comanage-dev - [comanage-dev] r397 - in registry/trunk/app: Controller Model View/CoPeople
Subject: COmanage Developers List
- Subject: [comanage-dev] r397 - in registry/trunk/app: Controller Model View/CoPeople
- Date: Tue, 13 Nov 2012 19:42:46 -0500
Author: benno
Date: 2012-11-13 19:42:46 -0500 (Tue, 13 Nov 2012)
New Revision: 397
Modified:
registry/trunk/app/Controller/AddressesController.php
registry/trunk/app/Controller/AppController.php
registry/trunk/app/Controller/CoInvitesController.php
registry/trunk/app/Controller/CoPeopleController.php
registry/trunk/app/Controller/CoPersonRolesController.php
registry/trunk/app/Controller/CoPetitionsController.php
registry/trunk/app/Controller/OrgIdentitiesController.php
registry/trunk/app/Controller/TelephoneNumbersController.php
registry/trunk/app/Model/CoPerson.php
registry/trunk/app/Model/CoRole.php
registry/trunk/app/Model/Cou.php
registry/trunk/app/View/CoPeople/index.ctp
Log:
Refactor CMRoles and fix permissions error rendering co_people/index (CO-504)
Modified: registry/trunk/app/Controller/AddressesController.php
===================================================================
--- registry/trunk/app/Controller/AddressesController.php 2012-11-05
23:25:57 UTC (rev 396)
+++ registry/trunk/app/Controller/AddressesController.php 2012-11-14
00:42:46 UTC (rev 397)
@@ -114,7 +114,7 @@
if(isset($cou['Cou']['name']))
{
- foreach($cmr['couadmin'] as $c)
+ foreach(array_values($cmr['admincous']) as $c)
{
if($c == $cou['Cou']['name'])
{
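Review bot: `$cmr['admincous']` is initialised to `null` in calculateCMRoles and only filled when both a CO Person ID and a CO ID are set, so `array_values($cmr['admincous'])` in this loop header can receive null unless a guard outside the hunk excludes that case. `array_values()` is also redundant because foreach already iterates over values; `foreach((array)$cmr['admincous'] as $c)` covers both points. The same line is added in TelephoneNumbersController.php. Since admincous is now keyed by COU ID, matching on the ID rather than on `$cou['Cou']['name']` would stop this authorization check from depending on name comparison; the enclosing block starts and ends outside the hunk.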
Modified: registry/trunk/app/Controller/AppController.php
===================================================================
--- registry/trunk/app/Controller/AppController.php 2012-11-05 23:25:57
UTC (rev 396)
+++ registry/trunk/app/Controller/AppController.php 2012-11-14 00:42:46
UTC (rev 397)
@@ -194,7 +194,8 @@
* @return Array An array with values of 'true' if the user has the
specified role or 'false' otherwise, with possible keys of
* - cmadmin: COmanage platform administrator
* - coadmin: Administrator of the current CO
- * - couadmin: Administrator of one or more COUs within the current CO
(rather than set to true, the COUs are enumerated in an array)
+ * - couadmin: Administrator of one or more COUs within the current CO
+ * - admincous: COUs for which user is an Administrator (list of COU IDs
and Names)
* - comember: Member of the current CO
* - admin: Valid admin in any CO
* - subadmin: Valid admin for any COU
@@ -202,16 +203,19 @@
* - apiuser: Valid API (REST) user (for now, API users are equivalent to
cmadmins)
* - orgidentityid: Org Identity ID of current user (or false)
* - copersonid: CO Person ID of current user in current CO (or false)
- * @todo XXX Rewrite to use Model/CoRole authz calls
*/
public function calculateCMRoles() {
+ // We basically translate from the currently logged in info as
determined by
+ // UsersController to role information as determined by CoRole.
+
global $group_sep;
$ret = array(
'cmadmin' => false,
'coadmin' => false,
'couadmin' => false,
+ 'admincous' => null,
'comember' => false,
'admin' => false,
'subadmin' => false,
@@ -221,93 +225,65 @@
'copersonid' => false
);
- // Retrieve session info
+ $coId = $this->cur_co['Co']['id'];
+ $coPersonId = null;
+ $username = null;
- if($this->Session->check('Auth.User.cos')) {
- $cos = $this->Session->read('Auth.User.cos');
+ if($this->Session->check('Auth.User.username')) {
+ $username = $this->Session->read('Auth.User.username');
+ }
+
+ // Use CoRole to perform various calculations
+
+ $this->loadModel('CoRole');
+
+ // Is this user a CMP admin?
+
+ if($this->Session->check('Auth.User.username')) {
+ $ret['cmadmin'] = $this->CoRole->identifierIsCmpAdmin($username);
+ }
+
+ // Figure out the revelant CO Person ID for the current user and the
current CO
+
+ $this->loadModel('CoPerson');
+
+ // XXX We should pass an identifier type that was somehow configured
(see also CoRole->identifierIs*Admin)
+ $coPersonId = $this->CoPerson->idForIdentifier($coId, $username, null,
true);
+
+ // Is this user a member of the current CO?
+ // We only want to populate $ret['copersonid'] if this CO Person ID is
in the current CO
+
+ if($this->CoRole->isCoPerson($coPersonId, $coId)) {
+ $ret['copersonid'] = $coPersonId;
+ $ret['comember'] = true;
- // Platform admin?
- if(isset($cos['COmanage']['groups']['admin']['member']))
- $ret['cmadmin'] = $cos['COmanage']['groups']['admin']['member'];
-
- if(isset($this->cur_co))
- {
- // Admin of current CO?
- if(isset($cos[ $this->cur_co['Co']['name']
]['groups']['admin']['member']))
- $ret['coadmin'] = $cos[ $this->cur_co['Co']['name']
]['groups']['admin']['member'];
-
- // Admin of COU within current CO?
- if(isset($cos[ $this->cur_co['Co']['name'] ]['groups']))
- {
- // COU admins are members of groups named admin{sep}{COU} within
the CO
-
- foreach(array_keys($cos[ $this->cur_co['Co']['name'] ]['groups'])
as $g)
- {
- $ga = explode($group_sep, $g, 2);
-
- if($ga[0] == "admin" && !empty($ga[1])
- && isset($cos[ $this->cur_co['Co']['name']
]['groups'][$g]['member'])
- && $cos[ $this->cur_co['Co']['name']
]['groups'][$g]['member'])
- {
- $ret['couadmin'][] = $ga[1];
- }
- }
-
- if(!empty($ret['couadmin']))
- {
- // Include children
- $this->loadModel('Cou');
-
- $ret['couadmin'] = $this->Cou->childCous($ret['couadmin'],
$this->cur_co['Co']['id']);
- if($ret['couadmin'] != NULL)
- sort($ret['couadmin']);
- }
- }
-
- // Member of current CO?
- if(isset($cos[ $this->cur_co['Co']['name'] ]['co_person_id']))
- {
- $ret['copersonid'] = $cos[ $this->cur_co['Co']['name']
]['co_person_id'];
- $ret['comember'] = true;
- // Also store the co_person_id directly in the session to make it
easier to find
- $this->Session->write('Auth.User.co_person_id',
$ret['copersonid']);
- }
- }
-
- // Admin of any CO?
- foreach($cos as $c)
- {
- if(isset($c['groups']['admin']['member'])
- && $c['groups']['admin']['member'])
- {
- $ret['admin'] = true;
- break;
- }
- }
+ // Also store the co_person_id directly in the session to make it
easier to find
+ $this->Session->write('Auth.User.co_person_id', $ret['copersonid']);
+ }
+
+ if(isset($coPersonId) && isset($coId)) {
+ // Is this user an admin of the current CO?
- // Admin of any COU?
- foreach($cos as $c)
- {
- if(isset($c['groups']))
- {
- foreach(array_keys($c['groups']) as $g)
- {
- $ga = explode($group_sep, $g, 2);
-
- if($ga[0] == "admin" && !empty($ga[1])
- && isset($c['groups'][$g]['member']) &&
$c['groups'][$g]['member'])
- {
- $ret['subadmin'] = true;
- break;
- }
- }
- }
- }
+ $ret['coadmin'] = $this->CoRole->isCoAdmin($coPersonId, $coId);
+
+ // Is this user an admin of a COU within the current CO?
+
+ $ret['admincous'] = $this->CoRole->couAdminFor($coPersonId, $coId);
+ $ret['couadmin'] = !empty($ret['admincous']);
}
+
+ // Is the user an admin of any CO?
+
+ $ret['admin'] = ($ret['coadmin'] ||
$this->CoRole->identifierIsCoAdmin($username));
+
+ // Is the user a COU admin for any CO?
+
+ $ret['subadmin'] = ($ret['couadmin'] ||
$this->CoRole->identifierIsCouAdmin($username));
// Platform user?
- if($this->Session->check('Auth.User.name'))
+ if($this->Session->check('Auth.User.name')) {
$ret['user'] = true;
+ }
// API user or Org Person?
if($this->Session->check('Auth.User.api_user_id')) {
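Review bot: `$coId = $this->cur_co['Co']['id'];` and the following `idForIdentifier($coId, $username, null, true)` call run unconditionally, whereas the removed code only touched `$this->cur_co` inside `if(isset($this->cur_co))` and only read the session when it held data. For a request with no current CO or no `Auth.User.username`, the lookup is made with null arguments, and idForIdentifier rethrows as InvalidArgumentException, which nothing in this function catches; `identifierIsCoAdmin($username)` and `identifierIsCouAdmin($username)` are reached the same way. Guarding the CO-scoped lookups and treating a failed lookup as "no roles" keeps the role calculation failing closed without an unhandled exception. `global $group_sep;` is no longer used in the new body, and the function continues outside this hunk.

```php
// … unchanged: $ret initialisation, username lookup, cmadmin check …
$coId = isset($this->cur_co['Co']['id']) ? $this->cur_co['Co']['id'] : null;

if($username !== null && $coId !== null) {
  try {
    $coPersonId = $this->CoPerson->idForIdentifier($coId, $username, null, true);
  }
  catch(InvalidArgumentException $e) {
    // No active login identifier for this user in this CO:
    // leave copersonid, comember, coadmin and couadmin at their false defaults
    $coPersonId = null;
  }
}
// … unchanged: isCoPerson / isCoAdmin / couAdminFor checks, run only when $coPersonId is set …
```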
@@ -316,7 +292,7 @@
} elseif($this->Session->check('Auth.User.org_identities')) {
$ret['orgidentities'] =
$this->Session->read('Auth.User.org_identities');
}
-
+
return($ret);
}
Modified: registry/trunk/app/Controller/CoInvitesController.php
===================================================================
--- registry/trunk/app/Controller/CoInvitesController.php 2012-11-05
23:25:57 UTC (rev 396)
+++ registry/trunk/app/Controller/CoInvitesController.php 2012-11-14
00:42:46 UTC (rev 397)
@@ -205,7 +205,7 @@
$p['reply'] = true;
// Send an invite? (HTML only)
- $p['send'] = ($cmr['cmadmin'] || $cmr['coadmin'] ||
!empty($cmr['couadmin']));
+ $p['send'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $cmr['couadmin']);
$this->set('permissions', $p);
return($p[$this->action]);
Modified: registry/trunk/app/Controller/CoPeopleController.php
===================================================================
--- registry/trunk/app/Controller/CoPeopleController.php 2012-11-05
23:25:57 UTC (rev 396)
+++ registry/trunk/app/Controller/CoPeopleController.php 2012-11-14
00:42:46 UTC (rev 397)
@@ -437,10 +437,10 @@
// Determine what operations this user can perform
// Add a new CO Person?
- $p['add'] = ($cmr['cmadmin'] || $cmr['coadmin'] ||
!empty($cmr['couadmin']));
+ $p['add'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $cmr['couadmin']);
$p['enroll'] = $p['add'];
// Via invite?
- $p['invite'] = ($cmr['cmadmin'] || $cmr['coadmin'] ||
!empty($cmr['couadmin']));
+ $p['invite'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $cmr['couadmin']);
// Compare CO attributes and Org attributes?
$p['compare'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $self);
@@ -449,17 +449,17 @@
// A COU admin should be able to delete a CO Person, but not if they
have any roles
// associated with a COU the admin isn't responsible for. We'll catch
that in
// checkDeleteDependencies.
- $p['delete'] = ($cmr['cmadmin'] || $cmr['coadmin'] ||
!empty($cmr['couadmin']));
+ $p['delete'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $cmr['couadmin']);
// Edit an existing CO Person?
- $p['edit'] = ($cmr['cmadmin'] || $cmr['coadmin'] ||
!empty($cmr['couadmin']) || $self);
+ $p['edit'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $cmr['couadmin'] ||
$self);
// Are we allowed to edit our own record?
// If we're an admin, we act as an admin, not self.
- $p['editself'] = $self && !$cmr['cmadmin'] && !$cmr['coadmin'] &&
empty($cmr['couadmin']);
+ $p['editself'] = $self && !$cmr['cmadmin'] && !$cmr['coadmin'] &&
!$cmr['couadmin'];
// View all existing CO People (or a COU's worth)?
- $p['index'] = ($cmr['cmadmin'] || $cmr['coadmin'] ||
!empty($cmr['couadmin']));
+ $p['index'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $cmr['couadmin']);
// Match against existing CO People?
// Note this same permission exists in CO Petitions
@@ -483,24 +483,23 @@
}
// View an existing CO Person?
- $p['view'] = ($cmr['cmadmin'] || $cmr['coadmin'] ||
!empty($cmr['couadmin']) || $self);
+ $p['view'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $cmr['couadmin'] ||
$self);
// Determine which COUs a person can manage.
if($cmr['cmadmin'] || $cmr['coadmin'])
- $p['cous'] =
$this->CoPerson->CoPersonRole->Cou->allCous($this->cur_co['Co']['id'],
'names');
- elseif(!empty($cmr['couadmin']))
- $p['cous'] = $cmr['couadmin'];
+ $p['cous'] =
$this->CoPerson->CoPersonRole->Cou->allCous($this->cur_co['Co']['id']);
+ elseif(!empty($cmr['admincous']))
+ $p['cous'] = $cmr['admincous'];
else
$p['cous'] = array();
// COUs are handled a bit differently. We need to authorize operations
that
// operate on a per-person basis accordingly.
- if(!empty($cmr['couadmin']) && !empty($p['cous']))
- {
- if(!empty($this->request->params['pass'][0]))
- {
+ if($cmr['couadmin'] && !empty($p['cous'])) {
+// XXX recheck this functionality
+ if(!empty($this->request->params['pass'][0])) {
// If the target person is in a COU managed by the COU admin, grant
permission
$tcous = $this->CoPerson->CoPersonRole->Cou->find("list",
@@ -512,10 +511,9 @@
"conditions"
=>
array('CoPersonRole.co_person_id' => $this->request->params['pass'][0])));
- $a = array_intersect($tcous, $p['cous']);
-
- if(!empty($a))
- {
+ $a = array_intersect($tcous, array_values($p['cous']));
+
+ if(!empty($a)) {
// CO Person is a member of at least one COU that the COU admin
manages
$p['compare'] = true;
@@ -523,11 +521,17 @@
$p['edit'] = true;
$p['view'] = true;
}
- }
- else
- {
- if($p['index'])
- {
+ } else {
+ if($p['index']) {
+ // For rendering index, we currently assume that COU Admins can
manage
+ // CO Person level data for any person in the CO (but see CO-505),
but
+ // a COU Admin can't edit role data for which they are not the
admin.
+ // It might be nice to pull all the people in the COU and pass a
list
+ // of CO Role IDs, but that would require pulling all the person
role
+ // records twice (again later in StandardController::index()).
Since
+ // $p['admincous'] has the appropriate COUs listed, will let the
view
+ // do a bit of work when rendering.
+
// These permissions are person-level, and are probably not
exactly right.
// Specifically, delete could be problematic since a COU admin
can't
// delete a person with a COU role that the admin doesn't manage.
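Review bot: The added comment refers to `$p['admincous']`, but the key this function populates is `$p['cous']` (taken from `$cmr['admincous']`); the comment should name `$p['cous']` so a reader looking for the array the view consumes can find it. Because the comment says the view is left to do part of the per-role filtering, it is worth adding one sentence that the view only decides what is rendered and that checkDeleteDependencies, mentioned earlier in this function, remains the enforcing check for delete. The enclosing branch continues outside the hunk.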
Modified: registry/trunk/app/Controller/CoPersonRolesController.php
===================================================================
--- registry/trunk/app/Controller/CoPersonRolesController.php 2012-11-05
23:25:57 UTC (rev 396)
+++ registry/trunk/app/Controller/CoPersonRolesController.php 2012-11-14
00:42:46 UTC (rev 397)
@@ -293,7 +293,7 @@
// Determine what operations this user can perform
// Add a new CO Person Role?
- $p['add'] = ($cmr['cmadmin'] || $cmr['coadmin'] ||
!empty($cmr['couadmin']));
+ $p['add'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $cmr['couadmin']);
// Delete an existing CO Person Role?
$p['delete'] = ($cmr['cmadmin'] || $cmr['coadmin']);
@@ -303,10 +303,10 @@
// Are we trying to edit our own record?
// If we're an admin, we act as an admin, not self.
- $p['editself'] = $self && !$cmr['cmadmin'] && !$cmr['coadmin'] &&
empty($cmr['couadmin']);
+ $p['editself'] = $self && !$cmr['cmadmin'] && !$cmr['coadmin'] &&
!$cmr['couadmin'];
// View all existing CO Person Roles (or a COU's worth)?
- $p['index'] = ($cmr['cmadmin'] || $cmr['coadmin'] ||
!empty($cmr['couadmin']));
+ $p['index'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $cmr['couadmin']);
// View an existing CO Person Role?
$p['view'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $self);
@@ -317,15 +317,15 @@
// get a list of names. This is to generate the pop-up on the edit
form.
$p['cous'] =
$this->CoPersonRole->Cou->allCous($this->cur_co['Co']['id']);
}
- elseif(!empty($cmr['couadmin']))
- $p['cous'] = $cmr['couadmin'];
+ elseif(!empty($cmr['admincous']))
+ $p['cous'] = array_values($cmr['admincous']);
else
$p['cous'] = array();
// COUs are handled a bit differently. We need to authorize operations
that
// operate on a per-person basis accordingly.
- if(!empty($cmr['couadmin']) && !empty($p['cous']))
+ if($cmr['couadmin'] && !empty($p['cous']))
{
if(!empty($this->request->params['pass'][0]))
{
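Review bot: `$p['cous'] = array_values($cmr['admincous']);` discards the COU IDs that couAdminFor returns as array keys, while the branch just above fills `$p['cous']` from `allCous()` for the edit-form pop-up. If `allCous()` returns an ID-keyed list, as the CoPeopleController change in this commit suggests, a COU admin gets a differently shaped array than a CO admin, and anything keyed on the COU ID will not match. Keeping the keys, `$p['cous'] = $cmr['admincous'];`, and comparing on IDs further down would make both branches agree; the per-person check that follows lies outside this hunk, so confirm it against that code.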
Modified: registry/trunk/app/Controller/CoPetitionsController.php
===================================================================
--- registry/trunk/app/Controller/CoPetitionsController.php 2012-11-05
23:25:57 UTC (rev 396)
+++ registry/trunk/app/Controller/CoPetitionsController.php 2012-11-14
00:42:46 UTC (rev 397)
@@ -318,10 +318,10 @@
// Add a new CO Petition?
$p['add'] = $flowAuthorized
// Or we have an index view
- || ($this->enrollmentFlowID() == -1 && ($cmr['cmadmin'] ||
$cmr['coadmin'] || !empty($cmr['couadmin'])));
+ || ($this->enrollmentFlowID() == -1 && ($cmr['cmadmin'] ||
$cmr['coadmin'] || $cmr['couadmin']));
// Approve a CO Petition?
- $p['approve'] = ($cmr['cmadmin'] || $cmr['coadmin'] ||
!empty($cmr['couadmin']));
+ $p['approve'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $cmr['couadmin']);
$p['deny'] = $p['approve'];
// Delete an existing CO Petition?
@@ -329,7 +329,7 @@
$p['delete'] = ($cmr['cmadmin'] || $cmr['coadmin']);
// Edit an existing CO Petition?
- $p['edit'] = ($cmr['cmadmin'] || $cmr['coadmin'] ||
!empty($cmr['couadmin']));
+ $p['edit'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $cmr['couadmin']);
// Match against existing CO People? If the match policy is Advisory or
Automatic, we
// allow matching to take place as long as $flowAuthorized is also true.
@@ -342,14 +342,14 @@
|| $p['match_policy'] ==
EnrollmentMatchPolicyEnum::Automatic));
// View all existing CO Petitions?
- $p['index'] = ($cmr['cmadmin'] || $cmr['coadmin'] ||
!empty($cmr['couadmin']));
+ $p['index'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $cmr['couadmin']);
// Resend invitations?
- $p['resend'] = ($cmr['cmadmin'] || $cmr['coadmin'] ||
!empty($cmr['couadmin']));
+ $p['resend'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $cmr['couadmin']);
// View an existing CO Petition? We allow the usual suspects to view a
Petition, even
// if they don't have permission to edit it.
- $p['view'] = ($cmr['cmadmin'] || $cmr['coadmin'] ||
!empty($cmr['couadmin']));
+ $p['view'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $cmr['couadmin']);
$this->set('permissions', $p);
return($p[$this->action]);
Modified: registry/trunk/app/Controller/OrgIdentitiesController.php
===================================================================
--- registry/trunk/app/Controller/OrgIdentitiesController.php 2012-11-05
23:25:57 UTC (rev 396)
+++ registry/trunk/app/Controller/OrgIdentitiesController.php 2012-11-14
00:42:46 UTC (rev 397)
@@ -318,26 +318,26 @@
$p['view'] = ($cmr['cmadmin'] || $cmr['admin'] || $cmr['subadmin'] ||
$self);
} else {
// Add a new Org Person?
- $p['add'] = ($cmr['cmadmin'] || $cmr['coadmin'] ||
!empty($cmr['couadmin']));
+ $p['add'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $cmr['couadmin']);
// Via LDAP query?
- $p['addvialdap'] = ($cmr['cmadmin'] || $cmr['coadmin'] ||
!empty($cmr['couadmin']));
- $p['selectvialdap'] = ($cmr['cmadmin'] || $cmr['coadmin'] ||
!empty($cmr['couadmin']));
+ $p['addvialdap'] = ($cmr['cmadmin'] || $cmr['coadmin'] ||
$cmr['couadmin']);
+ $p['selectvialdap'] = ($cmr['cmadmin'] || $cmr['coadmin'] ||
$cmr['couadmin']);
// Delete an existing Org Person?
- $p['delete'] = ($cmr['cmadmin'] || $cmr['coadmin'] ||
!empty($cmr['couadmin']));
+ $p['delete'] = ($cmr['cmadmin'] || $cmr['coadmin'] ||
$cmr['couadmin']);
// Edit an existing Org Person?
- $p['edit'] = ($cmr['cmadmin'] || $cmr['coadmin'] ||
!empty($cmr['couadmin']));
+ $p['edit'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $cmr['couadmin']);
// Find an Org Person to add to a CO?
- $p['find'] = ($cmr['cmadmin'] || $cmr['coadmin'] ||
!empty($cmr['couadmin']));
+ $p['find'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $cmr['couadmin']);
// View all existing Org People?
- $p['index'] = ($cmr['cmadmin'] || $cmr['coadmin'] ||
!empty($cmr['couadmin']));
+ $p['index'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $cmr['couadmin']);
// View an existing Org Person?
- $p['view'] = ($cmr['cmadmin'] || $cmr['coadmin'] ||
!empty($cmr['couadmin']) || $self);
+ $p['view'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $cmr['couadmin']
|| $self);
}
$this->set('permissions', $p);
Modified: registry/trunk/app/Controller/TelephoneNumbersController.php
===================================================================
--- registry/trunk/app/Controller/TelephoneNumbersController.php
2012-11-05 23:25:57 UTC (rev 396)
+++ registry/trunk/app/Controller/TelephoneNumbersController.php
2012-11-14 00:42:46 UTC (rev 397)
@@ -115,7 +115,7 @@
if(isset($cou['Cou']['name']))
{
- foreach($cmr['couadmin'] as $c)
+ foreach(array_values($cmr['admincous']) as $c)
{
if($c == $cou['Cou']['name'])
{
Modified: registry/trunk/app/Model/CoPerson.php
===================================================================
--- registry/trunk/app/Model/CoPerson.php 2012-11-05 23:25:57 UTC (rev
396)
+++ registry/trunk/app/Model/CoPerson.php 2012-11-14 00:42:46 UTC (rev
397)
@@ -155,20 +155,48 @@
}
/**
- * Obtain all CO Person IDs for an identifier.
+ * Obtain the CO Person ID for an identifier (which must be Active).
*
* @since COmanage Registry v0.6
* @param String Identifier
* @param String Identifier type (null for any type; not recommended)
+ * @param Boolean Login identifiers only
* @return Array CO Person IDs
* @throws InvalidArgumentException
*/
- function idsForIdentifier($identifier, $identifierType=null) {
+ public function idForIdentifier($coId, $identifier, $identifierType=null,
$login=false) {
+ // Notice confusing change in order of arguments due to which ones
default to null/false
+
+ try {
+ $coPersonIds = $this->idsForIdentifier($identifier, $identifierType,
$login, $coId);
+ }
+ catch(Exception $e) {
+ throw new InvalidArgumentException($e->getMessage());
+ }
+
+ return $coPersonIds[0];
+ }
+
+ /**
+ * Obtain all CO Person IDs for an identifier (which must be Active).
+ *
+ * @since COmanage Registry v0.6
+ * @param String Identifier
+ * @param String Identifier type (null for any type; not recommended)
+ * @param Boolean Login identifiers only
+ * @param Integer CO ID (null for all matching COs)
+ * @return Array CO Person IDs
+ * @throws InvalidArgumentException
+ */
+
+ function idsForIdentifier($identifier, $identifierType=null, $login=false,
$coId=null) {
// First pull the identifier record
$args = array();
$args['conditions']['Identifier.identifier'] = $identifier;
+ $args['conditions']['Identifier.login'] = $login;
+ $args['conditions']['Identifier.status'] = StatusEnum::Active;
$args['contain'] = false;
if($identifierType) {
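Review bot: `$args['conditions']['Identifier.login'] = $login;` is applied unconditionally, so with the default `$login=false` idsForIdentifier now matches only identifiers whose login flag is false, although the docblock describes the parameter as "Login identifiers only". If the intent is an optional filter, apply it only when requested: `if($login) { $args['conditions']['Identifier.login'] = true; }`. In idForIdentifier, `return $coPersonIds[0];` assumes a non-empty result, and the docblock omits the new `$coId` parameter and still says `@return Array CO Person IDs` although a single ID is returned. The body of idsForIdentifier continues outside the hunk.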
Modified: registry/trunk/app/Model/CoRole.php
===================================================================
--- registry/trunk/app/Model/CoRole.php 2012-11-05 23:25:57 UTC (rev 396)
+++ registry/trunk/app/Model/CoRole.php 2012-11-14 00:42:46 UTC (rev 397)
@@ -45,6 +45,26 @@
*/
protected function cachedGroupCheck($coPersonId, $coId, $groupName="",
$searchParam="", $groupId=null) {
+ // Since cachedGroupGet is also cached, we don't need to do another
cache here
+
+ $groups = $this->cachedGroupGet($coPersonId, $coId, $groupName,
$searchParam, $groupId);
+
+ return (boolean)count($groups);
+ }
+
+ /**
+ * Internal function to handle a cached group membership get.
+ *
+ * @since COmanage Registry v0.8
+ * @param Integer CO Person ID
+ * @param Integer CO ID
+ * @param String Group name or SQL pattern to check
+ * @param String SQL parameter (eg: "LIKE") to use in search conditions
+ * @param Integer CO Group ID
+ * @return Array Array of CO Groups as returned by find()
+ */
+
+ protected function cachedGroupGet($coPersonId, $coId, $groupName="",
$searchParam="", $groupId=null) {
// First check the cache (note: $condKey is something like "CoGroup.name
LIKE")
$condKey = null;
@@ -53,7 +73,7 @@
if($groupName != "") {
$condKey = 'CoGroup.name' . ($searchParam != "" ? (" " . $searchParam)
: "");
$condValue = $groupName;
- } else {
+ } elseif($groupId != null) {
$condKey = 'CoGroup.id';
$condValue = $groupId;
}
@@ -73,21 +93,24 @@
$args['joins'][0]['alias'] = 'CoGroupMember';
$args['joins'][0]['type'] = 'INNER';
$args['joins'][0]['conditions'][0] =
'CoGroup.id=CoGroupMember.co_group_id';
- $args['conditions'][$condKey] = $condValue;
+ if($condValue != null) {
+ $args['conditions'][$condKey] = $condValue;
+ }
$args['conditions']['CoGroup.status'] = StatusEnum::Active;
+ $args['conditions']['CoGroup.co_id'] = $coId;
$args['conditions']['CoGroupMember.co_person_id'] = $coPersonId;
$args['conditions']['CoGroupMember.member'] = 1;
$args['contain'] = false;
- $member = $this->CoGroup->find('count', $args);
+ $groups = $this->CoGroup->find('all', $args);
$this->unbindModel(array('belongsTo' => array('CoGroup')));
// Add this result to the cache
- $this->cache['coperson'][$coPersonId][$coId][$condKey][$condValue] =
(boolean)$member;
+ $this->cache['coperson'][$coPersonId][$coId][$condKey][$condValue] =
$groups;
- return (boolean)$member;
+ return $groups;
}
/**
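Review bot: With the new `if($condValue != null)` guard, a call that supplies neither a group name nor a group ID runs the query without any group filter and returns every active group the person is a member of in the CO. That suits cachedGroupGet, but cachedGroupCheck forwards its arguments unchanged and would then report true for any group member, so it should reject that case before delegating, e.g. `if($groupName == "" && $groupId == null) { return false; }`. The cachedGroupGet docblock should state the no-filter behaviour explicitly. The function body starts outside this hunk, so how `$condValue` is initialised could not be checked here.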
@@ -147,8 +170,215 @@
return (boolean)$member;
}
+
+ /**
+ * Determine what COUs a CO Person is a COU Admin for. Note this function
will return
+ * no COUs if the CO Person is a CO Admin but not a COU Admin.
+ *
+ * @since COmanage Registry v0.8
+ * @param Integer CO Person ID
+ * @param Integer CO ID
+ * @return Array List COU IDs and Names
+ * @throws InvalidArgumentException
+ */
+
+ public function couAdminFor($coPersonId, $coId) {
+ global $group_sep;
+
+ $couNames = array();
+ $childCous = array();
+
+ // First pull the COUs $coPersonId is explicitly an admin for
+
+ $couGroups = $this->cachedGroupGet($coPersonId, $coId, "admin" .
$group_sep . "%", "LIKE");
+
+ // What we actually have are the groups associated with each COU for
which
+ // coPersonId is an admin.
+
+ $this->bindModel(array('belongsTo' => array('Cou')));
+
+ foreach($couGroups as $couGroup) {
+ $couName = substr($couGroup['CoGroup']['name'],
+ strpos($couGroup['CoGroup']['name'], $group_sep) +
1);
+
+ // Pull the COU and its children (if any)
+
+ try {
+ $childCous = $this->Cou->childCous($couName, $coId, true);
+ }
+ catch(InvalidArgumentException $e) {
+ throw new InvalidArgumentException($e->getMessage());
+ }
+ }
+
+ $this->unbindModel(array('belongsTo' => array('Cou')));
+
+ return $childCous;
+ }
+
+ /**
+ * Determine if an identifier is associated with a CMP Administrator.
+ *
+ * @since COmanage Registry v0.8
+ * @param String Identifier
+ * @return Boolean True if the identifier is associated with a CMP
administrator, false otherwise
+ * @todo Honor identifier type
+ * @throws InvalidArgumentException
+ */
+
+ public function identifierIsCmpAdmin($identifier) {
+ // First check the cache
+
+ if(isset($this->cache['identifier'][$identifier]['cmpadmin'])) {
+ return $this->cache['identifier'][$identifier]['cmpadmin'];
+ }
+
+ // Find the CO Person IDs for this identifier
+
+ $this->bindModel(array('belongsTo' => array('CoPerson')));
+
+ $coPersonIds = null;
+ $coPerson = null;
+
+ try {
+ // XXX We should accept a configuration to specify which identifier
type to be querying
+ // (see also AppController::CalculateCMRoles)
+ $coPersonIds = $this->CoPerson->idsForIdentifier($identifier, null,
true);
+ }
+ catch(Exception $e) {
+ // At the moment, an exception will just result in us returning false
+ throw new InvalidArgumentException($e->getMessage());
+ }
+
+ // We now have a list of CO Person IDs, and need to figure out which one
correlates to the
+ // COmanage CO.
+
+ if(!empty($coPersonIds)) {
+ $args = array();
+ $args['joins'][0]['table'] = 'cos';
+ $args['joins'][0]['alias'] = 'Co';
+ $args['joins'][0]['type'] = 'INNER';
+ $args['joins'][0]['conditions'][0] = 'CoPerson.co_id=Co.id';
+ $args['conditions']['Co.name'] = 'COmanage';
+ $args['conditions']['Co.status'] = StatusEnum::Active;
+ $args['conditions']['CoPerson.id'] = $coPersonIds;
+ $args['contain'] = false;
+
+ $coPerson = $this->CoPerson->find('first', $args);
+ }
+
+ $this->unbindModel(array('belongsTo' => array('CoPerson')));
+
+ // Now that we have the right data, we can hand off to cachedGroupCheck.
+
+ if(isset($coPerson['CoPerson'])) {
+ $isAdmin = $this->cachedGroupCheck($coPerson['CoPerson']['id'],
+ $coPerson['CoPerson']['co_id'],
+ "admin");
+
+ // Cache the result
+ $this->cache['identifier'][$identifier]['cmpadmin'] = $isAdmin;
+
+ return $isAdmin;
+ }
+
+ return false;
+ }
/**
+ * Determine if an identifier is associated with an Administrator for any
CO or COU.
+ *
+ * @since COmanage Registry v0.8
+ * @param String Identifier
+ * @param String Type of check to perform ('coadmin' or 'couadmin')
+ * @return Boolean True if the identifier is associated with a CO
administrator, false otherwise
+ * @todo Honor identifier type
+ * @throws InvalidArgumentException
+ */
+
+ protected function identifierIsAdmin($identifier, $adminType) {
+ global $group_sep;
+
+ // First check the cache
+
+ if(isset($this->cache['identifier'][$identifier][$adminType])) {
+ return $this->cache['identifier'][$identifier][$adminType];
+ }
+
+ // Find the CO Person IDs for this identifier
+
+ $this->bindModel(array('belongsTo' => array('CoPerson')));
+
+ $coPersonIds = null;
+ $isAdmin = false;
+
+ try {
+ // XXX We should accept a configuration to specify which identifier
type to be querying
+ // (see also AppController::CalculateCMRoles)
+ $coPersonIds = $this->CoPerson->idsForIdentifier($identifier, null,
true);
+ }
+ catch(Exception $e) {
+ // At the moment, an exception will just result in us returning false
+ throw new InvalidArgumentException($e->getMessage());
+ }
+
+ // We now have a list of CO Person IDs, and need to see if any of them
are an admin
+
+ if(!empty($coPersonIds)) {
+ $args = array();
+ $args['joins'][0]['table'] = 'co_group_members';
+ $args['joins'][0]['alias'] = 'CoGroupMember';
+ $args['joins'][0]['type'] = 'INNER';
+ $args['joins'][0]['conditions'][0] =
'CoGroup.id=CoGroupMember.co_group_id';
+ $args['conditions']['CoGroupMember.co_person_id'] = $coPersonIds;
+ if($adminType == 'coadmin') {
+ $args['conditions']['CoGroup.name'] = 'admin';
+ } else {
+ $args['conditions']['CoGroup.name LIKE'] = 'admin' . $group_sep .
'%';
+ }
+ $args['conditions']['CoGroup.status'] = StatusEnum::Active;
+ $args['contain'] = false;
+
+ $isAdmin = (boolean)$this->CoPerson->Co->CoGroup->find('count', $args);
+ }
+
+ $this->unbindModel(array('belongsTo' => array('CoPerson')));
+
+ // Cache the result
+ $this->cache['identifier'][$identifier][$adminType] = $isAdmin;
+
+ return $isAdmin;
+ }
+
+ /**
+ * Determine if an identifier is associated with an Administrator for any
CO.
+ *
+ * @since COmanage Registry v0.8
+ * @param String Identifier
+ * @return Boolean True if the identifier is associated with a CO
administrator, false otherwise
+ * @todo Honor identifier type
+ * @throws InvalidArgumentException
+ */
+
+ public function identifierIsCoAdmin($identifier) {
+ return $this->identifierIsAdmin($identifier, 'coadmin');
+ }
+
+ /**
+ * Determine if an identifier is associated with an Administrator for any
COU.
+ *
+ * @since COmanage Registry v0.8
+ * @param String Identifier
+ * @return Boolean True if the identifier is associated with a CO
administrator, false otherwise
+ * @todo Honor identifier type
+ * @throws InvalidArgumentException
+ */
+
+ public function identifierIsCouAdmin($identifier) {
+ return $this->identifierIsAdmin($identifier, 'couadmin');
+ }
+
+ /**
* Determine if a CO Person is a CO Administrator.
*
* @since COmanage Registry v0.7
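Review bot: In couAdminFor the loop assigns `$childCous = $this->Cou->childCous(...)` on every iteration, so a person who administers several COUs gets back only the COUs for the last group processed; because the result is keyed by COU ID, `$childCous += $this->Cou->childCous($couName, $coId, true);` accumulates them. The name extraction `strpos(..., $group_sep) + 1` assumes a one-character separator, and `$couNames` is never used. In identifierIsAdmin the query omits the `CoGroupMember.member` condition that cachedGroupGet applies, so a co_group_members row without member set would presumably still count as an admin; adding `$args['conditions']['CoGroupMember.member'] = 1;` makes the two checks agree. The comments saying an exception "will just result in us returning false" do not match the code, which rethrows.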
@@ -160,7 +390,7 @@
public function isCoAdmin($coPersonId, $coId) {
// A person is a CO Admin if they are a member of the "admin" group for
the specified CO.
- // XXX define "admin" somewhere? CO-457
+ // XXX define "admin" somewhere? CO-457 (also used in other places in
this file)
return $this->cachedGroupCheck($coPersonId, $coId, "admin");
}
@@ -190,6 +420,8 @@
// A person is a CO Admin if they are a member of the "admin" group for
the specified CO.
// A person is a COU Admin if they are a member of an "admin:*" group
within the specified CO.
+ global $group_sep;
+
// For code readability, we do this as separate checks rather than
passing an OR
// condition to cachedGroupCheck(). This may result in two DB calls, but
it may not
// since chances are we've already cached the results to isCoAdmin() (if
we're being
@@ -200,7 +432,7 @@
return true;
}
- return $this->cachedGroupCheck($coPersonId, $coId, "admin:%", "LIKE");
+ return $this->cachedGroupCheck($coPersonId, $coId, "admin" . $group_sep
. "%", "LIKE");
}
/**
@@ -218,17 +450,21 @@
}
/**
- * Determine if a CO Person is a CO or COU Administrator.
+ * Determine if a CO Person is a COU Administrator for a specified COU.
Note this function
+ * will return false if CO Person is a CO Administrator, but not a COU
Administrator.
*
* @since COmanage Registry v0.7
* @param Integer CO Person ID
* @param Integer CO ID
- * @return Boolean True if the CO Person is a CO or COU Administrator,
false otherwise
+ * @param Integer COU ID
+ * @return Boolean True if the CO Person is a COU Administrator for the
specified COU, false otherwise
*/
public function isCouAdmin($coPersonId, $coId, $couId) {
// A person is a COU Admin if they are a member of the "admin:COU Name"
group within the specified CO.
+ global $group_sep;
+
// We need to find the name of the COU first.
$couName = "";
@@ -260,7 +496,7 @@
}
}
- return $this->cachedGroupCheck($coPersonId, $coId, "admin:" . $couName);
+ return $this->cachedGroupCheck($coPersonId, $coId, "admin" . $group_sep
. $couName);
}
/**
Modified: registry/trunk/app/Model/Cou.php
===================================================================
--- registry/trunk/app/Model/Cou.php 2012-11-05 23:25:57 UTC (rev 396)
+++ registry/trunk/app/Model/Cou.php 2012-11-14 00:42:46 UTC (rev 397)
@@ -163,37 +163,47 @@
}
/**
- * Takes an array of names and returns array of them and their descendant
COUs.
+ * Obtain the child COUs of a COU.
*
* @since COmanage Registry v0.3
- * @param Array COU(s) that need children listed
- * @return Array Names
+ * @param String Name of Parent COU
+ * @param Integer CO ID for Parent COU
+ * @param Boolean Whether or not to return $parentCou in the results
+ * @return Array List of COU IDs and Names
+ * @throws InvalidArgumentException
*/
- public function childCous($parentCou, $co_id) {
- // Convert names to id numbers
- $conditions = array("Cou.name" => $parentCou,
- "Cou.co_id" => $co_id);
- $parentData = $this->find('all', array('conditions' => $conditions));
- $parentData = Set::extract($parentData, '{n}.Cou.id');
-
- // Get children
- $allChildren = array();
- if($parentData != NULL)
- {
- foreach($parentData as $parent)
- {
- $thisChildren = $this->children($parent, false, 'name');
- if($thisChildren != NULL)
- $allChildren = array_merge($allChildren, $thisChildren);
+ public function childCous($parentCou, $co_id, $includeParent=false) {
+ // Find $parentCou
+
+ $args = array();
+ $args['conditions']['Cou.name'] = $parentCou;
+ $args['conditions']['Cou.co_id'] = $co_id;
+ $args['contain'] = false;
+
+ $parent = $this->find('first', $args);
+
+ // Find children
+
+ if(isset($parent['Cou']['id'])) {
+ $children = $this->children($parent['Cou']['id'],
+ false,
+ array('id', 'name'));
+
+ $ret = array();
+
+ if($includeParent) {
+ $ret[ $parent['Cou']['id'] ] = $parent['Cou']['name'];
}
+
+ foreach($children as $child) {
+ $ret[ $child['Cou']['id'] ] = $child['Cou']['name'];
+ }
+
+ return $ret;
+ } else {
+ throw new InvalidArgumentException(_txt('er.unknown'),
array($parentCou));
}
- $allChildren = Set::extract($allChildren, '{n}.Cou.name');
-
- if($allChildren != NULL)
- return(array_merge($parentCou, $allChildren));
- else
- return($parentCou);
}
/**
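Review bot: The `throw` in the else branch passes `array($parentCou)` as the second argument of InvalidArgumentException, which is the integer exception code, instead of passing it to `_txt()`; the closing parenthesis looks misplaced and the line was presumably meant to be `throw new InvalidArgumentException(_txt('er.unknown', array($parentCou)));`. As written, an unknown COU name is likely to fail on the constructor arguments rather than raise the documented exception that couAdminFor in CoRole.php catches by type. The signature also changed from an array of names to a single name, so any caller outside this diff that still passes an array needs to be updated.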
Modified: registry/trunk/app/View/CoPeople/index.ctp
===================================================================
--- registry/trunk/app/View/CoPeople/index.ctp 2012-11-05 23:25:57 UTC (rev
396)
+++ registry/trunk/app/View/CoPeople/index.ctp 2012-11-14 00:42:46 UTC (rev
397)
@@ -59,17 +59,6 @@
<tr class="line<?php print ($i % 2)+1; ?>">
<td>
<?php
- // Is this a person in a COU of the currently logged in person?
- $myPerson = false;
-
- // We look at COU here if set for the role
- // XXX this should really be calculated in the controller
- if($permissions['edit']
- && (!isset($pr['cou_id'])
- || $pr['cou_id'] == ''
- || in_array($pr['Cou']['name'], $permissions['cous'])))
- $myPerson = true;
-
print $this->Html->link(generateCn($p['Name']),
array(
'controller' => 'co_people',
@@ -90,7 +79,19 @@
<td>
<?php
foreach ($p['CoPersonRole'] as $pr) {
- if($myPerson) {
+ // The current user can edit this role if they have general edit
+ // permission and (1) there is no COU defined or (2) there is a
COU
+ // defined and the user can manage that COU.
+
+ $myPersonRole = false;
+
+ if($permissions['edit']) {
+ if(empty($pr['cou_id']) || isset($permissions['cous'][
$pr['cou_id'] ])) {
+ $myPersonRole = true;
+ }
+ }
+
+ if($myPersonRole) {
if($permissions['enroll']
&& $pr['status'] == StatusEnum::PendingApproval
&& !empty($pr['CoPetition'])) {
@@ -122,9 +123,9 @@
$pr['id'],
'co' => $cur_co['Co']['id']));
}
+ } else{
+ print $pr['title'];
}
- else
- print $pr['title'];
if(isset($pr['Cou']['name']))
print " (" . $pr['Cou']['name'] . ")";
@@ -140,7 +141,8 @@
array('controller' => 'co_people',
'action' => 'compare', $p['CoPerson']['id'], 'co' => $cur_co['Co']['id']),
array('class' => 'comparebutton')) .
"\n";
- if($myPerson) {
+ if(true || $myPerson) {
+ // XXX for now, cou admins get all the actions, but see CO-505
// Edit actions are unavailable if not
if($permissions['edit'])
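Review bot: `if(true || $myPerson)` is a constant condition that still names `$myPerson`, a variable this commit removes earlier in the file, so it becomes an undefined-variable reference as soon as the `true ||` is dropped. With the check disabled the action buttons are rendered for every row, so the controller-side permission check is the only thing that stops a COU admin from acting on people outside their COUs, which the XXX comment defers to CO-505. Drop the dead operand and the wrapper, leaving `if($permissions['edit'])` as the gate, and keep the CO-505 comment beside it. The block continues outside the hunk.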