|
|
'permenent_delete_organisation' => new Permission([
|
|
'slug' => 'permenent_delete_organisation',
|
|
'name' => 'Permenently delete organisation',
|
|
'conditions' => 'always()',
|
|
'description' => 'Permenently delete an organisation.',
|
|
]),
|
|
'accept_organisation_join_request' => new Permission([
|
|
'slug' => 'accept_organisation_join_request',
|
|
'name' => 'Accept/Reject join request',
|
|
'conditions' => "always()",
|
|
'description' => 'Accept/Reject organisation join requests.',
|
|
]),
|
|
|
|
'uri_organisation' => new Permission([
|
|
'slug' => 'uri_organisation',
|
|
'name' => 'View organisation',
|
|
'conditions' => 'always()',
|
|
'description' => 'View the organisation page of any organisation.',
|
|
]),
|
|
'uri_organisations' => new Permission([
|
|
'slug' => 'uri_organisations',
|
|
'name' => 'Organisation management page',
|
|
'conditions' => 'always()',
|
|
'description' => 'View a page containing a list of organisations.',
|
|
]),
|
|
'uri_deleted_organisations' => new Permission([
|
|
'slug' => 'uri_deleted_organisations',
|
|
'name' => 'Deleted organisation management page',
|
|
'conditions' => 'always()',
|
|
'description' => 'View a page containing a list of deleted organisations.',
|
|
]),
|
|
|
|
|
|
// 'view_organisation_members_field' => new Permission([
|
|
// 'slug' => 'view_organisation_field',
|
|
// 'name' => 'View organisation members field',
|
|
// 'conditions' => "in(property,['members'])",
|
|
// 'description' => 'View members field of any organisation.',
|
|
// ]),
|
|
'view_organisation_members' => new Permission([
|
|
'slug' => 'view_organisation_field',
|
|
'name' => 'View organisation members',
|
|
'conditions' => "in(property,['members'])",
|
|
'description' => 'View members of any organisation.',
|
|
]),
|
|
'promote_organisation_member' => new Permission([
|
|
'slug' => 'promote_organisation_member',
|
|
'name' => 'Promote organisation member/Demote organisation administrator',
|
|
'conditions' => "is_organisation_member(user.id,organisation.id)",
|
|
'description' => 'Promote an organisation member to administrator status or demote an administrator to member status.',
|
|
]),
|
|
|
|
|
|
'register_organisation' => new Permission([
|
|
'slug' => 'register_organisation',
|
|
'name' => 'Register organisation',
|
|
'conditions' => 'always()',
|
|
'description' => 'Register a new organisation. May optionally require approval.',
|
|
]),
|
|
'join_organisation' => new Permission([
|
|
'slug' => 'join_organisation',
|
|
'name' => 'Join organisation',
|
|
'conditions' => 'always()',
|
|
'description' => 'Allows members to join organisations.',
|
|
]),
|
|
'leave_organisation' => new Permission([
|
|
'slug' => 'leave_organisation',
|
|
'name' => 'Leave organisation',
|
|
'conditions' => 'always()',
|
|
'description' => 'Allows members to leave organisations.',
|
|
]),
|
|
|
|
|
|
'uri_organisation_own' => new Permission([
|
|
'slug' => 'uri_organisation',
|
|
'name' => 'View own organisation',
|
|
'conditions' => 'is_organisation_member(self.id,organisation.id)',
|
|
'description' => 'View the organisation page of an organisation you are a member of.',
|
|
]),
|
|
|
|
'view_organisation_field_own' => new Permission([
|
|
'slug' => 'view_organisation_field',
|
|
'name' => 'View own organisation',
|
|
'conditions' => "is_organisation_member(self.id,organisation.id) && in(property,['name','slug','description','members'])",
|
|
'description' => 'View certain properties of own organisation.',
|
|
]),
|
|
'update_organisation_field_own' => new Permission([
|
|
'slug' => 'update_organisation_field',
|
|
'name' => 'Update own organisation',
|
|
'conditions' => "is_organisation_admin(self.id,organisation.id) && subset(fields,['name','slug','description','members'])",
|
|
'description' => 'Edit basic properties of own organisation.',
|
|
]),
|
|
'accept_organisation_join_request_own' => new Permission([
|
|
'slug' => 'accept_organisation_join_request',
|
|
'name' => 'Accept/Reject join request',
|
|
'conditions' => "is_organisation_admin(self.id,organisation.id)",
|
|
'description' => 'Accept/Reject organisation join requests.',
|
|
]),
|
|
'promote_organisation_member_own' => new Permission([
|
|
'slug' => 'promote_organisation_member',
|
|
'name' => 'Promote organisation member/Demote organisation administrator',
|
|
'conditions' => "is_organisation_admin(self.id,organisation.id) && is_organisation_member(user.id,organisation.id)",
|
|
'description' => 'Promote an organisation member from your own organisation to administrator status or demote and administrator to member status.',
|
|
]),
|
|
|
|
|
|
// 'uri_user_in_organisation' => new Permission([
|
|
// 'slug' => 'uri_user',
|
|
// 'name' => 'View user',
|
|
// 'conditions' => "has_matching_organisation(self.id,user.id,true) && !is_master(user.id) && !has_role(user.id,{$roleIds['site-admin']}) && (!has_role(user.id,{$roleIds['organisations-admin']}) || equals_num(self.id,user.id))",
|
|
// 'description' => 'View the user page of any user in your group, except the master user and Site and (global) Organisation Administrators (except yourself).',
|
|
// ]),
|
|
'view_user_field' => new Permission([
|
|
'slug' => 'view_user_field',
|
|
'name' => 'View user',
|
|
'conditions' => "in(property,['organisations'])",
|
|
'description' => 'View the organisations property of any user.',
|
|
]),
|
|
'update_user_field' => new Permission([
|
|
'slug' => 'update_user_field',
|
|
'name' => 'Edit user',
|
|
'conditions' => "!has_role(user.id,{$roleIds['site-admin']}) && subset(fields,['organisations'])",
|
|
'description' => 'Edit organisations for users who are not Site Administrators.',
|
|
]),
|
|
|
|
'view_user_field_group' => new Permission([
|
|
'slug' => 'view_user_field',
|
|
'name' => 'View user',
|
|
'conditions' => "equals_num(self.group_id,user.group_id) && !is_master(user.id) && !has_role(user.id,{$roleIds['site-admin']}) && (!has_role(user.id,{$roleIds['group-admin']}) || equals_num(self.id,user.id)) && in(property,['organisations'])",
|
|
'description' => 'View organisations of any user in your own group, except the master user and Site and Group Administrators (except yourself).',
|
|
]),
|
|
'update_user_field_group' => new Permission([
|
|
'slug' => 'update_user_field',
|
|
'name' => 'Edit group user',
|
|
'conditions' => "equals_num(self.group_id,user.group_id) && !is_master(user.id) && !has_role(user.id,{$roleIds['site-admin']}) && (!has_role(user.id,{$roleIds['group-admin']}) || equals_num(self.id,user.id)) && subset(fields,['organisations'])",
|
|
'description' => 'Edit organisations for users in your own group who are not Site or Group Administrators, except yourself.',
|
|
]),
|
|
|
|
'view_user_field_organisation' => new Permission([
|
|
'slug' => 'view_user_field',
|
|
'name' => 'View user',
|
|
'conditions' => "has_matching_organisation(self.id,user.id) && !is_master(user.id) && !has_role(user.id,{$roleIds['site-admin']}) && (!has_role(user.id,{$roleIds['organisations-admin']}) || equals_num(self.id,user.id)) && in(property,['user_name','name','email','locale','roles','group','activities','organisations'])",
|
|
'description' => 'View certain properties of any user in your own organisation, except the master user and Site and (global) Organisation Administrators (except yourself).',
|
|
]),
|
|
'update_user_field_organisation' => new Permission([
|
|
'slug' => 'update_user_field',
|
|
'name' => 'Edit organisation user',
|
|
'conditions' => "has_matching_organisation(self.id,user.id,1) && !is_master(user.id) && !has_role(user.id,{$roleIds['site-admin']}) && (!has_role(user.id,{$roleIds['organisations-admin']}) || equals_num(self.id,user.id)) && subset(fields,['name','email','locale','flag_enabled','flag_verified','password'])",
|
|
'description' => 'Edit users in your own organisation who are not Site or (global) Organisation Administrators, except yourself.',
|
|
]),
|
|
];
|
|
}
|
|
|
|
|
|
/**
|
|
* Save permissions.
|
|
*
|
|
* @param array $permissions
|
|
*/
|
|
protected function savePermissions(array &$permissions)
|
|
{
|
|
foreach ($permissions as $slug => $permission) {
|
|
|
|
// Trying to find if the permission already exist
|
|
$existingPermission = Permission::where(['slug' => $permission->slug, 'conditions' => $permission->conditions])->first();
|
|
|
|
// Don't save if already exist, use existing permission reference
|
|
// otherwise to re-sync permissions and roles
|
|
if ($existingPermission == null) {
|
|
$permission->save();
|
|
} else {
|
|
$permissions[$slug] = $existingPermission;
|
|
}
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Sync permissions with default roles.
|
|
*
|
|
* @param array $permissions
|
|
*/
|
|
protected function syncPermissionsRole(array $permissions)
|
|
{
|
|
$roleSiteAdmin = Role::where('slug', 'site-admin')->first();
|
|
if ($roleSiteAdmin) {
|
|
$roleSiteAdmin->permissions()->syncWithoutDetaching([
|
|
$permissions['view_user_field']->id,
|
|
$permissions['update_user_field']->id,
|
|
|
|
|
|
$permissions['create_organisation']->id,
|
|
$permissions['view_organisation_field']->id,
|
|
$permissions['update_organisation_field']->id,
|
|
$permissions['delete_organisation']->id,
|
|
|
|
$permissions['approve_organisation']->id,
|
|
$permissions['merge_organisations']->id,
|
|
$permissions['restore_organisation']->id,
|
|
$permissions['permenent_delete_organisation']->id,
|
|
$permissions['accept_organisation_join_request']->id,
|
|
|
|
$permissions['uri_organisation']->id,
|
|
$permissions['uri_organisations']->id,
|
|
$permissions['uri_deleted_organisations']->id,
|
|
|
|
$permissions['view_organisation_members']->id,
|
|
$permissions['promote_organisation_member']->id,
|
|
]);
|
|
}
|
|
|
|
$roleGroupAdmin = Role::where('slug', 'group-admin')->first();
|
|
if ($roleGroupAdmin) {
|
|
$roleGroupAdmin->permissions()->sync([
|
|
$permissions['view_user_field_group']->id,
|
|
$permissions['update_user_field_group']->id,
|
|
]);
|
|
}
|
|
|
|
$roleOrgAdmin = Role::where('slug', 'organisations-admin')->first();
|
|
if ($roleOrgAdmin) {
|
|
$roleOrgAdmin->permissions()->syncWithoutDetaching([
|
|
$permissions['create_organisation']->id,
|
|
$permissions['view_organisation_field']->id,
|
|
$permissions['update_organisation_field']->id,
|
|
$permissions['delete_organisation']->id,
|
|
|
|
$permissions['approve_organisation']->id,
|
|
$permissions['merge_organisations']->id,
|
|
$permissions['restore_organisation']->id,
|
|
$permissions['permenent_delete_organisation']->id,
|
|
$permissions['accept_organisation_join_request']->id,
|
|
|
|
$permissions['uri_organisation']->id,
|
|
$permissions['uri_organisations']->id,
|
|
$permissions['uri_deleted_organisations']->id,
|
|
|
|
$permissions['view_organisation_members']->id,
|
|
$permissions['promote_organisation_member']->id,
|
|
|
|
#$permissions['view_user_field']->id,
|
|
#$permissions['update_user_field']->id,
|
|
]);
|
|
}
|
|
|
|
$roleUser = Role::where('slug', 'user')->first();
|
|
if ($roleUser) {
|
|
$roleUser->permissions()->syncWithoutDetaching([
|
|
$permissions['register_organisation']->id,
|
|
$permissions['join_organisation']->id,
|
|
$permissions['leave_organisation']->id,
|
|
|
|
$permissions['view_organisation_field_own']->id,
|
|
$permissions['update_organisation_field_own']->id,
|
|
$permissions['accept_organisation_join_request_own']->id,
|
|
$permissions['promote_organisation_member_own']->id,
|
|
|
|
$permissions['uri_organisation_own']->id,
|
|
$permissions['uri_organisations']->id,
|
|
|
|
$permissions['view_user_field_organisation']->id,
|
|
$permissions['update_user_field_organisation']->id,
|
|
]);
|
|
}
|
|
}
|
|
}
|