From 275de8c6febde2cf0afb18d8409f0e963abc3d08 Mon Sep 17 00:00:00 2001
From: Craig Williams
Date: Fri, 6 Oct 2023 09:54:45 +0100
Subject: [PATCH] Added user admin role
---
 routes/roles.php | 17 ++++++
 src/Controller/RoleController.php | 73 ++++++++++++++++++++++++++
 src/Database/Seeds/CreateUserAdmin.php | 56 +++++++++++++++++++-
 3 files changed, 145 insertions(+), 1 deletion(-)
 create mode 100644 routes/roles.php
 create mode 100644 src/Controller/RoleController.php
diff --git a/routes/roles.php b/routes/roles.php
new file mode 100644
index 0000000..74398ca
--- /dev/null
+++ b/routes/roles.php
@@ -0,0 +1,17 @@
+group('/api/roles', function () {
+ $this->get('/', 'UserFrosting\Sprinkle\UFTweaks\Controller\RoleController:getList');
+})->add('authGuard')->add(new NoCache());
\ No newline at end of file
diff --git a/src/Controller/RoleController.php b/src/Controller/RoleController.php
new file mode 100644
index 0000000..767a45e
--- /dev/null
+++ b/src/Controller/RoleController.php
@@ -0,0 +1,73 @@
+getQueryParams();
+
+ /** @var \UserFrosting\Sprinkle\Account\Authorize\AuthorizationManager $authorizer */
+ $authorizer = $this->ci->authorizer;
+
+ /** @var \UserFrosting\Sprinkle\Core\Util\ClassMapper $classMapper */
+ $classMapper = $this->ci->classMapper;
+
+ /** @var \UserFrosting\Sprinkle\Account\Database\Models\Interfaces\UserInterface $currentUser */
+ $currentUser = $this->ci->currentUser;
+
+ // Access-controlled page
+ $adminRole = $authorizer->checkAccess($currentUser, 'uri_roles');
+ $userRole = $authorizer->checkAccess($currentUser, 'role_list');
+
+ if (!$adminRole && !$userRole) {
+ throw new ForbiddenException();
+ }
+
+ $sprunje = $classMapper->createInstance('role_sprunje', $classMapper, $params);
+ if ($userRole) {
+ $siteAdminId = Role::where('slug', 'site-admin')->first()->id;
+ $sprunje->extendQuery(function($query) {
+ $query->where('role_id', '!=', $siteAdminId);
+ });
+ }
+
+ // Be careful how you consume this data - it has not been escaped and contains untrusted user-supplied content.
+ // For example, if you plan to insert it into an HTML DOM, you must escape it on the client side (or use client-side templating).
+ return $sprunje->toResponse($response);
+ }
+}
diff --git a/src/Database/Seeds/CreateUserAdmin.php b/src/Database/Seeds/CreateUserAdmin.php
index fc852b5..c84221e 100644
--- a/src/Database/Seeds/CreateUserAdmin.php
+++ b/src/Database/Seeds/CreateUserAdmin.php
@@ -30,9 +30,11 @@ class CreateUserAdmin extends BaseSeed
 $roles = $this->getRoles();
 $this->saveRoles($roles);
+ $newPermissions = $this->getNewPermissions();
+ $this->savePermissions($newPermissions);
 $permissions = $this->getPermissions();
- $this->syncPermissionsRole($roles, $permissions);
+ $this->syncPermissionsRole($roles, array_merge($newPermissions, $permissions));
 }
 /**
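Review bot: The closure passed to `$sprunje->extendQuery()` reads `$siteAdminId` without a `use` clause, so inside the closure the variable is undefined and the site-admin exclusion that the `role_list` branch is meant to enforce never takes effect; the line should be `$sprunje->extendQuery(function ($query) use ($siteAdminId) {`. The filter also keys on `role_id`, which looks like a pivot-table column rather than a column of the roles table the sprunje queries — worth confirming against the model, because a missing column would turn the listing into a database error instead of a filtered result. The branch runs whenever `$userRole` is true, so a site admin who also holds `role_list` gets filtered as well; `if (!$adminRole)` reads closer to the intent, and `Role::where('slug', 'site-admin')->first()->id` dereferences a possibly-null result. The start of getList, including the `$params = $request->` assignment, is not visible in the hunk as rendered.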
@@ -70,6 +72,55 @@ class CreateUserAdmin extends BaseSeed
 }
 }
+ /**
+ * Save permissions.
+ *
+ * @param array $permissions
+ */
+ protected function savePermissions(array &$permissions)
+ {
+ foreach ($permissions as $slug => $permission) {
+ // Trying to find if the permission already exist
+ $existingPermission = Permission::where(['slug' => $permission->slug, 'conditions' => $permission->conditions])->first();
+
+ // Don't save if already exist, use existing permission reference
+ // otherwise to re-sync permissions and roles
+ if ($existingPermission == null) {
+ $permission->save();
+ } else {
+ $permissions[$slug] = $existingPermission;
+ }
+ }
+ }
+
+ /**
+ * @return array Permissions to seed
+ */
+ protected function getNewPermissions()
+ {
+ $defaultRoleIds = [
+ 'user' => Role::where('slug', 'user')->first()->id,
+ 'group-admin' => Role::where('slug', 'group-admin')->first()->id,
+ 'site-admin' => Role::where('slug', 'site-admin')->first()->id,
+ 'user-admin' => Role::where('slug', 'user-admin')->first()->id,
+ ];
+
+ return [
+ 'update_user_roles' => new Permission([
+ 'slug' => 'update_user_field',
+ 'name' => 'Edit user',
+ 'conditions' => "!has_role(user.id,{$defaultRoleIds['site-admin']}) && subset(fields,['roles'])",
+ 'description' => 'Edit role for users who are not Site Administrators.',
+ ]),
+ 'role_list' => new Permission([
+ 'slug' => 'role_list',
+ 'name' => 'List of roles',
+ 'conditions' => "has_role(self.id,{$defaultRoleIds['user-admin']})",
+ 'description' => 'Retrieve the list of roles.',
+ ]),
+ ];
+ }
+
 /**
 * @return array Permissions to seed
 */
@@ -125,6 +176,9 @@ class CreateUserAdmin extends BaseSeed
 $permissions['uri_user']->id,
 $permissions['uri_users']->id,
+ $permissions['role_list']->id,
+ $permissions['update_user_roles']->id,
+ $permissions['create_user']->id,
 $permissions['view_user_field']->id,
 $permissions['update_user_field']->id,
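Review bot: The `update_user_roles` permission in `getNewPermissions()` constrains the target user (`!has_role(user.id,{site-admin})`) and the field (`subset(fields,['roles'])`) but says nothing about which role ids may be assigned, so unless the field-update handler separately rejects roles the caller is not allowed to grant — which this diff does not show — a user-admin could attach the site-admin role to a non-site-admin account and thereby escalate. Hiding the site-admin role from the role list elsewhere in this commit suggests that is not intended; the reliable place to enforce it is server-side in the handler (reject any role id the current user may not grant), and the permission deserves a comment such as `// NOTE: condition limits the target user and field only; assignable role ids must be validated by the update handler`. In `savePermissions()`, `$existingPermission == null` should be the strict `$existingPermission === null`. The `user` and `group-admin` entries of `$defaultRoleIds` are unused, and each `->first()->id` will fault if the role row is missing.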