Added a new authorizer method for checking a user has a permission (for use in sprinkle level access checks)

(cherry picked from commit 97ded0eb08)

asset-bundles.json

@@ -2,7 +2,8 @@
     "bundle": {
         "js/admin": {
             "scripts": [
-                "uf-tweaks/js/handlebars-helpers.js"
+                "uf-tweaks/js/handlebars-helpers.js",
+                "uf-tweaks/js/modal-error-handler.js"
             ],
             "options": {
                 "sprinkle": {

assets/uf-tweaks/js/modal-error-handler.js

@@ -0,0 +1,16 @@
+
+/**
+ * Default handling of UF modal error
+ *
+ * This script depends on uf-modal.js
+ *
+ * Target page: *
+ */
+
+$(document).ready(function() {
+    const handleModalError = function() {
+        $(this).ufModal('destroy');
+        $('body').on('renderError.ufModal', handleModalError);
+    }
+    $('body').on('renderError.ufModal', handleModalError);
+});

routes/roles.php

@@ -0,0 +1,17 @@
+<?php
+
+/*
+ * AVSDev UF Tweaks (https://avsdev.uk)
+ *
+ * @link      https://git.avsdev.uk/avsdev/sprinkle-uf-tweaks
+ * @license   https://git.avsdev.uk/avsdev/sprinkle-uf-tweaks/blob/master/LICENSE.md (LGPL-3.0 License)
+ */
+
+use UserFrosting\Sprinkle\Core\Util\NoCache;
+
+/*
+ * Routes for administrative role management.
+ */
+$app->group('/api/roles', function () {
+    $this->get('/', 'UserFrosting\Sprinkle\UFTweaks\Controller\RoleController:getList');
+})->add('authGuard')->add(new NoCache());

src/Controller/RoleController.php

@@ -0,0 +1,73 @@
+<?php
+
+/*
+ * AVSDev UF Tweaks (https://avsdev.uk)
+ *
+ * @link      https://git.avsdev.uk/avsdev/sprinkle-uf-tweaks
+ * @license   https://git.avsdev.uk/avsdev/sprinkle-uf-tweaks/blob/master/LICENSE.md (LGPL-3.0 License)
+ */
+
+namespace UserFrosting\Sprinkle\UFTweaks\Controller;
+
+use Psr\Http\Message\ResponseInterface as Response;
+use Psr\Http\Message\ServerRequestInterface as Request;
+use UserFrosting\Sprinkle\Account\Database\Models\Role;
+use UserFrosting\Sprinkle\Core\Controller\SimpleController;
+use UserFrosting\Support\Exception\ForbiddenException;
+
+/**
+ * Override role controller class to tweak the list of available user roles
+ *
+ * @author Craig Williams (craig@avsdev.uk)
+ */
+class RoleController extends SimpleController
+{
+    /**
+     * Returns a list of Roles.
+     *
+     * Generates a list of roles, optionally paginated, sorted and/or filtered.
+     * This page requires authentication.
+     *
+     * Request type: GET
+     *
+     * @param Request  $request
+     * @param Response $response
+     * @param array    $args
+     *
+     * @throws ForbiddenException If user is not authorized to access page
+     */
+    public function getList(Request $request, Response $response, $args)
+    {
+        // GET parameters
+        $params = $request->getQueryParams();
+
+        /** @var \UserFrosting\Sprinkle\Account\Authorize\AuthorizationManager $authorizer */
+        $authorizer = $this->ci->authorizer;
+
+        /** @var \UserFrosting\Sprinkle\Core\Util\ClassMapper $classMapper */
+        $classMapper = $this->ci->classMapper;
+
+        /** @var \UserFrosting\Sprinkle\Account\Database\Models\Interfaces\UserInterface $currentUser */
+        $currentUser = $this->ci->currentUser;
+
+        // Access-controlled page
+        $adminRole = $authorizer->checkAccess($currentUser, 'uri_roles');
+        $userRole = $authorizer->checkAccess($currentUser, 'role_list');
+
+        if (!$adminRole && !$userRole) {
+            throw new ForbiddenException();
+        }
+
+        $sprunje = $classMapper->createInstance('role_sprunje', $classMapper, $params);
+        if ($userRole) {
+            $siteAdminId = Role::where('slug', 'site-admin')->first()->id;
+            $sprunje->extendQuery(function($query) {
+                $query->where('role_id', '!=', $siteAdminId);
+            });
+        }
+
+        // Be careful how you consume this data - it has not been escaped and contains untrusted user-supplied content.
+        // For example, if you plan to insert it into an HTML DOM, you must escape it on the client side (or use client-side templating).
+        return $sprunje->toResponse($response);
+    }
+}

src/Database/Seeds/CreateUserAdmin.php

@@ -0,0 +1,195 @@
+<?php
+
+/*
+ * AVSDev UF Tweaks (https://avsdev.uk)
+ *
+ * @link      https://git.avsdev.uk/avsdev/sprinkle-uf-tweaks
+ * @license   https://git.avsdev.uk/avsdev/sprinkle-uf-tweaks/blob/master/LICENSE.md (LGPL-3.0 License)
+ */
+
+namespace UserFrosting\Sprinkle\UFTweaks\Database\Seeds;
+
+use UserFrosting\Sprinkle\Account\Database\Seeds\DefaultPermissions as UFDefaultPermissions;
+use UserFrosting\Sprinkle\Account\Database\Models\Permission;
+use UserFrosting\Sprinkle\Account\Database\Models\Role;
+use UserFrosting\Sprinkle\Core\Database\Seeder\BaseSeed;
+use UserFrosting\Sprinkle\Core\Facades\Seeder;
+
+/**
+ * Seeder to create the user admin
+ */
+class CreateUserAdmin extends BaseSeed
+{
+    /**
+     * {@inheritdoc}
+     */
+    public function run()
+    {
+        Seeder::execute('DefaultPermissions');
+
+        $roles = $this->getRoles();
+        $this->saveRoles($roles);
+
+        $newPermissions = $this->getNewPermissions();
+        $this->savePermissions($newPermissions);
+
+        $permissions = $this->getPermissions();
+        $this->syncPermissionsRole($roles, array_merge($newPermissions, $permissions));
+    }
+
+    /**
+     * @return array Roles to seed
+     */
+    protected function getRoles()
+    {
+        return [
+            'user-admin' => new Role([
+                'slug'        => 'user-admin',
+                'name'        => 'User Administrator',
+                'description' => 'This role is meant for "user administrators", who can basically do anything related to users.',
+            ]),
+        ];
+    }
+
+    /**
+     * Save roles.
+     *
+     * @param array $roles
+     */
+    protected function saveRoles(array &$roles)
+    {
+        foreach ($roles as $slug => $role) {
+            // Trying to find if the role already exist
+            $existingRole = Role::where(['slug' => $role->slug])->first();
+
+            // Don't save if already exist, use existing role reference
+            // otherwise to re-sync permissions and roles
+            if ($existingRole == null) {
+                $role->save();
+            } else {
+                $roles[$slug] = $existingRole;
+            }
+        }
+    }
+
+    /**
+     * Save permissions.
+     *
+     * @param array $permissions
+     */
+    protected function savePermissions(array &$permissions)
+    {
+        foreach ($permissions as $slug => $permission) {
+            // Trying to find if the permission already exist
+            $existingPermission = Permission::where(['slug' => $permission->slug, 'conditions' => $permission->conditions])->first();
+
+            // Don't save if already exist, use existing permission reference
+            // otherwise to re-sync permissions and roles
+            if ($existingPermission == null) {
+                $permission->save();
+            } else {
+                $permissions[$slug] = $existingPermission;
+            }
+        }
+    }
+
+    /**
+     * @return array Permissions to seed
+     */
+    protected function getNewPermissions()
+    {
+        $defaultRoleIds = [
+            'user'        => Role::where('slug', 'user')->first()->id,
+            'group-admin' => Role::where('slug', 'group-admin')->first()->id,
+            'site-admin'  => Role::where('slug', 'site-admin')->first()->id,
+            'user-admin'  => Role::where('slug', 'user-admin')->first()->id,
+        ];
+
+        return [
+            'update_user_roles' => new Permission([
+                'slug'        => 'update_user_field',
+                'name'        => 'Edit user',
+                'conditions'  => "!has_role(user.id,{$defaultRoleIds['site-admin']}) && subset(fields,['roles'])",
+                'description' => 'Edit role for users who are not Site Administrators.',
+            ]),
+            'view_user_roles' => new Permission([
+                'slug'        => 'view_user_field',
+                'name'        => 'View user',
+                'conditions'  => "in(property,['roles'])",
+                'description' => 'View roles of any user.',
+            ]),
+            'role_list' => new Permission([
+                'slug'        => 'role_list',
+                'name'        => 'List of roles',
+                'conditions'  => "has_role(self.id,{$defaultRoleIds['user-admin']})",
+                'description' => 'Retrieve the list of roles.',
+            ]),
+        ];
+    }
+
+    /**
+     * @return array Permissions to seed
+     */
+    protected function getPermissions()
+    {
+        $defaultRoleIds = [
+            'user'        => Role::where('slug', 'user')->first()->id,
+            'group-admin' => Role::where('slug', 'group-admin')->first()->id,
+            'site-admin'  => Role::where('slug', 'site-admin')->first()->id,
+        ];
+
+        return [
+            'uri_dashboard' => Permission::where([
+                ['slug', 'uri_dashboard'],
+                ['conditions', 'always()']
+            ])->first(),
+
+            'uri_user' => Permission::where([
+                ['slug', 'uri_user'],
+                ['conditions', 'always()']
+            ])->first(),
+            'uri_users' => Permission::where([
+                ['slug', 'uri_users'],
+                ['conditions', 'always()']
+            ])->first(),
+
+            'create_user' => Permission::where([
+                ['slug', 'create_user']
+            ])->first(),
+            'view_user_field' => Permission::where([
+                ['slug', 'view_user_field']
+            ])->first(),
+            'update_user_field' => Permission::where([
+                ['slug', 'update_user_field']
+            ])->first(),
+            'delete_user' => Permission::where([
+                ['slug', 'delete_user']
+            ])->first(),
+        ];
+    }
+
+
+    /**
+     * Sync permissions with default roles.
+     *
+     * @param array $permissions
+     */
+    protected function syncPermissionsRole(array $roles, array $permissions)
+    {
+        $roles['user-admin']->permissions()->syncWithoutDetaching([
+            $permissions['uri_dashboard']->id,
+
+            $permissions['uri_user']->id,
+            $permissions['uri_users']->id,
+
+            $permissions['role_list']->id,
+            $permissions['view_user_roles']->id,
+            $permissions['update_user_roles']->id,
+
+            $permissions['create_user']->id,
+            $permissions['view_user_field']->id,
+            $permissions['update_user_field']->id,
+            $permissions['delete_user']->id,
+        ]);
+    }
+}

src/ServicesProvider/ServicesProvider.php

@@ -9,6 +9,7 @@
 
 namespace UserFrosting\Sprinkle\UFTweaks\ServicesProvider;
 
+use Illuminate\Database\Capsule\Manager as Capsule;
 use Monolog\Formatter\LineFormatter;
 use Monolog\Handler\StreamHandler;
 use Monolog\Logger;
@@ -43,10 +44,40 @@ class ServicesProvider
         $container->extend('classMapper', function ($classMapper, $c) {
             $classMapper->setClassMapping('activity_sprunje', 'UserFrosting\Sprinkle\UFTweaks\Sprunje\ActivitySprunje');
             $classMapper->setClassMapping('user', 'UserFrosting\Sprinkle\UFTweaks\Database\Models\User');
+            $classMapper->setClassMapping('user_sprunje', 'UserFrosting\Sprinkle\Organisations\Sprunje\UserSprunje');
 
             return $classMapper;
         });
 
+        /*
+         * Returns a callback that forwards to dashboard if user is already logged in.
+         *
+         * @return callable
+         */
+        $container['redirect.onAlreadyLoggedIn'] = function ($c) {
+            /*
+             * This method is invoked when a user attempts to perform certain public actions when they are already logged in.
+             *
+             * @todo Forward to user's landing page or last visited page
+             * @param  \Psr\Http\Message\ServerRequestInterface $request
+             * @param  \Psr\Http\Message\ResponseInterface      $response
+             * @param  array                                    $args
+             * @return \Psr\Http\Message\ResponseInterface
+             */
+            return function (Request $request, Response $response, array $args) use ($c) {
+                /** @var \UserFrosting\Sprinkle\Account\Authorize\AuthorizationManager */
+                $authorizer = $c->authorizer;
+
+                $currentUser = $c->authenticator->user();
+                
+                if ($authorizer->checkAccess($currentUser, 'uri_dashboard')) {
+                    return $response->withRedirect($c->router->pathFor('dashboard'));
+                } else {
+                    return $response->withRedirect($c->router->pathFor('index'));
+                }
+            };
+        };
+
         /*
          * Returns a callback that handles setting the `UF-Redirect` header after a successful login.
          *
@@ -120,6 +151,25 @@ class ServicesProvider
                 }
             );
 
+            /*
+             * Check if the specified user (by user_id) has a particular permission.
+             *
+             * @param  int  $user_id the id of the user.
+             * @param  int  $permission_slug slug of the permission to check.
+             * @return bool true if the user has the permission, false otherwise.
+             */
+            $authorizer->addCallback(
+                'has_permission',
+                function ($user_id, $permission_slug) {
+                    return Capsule::table('role_users')
+                        ->join('permission_roles', 'role_users.role_id', '=', 'permission_roles.role_id')
+                        ->join('permissions', 'permission_roles.permission_id', '=', 'permissions.id')
+                        ->where('user_id', $user_id)
+                        ->where('slug', $permission_slug)
+                        ->count() > 0;
+                }
+            );
+
             return $authorizer;
         });
 

src/Sprunje/UserSprunje.php

@@ -0,0 +1,48 @@
+<?php
+
+/*
+ * AVSDev UF Tweaks (https://avsdev.uk)
+ *
+ * @link      https://git.avsdev.uk/avsdev/sprinkle-uf-tweaks
+ * @license   https://git.avsdev.uk/avsdev/sprinkle-uf-tweaks/blob/master/LICENSE.md (LGPL-3.0 License)
+ */
+
+namespace UserFrosting\Sprinkle\UFTweaks\Sprunje;
+
+use Illuminate\Database\Schema\Builder;
+use UserFrosting\Sprinkle\Admin\Sprunje\UserSprunje as UFUserSprunje;
+
+/**
+ * UserSprunje.
+ *
+ * Extends User sprunje to make name filtering case-insensitive and include username
+ *
+ * @author Craig Williams (https://avsdev.uk)
+ */
+class UserSprunje extends UFUserSprunje
+{
+    /**
+     * Filter LIKE the first name, last name, or email.
+     *
+     * @param Builder $query
+     * @param mixed   $value
+     *
+     * @return self
+     */
+    protected function filterName($query, $value)
+    {
+        // Split value on separator for OR queries
+        $values = explode($this->orSeparator, $value);
+        $query->where(function ($query) use ($values) {
+            foreach ($values as $value) {
+                $likeValue = '%' . mb_strtolower($value) . '%';
+                $query->orWhereRaw('LOWER(first_name) LIKE ?', $likeValue)
+                ->orWhereRaw('LOWER(last_name) LIKE ?', $likeValue)
+                ->orWhereRaw('LOWER(email) LIKE ?', $likeValue)
+                ->orWhereRaw('LOWER(user_name) LIKE ?', $likeValue);
+            }
+        });
+
+        return $this;
+    }
+}