Added view user roles permission

routes/roles.php

@@ -0,0 +1,17 @@
+<?php
+
+/*
+ * AVSDev UF Tweaks (https://avsdev.uk)
+ *
+ * @link      https://git.avsdev.uk/avsdev/sprinkle-uf-tweaks
+ * @license   https://git.avsdev.uk/avsdev/sprinkle-uf-tweaks/blob/master/LICENSE.md (LGPL-3.0 License)
+ */
+
+use UserFrosting\Sprinkle\Core\Util\NoCache;
+
+/*
+ * Routes for administrative role management.
+ */
+$app->group('/api/roles', function () {
+    $this->get('/', 'UserFrosting\Sprinkle\UFTweaks\Controller\RoleController:getList');
+})->add('authGuard')->add(new NoCache());

src/Controller/RoleController.php

@@ -0,0 +1,73 @@
+<?php
+
+/*
+ * AVSDev UF Tweaks (https://avsdev.uk)
+ *
+ * @link      https://git.avsdev.uk/avsdev/sprinkle-uf-tweaks
+ * @license   https://git.avsdev.uk/avsdev/sprinkle-uf-tweaks/blob/master/LICENSE.md (LGPL-3.0 License)
+ */
+
+namespace UserFrosting\Sprinkle\UFTweaks\Controller;
+
+use Psr\Http\Message\ResponseInterface as Response;
+use Psr\Http\Message\ServerRequestInterface as Request;
+use UserFrosting\Sprinkle\Account\Database\Models\Role;
+use UserFrosting\Sprinkle\Core\Controller\SimpleController;
+use UserFrosting\Support\Exception\ForbiddenException;
+
+/**
+ * Override role controller class to tweak the list of available user roles
+ *
+ * @author Craig Williams (craig@avsdev.uk)
+ */
+class RoleController extends SimpleController
+{
+    /**
+     * Returns a list of Roles.
+     *
+     * Generates a list of roles, optionally paginated, sorted and/or filtered.
+     * This page requires authentication.
+     *
+     * Request type: GET
+     *
+     * @param Request  $request
+     * @param Response $response
+     * @param array    $args
+     *
+     * @throws ForbiddenException If user is not authorized to access page
+     */
+    public function getList(Request $request, Response $response, $args)
+    {
+        // GET parameters
+        $params = $request->getQueryParams();
+
+        /** @var \UserFrosting\Sprinkle\Account\Authorize\AuthorizationManager $authorizer */
+        $authorizer = $this->ci->authorizer;
+
+        /** @var \UserFrosting\Sprinkle\Core\Util\ClassMapper $classMapper */
+        $classMapper = $this->ci->classMapper;
+
+        /** @var \UserFrosting\Sprinkle\Account\Database\Models\Interfaces\UserInterface $currentUser */
+        $currentUser = $this->ci->currentUser;
+
+        // Access-controlled page
+        $adminRole = $authorizer->checkAccess($currentUser, 'uri_roles');
+        $userRole = $authorizer->checkAccess($currentUser, 'role_list');
+
+        if (!$adminRole && !$userRole) {
+            throw new ForbiddenException();
+        }
+
+        $sprunje = $classMapper->createInstance('role_sprunje', $classMapper, $params);
+        if ($userRole) {
+            $siteAdminId = Role::where('slug', 'site-admin')->first()->id;
+            $sprunje->extendQuery(function($query) {
+                $query->where('role_id', '!=', $siteAdminId);
+            });
+        }
+
+        // Be careful how you consume this data - it has not been escaped and contains untrusted user-supplied content.
+        // For example, if you plan to insert it into an HTML DOM, you must escape it on the client side (or use client-side templating).
+        return $sprunje->toResponse($response);
+    }
+}

src/Database/Seeds/CreateUserAdmin.php

@@ -0,0 +1,195 @@
+<?php
+
+/*
+ * AVSDev UF Tweaks (https://avsdev.uk)
+ *
+ * @link      https://git.avsdev.uk/avsdev/sprinkle-uf-tweaks
+ * @license   https://git.avsdev.uk/avsdev/sprinkle-uf-tweaks/blob/master/LICENSE.md (LGPL-3.0 License)
+ */
+
+namespace UserFrosting\Sprinkle\UFTweaks\Database\Seeds;
+
+use UserFrosting\Sprinkle\Account\Database\Seeds\DefaultPermissions as UFDefaultPermissions;
+use UserFrosting\Sprinkle\Account\Database\Models\Permission;
+use UserFrosting\Sprinkle\Account\Database\Models\Role;
+use UserFrosting\Sprinkle\Core\Database\Seeder\BaseSeed;
+use UserFrosting\Sprinkle\Core\Facades\Seeder;
+
+/**
+ * Seeder to create the user admin
+ */
+class CreateUserAdmin extends BaseSeed
+{
+    /**
+     * {@inheritdoc}
+     */
+    public function run()
+    {
+        Seeder::execute('DefaultPermissions');
+
+        $roles = $this->getRoles();
+        $this->saveRoles($roles);
+
+        $newPermissions = $this->getNewPermissions();
+        $this->savePermissions($newPermissions);
+
+        $permissions = $this->getPermissions();
+        $this->syncPermissionsRole($roles, array_merge($newPermissions, $permissions));
+    }
+
+    /**
+     * @return array Roles to seed
+     */
+    protected function getRoles()
+    {
+        return [
+            'user-admin' => new Role([
+                'slug'        => 'user-admin',
+                'name'        => 'User Administrator',
+                'description' => 'This role is meant for "user administrators", who can basically do anything related to users.',
+            ]),
+        ];
+    }
+
+    /**
+     * Save roles.
+     *
+     * @param array $roles
+     */
+    protected function saveRoles(array &$roles)
+    {
+        foreach ($roles as $slug => $role) {
+            // Trying to find if the role already exist
+            $existingRole = Role::where(['slug' => $role->slug])->first();
+
+            // Don't save if already exist, use existing role reference
+            // otherwise to re-sync permissions and roles
+            if ($existingRole == null) {
+                $role->save();
+            } else {
+                $roles[$slug] = $existingRole;
+            }
+        }
+    }
+
+    /**
+     * Save permissions.
+     *
+     * @param array $permissions
+     */
+    protected function savePermissions(array &$permissions)
+    {
+        foreach ($permissions as $slug => $permission) {
+            // Trying to find if the permission already exist
+            $existingPermission = Permission::where(['slug' => $permission->slug, 'conditions' => $permission->conditions])->first();
+
+            // Don't save if already exist, use existing permission reference
+            // otherwise to re-sync permissions and roles
+            if ($existingPermission == null) {
+                $permission->save();
+            } else {
+                $permissions[$slug] = $existingPermission;
+            }
+        }
+    }
+
+    /**
+     * @return array Permissions to seed
+     */
+    protected function getNewPermissions()
+    {
+        $defaultRoleIds = [
+            'user'        => Role::where('slug', 'user')->first()->id,
+            'group-admin' => Role::where('slug', 'group-admin')->first()->id,
+            'site-admin'  => Role::where('slug', 'site-admin')->first()->id,
+            'user-admin'  => Role::where('slug', 'user-admin')->first()->id,
+        ];
+
+        return [
+            'update_user_roles' => new Permission([
+                'slug'        => 'update_user_field',
+                'name'        => 'Edit user',
+                'conditions'  => "!has_role(user.id,{$defaultRoleIds['site-admin']}) && subset(fields,['roles'])",
+                'description' => 'Edit role for users who are not Site Administrators.',
+            ]),
+            'view_user_roles' => new Permission([
+                'slug'        => 'view_user_field',
+                'name'        => 'View user',
+                'conditions'  => "in(property,['roles'])",
+                'description' => 'View roles of any user.',
+            ]),
+            'role_list' => new Permission([
+                'slug'        => 'role_list',
+                'name'        => 'List of roles',
+                'conditions'  => "has_role(self.id,{$defaultRoleIds['user-admin']})",
+                'description' => 'Retrieve the list of roles.',
+            ]),
+        ];
+    }
+
+    /**
+     * @return array Permissions to seed
+     */
+    protected function getPermissions()
+    {
+        $defaultRoleIds = [
+            'user'        => Role::where('slug', 'user')->first()->id,
+            'group-admin' => Role::where('slug', 'group-admin')->first()->id,
+            'site-admin'  => Role::where('slug', 'site-admin')->first()->id,
+        ];
+
+        return [
+            'uri_dashboard' => Permission::where([
+                ['slug', 'uri_dashboard'],
+                ['conditions', 'always()']
+            ])->first(),
+
+            'uri_user' => Permission::where([
+                ['slug', 'uri_user'],
+                ['conditions', 'always()']
+            ])->first(),
+            'uri_users' => Permission::where([
+                ['slug', 'uri_users'],
+                ['conditions', 'always()']
+            ])->first(),
+
+            'create_user' => Permission::where([
+                ['slug', 'create_user']
+            ])->first(),
+            'view_user_field' => Permission::where([
+                ['slug', 'view_user_field']
+            ])->first(),
+            'update_user_field' => Permission::where([
+                ['slug', 'update_user_field']
+            ])->first(),
+            'delete_user' => Permission::where([
+                ['slug', 'delete_user']
+            ])->first(),
+        ];
+    }
+
+
+    /**
+     * Sync permissions with default roles.
+     *
+     * @param array $permissions
+     */
+    protected function syncPermissionsRole(array $roles, array $permissions)
+    {
+        $roles['user-admin']->permissions()->syncWithoutDetaching([
+            $permissions['uri_dashboard']->id,
+
+            $permissions['uri_user']->id,
+            $permissions['uri_users']->id,
+
+            $permissions['role_list']->id,
+            $permissions['view_user_roles']->id,
+            $permissions['update_user_roles']->id,
+
+            $permissions['create_user']->id,
+            $permissions['view_user_field']->id,
+            $permissions['update_user_field']->id,
+            $permissions['delete_user']->id,
+        ]);
+    }
+}