Broke the role editing permissions out into a specific role (to avoid site-admin being given them)
This commit is contained in:
48
src/Database/Seeds/CreateRoleAdmin.php
Normal file
48
src/Database/Seeds/CreateRoleAdmin.php
Normal file
@@ -0,0 +1,48 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
/*
|
||||||
|
* AVSDev UF Tweaks (https://avsdev.uk)
|
||||||
|
*
|
||||||
|
* @link https://git.avsdev.uk/avsdev/sprinkle-uf-tweaks
|
||||||
|
* @license https://git.avsdev.uk/avsdev/sprinkle-uf-tweaks/blob/master/LICENSE.md (LGPL-3.0 License)
|
||||||
|
*/
|
||||||
|
|
||||||
|
namespace UserFrosting\Sprinkle\UFTweaks\Database\Seeds;
|
||||||
|
|
||||||
|
use UserFrosting\Sprinkle\Account\Database\Models\Role;
|
||||||
|
use UserFrosting\Sprinkle\Core\Database\Seeder\BaseSeed;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Seeder to create the role admin
|
||||||
|
*/
|
||||||
|
class CreateRoleAdmin extends BaseSeed
|
||||||
|
{
|
||||||
|
/**
|
||||||
|
* {@inheritdoc}
|
||||||
|
*/
|
||||||
|
public function run()
|
||||||
|
{
|
||||||
|
$roles = $this->getRoles();
|
||||||
|
|
||||||
|
foreach ($roles as $role) {
|
||||||
|
// Don't save if already exist
|
||||||
|
if (Role::where('slug', $role->slug)->first() == null) {
|
||||||
|
$role->save();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return array Roles to seed
|
||||||
|
*/
|
||||||
|
protected function getRoles()
|
||||||
|
{
|
||||||
|
return [
|
||||||
|
new Role([
|
||||||
|
'slug' => 'role-admin',
|
||||||
|
'name' => 'Role Administrator',
|
||||||
|
'description' => 'This role is meant for "role administrators", who can basically do anything related to roles and their permissions.',
|
||||||
|
]),
|
||||||
|
];
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -26,6 +26,7 @@ class DefaultPermissions extends UFDefaultPermissions
|
|||||||
{
|
{
|
||||||
// We require the default roles
|
// We require the default roles
|
||||||
Seeder::execute('DefaultRoles');
|
Seeder::execute('DefaultRoles');
|
||||||
|
Seeder::execute('RoleAdminRole');
|
||||||
|
|
||||||
// Get and save permissions
|
// Get and save permissions
|
||||||
$permissions = $this->getPermissions();
|
$permissions = $this->getPermissions();
|
||||||
@@ -46,6 +47,7 @@ class DefaultPermissions extends UFDefaultPermissions
|
|||||||
'user' => Role::where('slug', 'user')->first()->id,
|
'user' => Role::where('slug', 'user')->first()->id,
|
||||||
'group-admin' => Role::where('slug', 'group-admin')->first()->id,
|
'group-admin' => Role::where('slug', 'group-admin')->first()->id,
|
||||||
'site-admin' => Role::where('slug', 'site-admin')->first()->id,
|
'site-admin' => Role::where('slug', 'site-admin')->first()->id,
|
||||||
|
'role-admin' => Role::where('slug', 'role-admin')->first()->id,
|
||||||
];
|
];
|
||||||
|
|
||||||
return array_merge(
|
return array_merge(
|
||||||
@@ -88,36 +90,24 @@ class DefaultPermissions extends UFDefaultPermissions
|
|||||||
'conditions' => "in(property,['slug','name','description','permissions','users'])",
|
'conditions' => "in(property,['slug','name','description','permissions','users'])",
|
||||||
'description' => 'View certain properties of any role.',
|
'description' => 'View certain properties of any role.',
|
||||||
]),
|
]),
|
||||||
|
'update_role_field' => new Permission([
|
||||||
|
'slug' => 'update_role_field',
|
||||||
|
'name' => 'Edit role',
|
||||||
|
'conditions' => "is_master(self.id) || subset(fields,['slug','name','description'])",
|
||||||
|
'description' => 'Edit basic properties of any role.',
|
||||||
|
]),
|
||||||
'update_role_permissions' => new Permission([
|
'update_role_permissions' => new Permission([
|
||||||
'slug' => 'update_role_permissions',
|
'slug' => 'update_role_permissions',
|
||||||
'name' => 'Edit role permissions',
|
'name' => 'Edit role permissions',
|
||||||
'conditions' => "is_master(self.id) || subset(fields,['permissions'])",
|
'conditions' => "is_master(self.id) || subset(fields,['permissions'])",
|
||||||
'description' => 'Edit permissions of any role.',
|
'description' => 'Edit permissions of any role.',
|
||||||
]),
|
]),
|
||||||
'update_role_permissions_limited' => new Permission([
|
'delete_role' => new Permission([
|
||||||
'slug' => 'update_role_permissions',
|
|
||||||
'name' => 'Edit role permissions',
|
|
||||||
'conditions' => "is_master(self.id) || (!has_role(self.id,role.id) && role.id != {$defaultRoleIds['site-admin']} && subset(fields,['permissions']))",
|
|
||||||
'description' => 'Edit basic properties of any role, except the Site Administrators role (unless you are the root user).',
|
|
||||||
]),
|
|
||||||
'update_role_field' => new Permission([
|
|
||||||
'slug' => 'update_role_field',
|
|
||||||
'name' => 'Edit role',
|
|
||||||
'conditions' => "is_master(self.id) || (!has_role(self.id,role.id) && role.id != {$defaultRoleIds['site-admin']} && subset(fields,['slug','name','description']))",
|
|
||||||
'description' => 'Edit basic properties of any role, except the Site Administrators role (unless you are the root user).',
|
|
||||||
]),
|
|
||||||
'delete_role_any' => new Permission([
|
|
||||||
'slug' => 'delete_role',
|
'slug' => 'delete_role',
|
||||||
'name' => 'Delete role',
|
'name' => 'Delete role',
|
||||||
'conditions' => 'always()',
|
'conditions' => 'always()',
|
||||||
'description' => 'Delete a role.',
|
'description' => 'Delete a role.',
|
||||||
]),
|
]),
|
||||||
'delete_role' => new Permission([
|
|
||||||
'slug' => 'delete_role',
|
|
||||||
'name' => 'Delete role',
|
|
||||||
'conditions' => "is_master(self.id) || (!has_role(self.id,role.id) && role.id != {$defaultRoleIds['site-admin']})",
|
|
||||||
'description' => 'Delete a role, except the Site Administrators role (unless you are the root user).',
|
|
||||||
]),
|
|
||||||
]
|
]
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
@@ -152,6 +142,23 @@ class DefaultPermissions extends UFDefaultPermissions
|
|||||||
{
|
{
|
||||||
parent::syncPermissionsRole($permissions);
|
parent::syncPermissionsRole($permissions);
|
||||||
|
|
||||||
|
$roleRoleAdmin = Role::where('slug', 'role-admin')->first();
|
||||||
|
if ($roleRoleAdmin) {
|
||||||
|
$roleRoleAdmin->permissions()->syncWithoutDetaching([
|
||||||
|
$permissions['uri_dashboard']->id,
|
||||||
|
$permissions['uri_role']->id,
|
||||||
|
$permissions['uri_roles']->id,
|
||||||
|
$permissions['uri_permission']->id,
|
||||||
|
$permissions['uri_permissions']->id,
|
||||||
|
|
||||||
|
$permissions['create_role']->id,
|
||||||
|
$permissions['view_role_field']->id,
|
||||||
|
$permissions['update_role_field']->id,
|
||||||
|
$permissions['update_role_permissions']->id,
|
||||||
|
$permissions['delete_role']->id,
|
||||||
|
]);
|
||||||
|
}
|
||||||
|
|
||||||
$roleSiteAdmin = Role::where('slug', 'site-admin')->first();
|
$roleSiteAdmin = Role::where('slug', 'site-admin')->first();
|
||||||
if ($roleSiteAdmin) {
|
if ($roleSiteAdmin) {
|
||||||
$roleSiteAdmin->permissions()->syncWithoutDetaching([
|
$roleSiteAdmin->permissions()->syncWithoutDetaching([
|
||||||
@@ -160,13 +167,8 @@ class DefaultPermissions extends UFDefaultPermissions
|
|||||||
$permissions['uri_roles']->id,
|
$permissions['uri_roles']->id,
|
||||||
$permissions['uri_permission']->id,
|
$permissions['uri_permission']->id,
|
||||||
$permissions['uri_permissions']->id,
|
$permissions['uri_permissions']->id,
|
||||||
// Too much power: $permissions['create_role']->id,
|
|
||||||
$permissions['view_role_field']->id,
|
$permissions['view_role_field']->id,
|
||||||
$permissions['update_role_field']->id,
|
|
||||||
// Too much power: $permissions['update_role_permissions']->id,
|
|
||||||
// Too much power: $permissions['update_role_permissions_limited']->id,
|
|
||||||
// Too much power: $permissions['delete_role']->id,
|
|
||||||
// Too much power: $permissions['delete_role_any']->id,
|
|
||||||
]);
|
]);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user