Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Created UnityPerms Class #92

Merged
merged 5 commits into from
Jul 17, 2023
Merged

Created UnityPerms Class #92

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
d414d91
created unityperms.php
sheldor1510 Jul 13, 2023
3318a10
cs fix (1)
sheldor1510 Jul 13, 2023
63b84c8
cs fix (2)
sheldor1510 Jul 13, 2023
8696b97
Merge branch 'main' into unity-perms
sheldor1510 Jul 15, 2023
5e587f3
changes
sheldor1510 Jul 17, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
131 changes: 131 additions & 0 deletions resources/lib/UnityPerms.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,131 @@
<?php

namespace UnityWebPortal\lib;

class UnityPerms
{
private $SQL;
private $USER;

public function __construct($SQL, $USER)
{
$this->SQL = $SQL;
$this->USER = $USER;
}

public function checkApproveUser($uid, $operated_on, $group)
{
if (!$this->USER->isInGroup($uid, $group)) {
return false;
}

$role = $this->SQL->getRole($uid, $group);

if ($this->SQL->hasPerm($role, 'unity.admin') || $this->SQL->hasPerm($role, 'unity.admin_no_grant')) {
return true;
}

if (!$this->SQL->hasPerm($role, 'unity.approve_user')) {
return false;
}

$operated_on_role = $this->SQL->getRole($operated_on, $group);

if ($this->SQL->getPriority($operated_on_role) >= $this->SQL->getPriority($role)) {
return false;
}

return true;
}

public function checkDenyUser($uid, $operated_on, $group)
{
if (!$this->USER->isInGroup($uid, $group)) {
return false;
}

$role = $this->SQL->getRole($uid, $group);

if ($this->SQL->hasPerm($role, 'unity.admin') || $this->SQL->hasPerm($role, 'unity.admin_no_grant')) {
return true;
}

if (!$this->SQL->hasPerm($role, 'unity.deny_user')) {
return false;
}

$operated_on_role = $this->SQL->getRole($operated_on, $group);

if ($this->SQL->getPriority($operated_on_role) >= $this->SQL->getPriority($role)) {
return false;
}

return true;
}

public function checkGrantRole($uid, $group, $role)
{
if (!$this->USER->isInGroup($uid, $group)) {
return false;
}

if (!$this->SQL->roleAvailableInGroup($uid, $group, $role)) {
return false;
}

$user_role = $this->SQL->getRole($uid, $group);

if ($this->SQL->hasPerm($user_role, 'unity.admin_no_grant') && $role == 'unity.admin') {
return false;
}

if ($this->SQL->hasPerm($user_role, 'unity.admin') || $this->SQL->hasPerm($user_role, 'unity.admin_no_grant')) {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

unity.admin_no_grant should not be able to grant the admin role, so you need a check here that doesn't return true if admin is the role trying to be granted.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added check

return true;
}

if (!$this->SQL->hasPerm($user_role, 'unity.grant_role')) {
return false;
}

$role_to_grant = $this->SQL->getRole($role, $group);

if ($this->SQL->getPriority($role_to_grant) >= $this->SQL->getPriority($user_role)) {
return false;
}

return true;
}

public function checkRevokeRole($uid, $group, $role)
{
if (!$this->USER->isInGroup($uid, $group)) {
return false;
}

if (!$this->SQL->roleAvailableInGroup($uid, $group, $role)) {
return false;
}

$user_role = $this->SQL->getRole($uid, $group);

if ($this->SQL->hasPerm($user_role, 'unity.admin_no_grant') && $role == 'unity.admin') {
return false;
}

if ($this->SQL->hasPerm($user_role, 'unity.admin') || $this->SQL->hasPerm($user_role, 'unity.admin_no_grant')) {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same here, admin_no_grant should not be able to revoke admin roles.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added

return true;
}

if (!$this->SQL->hasPerm($user_role, 'unity.revoke_role')) {
return false;
}

$role_to_revoke = $this->SQL->getRole($role, $group);

if ($this->SQL->getPriority($role_to_revoke) >= $this->SQL->getPriority($user_role)) {
return false;
}

return true;
}
}
72 changes: 72 additions & 0 deletions resources/lib/UnitySQL.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,12 @@ class UnitySQL
private const TABLE_AUDIT_LOG = "audit_log";
private const TABLE_ACCOUNT_DELETION_REQUESTS = "account_deletion_requests";
private const TABLE_SITEVARS = "sitevars";
private const TABLE_GROUP_ROLES = "groupRoles";
private const TABLE_GROUP_TYPES = "groupTypes";
private const TABLE_GROUP_ROLE_ASSIGNMENTS = "groupRoleAssignments";
private const TABLE_GROUP_REQUESTS = "groupRequests";
private const TABLE_GROUP_JOIN_REQUESTS = "groupJoinRequests";


private const REQUEST_ADMIN = "admin";

Expand Down Expand Up @@ -299,4 +305,70 @@ public function updateSiteVar($name, $value)

$stmt->execute();
}

public function getRole($uid, $group)
{
$stmt = $this->conn->prepare(
"SELECT * FROM " . self::TABLE_GROUP_ROLE_ASSIGNMENTS . " WHERE user=:uid AND `group`=:group"
);
$stmt->bindParam(":uid", $uid);
$stmt->bindParam(":group", $group);

$stmt->execute();

return $stmt->fetchAll()[0]['role'];
}

public function hasPerm($role, $perm)
{
$stmt = $this->conn->prepare(
"SELECT * FROM " . self::TABLE_GROUP_ROLES . " WHERE slug=:role"
);
$stmt->bindParam(":role", $role);

$stmt->execute();

$row = $stmt->fetchAll()[0];
$perms = explode(",", $row['perms']);
return in_array($perm, $perms);
}

public function getPriority($role)
{
$stmt = $this->conn->prepare(
"SELECT * FROM " . self::TABLE_GROUP_ROLES . " WHERE slug=:role"
);
$stmt->bindParam(":role", $role);

$stmt->execute();

$row = $stmt->fetchAll()[0];
return $row['priority'];
}

public function roleAvailableInGroup($uid, $group, $role)
{
$stmt = $this->conn->prepare(
"SELECT * FROM " . self::TABLE_GROUP_ROLE_ASSIGNMENTS . " WHERE user=:uid AND `group`=:group"
);
$stmt->bindParam(":uid", $uid);
$stmt->bindParam(":group", $group);

$stmt->execute();
$row = $stmt->fetchAll()[0];

$group_slug = $row['group'];

$stmt = $this->conn->prepare(
"SELECT * FROM " . self::TABLE_GROUP_TYPES . " WHERE slug=:slug"
);

$stmt->bindParam(":slug", $group_slug);
$stmt->execute();

$row = $stmt->fetchAll()[0];
$roles = explode(",", $row['roles']);

return in_array($role, $roles);
}
}
25 changes: 25 additions & 0 deletions resources/lib/UnityUser.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -671,4 +671,29 @@ public function hasRequestedAccountDeletion()
{
return $this->SQL->accDeletionRequestExists($this->getUID());
}

/**
* Checks whether a user is in a group or not
* @param string $uid uid of the user
* @param string or object $group group to check
* @return boolean true if user is in group, false if not
*/

public function isInGroup($uid, $group)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would prefer if this method accepted both a string for $group, and the object itself. You can check the type of the variable and act accordingly using gettype() in php.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

{
if (gettype($group) == "string") {
$group_checked = new UnityGroup(
$group,
$this->LDAP,
$this->SQL,
$this->MAILER,
$this->REDIS,
$this->WEBHOOK
);
} else {
$group_checked = $group;
}

return in_array($uid, $group_checked->getGroupMemberUIDs());
}
}
Loading