comanage-dev - [comanage-dev] r406 - in registry/trunk/app: Controller Controller/Component Lib Model View/CoEnrollmentFlows View/CoNsfDemographics View/CoPeople
Subject: COmanage Developers List
List archive
[comanage-dev] r406 - in registry/trunk/app: Controller Controller/Component Lib Model View/CoEnrollmentFlows View/CoNsfDemographics View/CoPeople
Chronological Thread
- From:
- To:
- Subject: [comanage-dev] r406 - in registry/trunk/app: Controller Controller/Component Lib Model View/CoEnrollmentFlows View/CoNsfDemographics View/CoPeople
- Date: Fri, 18 Jan 2013 18:58:32 -0500
Author: benno
Date: 2013-01-18 18:58:32 -0500 (Fri, 18 Jan 2013)
New Revision: 406
Added:
registry/trunk/app/Controller/Component/RoleComponent.php
Removed:
registry/trunk/app/Model/CoRole.php
Modified:
registry/trunk/app/Controller/AddressesController.php
registry/trunk/app/Controller/AppController.php
registry/trunk/app/Controller/CmpEnrollmentConfigurationsController.php
registry/trunk/app/Controller/CoEnrollmentAttributesController.php
registry/trunk/app/Controller/CoEnrollmentFlowsController.php
registry/trunk/app/Controller/CoExtendedAttributesController.php
registry/trunk/app/Controller/CoExtendedTypesController.php
registry/trunk/app/Controller/CoGroupMembersController.php
registry/trunk/app/Controller/CoGroupsController.php
registry/trunk/app/Controller/CoIdentifierAssignmentsController.php
registry/trunk/app/Controller/CoInvitesController.php
registry/trunk/app/Controller/CoNsfDemographicsController.php
registry/trunk/app/Controller/CoOrgIdentityLinksController.php
registry/trunk/app/Controller/CoPeopleController.php
registry/trunk/app/Controller/CoPersonRolesController.php
registry/trunk/app/Controller/CoPetitionsController.php
registry/trunk/app/Controller/CoProvisioningTargetsController.php
registry/trunk/app/Controller/CosController.php
registry/trunk/app/Controller/CousController.php
registry/trunk/app/Controller/EmailAddressesController.php
registry/trunk/app/Controller/HistoryRecordsController.php
registry/trunk/app/Controller/IdentifiersController.php
registry/trunk/app/Controller/OrgIdentitiesController.php
registry/trunk/app/Controller/OrganizationsController.php
registry/trunk/app/Controller/PagesController.php
registry/trunk/app/Controller/TelephoneNumbersController.php
registry/trunk/app/Controller/UsersController.php
registry/trunk/app/Controller/VootController.php
registry/trunk/app/Lib/lang.php
registry/trunk/app/Model/AppModel.php
registry/trunk/app/Model/Co.php
registry/trunk/app/Model/CoEnrollmentFlow.php
registry/trunk/app/Model/CoPerson.php
registry/trunk/app/Model/CoPersonRole.php
registry/trunk/app/View/CoEnrollmentFlows/select.ctp
registry/trunk/app/View/CoNsfDemographics/fields.inc
registry/trunk/app/View/CoPeople/fields.inc
Log:
Fix authorization for CO-518
Modified: registry/trunk/app/Controller/AddressesController.php
===================================================================
--- registry/trunk/app/Controller/AddressesController.php 2013-01-09
03:11:35 UTC (rev 405)
+++ registry/trunk/app/Controller/AddressesController.php 2013-01-18
23:58:32 UTC (rev 406)
@@ -2,7 +2,7 @@
/**
* COmanage Registry Addresses Controller
*
- * Copyright (C) 2010-12 University Corporation for Advanced Internet
Development, Inc.
+ * Copyright (C) 2010-13 University Corporation for Advanced Internet
Development, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with
* the License. You may obtain a copy of the License at
@@ -14,7 +14,7 @@
* KIND, either express or implied. See the License for the specific
language governing
* permissions and limitations under the License.
*
- * @copyright Copyright (C) 2010-12 University Corporation for Advanced
Internet Development, Inc.
+ * @copyright Copyright (C) 2010-13 University Corporation for Advanced
Internet Development, Inc.
* @link http://www.internet2.edu/comanage COmanage Project
* @package registry
* @since COmanage Registry v0.1
@@ -35,6 +35,7 @@
'line1' => 'asc'
)
);
+
/**
* Add an Address Object.
* - precondition: Model specific attributes in $this->request->data
(optional)
@@ -59,7 +60,8 @@
*
* @since COmanage Registry v0.7
* @param integer Object identifier (eg: cm_co_groups:id) representing
object to be deleted
- */
+ */
+
function delete($id) {
$this->redirectTab = 'address';
@@ -76,77 +78,86 @@
*/
function isAuthorized() {
- $cmr = $this->calculateCMRoles();
+ $roles = $this->Role->calculateCMRoles();
$pids = $this->parsePersonID($this->request->data);
-
- // Is this our own record? ($cmr is what was authenticated, $pids what
was requested)
- // We needs to see if the requested person role ID belongs to the
authenticated person.
- $self = false;
- $copid = $this->Address->CoPersonRole->field('co_person_id', array('id'
=> $pids['copersonroleid']));
-
- if($copid && $copid == $cmr['copersonid'])
- $self = true;
-
- // If we're manipulating an Org Person, any CO admin or COU admin can
edit,
- // but if we're manipulating a CO Person, only the CO admin or
appropriate
- // COU admin (an admin of the COU associated with the current record)
can edit
+ // In order to manipulate an address, the authenticated user must have
permission
+ // over the associated Org Identity or CO Person Role. For add action,
we accept
+ // the identifier passed in the URL, otherwise we lookup based on the
record ID.
- $admin = false;
+ $managed = false;
- if(($pids['copersonid'] && $cmr['coadmin'])
- || ($pids['orgidentityid'] && ($cmr['admin'] || $cmr['coadmin'] ||
$cmr['subadmin'])))
- $admin = true;
-
- if(!$admin && $cmr['couadmin'])
- {
- // Current person is a COU admin, see if it's for this person role.
There should
- // be only one match, so we use 'first'.
-
- $cou = $this->Address->CoPersonRole->Cou->find("first",
- array("joins" =>
-
array(array('table' => 'co_person_roles',
-
'alias' => 'CoPersonRole',
-
'type' => 'INNER',
-
'conditions' => array('Cou.id=CoPersonRole.cou_id'))),
- "conditions" =>
-
array('CoPersonRole.id' => $pids['copersonroleid'])));
-
- if(isset($cou['Cou']['name']))
- {
- foreach(array_values($cmr['admincous']) as $c)
- {
- if($c == $cou['Cou']['name'])
- {
- $admin = true;
- break;
+ if(!empty($roles['copersonid'])) {
+ switch($this->action) {
+ case 'add':
+ if(!empty($pids['copersonroleid'])) {
+ $managed =
$this->Role->isCoOrCouAdminForCoPersonRole($roles['copersonid'],
+
$pids['copersonroleid']);
+ } elseif(!empty($pids['orgidentityid'])) {
+ $managed =
$this->Role->isCoOrCouAdminForOrgIdentity($roles['copersonid'],
+
$pids['orgidentityid']);
+ }
+ break;
+ case 'delete':
+ case 'edit':
+ case 'view':
+ if(!empty($this->request->params['pass'][0])) {
+ // look up $this->request->params['pass'][0] and find the
appropriate co person role id or org identity id
+ // then pass that to $this->Role->isXXX
+ $args = array();
+ $args['conditions']['Address.id'] =
$this->request->params['pass'][0];
+ $args['contain'] = false;
+
+ $address = $this->Address->find('first', $args);
+
+ if(!empty($address['Address']['co_person_role_id'])) {
+ $managed =
$this->Role->isCoOrCouAdminForCoPersonRole($roles['copersonid'],
+
$address['Address']['co_person_role_id']);
+ } elseif(!empty($address['Address']['org_identity_id'])) {
+ $managed =
$this->Role->isCoOrCouAdminForOrgidentity($roles['copersonid'],
+
$address['Address']['org_identity_id']);
}
}
+ break;
}
}
+ // It's not really clear that people should always be able to edit their
own addresses.
+ // For now, we won't enable self-service, pending requirements review.
(See CO-92.)
+
+ // Self is true if this is an add operation & the current user's own
person role/org id is in the url
+ // OR for other operations the record is attached to the current user's
person role/org id.
+ $self = false;
+
// Construct the permission set for this user, which will also be passed
to the view.
$p = array();
- // Determine what operations this user can perform
-
// Add a new Address?
- $p['add'] = ($cmr['cmadmin'] || $admin || $self);
+ $p['add'] = ($roles['cmadmin']
+ || ($managed && ($roles['coadmin'] || $roles['couadmin']))
+ || $self);
// Delete an existing Address?
- $p['delete'] = ($cmr['cmadmin'] || $admin || $self);
+ $p['delete'] = ($roles['cmadmin']
+ || ($managed && ($roles['coadmin'] ||
$roles['couadmin']))
+ || $self);
// Edit an existing Address?
- $p['edit'] = ($cmr['cmadmin'] || $admin || $self);
+ $p['edit'] = ($roles['cmadmin']
+ || ($managed && ($roles['coadmin'] || $roles['couadmin']))
+ || $self);
// View all existing Addresses?
- $p['index'] = ($cmr['cmadmin'] || $admin);
+ // Currently only supported via REST since there's no use case for
viewing all
+ $p['index'] = $this->restful && ($roles['cmadmin'] || $roles['coadmin']);
// View an existing Address?
- $p['view'] = ($cmr['cmadmin'] || $admin || $self);
-
+ $p['view'] = ($roles['cmadmin']
+ || ($managed && ($roles['coadmin'] || $roles['couadmin']))
+ || $self);
+
$this->set('permissions', $p);
- return($p[$this->action]);
+ return $p[$this->action];
}
/**
@@ -157,7 +168,6 @@
*/
function performRedirect() {
-
$this->redirectTab = 'address';
parent::performRedirect();
Modified: registry/trunk/app/Controller/AppController.php
===================================================================
--- registry/trunk/app/Controller/AppController.php 2013-01-09 03:11:35
UTC (rev 405)
+++ registry/trunk/app/Controller/AppController.php 2013-01-18 23:58:32
UTC (rev 406)
@@ -2,22 +2,24 @@
/**
* Application level Controller
*
- * This file is application-wide controller file. You can put all
- * application-wide controller-related methods here.
+ * Copyright (C) 2010-13 University Corporation for Advanced Internet
Development, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
distributed under
+ * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the specific
language governing
+ * permissions and limitations under the License.
*
- * PHP 5
- *
- * CakePHP(tm) : Rapid Development Framework (http://cakephp.org)
- * Copyright 2005-2012, Cake Software Foundation, Inc.
(http://cakefoundation.org)
- *
- * Licensed under The MIT License
- * Redistributions of files must retain the above copyright notice.
- *
- * @copyright Copyright 2005-2012, Cake Software Foundation, Inc.
(http://cakefoundation.org)
- * @link http://cakephp.org CakePHP(tm) Project
+ * @copyright Copyright (C) 2010-13 University Corporation for Advanced
Internet Development, Inc.
+ * @link http://www.internet2.edu/comanage COmanage Project
* @package registry
* @since COmanage Registry v0.1, CakePHP(tm) v 0.2.9
- * @license MIT License
(http://www.opensource.org/licenses/mit-license.php)
+ * @license Apache License, Version 2.0
(http://www.apache.org/licenses/LICENSE-2.0)
+ * @version $Id$
*/
App::uses('Controller', 'Controller');
@@ -37,6 +39,7 @@
// All controllers use these components
public $components = array('Auth',
'RequestHandler', // For REST
+ 'Role',
'Security',
'Session');
@@ -185,6 +188,15 @@
if(isset($this->CoInvite->CoPetition->EnrolleeCoPerson->Identifier)) {
$this->CoInvite->CoPetition->EnrolleeCoPerson->Identifier->coId
= $coid;
}
+
+ // Perform a bit of a sanity check before we get any further
+ try {
+ $this->verifyRequestedId();
+ }
+ catch(InvalidArgumentException $e) {
+ $this->Session->setFlash($e->getMessage(), '', array(), 'error');
+ $this->redirect("/");
+ }
} else {
$this->Session->setFlash(_txt('er.co.unk-a', array($coid)), '',
array(), 'error');
$this->redirect("/");
@@ -242,117 +254,6 @@
}
/**
- * Determine which COmanage platform roles the current user has.
- * - precondition: UsersController::login has run
- * - postcondition: $this->cur_cous set or updated if current user is a
subadmin but not an admin
- *
- * @since COmanage Registry v0.1
- * @return Array An array with values of 'true' if the user has the
specified role or 'false' otherwise, with possible keys of
- * - cmadmin: COmanage platform administrator
- * - coadmin: Administrator of the current CO
- * - couadmin: Administrator of one or more COUs within the current CO
- * - admincous: COUs for which user is an Administrator (list of COU IDs
and Names)
- * - comember: Member of the current CO
- * - admin: Valid admin in any CO
- * - subadmin: Valid admin for any COU
- * - user: Valid user in any CO (ie: to the platform)
- * - apiuser: Valid API (REST) user (for now, API users are equivalent to
cmadmins)
- * - orgidentityid: Org Identity ID of current user (or false)
- * - copersonid: CO Person ID of current user in current CO (or false)
- */
-
- public function calculateCMRoles() {
- // We basically translate from the currently logged in info as
determined by
- // UsersController to role information as determined by CoRole.
-
- global $group_sep;
-
- $ret = array(
- 'cmadmin' => false,
- 'coadmin' => false,
- 'couadmin' => false,
- 'admincous' => null,
- 'comember' => false,
- 'admin' => false,
- 'subadmin' => false,
- 'user' => false,
- 'apiuser' => false,
- 'orgidentityid' => false,
- 'copersonid' => false
- );
-
- $coId = $this->cur_co['Co']['id'];
- $coPersonId = null;
- $username = null;
-
- if($this->Session->check('Auth.User.username')) {
- $username = $this->Session->read('Auth.User.username');
- }
-
- // Use CoRole to perform various calculations
-
- $this->loadModel('CoRole');
-
- // Is this user a CMP admin?
-
- if($this->Session->check('Auth.User.username')) {
- $ret['cmadmin'] = $this->CoRole->identifierIsCmpAdmin($username);
- }
-
- // Figure out the revelant CO Person ID for the current user and the
current CO
-
- $this->loadModel('CoPerson');
-
- // XXX We should pass an identifier type that was somehow configured
(see also CoRole->identifierIs*Admin)
- $coPersonId = $this->CoPerson->idForIdentifier($coId, $username, null,
true);
-
- // Is this user a member of the current CO?
- // We only want to populate $ret['copersonid'] if this CO Person ID is
in the current CO
-
- if($this->CoRole->isCoPerson($coPersonId, $coId)) {
- $ret['copersonid'] = $coPersonId;
- $ret['comember'] = true;
-
- // Also store the co_person_id directly in the session to make it
easier to find
- $this->Session->write('Auth.User.co_person_id', $ret['copersonid']);
- }
-
- if(isset($coPersonId) && isset($coId)) {
- // Is this user an admin of the current CO?
-
- $ret['coadmin'] = $this->CoRole->isCoAdmin($coPersonId, $coId);
-
- // Is this user an admin of a COU within the current CO?
-
- $ret['admincous'] = $this->CoRole->couAdminFor($coPersonId, $coId);
- $ret['couadmin'] = !empty($ret['admincous']);
- }
-
- // Is the user an admin of any CO?
-
- $ret['admin'] = ($ret['coadmin'] ||
$this->CoRole->identifierIsCoAdmin($username));
-
- // Is the user a COU admin for any CO?
-
- $ret['subadmin'] = ($ret['couadmin'] ||
$this->CoRole->identifierIsCouAdmin($username));
-
- // Platform user?
- if($this->Session->check('Auth.User.name')) {
- $ret['user'] = true;
- }
-
- // API user or Org Person?
- if($this->Session->check('Auth.User.api_user_id')) {
- $ret['apiuser'] = true;
- $ret['cmadmin'] = true; // API users are currently platform admins
- } elseif($this->Session->check('Auth.User.org_identities')) {
- $ret['orgidentities'] =
$this->Session->read('Auth.User.org_identities');
- }
-
- return($ret);
- }
-
- /**
* Compare two arrays and generate a string describing what changed,
suitable for
* including in a history record.
*
@@ -1076,6 +977,130 @@
}
/**
+ * Called from beforeRender to set permissions for display in menus
+ * - precondition: Session.Auth holds data used for authz decisions
+ * - postcondition: permissions for menu are set
+ *
+ * @since COmanage Registry v0.5
+ */
+
+ function menuAuth() {
+ $roles = $this->Role->calculateCMRoles();
+
+ // Construct the permission set for this user, which will also be passed
to the view.
+ $p = array();
+
+ // If permissions already exist, don't overwrite them
+ if(isset($this->viewVars['permissions']))
+ $p = $this->viewVars['permissions'];
+
+ // Determine what menu options this user can see
+
+ // View own (Org) profile?
+ $p['menu']['orgprofile'] = $roles['user'];
+
+ // View/Edit own (CO) profile?
+ $p['menu']['coprofile'] = $roles['user'];
+
+ // View/Edit CO groups?
+ $p['menu']['cogroups'] = $roles['user'];
+
+ // Manage org identity data?
+ $p['menu']['orgidentities'] = $roles['admin'] || $roles['subadmin'];
+
+ // Manage any CO (or COU) population?
+ // XXX This permission is somewhat confusingly named (implies cmp admin
managing COs)
+ // as is 'admin' below (which really implies cmadmin)
+ $p['menu']['cos'] = $roles['admin'] || $roles['subadmin'];
+
+ // Select from available enrollment flows?
+ $p['menu']['createpetition'] = $roles['user'];
+
+ // Manage any CO (or COU) population?
+ $p['menu']['petitions'] = $roles['admin'] || $roles['subadmin'];
+
+ // Manage CO extended attributes?
+ $p['menu']['extattrs'] = $roles['admin'];
+
+ // Manage CO extended typees?
+ $p['menu']['exttypes'] = $roles['admin'];
+
+ // Manage CO ID Assignment?
+ $p['menu']['idassign'] = $roles['admin'];
+
+ // Manage COU definitions?
+ $p['menu']['cous'] = $roles['admin'];
+
+ // Manage CO enrollment flow definitions?
+ $p['menu']['coef'] = $roles['admin'];
+
+ // Manage CO provisioning targets?
+ $p['menu']['coprovtargets'] = $roles['admin'];
+
+ // Admin COmanage?
+ $p['menu']['admin'] = $roles['cmadmin'];
+
+ // Manage NSF Demographics?
+ $p['menu']['co_nsf_demographics'] = $roles['cmadmin'];
+
+ // View/Edit own Demographics profile?
+ $p['menu']['nsfdemoprofile'] = $roles['user'];
+
+ $this->set('permissions', $p);
+ }
+
+ /**
+ * Called from beforeRender to set content for display in menus
+ * - precondition: Session.Auth holds data used for authz decisions
+ * - postcondition: content for menu are set
+ *
+ * @since COmanage Registry v0.5
+ */
+
+ function menuContent() {
+ // Get org identity ID
+ $orgIDs = $this->Session->read('Auth.User.org_identities');
+
+ if(!empty($orgIDs)) {
+ // Find name associated with that ID
+ $this->loadModel('OrgIdentity');
+ $orgName = $this->OrgIdentity->read('o',$orgIDs[0]['org_id']);
+
+ // Set for home ID name in menu
+ $menu['orgName'] = $orgName['OrgIdentity']['o'];
+ }
+
+ // Set the COs for display
+ if($this->viewVars['permissions']['menu']['admin']) {
+ // Show all active COs for admins
+ $this->loadModel('Co');
+ $params = array('conditions' => array('Co.status' => 'A'),
+ 'fields' => array('Co.id', 'Co.name'),
+ 'recursive' => false
+ );
+ $codata = $this->Co->find('all', $params);
+
+ foreach($codata as $data)
+ $menu['cos'][ $data['Co']['id'] ] = $data['Co']['name'];
+ } elseif($this->Session->check('Auth.User.cos')) {
+ // Show only COs that a user is a member of
+ foreach($this->Session->read('Auth.User.cos') as $name => $data)
+ $menu['cos'][ $data['co_id'] ] = $data['co_name'];
+ }
+
+ // Determine what menu contents plugins want available
+ $plugins = $this->loadAvailablePlugins('all', 'simple');
+
+ foreach($plugins as $plugin) {
+ if(isset($this->$plugin->cmPluginMenus)) {
+ $menu['plugins'][$plugin] = $this->$plugin->cmPluginMenus;
+ }
+ }
+
+ $this->set('menuContent', $menu);
+ }
+
+ /**
* For Models that accept a CO ID, find the provided CO ID.
* - precondition: A coid must be provided in $this->request (params or
data)
*
@@ -1252,128 +1277,46 @@
$this->response->statusCode($status);
}
-
+
/**
- * Called from beforeRender to set permissions for display in menus
- * - precondition: Session.Auth holds data used for authz decisions
- * - postcondition: permissions for menu are set
+ * Perform a sanity check on on a standard item identifier to verify it is
part
+ * of the current CO.
+ * - precondition: cur_co is set
*
- * @since COmanage Registry v0.5
+ * @since COmanage Registry v0.8
+ * @return Boolean True if sanity check is successful
+ * @throws InvalidArgumentException
*/
- function menuAuth() {
- $cmr = $this->calculateCMRoles();
-
- // Construct the permission set for this user, which will also be passed
to the view.
- $p = array();
-
- // If permissions already exist, don't overwrite them
- if(isset($this->viewVars['permissions']))
- $p = $this->viewVars['permissions'];
-
- // Determine what menu options this user can see
-
- // View own (Org) profile?
- $p['menu']['orgprofile'] = $cmr['user'];
-
- // View/Edit own (CO) profile?
- $p['menu']['coprofile'] = $cmr['user'];
-
- // View/Edit CO groups?
- $p['menu']['cogroups'] = $cmr['user'];
-
- // Manage org identity data?
- $p['menu']['orgidentities'] = $cmr['admin'] || $cmr['subadmin'];
-
- // Manage any CO (or COU) population?
- // XXX This permission is somewhat confusingly named (implies cmp admin
managing COs)
- // as is 'admin' below (which really implies cmadmin)
- $p['menu']['cos'] = $cmr['admin'] || $cmr['subadmin'];
-
- // Select from available enrollment flows?
- $p['menu']['createpetition'] = $cmr['user'];
-
- // Manage any CO (or COU) population?
- $p['menu']['petitions'] = $cmr['admin'] || $cmr['subadmin'];
-
- // Manage CO extended attributes?
- $p['menu']['extattrs'] = $cmr['admin'];
-
- // Manage CO extended typees?
- $p['menu']['exttypes'] = $cmr['admin'];
-
- // Manage CO ID Assignment?
- $p['menu']['idassign'] = $cmr['admin'];
-
- // Manage COU definitions?
- $p['menu']['cous'] = $cmr['admin'];
-
- // Manage CO enrollment flow definitions?
- $p['menu']['coef'] = $cmr['admin'];
-
- // Manage CO provisioning targets?
- $p['menu']['coprovtargets'] = $cmr['admin'];
-
- // Admin COmanage?
- $p['menu']['admin'] = $cmr['cmadmin'];
-
- // Manage NSF Demographics?
- $p['menu']['co_nsf_demographics'] = $cmr['cmadmin'];
-
- // View/Edit own Demographics profile?
- $p['menu']['nsfdemoprofile'] = $cmr['user'];
-
- $this->set('permissions', $p);
- }
-
- /**
- * Called from beforeRender to set content for display in menus
- * - precondition: Session.Auth holds data used for authz decisions
- * - postcondition: content for menu are set
- *
- * @since COmanage Registry v0.5
- */
-
- function menuContent() {
- // Get org identity ID
- $orgIDs = $this->Session->read('Auth.User.org_identities');
-
- if(!empty($orgIDs)) {
- // Find name associated with that ID
- $this->loadModel('OrgIdentity');
- $orgName = $this->OrgIdentity->read('o',$orgIDs[0]['org_id']);
-
- // Set for home ID name in menu
- $menu['orgName'] = $orgName['OrgIdentity']['o'];
+ public function verifyRequestedId() {
+ if(empty($this->cur_co)) {
+ // We shouldn't get here without a CO defined
+ throw new LogicException(_txt('er.co.specify'));
}
-
- // Set the COs for display
- if($this->viewVars['permissions']['menu']['admin']) {
- // Show all active COs for admins
- $this->loadModel('Co');
- $params = array('conditions' => array('Co.status' => 'A'),
- 'fields' => array('Co.id', 'Co.name'),
- 'recursive' => false
- );
- $codata = $this->Co->find('all', $params);
-
- foreach($codata as $data)
- $menu['cos'][ $data['Co']['id'] ] = $data['Co']['name'];
- } elseif($this->Session->check('Auth.User.cos')) {
- // Show only COs that a user is a member of
- foreach($this->Session->read('Auth.User.cos') as $name => $data)
- $menu['cos'][ $data['co_id'] ] = $data['co_name'];
- }
- // Determine what menu contents plugins want available
- $plugins = $this->loadAvailablePlugins('all', 'simple');
-
- foreach($plugins as $plugin) {
- if(isset($this->$plugin->cmPluginMenus)) {
- $menu['plugins'][$plugin] = $this->$plugin->cmPluginMenus;
+ // Specifically whitelist the actions we ignore
+ if(!$this->action != 'index' && $this->action != 'add') {
+ // Only act if a record ID parameter was passed
+ if(!empty($this->request->params['pass'][0])) {
+ $modelName = $this->modelClass;
+ // Make sure the model has been loaded
+ $this->loadModel($modelName);
+
+ try {
+ $recordCoId =
$this->$modelName->findCoForRecord($this->request->params['pass'][0]);
+ }
+ catch(InvalidArgumentException $e) {
+ throw new InvalidArgumentException($e->getMessage());
+ }
+
+ if($recordCoId != $this->cur_co['Co']['id']) {
+ throw new InvalidArgumentException(_txt('er.co.mismatch',
+ array($modelName,
+
$this->request->params['pass'][0])));
+ }
}
}
- $this->set('menuContent', $menu);
+ return true;
}
}
Modified:
registry/trunk/app/Controller/CmpEnrollmentConfigurationsController.php
===================================================================
--- registry/trunk/app/Controller/CmpEnrollmentConfigurationsController.php
2013-01-09 03:11:35 UTC (rev 405)
+++ registry/trunk/app/Controller/CmpEnrollmentConfigurationsController.php
2013-01-18 23:58:32 UTC (rev 406)
@@ -2,7 +2,7 @@
/**
* COmanage Registry CMP Enrollment Configuration Controller
*
- * Copyright (C) 2011-12 University Corporation for Advanced Internet
Development, Inc.
+ * Copyright (C) 2011-13 University Corporation for Advanced Internet
Development, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with
* the License. You may obtain a copy of the License at
@@ -113,7 +113,7 @@
*/
function isAuthorized() {
- $cmr = $this->calculateCMRoles();
+ $roles = $this->Role->calculateCMRoles();
// Construct the permission set for this user, which will also be passed
to the view.
$p = array();
@@ -131,19 +131,19 @@
$p['delete'] = false;
// Edit an existing CMP Enrollment Configuration?
- $p['edit'] = $cmr['cmadmin'];
+ $p['edit'] = $roles['cmadmin'];
// View all existing CMP Enrollment Configurations?
$p['index'] = false;
// Select a CMP Enrollment Configuration?
- $p['select'] = $cmr['admin'];
+ $p['select'] = $roles['admin'];
// View an existing CMP Enrollment Configuration?
$p['view'] = false;
$this->set('permissions', $p);
- return($p[$this->action]);
+ return $p[$this->action];
}
/**
Modified: registry/trunk/app/Controller/CoEnrollmentAttributesController.php
===================================================================
--- registry/trunk/app/Controller/CoEnrollmentAttributesController.php
2013-01-09 03:11:35 UTC (rev 405)
+++ registry/trunk/app/Controller/CoEnrollmentAttributesController.php
2013-01-18 23:58:32 UTC (rev 406)
@@ -2,7 +2,7 @@
/**
* COmanage Registry CO Enrollment Attributes Controller
*
- * Copyright (C) 2011-12 University Corporation for Advanced Internet
Development, Inc.
+ * Copyright (C) 2011-13 University Corporation for Advanced Internet
Development, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with
* the License. You may obtain a copy of the License at
@@ -14,7 +14,7 @@
* KIND, either express or implied. See the License for the specific
language governing
* permissions and limitations under the License.
*
- * @copyright Copyright (C) 2011-12 University Corporation for Advanced
Internet Development, Inc.
+ * @copyright Copyright (C) 2011-13 University Corporation for Advanced
Internet Development, Inc.
* @link http://www.internet2.edu/comanage COmanage Project
* @package registry
* @since COmanage Registry v0.3
@@ -112,7 +112,7 @@
*/
function isAuthorized() {
- $cmr = $this->calculateCMRoles();
+ $roles = $this->Role->calculateCMRoles();
// Construct the permission set for this user, which will also be passed
to the view.
$p = array();
@@ -120,22 +120,22 @@
// Determine what operations this user can perform
// Add a new CO Enrollment Attribute?
- $p['add'] = ($cmr['cmadmin'] || $cmr['coadmin']);
+ $p['add'] = ($roles['cmadmin'] || $roles['coadmin']);
// Delete an existing CO Enrollment Attribute?
- $p['delete'] = ($cmr['cmadmin'] || $cmr['coadmin']);
+ $p['delete'] = ($roles['cmadmin'] || $roles['coadmin']);
// Edit an existing CO Enrollment Attribute?
- $p['edit'] = ($cmr['cmadmin'] || $cmr['coadmin']);
+ $p['edit'] = ($roles['cmadmin'] || $roles['coadmin']);
// View all existing CO Enrollment Attributes?
- $p['index'] = ($cmr['cmadmin'] || $cmr['coadmin']);
+ $p['index'] = ($roles['cmadmin'] || $roles['coadmin']);
// View an existing CO Enrollment Attributes?
- $p['view'] = ($cmr['cmadmin'] || $cmr['coadmin']);
+ $p['view'] = ($roles['cmadmin'] || $roles['coadmin']);
$this->set('permissions', $p);
- return($p[$this->action]);
+ return $p[$this->action];
}
/**
Modified: registry/trunk/app/Controller/CoEnrollmentFlowsController.php
===================================================================
--- registry/trunk/app/Controller/CoEnrollmentFlowsController.php
2013-01-09 03:11:35 UTC (rev 405)
+++ registry/trunk/app/Controller/CoEnrollmentFlowsController.php
2013-01-18 23:58:32 UTC (rev 406)
@@ -2,7 +2,7 @@
/**
* COmanage Registry CO Enrollment Flows Controller
*
- * Copyright (C) 2011-12 University Corporation for Advanced Internet
Development, Inc.
+ * Copyright (C) 2011-13 University Corporation for Advanced Internet
Development, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with
* the License. You may obtain a copy of the License at
@@ -14,7 +14,7 @@
* KIND, either express or implied. See the License for the specific
language governing
* permissions and limitations under the License.
*
- * @copyright Copyright (C) 2011-12 University Corporation for Advanced
Internet Development, Inc.
+ * @copyright Copyright (C) 2011-13 University Corporation for Advanced
Internet Development, Inc.
* @link http://www.internet2.edu/comanage COmanage Project
* @package registry
* @since COmanage Registry v0.3
@@ -40,47 +40,6 @@
public $requires_co = true;
/**
- * Authorization for this Controller, called by Auth component
- * - precondition: Session.Auth holds data used for authz decisions
- * - postcondition: $permissions set with calculated permissions
- *
- * @since COmanage Registry v0.3
- * @return Array Permissions
- */
-
- function isAuthorized() {
- $cmr = $this->calculateCMRoles();
-
- // Construct the permission set for this user, which will also be passed
to the view.
- $p = array();
-
- // Determine what operations this user can perform
-
- // Add a new CO Enrollment Flow?
- $p['add'] = ($cmr['cmadmin'] || $cmr['coadmin']);
-
- // Delete an existing CO Enrollment Flow?
- $p['delete'] = ($cmr['cmadmin'] || $cmr['coadmin']);
-
- // Edit an existing CO Enrollment Flow?
- $p['edit'] = ($cmr['cmadmin'] || $cmr['coadmin']);
-
- // View all existing CO Enrollment Flows?
- $p['index'] = ($cmr['cmadmin'] || $cmr['coadmin']);
-
- // Select a CO Enrollment Flow to create a petition from?
- // Any logged in person can get to this page, however which enrollment
flows they
- // see will be determined dynamically.
- $p['select'] = $cmr['user'];
-
- // View an existing CO Enrollment Flow?
- $p['view'] = ($cmr['cmadmin'] || $cmr['coadmin']);
-
- $this->set('permissions', $p);
- return($p[$this->action]);
- }
-
- /**
* Callback after controller methods are invoked but before views are
rendered.
* - precondition: Request Handler component has set $this->request->params
* - postcondition: $cous may be set.
@@ -142,6 +101,47 @@
}
/**
+ * Authorization for this Controller, called by Auth component
+ * - precondition: Session.Auth holds data used for authz decisions
+ * - postcondition: $permissions set with calculated permissions
+ *
+ * @since COmanage Registry v0.3
+ * @return Array Permissions
+ */
+
+ function isAuthorized() {
+ $roles = $this->Role->calculateCMRoles();
+
+ // Construct the permission set for this user, which will also be passed
to the view.
+ $p = array();
+
+ // Determine what operations this user can perform
+
+ // Add a new CO Enrollment Flow?
+ $p['add'] = ($roles['cmadmin'] || $roles['coadmin']);
+
+ // Delete an existing CO Enrollment Flow?
+ $p['delete'] = ($roles['cmadmin'] || $roles['coadmin']);
+
+ // Edit an existing CO Enrollment Flow?
+ $p['edit'] = ($roles['cmadmin'] || $roles['coadmin']);
+
+ // View all existing CO Enrollment Flows?
+ $p['index'] = ($roles['cmadmin'] || $roles['coadmin']);
+
+ // Select a CO Enrollment Flow to create a petition from?
+ // Any logged in person can get to this page, however which enrollment
flows they
+ // see will be determined dynamically.
+ $p['select'] = $roles['user'];
+
+ // View an existing CO Enrollment Flow?
+ $p['view'] = ($roles['cmadmin'] || $roles['coadmin']);
+
+ $this->set('permissions', $p);
+ return $p[$this->action];
+ }
+
+ /**
* Perform a redirect back to the controller's default view.
* - postcondition: Redirect generated
*
@@ -168,22 +168,29 @@
*/
function select() {
- // Determine the Enrollment Flows for this CO and pass them to the view.
- // Currently, we don't check for COU-specific flows.
-
// Set page title
$this->set('title_for_layout', _txt('ct.co_enrollment_flows.pl'));
- // Determine which enrollment flows the current user can see
+ // Start with a list of enrollment flows
- // XXX As of Cake 2.3 (which we're not currently using), the paginate
accepts the 'findtype' parameter
- // instead of setting the 0'th index in the array.
- $this->paginate[0] = 'authorized';
- $this->paginate['conditions']['CoEnrollmentFlow.co_id'] =
$this->cur_co['Co']['id'];
- // This parameter is for the custom find
- $this->paginate['authorizeCoPersonId'] =
$this->Session->read('Auth.User.co_person_id');
- $this->paginate['contain'] = false;
+ $args = array();
+ $args['conditions']['CoEnrollmentFlow.co_id'] =
$this->cur_co['Co']['id'];
+ $args['contain'][] = false;
- $this->set('co_enrollment_flows', $this->paginate('CoEnrollmentFlow'));
+ $flows = $this->CoEnrollmentFlow->find('all', $args);
+
+ // Walk through the list of flows and see which ones this user is
authorized to run
+
+ $authedFlows = array();
+
+ foreach($flows as $f) {
+ // pass $role to model->authorize
+
+ if($this->CoEnrollmentFlow->authorize($f,
$this->Session->read('Auth.User.co_person_id'), $this->Role)) {
+ $authedFlows[] = $f;
+ }
+ }
+
+ $this->set('co_enrollment_flows', $authedFlows);
}
}
Modified: registry/trunk/app/Controller/CoExtendedAttributesController.php
===================================================================
--- registry/trunk/app/Controller/CoExtendedAttributesController.php
2013-01-09 03:11:35 UTC (rev 405)
+++ registry/trunk/app/Controller/CoExtendedAttributesController.php
2013-01-18 23:58:32 UTC (rev 406)
@@ -2,7 +2,7 @@
/**
* COmanage Registry CO Extended Attributes Controller
*
- * Copyright (C) 2010-12 University Corporation for Advanced Internet
Development, Inc.
+ * Copyright (C) 2010-13 University Corporation for Advanced Internet
Development, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with
* the License. You may obtain a copy of the License at
@@ -14,7 +14,7 @@
* KIND, either express or implied. See the License for the specific
language governing
* permissions and limitations under the License.
*
- * @copyright Copyright (C) 2010-12 University Corporation for Advanced
Internet Development, Inc.
+ * @copyright Copyright (C) 2010-13 University Corporation for Advanced
Internet Development, Inc.
* @link http://www.internet2.edu/comanage COmanage Project
* @package registry
* @since COmanage Registry v0.2
@@ -397,7 +397,7 @@
*/
function isAuthorized() {
- $cmr = $this->calculateCMRoles();
+ $roles = $this->Role->calculateCMRoles();
// Construct the permission set for this user, which will also be passed
to the view.
$p = array();
@@ -405,21 +405,21 @@
// Determine what operations this user can perform
// Add a new Extended Attribute?
- $p['add'] = ($cmr['cmadmin'] || $cmr['coadmin']);
+ $p['add'] = ($roles['cmadmin'] || $roles['coadmin']);
// Delete an existing Extended Attribute?
- $p['delete'] = ($cmr['cmadmin'] || $cmr['coadmin']);
+ $p['delete'] = ($roles['cmadmin'] || $roles['coadmin']);
// Edit an existing Extended Attribute?
- $p['edit'] = ($cmr['cmadmin'] || $cmr['coadmin']);
+ $p['edit'] = ($roles['cmadmin'] || $roles['coadmin']);
// View all existing Extended Attributes?
- $p['index'] = ($cmr['cmadmin'] || $cmr['coadmin']);
+ $p['index'] = ($roles['cmadmin'] || $roles['coadmin']);
// View an existing Extended Attribute?
- $p['view'] = ($cmr['cmadmin'] || $cmr['coadmin']);
+ $p['view'] = ($roles['cmadmin'] || $roles['coadmin']);
$this->set('permissions', $p);
- return($p[$this->action]);
+ return $p[$this->action];
}
}
Modified: registry/trunk/app/Controller/CoExtendedTypesController.php
===================================================================
--- registry/trunk/app/Controller/CoExtendedTypesController.php 2013-01-09
03:11:35 UTC (rev 405)
+++ registry/trunk/app/Controller/CoExtendedTypesController.php 2013-01-18
23:58:32 UTC (rev 406)
@@ -2,7 +2,7 @@
/**
* COmanage Registry CO Extended Types Controller
*
- * Copyright (C) 2012 University Corporation for Advanced Internet
Development, Inc.
+ * Copyright (C) 2013 University Corporation for Advanced Internet
Development, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with
* the License. You may obtain a copy of the License at
@@ -14,7 +14,7 @@
* KIND, either express or implied. See the License for the specific
language governing
* permissions and limitations under the License.
*
- * @copyright Copyright (C) 2012 University Corporation for Advanced
Internet Development, Inc.
+ * @copyright Copyright (C) 2013 University Corporation for Advanced
Internet Development, Inc.
* @link http://www.internet2.edu/comanage COmanage Project
* @package registry
* @since COmanage Registry v0.6
@@ -222,7 +222,7 @@
*/
function isAuthorized() {
- $cmr = $this->calculateCMRoles();
+ $roles = $this->Role->calculateCMRoles();
// Construct the permission set for this user, which will also be passed
to the view.
$p = array();
@@ -230,22 +230,22 @@
// Determine what operations this user can perform
// Add a new Extended Type?
- $p['add'] = ($cmr['cmadmin'] || $cmr['coadmin']);
+ $p['add'] = ($roles['cmadmin'] || $roles['coadmin']);
// Delete an existing Extended Type?
- $p['delete'] = ($cmr['cmadmin'] || $cmr['coadmin']);
+ $p['delete'] = ($roles['cmadmin'] || $roles['coadmin']);
// Edit an existing Extended Type?
- $p['edit'] = ($cmr['cmadmin'] || $cmr['coadmin']);
+ $p['edit'] = ($roles['cmadmin'] || $roles['coadmin']);
// View all existing Extended Type?
- $p['index'] = ($cmr['cmadmin'] || $cmr['coadmin']);
+ $p['index'] = ($roles['cmadmin'] || $roles['coadmin']);
// View an existing Extended Type?
- $p['view'] = ($cmr['cmadmin'] || $cmr['coadmin']);
+ $p['view'] = ($roles['cmadmin'] || $roles['coadmin']);
$this->set('permissions', $p);
- return($p[$this->action]);
+ return $p[$this->action];
}
/**
Modified: registry/trunk/app/Controller/CoGroupMembersController.php
===================================================================
--- registry/trunk/app/Controller/CoGroupMembersController.php 2013-01-09
03:11:35 UTC (rev 405)
+++ registry/trunk/app/Controller/CoGroupMembersController.php 2013-01-18
23:58:32 UTC (rev 406)
@@ -2,7 +2,7 @@
/**
* COmanage Registry CO Group Member Controller
*
- * Copyright (C) 2010-12 University Corporation for Advanced Internet
Development, Inc.
+ * Copyright (C) 2010-13 University Corporation for Advanced Internet
Development, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with
* the License. You may obtain a copy of the License at
@@ -14,7 +14,7 @@
* KIND, either express or implied. See the License for the specific
language governing
* permissions and limitations under the License.
*
- * @copyright Copyright (C) 2010-12 University Corporation for Advanced
Internet Development, Inc.
+ * @copyright Copyright (C) 2010-13 University Corporation for Advanced
Internet Development, Inc.
* @link http://www.internet2.edu/comanage COmanage Project
* @package registry
* @since COmanage Registry v0.1
@@ -225,14 +225,15 @@
}
/**
- * Delete a Co Group Members Object
+ * Delete a CO Group Members Object
* - precondition: <id> must exist
* - postcondition: Session flash message updated (HTML) or HTTP status
returned (REST)
* - postcondition: On success, all related data (any table with an
<object>_id column) is deleted
*
* @since COmanage Registry v0.7
* @param integer Object identifier (eg: cm_co_groups:id) representing
object to be deleted
- */
+ */
+
function delete($id) {
$this->redirectTab = 'group';
@@ -249,16 +250,8 @@
*/
function isAuthorized() {
- $cmr = $this->calculateCMRoles(); // What was authenticated
-
- // Construct the permission set for this user, which will also be passed
to the view.
- $p = array();
+ $roles = $this->Role->calculateCMRoles(); // What was
authenticated
- // Determine if the authenticated person is an owner or member of the
associated group
-
- $owner = false;
- $member = false;
-
// Store the group ID in the controller object since performRedirect may
need it
if($this->action == 'add' &&
isset($this->request->data['CoGroupMember']['co_group_id']))
@@ -268,12 +261,17 @@
$this->gid = $this->CoGroupMember->field('co_group_id',
array('CoGroupMember.id' => $this->request->params['pass'][0]));
elseif($this->action == 'select' &&
isset($this->request->params['named']['cogroup']))
$this->gid = $this->request->params['named']['cogroup'];
-
- if(isset($this->gid) && !empty($cmr['copersonid']))
- {
+
+ $managed = false;
+ $owner = false;
+ $member = false;
+
+ if(!empty($roles['copersonid']) && isset($this->gid)) {
+ $managed = $this->Role->isGroupManager($roles['copersonid'],
$this->gid);
+
$gm = $this->CoGroupMember->find('all', array('conditions' =>
array('CoGroupMember.co_group_id' => $this->gid,
-
'CoGroupMember.co_person_id' => $cmr['copersonid'])));
+
'CoGroupMember.co_person_id' => $roles['copersonid'])));
if(isset($gm[0]['CoGroupMember']['owner']) &&
$gm[0]['CoGroupMember']['owner'])
$owner = true;
@@ -282,30 +280,31 @@
$member = true;
}
- // Determine what operations this user can perform
-
+ // Construct the permission set for this user, which will also be passed
to the view.
+ $p = array();
+
// Add a new member to a group?
// XXX probably need to check if group is open here and in delete
- $p['add'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $owner);
+ $p['add'] = ($roles['cmadmin'] || $managed);
// Delete a member from a group?
- $p['delete'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $owner);
+ $p['delete'] = ($roles['cmadmin'] || $managed);
// Edit members of a group?
- $p['edit'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $owner);
+ $p['edit'] = ($roles['cmadmin'] || $managed);
// View a list of members of a group?
// This is for REST
- $p['index'] = ($cmr['cmadmin'] || $cmr['coadmin']);
-
+ $p['index'] = ($this->restful && ($roles['cmadmin'] ||
$roles['coadmin']));
+
// Select from a list of potential members to add?
- $p['select'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $owner);
+ $p['select'] = ($roles['cmadmin'] || $managed);
// View members of a group?
- $p['view'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $owner || $member);
-
+ $p['view'] = ($roles['cmadmin'] || $managed || $member);
+
$this->set('permissions', $p);
- return($p[$this->action]);
+ return $p[$this->action];
}
/**
Modified: registry/trunk/app/Controller/CoGroupsController.php
===================================================================
--- registry/trunk/app/Controller/CoGroupsController.php 2013-01-09
03:11:35 UTC (rev 405)
+++ registry/trunk/app/Controller/CoGroupsController.php 2013-01-18
23:58:32 UTC (rev 406)
@@ -2,7 +2,7 @@
/**
* COmanage Registry CO Group Controller
*
- * Copyright (C) 2010-12 University Corporation for Advanced Internet
Development, Inc.
+ * Copyright (C) 2010-13 University Corporation for Advanced Internet
Development, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with
* the License. You may obtain a copy of the License at
@@ -14,7 +14,7 @@
* KIND, either express or implied. See the License for the specific
language governing
* permissions and limitations under the License.
*
- * @copyright Copyright (C) 2010-12 University Corporation for Advanced
Internet Development, Inc.
+ * @copyright Copyright (C) 2010-13 University Corporation for Advanced
Internet Development, Inc.
* @link http://www.internet2.edu/comanage COmanage Project
* @package registry
* @since COmanage Registry v0.1
@@ -256,17 +256,34 @@
*/
function isAuthorized() {
- $cmr = $this->calculateCMRoles(); // What was
authenticated
- $pids = $this->parsePersonID($this->request->data); // What was
requested
-
- if(!empty($cmr['copersonid']))
- {
+ $roles = $this->Role->calculateCMRoles();
+
+ $own = array();
+ $member = array();
+ $managed = false;
+ $managedp = false;
+ $self = false;
+
+ if(!empty($roles['copersonid'])) {
$own = $this->CoGroup->CoGroupMember->find('all', array('conditions' =>
-
array('CoGroupMember.co_person_id' => $cmr['copersonid'],
+
array('CoGroupMember.co_person_id' => $roles['copersonid'],
'CoGroupMember.owner' => true)));
$member = $this->CoGroup->CoGroupMember->find('all',
array('conditions' =>
-
array('CoGroupMember.co_person_id' => $cmr['copersonid'],
+
array('CoGroupMember.co_person_id' => $roles['copersonid'],
'CoGroupMember.member' => true)));
+
+ if(!empty($this->request->params['pass'][0])) {
+ $managed = $this->Role->isGroupManager($roles['copersonid'],
$this->request->params['pass'][0]);
+ }
+
+ if(!empty($this->request->params['named']['copersonid'])) {
+ $managedp = $this->Role->isCoAdminForCoPerson($roles['copersonid'],
+
$this->request->params['named']['copersonid']);
+
+ if($roles['copersonid'] ==
$this->request->params['named']['copersonid']) {
+ $self = true;
+ }
+ }
}
// Construct the permission set for this user, which will also be passed
to the view.
@@ -275,27 +292,56 @@
// Determine what operations this user can perform
// Add a new Group?
- $p['add'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $cmr['comember']);
+ $p['add'] = ($roles['cmadmin'] || $roles['coadmin'] ||
$roles['comember']);
// Create an admin Group?
- $p['admin'] = ($cmr['cmadmin'] || $cmr['coadmin']);
+ $p['admin'] = ($roles['cmadmin'] || $roles['coadmin']);
// Delete an existing Group?
- $p['delete'] = ($cmr['cmadmin'] || $cmr['coadmin']);
+ $p['delete'] = ($roles['cmadmin'] || $managed);
// Edit an existing Group?
- $p['edit'] = ($cmr['cmadmin'] || $cmr['coadmin']);
+ $p['edit'] = ($roles['cmadmin'] || $managed);
- // View all existing Group?
- $p['index'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $cmr['comember']);
+ // View all existing Groups?
+ $p['index'] = ($roles['cmadmin'] || $roles['coadmin'] ||
$roles['comember']);
+ if($this->action == 'index' && $p['index']
+ && ($roles['cmadmin'] || $roles['coadmin'])) {
+ // Set all permissions for admins so index view links render.
+
+ $p['delete'] = true;
+ $p['edit'] = true;
+ $p['view'] = true;
+ }
+
// Select from a list of potential Groups to join?
- // XXX review this
- $p['select'] = ($cmr['cmadmin'] || $cmr['admin'] || $cmr['user']);
+ $p['select'] = ($roles['cmadmin']
+ || ($managedp && $roles['coadmin'])
+ || $self);
// View an existing Group?
- $p['view'] = ($cmr['cmadmin'] || $cmr['coadmin']);
+ $p['view'] = ($roles['cmadmin'] || $managed);
+ if($this->action == 'view'
+ && isset($this->request->params['pass'][0])) {
+ // Adjust permissions for members and open groups
+
+ if(isset($member) && in_array($this->request->params['pass'][0],
$p['member']))
+ $p['view'] = true;
+
+ $params = array(
+ 'conditions' => array(
+ 'CoGroup.id' => $this->request->params['pass'][0]
+ )
+ );
+ $g = $this->CoGroup->find('first', $params);
+
+ if($g && isset($g['CoGroup']['open']) && $g['CoGroup']['open']) {
+ $p['view'] = true;
+ }
+ }
+
if(isset($own))
{
// Set array of groups where person is owner
@@ -315,37 +361,8 @@
$p['member'][] = $g['CoGroupMember']['co_group_id'];
}
- if(($this->action == 'delete' || $this->action == 'edit' ||
$this->action == 'view')
- && isset($this->request->params['pass'][0]))
- {
- // Adjust permissions for owners, members, and open groups
-
- if(isset($own) && in_array($this->request->params['pass'][0],
$p['owner']))
- {
- $p['delete'] = true;
- $p['edit'] = true;
- $p['view'] = true;
- }
-
- if(isset($member) && in_array($this->request->params['pass'][0],
$p['member']))
- $p['view'] = true;
-
- $params = array(
- 'conditions' => array(
- 'CoGroup.id' => $this->request->params['pass'][0]
- )
- );
- $g = $this->CoGroup->find('first', $params);
-
- if($g)
- {
- if(isset($g['CoGroup']['open']) && $g['CoGroup']['open'])
- $p['view'] = true;
- }
- }
-
$this->set('permissions', $p);
- return($p[$this->action]);
+ return $p[$this->action];
}
/**
Modified: registry/trunk/app/Controller/CoIdentifierAssignmentsController.php
===================================================================
--- registry/trunk/app/Controller/CoIdentifierAssignmentsController.php
2013-01-09 03:11:35 UTC (rev 405)
+++ registry/trunk/app/Controller/CoIdentifierAssignmentsController.php
2013-01-18 23:58:32 UTC (rev 406)
@@ -2,7 +2,7 @@
/**
* COmanage Registry CO Identifier Assignments Controller
*
- * Copyright (C) 2012 University Corporation for Advanced Internet
Development, Inc.
+ * Copyright (C) 2012-3 University Corporation for Advanced Internet
Development, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with
* the License. You may obtain a copy of the License at
@@ -14,7 +14,7 @@
* KIND, either express or implied. See the License for the specific
language governing
* permissions and limitations under the License.
*
- * @copyright Copyright (C) 2012 University Corporation for Advanced
Internet Development, Inc.
+ * @copyright Copyright (C) 2012-3 University Corporation for Advanced
Internet Development, Inc.
* @link http://www.internet2.edu/comanage COmanage Project
* @package registry
* @since COmanage Registry v0.6
@@ -68,7 +68,7 @@
*/
function isAuthorized() {
- $cmr = $this->calculateCMRoles();
+ $roles = $this->Role->calculateCMRoles();
// Construct the permission set for this user, which will also be passed
to the view.
$p = array();
@@ -76,21 +76,21 @@
// Determine what operations this user can perform
// Add a new CO Identifier Assignment?
- $p['add'] = ($cmr['cmadmin'] || $cmr['coadmin']);
+ $p['add'] = ($roles['cmadmin'] || $roles['coadmin']);
// Delete an existing CO Identifier Assignment?
- $p['delete'] = ($cmr['cmadmin'] || $cmr['coadmin']);
+ $p['delete'] = ($roles['cmadmin'] || $roles['coadmin']);
// Edit an existing CO Identifier Assignment?
- $p['edit'] = ($cmr['cmadmin'] || $cmr['coadmin']);
+ $p['edit'] = ($roles['cmadmin'] || $roles['coadmin']);
// View all existing CO Identifier Assignments?
- $p['index'] = ($cmr['cmadmin'] || $cmr['coadmin']);
+ $p['index'] = ($roles['cmadmin'] || $roles['coadmin']);
// View an existing CO Identifier Assignment?
- $p['view'] = ($cmr['cmadmin'] || $cmr['coadmin']);
+ $p['view'] = ($roles['cmadmin'] || $roles['coadmin']);
$this->set('permissions', $p);
- return($p[$this->action]);
+ return $p[$this->action];
}
}
Modified: registry/trunk/app/Controller/CoInvitesController.php
===================================================================
--- registry/trunk/app/Controller/CoInvitesController.php 2013-01-09
03:11:35 UTC (rev 405)
+++ registry/trunk/app/Controller/CoInvitesController.php 2013-01-18
23:58:32 UTC (rev 406)
@@ -2,7 +2,7 @@
/**
* COmanage Registry CO Invite Controller
*
- * Copyright (C) 2010-12 University Corporation for Advanced Internet
Development, Inc.
+ * Copyright (C) 2010-13 University Corporation for Advanced Internet
Development, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with
* the License. You may obtain a copy of the License at
@@ -14,7 +14,7 @@
* KIND, either express or implied. See the License for the specific
language governing
* permissions and limitations under the License.
*
- * @copyright Copyright (C) 2010-12 University Corporation for Advanced
Internet Development, Inc.
+ * @copyright Copyright (C) 2010-13 University Corporation for Advanced
Internet Development, Inc.
* @link http://www.internet2.edu/comanage COmanage Project
* @package registry
* @since COmanage Registry v0.1
@@ -179,15 +179,24 @@
*/
function isAuthorized() {
- $cmr = $this->calculateCMRoles();
+ $roles = $this->Role->calculateCMRoles();
+ $managed = false;
+
+ if(!empty($roles['copersonid'])
+ && $this->action == 'send'
+ && !empty($this->request->params['named']['copersonid'])) {
+ $managed = $this->Role->isCoOrCouAdminForCoPerson($roles['copersonid'],
+
$this->request->params['named']['copersonid']);
+ }
+
// Construct the permission set for this user, which will also be passed
to the view.
$p = array();
// Determine what operations this user can perform
// Send an invite? (REST only)
- $p['add'] = $cmr['apiuser'];
+ $p['add'] = $roles['apiuser'];
// Confirm an invite? (HTML, auth reequired)
$p['authconfirm'] = true;
@@ -199,16 +208,18 @@
$p['decline'] = true;
// Confirm or decline an invite? (REST only)
- $p['index'] = $cmr['apiuser'];
+ $p['index'] = $roles['apiuser'];
// Reply to an invite? (HTML only)
$p['reply'] = true;
// Send an invite? (HTML only)
- $p['send'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $cmr['couadmin']);
-
+
+ $p['send'] = ($roles['cmadmin']
+ || ($managed && ($roles['coadmin'] ||
$roles['couadmin'])));
+
$this->set('permissions', $p);
- return($p[$this->action]);
+ return $p[$this->action];
}
/**
Modified: registry/trunk/app/Controller/CoNsfDemographicsController.php
===================================================================
--- registry/trunk/app/Controller/CoNsfDemographicsController.php
2013-01-09 03:11:35 UTC (rev 405)
+++ registry/trunk/app/Controller/CoNsfDemographicsController.php
2013-01-18 23:58:32 UTC (rev 406)
@@ -2,7 +2,7 @@
/**
* COmanage Registry CO NSF Demographics Controller
*
- * Copyright (C) 2011-12 University Corporation for Advanced Internet
Development, Inc.
+ * Copyright (C) 2011-13 University Corporation for Advanced Internet
Development, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with
* the License. You may obtain a copy of the License at
@@ -14,7 +14,7 @@
* KIND, either express or implied. See the License for the specific
language governing
* permissions and limitations under the License.
*
- * @copyright Copyright (C) 2011-12 University Corporation for Advanced
Internet Development, Inc.
+ * @copyright Copyright (C) 2011-13 University Corporation for Advanced
Internet Development, Inc.
* @link http://www.internet2.edu/comanage COmanage Project
* @package registry
* @since COmanage Registry v0.3
@@ -40,6 +40,20 @@
public $requires_co = true;
/**
+ * Override add of StandardController to convert data before calling it
+ * - precondition: $this->request->data['CoNsfDemographic'] holds data to
be saved
+ * - postcondition: $this->request->data['CoNsfDemographic'] is modified
+ *
+ * @since COmanage Registry v0.4
+ */
+
+ function add() {
+ $this->convertData();
+
+ parent::add();
+ }
+
+ /**
* Callback after controller methods are invoked but before views are
rendered.
* - postcondition: Set $race_options, $disability_options
*
@@ -101,10 +115,9 @@
function checkWriteDependencies($reqdata, $curdata = null) {
// Look up id to check validity
if($this->restful) {
- $personid =
$this->request['data']['CoNsfDemographics'][0]['CoPersonId'];
+ $personid = $reqdata['CoNsfDemographic'][0]['co_person_id'];
} else {
- $cmr = $this->calculateCMRoles();
- $personid = $cmr['copersonid'];
+ $personid = $reqdata['CoNsfDemographic']['co_person_id'];
}
$args = array(
@@ -123,7 +136,7 @@
else
$this->Session->setFlash(_txt('er.cop.unk'), '', array(), 'error');
- return(false);
+ return false;
}
// Does a row exist in the database for this id?
@@ -146,6 +159,7 @@
return false;
}
+
return true;
}
@@ -174,19 +188,6 @@
}
/**
- * Override add of StandardController to convert data before calling it
- * - precondition: $this->request->data['CoNsfDemographic'] holds data to
be saved
- * - postcondition: $this->request->data['CoNsfDemographic'] is modified
- *
- * @since COmanage Registry v0.4
- */
-
- function add() {
- $this->convertData();
- parent::add();
- }
-
- /**
* Override edit of StandardController to convert data before calling it
* - precondition: $this->request->data['CoNsfDemographic'] holds data to
be saved
* - postcondition: $this->request->data['CoNsfDemographic'] is modified
@@ -197,53 +198,11 @@
function edit($id) {
$this->convertData();
+
parent::edit($id);
}
/**
- * Redirect to add if no record found.
- * - postcondition: Redirect issued
- *
- * @since COmanage Registry v0.3
- */
-
- function editSelf() {
- // Look up id
- $cmr = $this->calculateCMRoles();
-
- // Does a row exist in the database for this id?
- $args = array(
- 'conditions' => array(
- 'CoNsfDemographic.co_person_id' => $cmr['copersonid'],
- 'CoPerson.co_id' => $this->cur_co['Co']['id']
- )
- );
- $row = $this->CoNsfDemographic->find('first', $args);
- $rowId = $row['CoNsfDemographic']['id'];
-
- if(empty($rowId))
- {
- // No row exists, so add one
- $args = array(
- 'action' => 'add',
- 'co' => $this->cur_co['Co']['id'],
- 'co_person_id' => $cmr['copersonid']
- );
- }
- else
- {
- // Row found so edit it
- $args = array(
- 'action' => 'edit',
- $rowId,
- 'co' => $this->cur_co['Co']['id']
- );
- }
-
- $this->redirect($args);
- }
-
- /**
* Authorization for this Controller, called by Auth component
* - precondition: Session.Auth holds data used for authz decisions
* - postcondition: $permissions set with calculated permissions
@@ -253,55 +212,71 @@
*/
function isAuthorized() {
- $cmr = $this->calculateCMRoles();
- $pids = $this->parsePersonID($this->request->data);
-
- // Is this our own record?
+ $roles = $this->Role->calculateCMRoles();
+
+ $managed = false;
$self = false;
-
- // If a row is passed in, get copersonid associated with this row
- if(!empty($this->request->params['pass'][0]))
- {
- $args = array('conditions' => array('CoNsfDemographic.id' =>
$this->request->params['pass'][0]));
- $row = $this->CoNsfDemographic->find('first', $args);
+
+ if(!empty($roles['copersonid'])) {
+ if($this->action == 'add') {
+ // Find the CO Person ID
+
+ $pid = null;
+
+ if(!empty($this->request->params['named']['copersonid'])) {
+ $pid = $this->request->params['named']['copersonid'];
+ }
elseif(!empty($this->request->data['CoNsfDemographic']['co_person_id'])) {
+ $pid = $this->request->data['CoNsfDemographic']['co_person_id'];
+ }
+
+ if($pid) {
+ $managed =
$this->Role->isCoOrCouAdminForCoPerson($roles['copersonid'], $pid);
+
+ if($roles['copersonid'] == $pid) {
+ $self = true;
+ }
+ }
+ } elseif(!empty($this->request->params['pass'][0])) {
+ // Determine the CO Person associated with this entry
+
+ $copid = $this->CoNsfDemographic->field('co_person_id',
array('CoNsfDemographic.id' => $this->request->params['pass'][0]));
+
+ if($copid) {
+ $managed =
$this->Role->isCoOrCouAdminForCoPerson($roles['copersonid'], $copid);
+
+ if($roles['copersonid'] == $copid) {
+ $self = true;
+ }
+ }
+ }
}
-
- // Can edit self if a member of the co and is not trying to edit someone
else's record
- if($cmr['comember']
- && $cmr['copersonid']
- && (!isset($this->request->params['pass'][0])
- || ($cmr['copersonid'] ==
$row['CoNsfDemographic']['co_person_id'])))
- {
- $self = true;
- }
-
+
// Construct the permission set for this user, which will also be passed
to the view.
$p = array();
-
- // Determine what operations this user can perform
-
- // Add a new Demographic? Can be done if none exist yet
- $args = array('conditions' => array('CoNsfDemographic.id' =>
$cmr['copersonid']));
- $row = $this->CoNsfDemographic->find('first', $args);
-
- // Can only add a new one if admin or row doesn't already exist
- $p['add'] = ($cmr['cmadmin'] || $cmr['admin'] || ($self && empty($row)));
-
- // Delete an existing Demographic?
- $p['delete'] = ($cmr['cmadmin'] || $cmr['admin'] || $self);
-
- // Edit an existing Demographic?
- $p['edit'] = ($cmr['cmadmin'] || $cmr['admin'] || $self);
-
- // Edit own Demographic?
- $p['editself'] = ($cmr['cmadmin'] || $cmr['admin'] || $self);
-
- // View all existing Demographic?
- $p['index'] = ($cmr['cmadmin'] || $cmr['admin']);
-
- // View an existing Demographic?
- $p['view'] = ($cmr['cmadmin'] || $cmr['admin'] || $self);
-
+
+ // Add a new NSF Demographic Record?
+ $p['add'] = ($roles['cmadmin']
+ || ($managed && ($roles['coadmin'] || $roles['couadmin']))
+ || $self);
+
+ // Delete an existing NSF Demographic Record?
+ $p['delete'] = ($roles['cmadmin']
+ || ($managed && ($roles['coadmin'] ||
$roles['couadmin']))
+ || $self);
+
+ // Edit an existing NSF Demographic Record?
+ $p['edit'] = ($roles['cmadmin']
+ || ($managed && ($roles['coadmin'] || $roles['couadmin']))
+ || $self);
+
+ // View all existing NSF Demographic Records?
+ $p['index'] = ($roles['cmadmin'] || $roles['coadmin']);
+
+ // View an existing NSF Demographic Record?
+ $p['view'] = ($roles['cmadmin']
+ || ($managed && ($roles['coadmin'] || $roles['couadmin']))
+ || $self);
+
$this->set('permissions', $p);
return $p[$this->action];
}
Modified: registry/trunk/app/Controller/CoOrgIdentityLinksController.php
===================================================================
--- registry/trunk/app/Controller/CoOrgIdentityLinksController.php
2013-01-09 03:11:35 UTC (rev 405)
+++ registry/trunk/app/Controller/CoOrgIdentityLinksController.php
2013-01-18 23:58:32 UTC (rev 406)
@@ -2,7 +2,7 @@
/**
* COmanage Registry CO Org Identity Link Controller
*
- * Copyright (C) 2011-12 University Corporation for Advanced Internet
Development, Inc.
+ * Copyright (C) 2011-13 University Corporation for Advanced Internet
Development, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with
* the License. You may obtain a copy of the License at
@@ -14,7 +14,7 @@
* KIND, either express or implied. See the License for the specific
language governing
* permissions and limitations under the License.
*
- * @copyright Copyright (C) 2010-12 University Corporation for Advanced
Internet Development, Inc.
+ * @copyright Copyright (C) 2011-13 University Corporation for Advanced
Internet Development, Inc.
* @link http://www.internet2.edu/comanage COmanage Project
* @package registry
* @since COmanage Registry v0.2
@@ -147,7 +147,7 @@
*/
function isAuthorized() {
- $cmr = $this->calculateCMRoles();
+ $roles = $this->Role->calculateCMRoles();
// Construct the permission set for this user, which will also be passed
to the view.
$p = array();
@@ -155,22 +155,22 @@
// Determine what operations this user can perform
// Add a new Person Source?
- $p['add'] = $cmr['cmadmin'];
+ $p['add'] = $roles['cmadmin'];
// Delete an existing Person Source?
- $p['delete'] = $cmr['cmadmin'];
+ $p['delete'] = $roles['cmadmin'];
// Edit an existing Person Source?
- $p['edit'] = $cmr['cmadmin'];
+ $p['edit'] = $roles['cmadmin'];
// View all existing Person Sources?
- $p['index'] = $cmr['cmadmin'];
+ $p['index'] = $roles['cmadmin'];
// View an existing Person Source?
- $p['view'] = $cmr['cmadmin'];
+ $p['view'] = $roles['cmadmin'];
$this->set('permissions', $p);
- return($p[$this->action]);
+ return $p[$this->action];
}
/**
Modified: registry/trunk/app/Controller/CoPeopleController.php
===================================================================
--- registry/trunk/app/Controller/CoPeopleController.php 2013-01-09
03:11:35 UTC (rev 405)
+++ registry/trunk/app/Controller/CoPeopleController.php 2013-01-18
23:58:32 UTC (rev 406)
@@ -2,7 +2,7 @@
/**
* COmanage Registry CO People Controller
*
- * Copyright (C) 2010-12 University Corporation for Advanced Internet
Development, Inc.
+ * Copyright (C) 2010-13 University Corporation for Advanced Internet
Development, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with
* the License. You may obtain a copy of the License at
@@ -14,7 +14,7 @@
* KIND, either express or implied. See the License for the specific
language governing
* permissions and limitations under the License.
*
- * @copyright Copyright (C) 2010-12 University Corporation for Advanced
Internet Development, Inc.
+ * @copyright Copyright (C) 2010-13 University Corporation for Advanced
Internet Development, Inc.
* @link http://www.internet2.edu/comanage COmanage Project
* @package registry
* @since COmanage Registry v0.1
@@ -420,47 +420,89 @@
*/
function isAuthorized() {
- $cmr = $this->calculateCMRoles();
+ $roles = $this->Role->calculateCMRoles();
// Is this our own record?
$self = false;
- if($cmr['comember'] && $cmr['copersonid'] &&
- ((isset($this->params['pass'][0]) && ($cmr['copersonid'] ==
$this->params['pass'][0]))
+ if($roles['comember'] && $roles['copersonid'] &&
+ ((isset($this->request->params['pass'][0]) && ($roles['copersonid']
== $this->request->params['pass'][0]))
||
- ($this->action == 'editself' && isset($cmr['copersonid']))))
+ ($this->action == 'editself' && isset($roles['copersonid'])))) {
$self = true;
-
+ }
+
+ // Is this a record we can manage?
+ $managed = false;
+
+ if(isset($roles['copersonid'])
+ && $roles['copersonid']
+ && isset($this->request->params['pass'][0])
+ && ($this->action == 'compare'
+ || $this->action == 'delete'
+ || $this->action == 'edit'
+ || $this->action == 'view')) {
+ $managed = $this->Role->isCoOrCouAdminForCoPerson($roles['copersonid'],
+
$this->request->params['pass'][0]);
+ }
+
// Construct the permission set for this user, which will also be passed
to the view.
$p = array();
- // Determine what operations this user can perform
-
// Add a new CO Person?
- $p['add'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $cmr['couadmin']);
+ $p['add'] = ($roles['cmadmin'] || $roles['coadmin'] ||
$roles['couadmin']);
$p['enroll'] = $p['add'];
// Via invite?
- $p['invite'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $cmr['couadmin']);
+ $p['invite'] = ($roles['cmadmin'] || $roles['coadmin'] ||
$roles['couadmin']);
// Compare CO attributes and Org attributes?
- $p['compare'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $self);
+ $p['compare'] = ($roles['cmadmin']
+ || ($managed && ($roles['coadmin'] ||
$roles['couadmin']))
+ || $self);
// Delete an existing CO Person?
// A COU admin should be able to delete a CO Person, but not if they
have any roles
// associated with a COU the admin isn't responsible for. We'll catch
that in
// checkDeleteDependencies.
- $p['delete'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $cmr['couadmin']);
+ $p['delete'] = ($roles['cmadmin']
+ || ($managed && ($roles['coadmin'] ||
$roles['couadmin'])));
// Edit an existing CO Person?
- $p['edit'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $cmr['couadmin'] ||
$self);
-
+ $p['edit'] = ($roles['cmadmin']
+ || ($managed && ($roles['coadmin'] || $roles['couadmin']))
+ || $self);
+
// Are we allowed to edit our own record?
// If we're an admin, we act as an admin, not self.
- $p['editself'] = $self && !$cmr['cmadmin'] && !$cmr['coadmin'] &&
!$cmr['couadmin'];
+ $p['editself'] = $self && !$roles['cmadmin'] && !$roles['coadmin'] &&
!$roles['couadmin'];
// View all existing CO People (or a COU's worth)?
- $p['index'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $cmr['couadmin']);
+ $p['index'] = ($roles['cmadmin'] || $roles['coadmin'] ||
$roles['couadmin']);
+ if($this->action == 'index' && $p['index']) {
+ // For rendering index, we currently assume that anyone who can view
the
+ // index can manipulate all records. This is fine for CMP and CO
admins,
+ // but a COU Admin can't edit role data for which they are not the
admin.
+ // (See also CO-505.)
+
+ // It might be nice to pull all the people in the COU and pass a list
+ // of CO Role IDs, but that would require pulling all the person role
+ // records twice (again later in StandardController::index()). Since
+ // $p['admincous'] has the appropriate COUs listed, will let the view
+ // do a bit of work when rendering.
+
+ // These permissions are person-level, and are probably not exactly
right.
+ // Specifically, delete could be problematic since a COU admin can't
+ // delete a person with a COU role that the admin doesn't manage.
+ // For now, we'll catch that in checkDeleteDependencies, and let the
view
+ // worry about what to render by checking the list of COUs.
+
+ $p['compare'] = true;
+ $p['delete'] = true;
+ $p['edit'] = true;
+ $p['view'] = true;
+ }
+
// Match against existing CO People?
// Note this same permission exists in CO Petitions
@@ -473,7 +515,7 @@
if(isset($this->request->named['coef'])) {
$flowAuthorized =
$this->CoPerson->Co->CoPetition->CoEnrollmentFlow->authorizeById($this->request->named['coef'],
-
$cmr['copersonid']);
+
$roles['copersonid']);
$p['match_policy'] =
$this->CoPerson->Co->CoPetition->CoEnrollmentFlow->field('match_policy',
array('CoEnrollmentFlow.id' => $this->request->named['coef']));
@@ -483,71 +525,21 @@
}
// View an existing CO Person?
- $p['view'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $cmr['couadmin'] ||
$self);
+ $p['view'] = ($roles['cmadmin']
+ || ($managed && ($roles['coadmin'] || $roles['couadmin']))
+ || $self);
// Determine which COUs a person can manage.
- if($cmr['cmadmin'] || $cmr['coadmin'])
+ if($roles['cmadmin'] || $roles['coadmin'])
$p['cous'] =
$this->CoPerson->CoPersonRole->Cou->allCous($this->cur_co['Co']['id']);
- elseif(!empty($cmr['admincous']))
- $p['cous'] = $cmr['admincous'];
+ elseif(!empty($roles['admincous']))
+ $p['cous'] = $roles['admincous'];
else
$p['cous'] = array();
-
- // COUs are handled a bit differently. We need to authorize operations
that
- // operate on a per-person basis accordingly.
- if($cmr['couadmin'] && !empty($p['cous'])) {
-// XXX recheck this functionality
- if(!empty($this->request->params['pass'][0])) {
- // If the target person is in a COU managed by the COU admin, grant
permission
-
- $tcous = $this->CoPerson->CoPersonRole->Cou->find("list",
- array("joins" =>
-
array(array('table' => 'co_person_roles',
-
'alias' => 'CoPersonRole',
-
'type' => 'INNER',
-
'conditions' => array('Cou.id=CoPersonRole.cou_id'))),
- "conditions"
=>
-
array('CoPersonRole.co_person_id' => $this->request->params['pass'][0])));
-
- $a = array_intersect($tcous, array_values($p['cous']));
-
- if(!empty($a)) {
- // CO Person is a member of at least one COU that the COU admin
manages
-
- $p['compare'] = true;
- $p['delete'] = true;
- $p['edit'] = true;
- $p['view'] = true;
- }
- } else {
- if($p['index']) {
- // For rendering index, we currently assume that COU Admins can
manage
- // CO Person level data for any person in the CO (but see CO-505),
but
- // a COU Admin can't edit role data for which they are not the
admin.
- // It might be nice to pull all the people in the COU and pass a
list
- // of CO Role IDs, but that would require pulling all the person
role
- // records twice (again later in StandardController::index()).
Since
- // $p['admincous'] has the appropriate COUs listed, will let the
view
- // do a bit of work when rendering.
-
- // These permissions are person-level, and are probably not
exactly right.
- // Specifically, delete could be problematic since a COU admin
can't
- // delete a person with a COU role that the admin doesn't manage.
- // For now, we'll catch that in checkDeleteDependencies, and let
the view
- // worry about what to render by checking the list of COUs.
-
- $p['compare'] = true;
- $p['delete'] = true;
- $p['edit'] = true;
- $p['view'] = true;
- }
- }
- }
-
$this->set('permissions', $p);
- return($p[$this->action]);
+ return $p[$this->action];
}
/**
Modified: registry/trunk/app/Controller/CoPersonRolesController.php
===================================================================
--- registry/trunk/app/Controller/CoPersonRolesController.php 2013-01-09
03:11:35 UTC (rev 405)
+++ registry/trunk/app/Controller/CoPersonRolesController.php 2013-01-18
23:58:32 UTC (rev 406)
@@ -272,106 +272,95 @@
*/
function isAuthorized() {
- $cmr = $this->calculateCMRoles();
+ $roles = $this->Role->calculateCMRoles();
// Is this our own record?
$self = false;
- if($cmr['comember'] && $cmr['copersonid'] &&
isset($this->request->params['pass'][0]))
- {
+ if($roles['comember'] && $roles['copersonid'] &&
isset($this->request->params['pass'][0])) {
// We need to see if the person role ID passed in maps to the
authenticated CO person
$copid = $this->CoPersonRole->field('co_person_id', array('id' =>
$this->request->params['pass'][0]));
- if($copid && $copid == $cmr['copersonid'])
+ if($copid && ($copid == $roles['copersonid']))
$self = true;
}
-
+
+ // Is this a record we can manage?
+ $managed = false;
+
+ if(!empty($roles['copersonid'])
+ && !empty($this->request->params['pass'][0])
+ && ($this->action == 'delete'
+ || $this->action == 'edit'
+ || $this->action == 'view')) {
+ $managed =
$this->Role->isCoOrCouAdminForCoPersonRole($roles['copersonid'],
+
$this->request->params['pass'][0]);
+ }
+
// Construct the permission set for this user, which will also be passed
to the view.
$p = array();
- // Determine what operations this user can perform
-
// Add a new CO Person Role?
- $p['add'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $cmr['couadmin']);
+ $p['add'] = ($roles['cmadmin'] || $roles['coadmin'] ||
$roles['couadmin']);
- // Delete an existing CO Person Role?
- $p['delete'] = ($cmr['cmadmin'] || $cmr['coadmin']);
-
- // Edit an existing CO Person Role?
- $p['edit'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $self);
-
- // Are we trying to edit our own record?
- // If we're an admin, we act as an admin, not self.
- $p['editself'] = $self && !$cmr['cmadmin'] && !$cmr['coadmin'] &&
!$cmr['couadmin'];
-
- // View all existing CO Person Roles (or a COU's worth)?
- $p['index'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $cmr['couadmin']);
-
- // View an existing CO Person Role?
- $p['view'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $self);
-
// Determine which COUs a person can manage.
- if($cmr['cmadmin'] || $cmr['coadmin']) {
+ if($roles['cmadmin'] || $roles['coadmin']) {
// Note that here we get id => name while in CoPeopleController we just
// get a list of names. This is to generate the pop-up on the edit
form.
$p['cous'] =
$this->CoPersonRole->Cou->allCous($this->cur_co['Co']['id']);
}
- elseif(!empty($cmr['admincous']))
- $p['cous'] = array_values($cmr['admincous']);
+ elseif(!empty($roles['admincous']))
+ $p['cous'] = array_values($roles['admincous']);
else
$p['cous'] = array();
- // COUs are handled a bit differently. We need to authorize operations
that
- // operate on a per-person basis accordingly.
+ // Delete an existing CO Person Role?
+ $p['delete'] = ($roles['cmadmin']
+ || ($managed && ($roles['coadmin'] ||
$roles['couadmin'])));
- if($cmr['couadmin'] && !empty($p['cous']))
- {
- if(!empty($this->request->params['pass'][0]))
- {
- // If the target person is in a COU managed by the COU admin, grant
permission
-
- $tcous = $this->CoPersonRole->Cou->find("list",
- array("joins" =>
- array(array('table' =>
'co_person_roles',
- 'alias' =>
'CoPersonRole',
- 'type' =>
'INNER',
-
'conditions' => array('Cou.id=CoPersonRole.cou_id'))),
- "conditions" =>
-
array('CoPersonRole.id' => $this->request->params['pass'][0])));
-
- $a = array_intersect($tcous, $p['cous']);
+ // Edit an existing CO Person Role?
+ $p['edit'] = ($roles['cmadmin']
+ || ($managed && ($roles['coadmin'] || $roles['couadmin']))
+ || $self);
- if(!empty($a))
- {
- // CO Person is a member of at least one COU that the COU admin
manages
-
- $p['delete'] = true;
- $p['edit'] = true;
- $p['view'] = true;
- }
- }
- else
- {
- if($p['index'])
- {
- // We grant additional permissions so the appropriate buttons
render
- // on the assumption that any row that renders is for an individual
- // that this COU admin can manage, and that anyway we'll check the
- // authz on a per-person basis (the above portion of this if/else)
- // when an individual is selected. This probably isn't ideal -- it
- // might be better to have separate render and action permissions
--
- // but it'll do.
-
- $p['delete'] = true;
- $p['edit'] = true;
- $p['view'] = true;
- }
- }
+ // Are we trying to edit our own record?
+ // If we're an admin, we act as an admin, not self.
+ $p['editself'] = $self && !$roles['cmadmin'] && !$roles['coadmin'] &&
!$roles['couadmin'];
+
+ // View all existing CO Person Roles (or a COU's worth)?
+ $p['index'] = !$roles['cmadmin'] && !$roles['coadmin'] &&
!$roles['couadmin'];
+
+ if($this->action == 'index' && $p['index']) {
+ // For rendering index, we currently assume that anyone who can view
the
+ // index can manipulate all records. This is fine for CMP and CO
admins,
+ // but a COU Admin can't edit role data for which they are not the
admin.
+ // (See also CO-505.)
+
+ // It might be nice to pull all the people in the COU and pass a list
+ // of CO Role IDs, but that would require pulling all the person role
+ // records twice (again later in StandardController::index()). Since
+ // $p['admincous'] has the appropriate COUs listed, will let the view
+ // do a bit of work when rendering.
+
+ // These permissions are person-level, and are probably not exactly
right.
+ // Specifically, delete could be problematic since a COU admin can't
+ // delete a person with a COU role that the admin doesn't manage.
+ // For now, we'll catch that in checkDeleteDependencies, and let the
view
+ // worry about what to render by checking the list of COUs.
+
+ $p['delete'] = true;
+ $p['edit'] = true;
+ $p['view'] = true;
}
+ // View an existing CO Person Role?
+ $p['view'] = ($roles['cmadmin']
+ || ($managed && ($roles['coadmin'] || $roles['couadmin']))
+ || $self);
+
$this->set('permissions', $p);
- return($p[$this->action]);
+ return $p[$this->action];
}
/**
Modified: registry/trunk/app/Controller/CoPetitionsController.php
===================================================================
--- registry/trunk/app/Controller/CoPetitionsController.php 2013-01-09
03:11:35 UTC (rev 405)
+++ registry/trunk/app/Controller/CoPetitionsController.php 2013-01-18
23:58:32 UTC (rev 406)
@@ -2,7 +2,7 @@
/**
* COmanage Registry CO Petition Controller
*
- * Copyright (C) 2012 University Corporation for Advanced Internet
Development, Inc.
+ * Copyright (C) 2012-3 University Corporation for Advanced Internet
Development, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with
* the License. You may obtain a copy of the License at
@@ -14,7 +14,7 @@
* KIND, either express or implied. See the License for the specific
language governing
* permissions and limitations under the License.
*
- * @copyright Copyright (C) 2012 University Corporation for Advanced
Internet Development, Inc.
+ * @copyright Copyright (C) 2012-3 University Corporation for Advanced
Internet Development, Inc.
* @link http://www.internet2.edu/comanage COmanage Project
* @package registry
* @since COmanage Registry v0.5
@@ -281,12 +281,23 @@
*/
function enrollmentFlowID() {
- if(isset($this->request->params['named']['coef']))
- return($this->request->params['named']['coef']);
-
elseif(isset($this->request->data['CoPetition']['co_enrollment_flow_id']))
- return($this->request->data['CoPetition']['co_enrollment_flow_id']);
+ if(isset($this->request->params['pass'][0])) {
+ // Don't trust the coef parameter, but look up the enrollment flow
+ // associated with this ID
+
+ $coef = $this->CoPetition->field('co_enrollment_flow_id',
+ array('CoPetition.id' =>
$this->request->params['pass'][0]));
+
+ return ($coef ? $coef : -1);
+ } elseif(isset($this->request->params['named']['coef'])) {
+ return $this->request->params['named']['coef'];
+ }
elseif(isset($this->request->data['CoPetition']['co_enrollment_flow_id'])) {
+ // We can trust this element since form tampering checks mean it's the
+ // same value the view emitted.
+ return $this->request->data['CoPetition']['co_enrollment_flow_id'];
+ }
- return(-1);
+ return -1;
}
/**
@@ -299,37 +310,36 @@
*/
function isAuthorized() {
- $cmr = $this->calculateCMRoles();
+ $roles = $this->Role->calculateCMRoles();
// Construct the permission set for this user, which will also be passed
to the view.
$p = array();
- // Determine what operations this user can perform
-
// Some operations are authorized according to the flow configuration.
$flowAuthorized = false;
// If an enrollment flow was specified, check the authorization for that
flow
- if($this->enrollmentFlowID() != -1 && $cmr['copersonid']) {
- $flowAuthorized =
$this->CoPetition->CoEnrollmentFlow->authorizeById($this->enrollmentFlowID(),
$cmr['copersonid']);
+ if($this->enrollmentFlowID() != -1 && $roles['copersonid']) {
+ $flowAuthorized =
$this->CoPetition->CoEnrollmentFlow->authorizeById($this->enrollmentFlowID(),
$roles['copersonid']);
}
// Add a new CO Petition?
- $p['add'] = $flowAuthorized
- // Or we have an index view
- || ($this->enrollmentFlowID() == -1 && ($cmr['cmadmin'] ||
$cmr['coadmin'] || $cmr['couadmin']));
+ $p['add'] = ($roles['cmadmin'] || $flowAuthorized);
// Approve a CO Petition?
- $p['approve'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $cmr['couadmin']);
+ $p['approve'] = ($roles['cmadmin']
+ || ($flowAuthorized && ($roles['coadmin'] ||
$roles['couadmin'])));
$p['deny'] = $p['approve'];
// Delete an existing CO Petition?
// For now, this is restricted to CMP and CO Admins, until we have a
better policy
- $p['delete'] = ($cmr['cmadmin'] || $cmr['coadmin']);
+ $p['delete'] = ($roles['cmadmin']
+ || ($flowAuthorized && $roles['coadmin']));
// Edit an existing CO Petition?
- $p['edit'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $cmr['couadmin']);
+ $p['edit'] = ($roles['cmadmin']
+ || ($flowAuthorized && ($roles['coadmin'] ||
$roles['couadmin'])));
// Match against existing CO People? If the match policy is Advisory or
Automatic, we
// allow matching to take place as long as $flowAuthorized is also true.
@@ -342,17 +352,29 @@
|| $p['match_policy'] ==
EnrollmentMatchPolicyEnum::Automatic));
// View all existing CO Petitions?
- $p['index'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $cmr['couadmin']);
+ $p['index'] = ($roles['cmadmin'] || $roles['coadmin'] ||
$roles['couadmin']);
// Resend invitations?
- $p['resend'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $cmr['couadmin']);
+ $p['resend'] = ($roles['cmadmin']
+ || ($flowAuthorized && ($roles['coadmin'] ||
$roles['couadmin'])));
// View an existing CO Petition? We allow the usual suspects to view a
Petition, even
// if they don't have permission to edit it.
- $p['view'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $cmr['couadmin']);
-
+ $p['view'] = ($roles['cmadmin'] || $roles['coadmin'] ||
$roles['couadmin']);
+
+ if($this->action == 'index' && $p['index']) {
+ // Assume the person also has permission to perform various other
actions
+ // for purposes of rendering the view, though these assumptions are
probably too generous.
+
+ $p['add'] = true; // This is really permission to run
co_enrollment_flows/select
+ $p['delete'] = ($roles['cmadmin'] || $roles['coadmin']);
+ $p['edit'] = true;
+ $p['resend'] = true;
+ $p['view'] = true;
+ }
+
$this->set('permissions', $p);
- return($p[$this->action]);
+ return $p[$this->action];
}
/**
Modified: registry/trunk/app/Controller/CoProvisioningTargetsController.php
===================================================================
--- registry/trunk/app/Controller/CoProvisioningTargetsController.php
2013-01-09 03:11:35 UTC (rev 405)
+++ registry/trunk/app/Controller/CoProvisioningTargetsController.php
2013-01-18 23:58:32 UTC (rev 406)
@@ -2,7 +2,7 @@
/**
* COmanage Registry CO Provisioning Target Controller
*
- * Copyright (C) 2012 University Corporation for Advanced Internet
Development, Inc.
+ * Copyright (C) 2012-3 University Corporation for Advanced Internet
Development, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with
* the License. You may obtain a copy of the License at
@@ -14,7 +14,7 @@
* KIND, either express or implied. See the License for the specific
language governing
* permissions and limitations under the License.
*
- * @copyright Copyright (C) 2012 University Corporation for Advanced
Internet Development, Inc.
+ * @copyright Copyright (C) 2012-3 University Corporation for Advanced
Internet Development, Inc.
* @link http://www.internet2.edu/comanage COmanage Project
* @package registry
* @since COmanage Registry v0.8
@@ -95,32 +95,6 @@
}
/**
- * Perform a redirect back to the controller's default view.
- * - postcondition: Redirect generated
- *
- * @since COmanage Registry v0.8
- */
-
- function performRedirect() {
- if($this->action == 'add' &&
!empty($this->request->data['CoProvisioningTarget']['plugin'])) {
- // Redirect to the appropriate plugin to set up whatever it wants
-
- $plugin =
Inflector::underscore(Sanitize::html($this->request->data['CoProvisioningTarget']['plugin']));
-
- $target = array();
- $target['plugin'] = $plugin;
- $target['controller'] = "co_" . $plugin . "_targets";
- $target['action'] = 'add';
- $target['co'] = $this->cur_co['Co']['id'];
- $target['ptid'] = $this->CoProvisioningTarget->id;
-
- $this->redirect($target);
- } else {
- parent::performRedirect();
- }
- }
-
- /**
* Authorization for this Controller, called by Auth component
* - precondition: Session.Auth holds data used for authz decisions
* - postcondition: $permissions set with calculated permissions
@@ -130,7 +104,7 @@
*/
function isAuthorized() {
- $cmr = $this->calculateCMRoles();
+ $roles = $this->Role->calculateCMRoles();
// Construct the permission set for this user, which will also be passed
to the view.
$p = array();
@@ -138,21 +112,47 @@
// Determine what operations this user can perform
// Add a new CO Provisioning Target?
- $p['add'] = ($cmr['cmadmin'] || $cmr['coadmin']);
+ $p['add'] = ($roles['cmadmin'] || $roles['coadmin']);
// Delete an existing CO Provisioning Target?
- $p['delete'] = ($cmr['cmadmin'] || $cmr['coadmin']);
+ $p['delete'] = ($roles['cmadmin'] || $roles['coadmin']);
// Edit an existing CO Provisioning Target?
- $p['edit'] = ($cmr['cmadmin'] || $cmr['coadmin']);
+ $p['edit'] = ($roles['cmadmin'] || $roles['coadmin']);
// View all existing CO Provisioning Targets?
- $p['index'] = ($cmr['cmadmin'] || $cmr['coadmin']);
+ $p['index'] = ($roles['cmadmin'] || $roles['coadmin']);
// View an existing CO Provisioning Target?
- $p['view'] = ($cmr['cmadmin'] || $cmr['coadmin']);
+ $p['view'] = ($roles['cmadmin'] || $roles['coadmin']);
$this->set('permissions', $p);
- return($p[$this->action]);
+ return $p[$this->action];
}
+
+ /**
+ * Perform a redirect back to the controller's default view.
+ * - postcondition: Redirect generated
+ *
+ * @since COmanage Registry v0.8
+ */
+
+ function performRedirect() {
+ if($this->action == 'add' &&
!empty($this->request->data['CoProvisioningTarget']['plugin'])) {
+ // Redirect to the appropriate plugin to set up whatever it wants
+
+ $plugin =
Inflector::underscore(Sanitize::html($this->request->data['CoProvisioningTarget']['plugin']));
+
+ $target = array();
+ $target['plugin'] = $plugin;
+ $target['controller'] = "co_" . $plugin . "_targets";
+ $target['action'] = 'add';
+ $target['co'] = $this->cur_co['Co']['id'];
+ $target['ptid'] = $this->CoProvisioningTarget->id;
+
+ $this->redirect($target);
+ } else {
+ parent::performRedirect();
+ }
+ }
}
Modified: registry/trunk/app/Controller/CosController.php
===================================================================
--- registry/trunk/app/Controller/CosController.php 2013-01-09 03:11:35
UTC (rev 405)
+++ registry/trunk/app/Controller/CosController.php 2013-01-18 23:58:32
UTC (rev 406)
@@ -2,7 +2,7 @@
/**
* COmanage Registry CO Controller
*
- * Copyright (C) 2010-12 University Corporation for Advanced Internet
Development, Inc.
+ * Copyright (C) 2010-13 University Corporation for Advanced Internet
Development, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with
* the License. You may obtain a copy of the License at
@@ -14,7 +14,7 @@
* KIND, either express or implied. See the License for the specific
language governing
* permissions and limitations under the License.
*
- * @copyright Copyright (C) 2010-12 University Corporation for Advanced
Internet Development, Inc.
+ * @copyright Copyright (C) 2010-13 University Corporation for Advanced
Internet Development, Inc.
* @link http://www.internet2.edu/comanage COmanage Project
* @package registry
* @since COmanage Registry v0.1
@@ -161,7 +161,7 @@
*/
function isAuthorized() {
- $cmr = $this->calculateCMRoles();
+ $roles = $this->Role->calculateCMRoles();
// Construct the permission set for this user, which will also be passed
to the view.
$p = array();
@@ -169,27 +169,22 @@
// Determine what operations this user can perform
// Add a new CO?
- $p['add'] = $cmr['cmadmin'];
+ $p['add'] = $roles['cmadmin'];
// Delete an existing CO?
- $p['delete'] = $cmr['cmadmin'];
+ $p['delete'] = $roles['cmadmin'];
// Edit an existing CO?
- $p['edit'] = $cmr['cmadmin'];
+ $p['edit'] = $roles['cmadmin'];
// View all existing COs?
- $p['index'] = $cmr['cmadmin'];
+ $p['index'] = $roles['cmadmin'];
- // Select a CO under which to operate?
- $p['select'] = ($cmr['cmadmin'] || $cmr['admin'] || $cmr['user']);
- // Select from all COs, even if not a member?
- $p['select-all'] = $cmr['cmadmin'];
-
// View an existing CO?
- $p['view'] = $cmr['cmadmin'];
-
+ $p['view'] = $roles['cmadmin'];
+
$this->set('permissions', $p);
- return($p[$this->action]);
+ return $p[$this->action];
}
/**
Modified: registry/trunk/app/Controller/CousController.php
===================================================================
--- registry/trunk/app/Controller/CousController.php 2013-01-09 03:11:35
UTC (rev 405)
+++ registry/trunk/app/Controller/CousController.php 2013-01-18 23:58:32
UTC (rev 406)
@@ -2,7 +2,7 @@
/**
* COmanage Registry COU Controller
*
- * Copyright (C) 2011-12 University Corporation for Advanced Internet
Development, Inc.
+ * Copyright (C) 2011-13 University Corporation for Advanced Internet
Development, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with
* the License. You may obtain a copy of the License at
@@ -14,7 +14,7 @@
* KIND, either express or implied. See the License for the specific
language governing
* permissions and limitations under the License.
*
- * @copyright Copyright (C) 2010-12 University Corporation for Advanced
Internet Development, Inc.
+ * @copyright Copyright (C) 2010-13 University Corporation for Advanced
Internet Development, Inc.
* @link http://www.internet2.edu/comanage COmanage Project
* @package registry
* @since COmanage Registry v0.2
@@ -223,7 +223,7 @@
*/
function isAuthorized() {
- $cmr = $this->calculateCMRoles(); // What was authenticated
+ $roles = $this->Role->calculateCMRoles(); // What was
authenticated
// Construct the permission set for this user, which will also be passed
to the view.
$p = array();
@@ -231,21 +231,21 @@
// Determine what operations this user can perform
// Add a new COU?
- $p['add'] = ($cmr['cmadmin'] || $cmr['coadmin']);
+ $p['add'] = ($roles['cmadmin'] || $roles['coadmin']);
// Delete an existing COU?
- $p['delete'] = ($cmr['cmadmin'] || $cmr['coadmin']);
+ $p['delete'] = ($roles['cmadmin'] || $roles['coadmin']);
// Edit an existing COU?
- $p['edit'] = ($cmr['cmadmin'] || $cmr['coadmin']);
+ $p['edit'] = ($roles['cmadmin'] || $roles['coadmin']);
// View all existing COUs?
- $p['index'] = ($cmr['cmadmin'] || $cmr['coadmin']);
+ $p['index'] = ($roles['cmadmin'] || $roles['coadmin']);
// View an existing COU?
- $p['view'] = ($cmr['cmadmin'] || $cmr['coadmin']);
+ $p['view'] = ($roles['cmadmin'] || $roles['coadmin']);
$this->set('permissions', $p);
- return($p[$this->action]);
+ return $p[$this->action];
}
}
Modified: registry/trunk/app/Controller/EmailAddressesController.php
===================================================================
--- registry/trunk/app/Controller/EmailAddressesController.php 2013-01-09
03:11:35 UTC (rev 405)
+++ registry/trunk/app/Controller/EmailAddressesController.php 2013-01-18
23:58:32 UTC (rev 406)
@@ -2,7 +2,7 @@
/**
* COmanage Registry Email Addresses Controller
*
- * Copyright (C) 2010-12 University Corporation for Advanced Internet
Development, Inc.
+ * Copyright (C) 2010-13 University Corporation for Advanced Internet
Development, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with
* the License. You may obtain a copy of the License at
@@ -14,7 +14,7 @@
* KIND, either express or implied. See the License for the specific
language governing
* permissions and limitations under the License.
*
- * @copyright Copyright (C) 2010-12 University Corporation for Advanced
Internet Development, Inc.
+ * @copyright Copyright (C) 2010-13 University Corporation for Advanced
Internet Development, Inc.
* @link http://www.internet2.edu/comanage COmanage Project
* @package registry
* @since COmanage Registry v0.1
@@ -61,49 +61,86 @@
*/
function isAuthorized() {
- $cmr = $this->calculateCMRoles();
+ $roles = $this->Role->calculateCMRoles();
$pids = $this->parsePersonID($this->request->data);
-
- // Is this our own record? ($cmr is what was authenticated, $pids what
was requested)
- $self = false;
- if($cmr['comember'] &&
- // As of now, a person can only edit their CO data, not their Org data
- (($pids['copersonid'] && $cmr['copersonid'] && ($pids['copersonid']
== $cmr['copersonid']))))
- $self = true;
+ // In order to manipulate an email address, the authenticated user must
have permission
+ // over the associated Org Identity or CO Person. For add action, we
accept
+ // the identifier passed in the URL, otherwise we lookup based on the
record ID.
- // If we're manipulating an Org Person, any CO admin or COU admin can
edit,
- // but if we're manipulating a CO Person, only the CO admin or
appropriate
- // COU admin (an admin of a COU in the current CO) can edit
+ $managed = false;
- $admin = false;
+ if(!empty($roles['copersonid'])) {
+ switch($this->action) {
+ case 'add':
+ if(!empty($pids['copersonid'])) {
+ $managed =
$this->Role->isCoOrCouAdminForCoPerson($roles['copersonid'],
+
$pids['copersonid']);
+ } elseif(!empty($pids['orgidentityid'])) {
+ $managed =
$this->Role->isCoOrCouAdminForOrgIdentity($roles['copersonid'],
+
$pids['orgidentityid']);
+ }
+ break;
+ case 'delete':
+ case 'edit':
+ case 'view':
+ if(!empty($this->request->params['pass'][0])) {
+ // look up $this->request->params['pass'][0] and find the
appropriate co person id or org identity id
+ // then pass that to $this->Role->isXXX
+ $args = array();
+ $args['conditions']['EmailAddress.id'] =
$this->request->params['pass'][0];
+ $args['contain'] = false;
+
+ $emailaddress = $this->EmailAddress->find('first', $args);
+
+ if(!empty($emailaddress['EmailAddress']['co_person_id'])) {
+ $managed =
$this->Role->isCoOrCouAdminForCoPerson($roles['copersonid'],
+
$emailaddress['EmailAddress']['co_person_id']);
+ } elseif(!empty($emailaddress['EmailAddress']['org_identity_id']))
{
+ $managed =
$this->Role->isCoOrCouAdminForOrgidentity($roles['copersonid'],
+
$emailaddress['EmailAddress']['org_identity_id']);
+ }
+ }
+ break;
+ }
+ }
- if(($pids['copersonid'] && ($cmr['coadmin'] || $cmr['couadmin']))
- || ($pids['orgidentityid'] && ($cmr['admin'] || $cmr['coadmin'] ||
$cmr['subadmin'])))
- $admin = true;
+ // It's not really clear that people should always be able to edit their
own email addresses.
+ // For now, we won't enable self-service, pending requirements review.
(See CO-92.)
+ // Self is true if this is an add operation & the current user's own
person role/org id is in the url
+ // OR for other operations the record is attached to the current user's
person role/org id.
+ $self = false;
+
// Construct the permission set for this user, which will also be passed
to the view.
$p = array();
- // Determine what operations this user can perform
-
// Add a new Email Address?
- $p['add'] = ($cmr['cmadmin'] || $admin || $self);
+ $p['add'] = ($roles['cmadmin']
+ || ($managed && ($roles['coadmin'] || $roles['couadmin']))
+ || $self);
// Delete an existing Email Address?
- $p['delete'] = ($cmr['cmadmin'] || $admin || $self);
+ $p['delete'] = ($roles['cmadmin']
+ || ($managed && ($roles['coadmin'] ||
$roles['couadmin']))
+ || $self);
// Edit an existing Email Address?
- $p['edit'] = ($cmr['cmadmin'] || $admin || $self);
+ $p['edit'] = ($roles['cmadmin']
+ || ($managed && ($roles['coadmin'] || $roles['couadmin']))
+ || $self);
// View all existing Email Addresses?
- $p['index'] = ($cmr['cmadmin'] || $admin);
+ // Currently only supported via REST since there's no use case for
viewing all
+ $p['index'] = $this->restful && ($roles['cmadmin'] || $roles['coadmin']);
// View an existing Email Address?
- $p['view'] = ($cmr['cmadmin'] || $admin || $self);
-
+ $p['view'] = ($roles['cmadmin']
+ || ($managed && ($roles['coadmin'] || $roles['couadmin']))
+ || $self);
+
$this->set('permissions', $p);
- return($p[$this->action]);
+ return $p[$this->action];
}
/**
Modified: registry/trunk/app/Controller/HistoryRecordsController.php
===================================================================
--- registry/trunk/app/Controller/HistoryRecordsController.php 2013-01-09
03:11:35 UTC (rev 405)
+++ registry/trunk/app/Controller/HistoryRecordsController.php 2013-01-18
23:58:32 UTC (rev 406)
@@ -2,7 +2,7 @@
/**
* COmanage History Record Controller
*
- * Copyright (C) 2012 University Corporation for Advanced Internet
Development, Inc.
+ * Copyright (C) 2012-3 University Corporation for Advanced Internet
Development, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with
* the License. You may obtain a copy of the License at
@@ -14,7 +14,7 @@
* KIND, either express or implied. See the License for the specific
language governing
* permissions and limitations under the License.
*
- * @copyright Copyright (C) 2012 University Corporation for Advanced
Internet Development, Inc.
+ * @copyright Copyright (C) 2012-3 University Corporation for Advanced
Internet Development, Inc.
* @link http://www.internet2.edu/comanage COmanage Project
* @package registry
* @since COmanage Registry v0.7
@@ -141,8 +141,24 @@
// are generally created by other parts of the application, invoking the
model. To enforce
// this, we simply don't set permission for most actions.
- $cmr = $this->calculateCMRoles();
+ $roles = $this->Role->calculateCMRoles();
+ $pids = $this->parsePersonID($this->request->data);
+ $managed = false;
+
+ // For index views, we need to make sure the viewer has permission to see
+ // records associated with the requested person.
+
+ if(!empty($roles['copersonid'])) {
+ if(!empty($pids['copersonid'])) {
+ $managed =
$this->Role->isCoOrCouAdminForCoPerson($roles['copersonid'],
+
$pids['copersonid']);
+ } elseif(!empty($pids['orgidentityid'])) {
+ $managed =
$this->Role->isCoOrCouAdminForOrgIdentity($roles['copersonid'],
+
$pids['orgidentityid']);
+ }
+ }
+
// Construct the permission set for this user, which will also be passed
to the view.
$p = array();
@@ -151,22 +167,25 @@
// Add history records?
// For now, this is only permitted via the REST API. Otherwise various
operations trigger
// history records, not user-driven views.
- $p['add'] = ($this->restful && $cmr['cmadmin']);
+ $p['add'] = ($this->restful && $roles['cmadmin']);
// View history records?
// We could allow $self to view own records, but for the moment we don't
(for no specific reason)
- $p['index'] = $cmr['cmadmin'] || $cmr['coadmin'] || $cmr['couadmin'];
+ $p['index'] = ($roles['cmadmin']
+ || ($managed && ($roles['coadmin'] ||
$roles['couadmin'])));
- // Determine which COUs a person can manage, needed for index() to
filter records
+ if($this->action == 'index' && $p['index']) {
+ // Determine which COUs a person can manage, needed for index() to
filter records
+
+ if($roles['cmadmin'] || $roles['coadmin'])
+ $p['cous'] =
$this->HistoryRecord->CoPerson->CoPersonRole->Cou->allCous($this->cur_co['Co']['id']);
+ elseif(!empty($roles['admincous']))
+ $p['cous'] = $roles['admincous'];
+ else
+ $p['cous'] = array();
+ }
- if($cmr['cmadmin'] || $cmr['coadmin'])
- $p['cous'] =
$this->CoPerson->CoPersonRole->Cou->allCous($this->cur_co['Co']['id']);
- elseif(!empty($cmr['admincous']))
- $p['cous'] = $cmr['admincous'];
- else
- $p['cous'] = array();
-
$this->set('permissions', $p);
- return($p[$this->action]);
+ return $p[$this->action];
}
}
Modified: registry/trunk/app/Controller/IdentifiersController.php
===================================================================
--- registry/trunk/app/Controller/IdentifiersController.php 2013-01-09
03:11:35 UTC (rev 405)
+++ registry/trunk/app/Controller/IdentifiersController.php 2013-01-18
23:58:32 UTC (rev 406)
@@ -2,7 +2,7 @@
/**
* COmanage Registry Identifiers Controller
*
- * Copyright (C) 2010-12 University Corporation for Advanced Internet
Development, Inc.
+ * Copyright (C) 2010-13 University Corporation for Advanced Internet
Development, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with
* the License. You may obtain a copy of the License at
@@ -14,7 +14,7 @@
* KIND, either express or implied. See the License for the specific
language governing
* permissions and limitations under the License.
*
- * @copyright Copyright (C) 2010-12 University Corporation for Advanced
Internet Development, Inc.
+ * @copyright Copyright (C) 2010-13 University Corporation for Advanced
Internet Development, Inc.
* @link http://www.internet2.edu/comanage COmanage Project
* @package registry
* @since COmanage Registry v0.1
@@ -209,7 +209,7 @@
* @return boolean true if dependency checks succeed, false otherwise.
*/
- function checkWriteFollowups($reqdata) {
+ function checkWriteFollowups($reqdata, $curdata = null) {
$dbc = $this->Identifier->getDataSource();
if(isset($this->cur_co)) {
@@ -245,44 +245,79 @@
*/
function isAuthorized() {
- $cmr = $this->calculateCMRoles();
+ $roles = $this->Role->calculateCMRoles();
$pids = $this->parsePersonID($this->request->data);
- // If we're manipulating an Org Person, any CO admin or COU admin can
edit,
- // but if we're manipulating a CO Person, only the CO admin or
appropriate
- // COU admin (an admin of a COU in the current CO) can edit
+ // In order to manipulate an identifier, the authenticated user must
have permission
+ // over the associated Org Identity or CO Person. For add action, we
accept
+ // the identifier passed in the URL, otherwise we lookup based on the
record ID.
- $admin = false;
+ $managed = false;
- if(($pids['copersonid'] && ($cmr['coadmin'] || $cmr['couadmin']))
- || ($pids['orgidentityid'] && ($cmr['admin'] || $cmr['coadmin'] ||
$cmr['subadmin'])))
- $admin = true;
+ if(!empty($roles['copersonid'])) {
+ switch($this->action) {
+ case 'add':
+ if(!empty($pids['copersonid'])) {
+ $managed =
$this->Role->isCoOrCouAdminForCoPerson($roles['copersonid'],
+
$pids['copersonid']);
+ } elseif(!empty($pids['orgidentityid'])) {
+ $managed =
$this->Role->isCoOrCouAdminForOrgIdentity($roles['copersonid'],
+
$pids['orgidentityid']);
+ }
+ break;
+ case 'delete':
+ case 'edit':
+ case 'view':
+ if(!empty($this->request->params['pass'][0])) {
+ // look up $this->request->params['pass'][0] and find the
appropriate co person id or org identity id
+ // then pass that to $this->Role->isXXX
+ $args = array();
+ $args['conditions']['Identifier.id'] =
$this->request->params['pass'][0];
+ $args['contain'] = false;
+
+ $identifier = $this->Identifier->find('first', $args);
+
+ if(!empty($identifier['Identifier']['co_person_id'])) {
+ $managed =
$this->Role->isCoOrCouAdminForCoPerson($roles['copersonid'],
+
$identifier['Identifier']['co_person_id']);
+ } elseif(!empty($identifier['Identifier']['org_identity_id'])) {
+ $managed =
$this->Role->isCoOrCouAdminForOrgidentity($roles['copersonid'],
+
$identifier['Identifier']['org_identity_id']);
+ }
+ }
+ break;
+ }
+ }
// Construct the permission set for this user, which will also be passed
to the view.
$p = array();
- // Determine what operations this user can perform
-
// Add a new Identifier?
- $p['add'] = ($cmr['cmadmin'] || $admin);
+ $p['add'] = ($roles['cmadmin']
+ || ($managed && ($roles['coadmin'] || $roles['couadmin'])));
// Assign (autogenerate) Identifiers?
- $p['assign'] = ($cmr['cmadmin'] || $admin);
+ $p['assign'] = ($roles['cmadmin']
+ || ($managed && ($roles['coadmin'] ||
$roles['couadmin'])));
// Delete an existing Identifier?
- $p['delete'] = ($cmr['cmadmin'] || $admin);
+ $p['delete'] = ($roles['cmadmin']
+ || ($managed && ($roles['coadmin'] ||
$roles['couadmin'])));
// Edit an existing Identifier?
- $p['edit'] = ($cmr['cmadmin'] || $admin);
+ $p['edit'] = ($roles['cmadmin']
+ || ($managed && ($roles['coadmin'] ||
$roles['couadmin'])));
// View all existing Identifier?
- $p['index'] = ($cmr['cmadmin'] || $admin);
+ // Currently only supported via REST since there's no use case for
viewing all
+ $p['index'] = $this->restful && ($roles['cmadmin'] || $roles['coadmin']);
// View an existing Identifier?
- $p['view'] = ($cmr['cmadmin'] || $admin);
-
+ $p['view'] = ($roles['cmadmin']
+ || ($managed && ($roles['coadmin'] ||
$roles['couadmin'])));
+
$this->set('permissions', $p);
- return($p[$this->action]);
+ return $p[$this->action];
}
/**
@@ -293,10 +328,8 @@
*/
function performRedirect() {
-
$this->redirectTab = 'id';
-
+
parent::performRedirect();
}
-
}
Modified: registry/trunk/app/Controller/OrgIdentitiesController.php
===================================================================
--- registry/trunk/app/Controller/OrgIdentitiesController.php 2013-01-09
03:11:35 UTC (rev 405)
+++ registry/trunk/app/Controller/OrgIdentitiesController.php 2013-01-18
23:58:32 UTC (rev 406)
@@ -2,7 +2,7 @@
/**
* COmanage Registry OrgIdentity Controller
*
- * Copyright (C) 2011-12 University Corporation for Advanced Internet
Development, Inc.
+ * Copyright (C) 2011-13 University Corporation for Advanced Internet
Development, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with
* the License. You may obtain a copy of the License at
@@ -14,7 +14,7 @@
* KIND, either express or implied. See the License for the specific
language governing
* permissions and limitations under the License.
*
- * @copyright Copyright (C) 2010-12 University Corporation for Advanced
Internet Development, Inc.
+ * @copyright Copyright (C) 2010-13 University Corporation for Advanced
Internet Development, Inc.
* @link http://www.internet2.edu/comanage COmanage Project
* @package registry
* @since COmanage Registry v0.2
@@ -266,19 +266,29 @@
*/
function isAuthorized() {
- $cmr = $this->calculateCMRoles();
+ $roles = $this->Role->calculateCMRoles();
+ // Is this a record we (can) manage?
+ $managed = false;
+
+ if(isset($roles['copersonid'])
+ && $roles['copersonid']
+ && isset($this->request->params['pass'][0])
+ && ($this->action == 'delete'
+ || $this->action == 'edit'
+ || $this->action == 'view')) {
+ $managed =
$this->Role->isCoOrCouAdminForOrgIdentity($roles['copersonid'],
+
$this->request->params['pass'][0]);
+ }
+
// Is this our own record?
$self = false;
-
- if($cmr['user'] && $cmr['orgidentities'] &&
isset($this->request->params['pass'][0]))
- {
+
+ if($roles['user'] && $roles['orgidentities'] &&
isset($this->request->params['pass'][0])) {
// Walk through the list of org identities and see if this one matches
- foreach($cmr['orgidentities'] as $o)
- {
- if($o['org_id'] == $this->request->params['pass'][0])
- {
+ foreach($roles['orgidentities'] as $o) {
+ if($o['org_id'] == $this->request->params['pass'][0]) {
$self = true;
break;
}
@@ -296,52 +306,65 @@
if($this->CmpEnrollmentConfiguration->orgIdentitiesPooled()) {
// Add a new Org Person?
- $p['add'] = ($cmr['cmadmin'] || $cmr['admin'] || $cmr['subadmin']);
+ $p['add'] = ($roles['cmadmin'] || $roles['admin'] ||
$roles['subadmin']);
// Via LDAP query?
- $p['addvialdap'] = ($cmr['cmadmin'] || $cmr['admin'] ||
$cmr['subadmin']);
- $p['selectvialdap'] = ($cmr['cmadmin'] || $cmr['admin'] ||
$cmr['subadmin']);
+ $p['addvialdap'] = ($roles['cmadmin'] || $roles['admin'] ||
$roles['subadmin']);
+ $p['selectvialdap'] = ($roles['cmadmin'] || $roles['admin'] ||
$roles['subadmin']);
// Delete an existing Org Person?
- $p['delete'] = ($cmr['cmadmin'] || $cmr['admin'] || $cmr['subadmin']);
+ $p['delete'] = ($roles['cmadmin'] || $roles['admin'] ||
$roles['subadmin']);
// Edit an existing Org Person?
- $p['edit'] = ($cmr['cmadmin'] || $cmr['admin'] || $cmr['subadmin']);
+ $p['edit'] = ($roles['cmadmin'] || $roles['admin'] ||
$roles['subadmin']);
// Find an Org Person to add to a CO?
- $p['find'] = ($cmr['cmadmin'] || $cmr['admin'] || $cmr['subadmin']);
+ $p['find'] = ($roles['cmadmin'] || $roles['admin'] ||
$roles['subadmin']);
// View all existing Org People?
- $p['index'] = ($cmr['cmadmin'] || $cmr['admin'] || $cmr['subadmin']);
+ $p['index'] = ($roles['cmadmin'] || $roles['admin'] ||
$roles['subadmin']);
// View an existing Org Person?
- $p['view'] = ($cmr['cmadmin'] || $cmr['admin'] || $cmr['subadmin'] ||
$self);
+ $p['view'] = ($roles['cmadmin'] || $roles['admin'] ||
$roles['subadmin'] || $self);
} else {
// Add a new Org Person?
- $p['add'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $cmr['couadmin']);
+ $p['add'] = ($roles['cmadmin'] || $roles['coadmin'] ||
$roles['couadmin']);
// Via LDAP query?
- $p['addvialdap'] = ($cmr['cmadmin'] || $cmr['coadmin'] ||
$cmr['couadmin']);
- $p['selectvialdap'] = ($cmr['cmadmin'] || $cmr['coadmin'] ||
$cmr['couadmin']);
+ $p['addvialdap'] = ($roles['cmadmin'] || $roles['coadmin'] ||
$roles['couadmin']);
+ $p['selectvialdap'] = ($roles['cmadmin'] || $roles['coadmin'] ||
$roles['couadmin']);
// Delete an existing Org Person?
- $p['delete'] = ($cmr['cmadmin'] || $cmr['coadmin'] ||
$cmr['couadmin']);
+ $p['delete'] = ($roles['cmadmin']
+ || ($managed && ($roles['coadmin'] ||
$roles['couadmin'])));
// Edit an existing Org Person?
- $p['edit'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $cmr['couadmin']);
+ $p['edit'] = ($roles['cmadmin']
+ || ($managed && ($roles['coadmin'] ||
$roles['couadmin'])));
// Find an Org Person to add to a CO?
- $p['find'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $cmr['couadmin']);
-
+ $p['find'] = ($roles['cmadmin'] || $roles['coadmin'] ||
$roles['couadmin']);
+
// View all existing Org People?
- $p['index'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $cmr['couadmin']);
+ $p['index'] = ($roles['cmadmin'] || $roles['coadmin'] ||
$roles['couadmin']);
+ if($this->action == 'index' && $p['index']) {
+ // For rendering index, we currently assume that anyone who can view
the
+ // index can manipulate all records. This is probably right.
+
+ $p['delete'] = true;
+ $p['edit'] = true;
+ $p['view'] = true;
+ }
+
// View an existing Org Person?
- $p['view'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $cmr['couadmin']
|| $self);
+ $p['view'] = ($roles['cmadmin']
+ || ($managed && ($roles['coadmin'] ||
$roles['couadmin']))
+ || $self);
}
$this->set('permissions', $p);
- return($p[$this->action]);
+ return $p[$this->action];
}
/**
@@ -370,6 +393,7 @@
// Sanitize::html
// I18N
// Set title_for_layout
+ // or just clean this out (along with add via ldap)
// Query LDAP according to the args received and present possible
matches to add as new organizational people.
Modified: registry/trunk/app/Controller/OrganizationsController.php
===================================================================
--- registry/trunk/app/Controller/OrganizationsController.php 2013-01-09
03:11:35 UTC (rev 405)
+++ registry/trunk/app/Controller/OrganizationsController.php 2013-01-18
23:58:32 UTC (rev 406)
@@ -2,7 +2,7 @@
/**
* COmanage Registry Organization Controller
*
- * Copyright (C) 2010-12 University Corporation for Advanced Internet
Development, Inc.
+ * Copyright (C) 2010-13 University Corporation for Advanced Internet
Development, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with
* the License. You may obtain a copy of the License at
@@ -14,7 +14,7 @@
* KIND, either express or implied. See the License for the specific
language governing
* permissions and limitations under the License.
*
- * @copyright Copyright (C) 2010-12 University Corporation for Advanced
Internet Development, Inc.
+ * @copyright Copyright (C) 2010-13 University Corporation for Advanced
Internet Development, Inc.
* @link http://www.internet2.edu/comanage COmanage Project
* @package registry
* @since COmanage Registry v0.1
@@ -50,7 +50,7 @@
// Returns:
// - Array of permissions
- $cmr = $this->calculateCMRoles();
+ $roles = $this->Role->calculateCMRoles();
// Construct the permission set for this user, which will also be passed
to the view.
$p = array();
@@ -58,21 +58,21 @@
// Determine what operations this user can perform
// Add a new Organization?
- $p['add'] = $cmr['cmadmin'];
+ $p['add'] = $roles['cmadmin'];
// Delete an existing Organization?
- $p['delete'] = $cmr['cmadmin'];
+ $p['delete'] = $roles['cmadmin'];
// Edit an existing Organization?
- $p['edit'] = $cmr['cmadmin'];
+ $p['edit'] = $roles['cmadmin'];
// View all existing Organizations?
- $p['index'] = $cmr['cmadmin'];
+ $p['index'] = $roles['cmadmin'];
// View an existing Organization?
- $p['view'] = $cmr['cmadmin'];
+ $p['view'] = $roles['cmadmin'];
$this->set('permissions', $p);
- return($p[$this->action]);
+ return $p[$this->action];
}
}
Modified: registry/trunk/app/Controller/PagesController.php
===================================================================
--- registry/trunk/app/Controller/PagesController.php 2013-01-09 03:11:35
UTC (rev 405)
+++ registry/trunk/app/Controller/PagesController.php 2013-01-18 23:58:32
UTC (rev 406)
@@ -90,8 +90,6 @@
*/
public function isAuthorized() {
- $cmr = $this->calculateCMRoles();
-
// Construct the permission set for this user, which will
also be passed to the view.
$p = array();
@@ -100,6 +98,6 @@
$p['display'] = true;
$this->set('permissions', $p);
- return($p[$this->action]);
+ return $p[$this->action];
}
}
Modified: registry/trunk/app/Controller/TelephoneNumbersController.php
===================================================================
--- registry/trunk/app/Controller/TelephoneNumbersController.php
2013-01-09 03:11:35 UTC (rev 405)
+++ registry/trunk/app/Controller/TelephoneNumbersController.php
2013-01-18 23:58:32 UTC (rev 406)
@@ -2,7 +2,7 @@
/**
* COmanage Registry Telephone Numbers Controller
*
- * Copyright (C) 2010-12 University Corporation for Advanced Internet
Development, Inc.
+ * Copyright (C) 2010-13 University Corporation for Advanced Internet
Development, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with
* the License. You may obtain a copy of the License at
@@ -14,7 +14,7 @@
* KIND, either express or implied. See the License for the specific
language governing
* permissions and limitations under the License.
*
- * @copyright Copyright (C) 2010-12 University Corporation for Advanced
Internet Development, Inc.
+ * @copyright Copyright (C) 2010-13 University Corporation for Advanced
Internet Development, Inc.
* @link http://www.internet2.edu/comanage COmanage Project
* @package registry
* @since COmanage Registry v0.1
@@ -77,80 +77,89 @@
*/
function isAuthorized() {
- $cmr = $this->calculateCMRoles();
+ $roles = $this->Role->calculateCMRoles();
$pids = $this->parsePersonID($this->request->data);
-
- // Is this our own record? ($cmr is what was authenticated, $pids what
was requested)
- // We needs to see if the requested person role ID belongs to the
authenticated person.
- $self = false;
- $copid = $this->TelephoneNumber->CoPersonRole->field('co_person_id',
array('id' => $pids['copersonroleid']));
-
- if($copid && $copid == $cmr['copersonid'])
- $self = true;
+ // In order to manipulate an telephone number, the authenticated user
must have permission
+ // over the associated Org Identity or CO Person Role. For add action,
we accept
+ // the identifier passed in the URL, otherwise we lookup based on the
record ID.
- // If we're manipulating an Org Person, any CO admin or COU admin can
edit,
- // but if we're manipulating a CO Person, only the CO admin or
appropriate
- // COU admin (an admin of the COU associated with the current record)
can edit
+ $managed = false;
- $admin = false;
-
- if(($pids['copersonid'] && $cmr['coadmin'])
- || ($pids['orgidentityid'] && ($cmr['admin'] || $cmr['coadmin'] ||
$cmr['subadmin'])))
- $admin = true;
-
- if(!$admin && $cmr['couadmin'])
- {
- // Current person is a COU admin, see if it's for this person role.
There should
- // be only one match, so we use 'first'.
-
- $cou = $this->TelephoneNumber->CoPersonRole->Cou->find("first",
- array("joins" =>
-
array(array('table' => 'co_person_roles',
-
'alias' => 'CoPersonRole',
-
'type' => 'INNER',
-
'conditions' => array('Cou.id=CoPersonRole.cou_id'))),
-
"conditions" =>
-
array('CoPersonRole.id' => $pids['copersonroleid'])));
-
- if(isset($cou['Cou']['name']))
- {
- foreach(array_values($cmr['admincous']) as $c)
- {
- if($c == $cou['Cou']['name'])
- {
- $admin = true;
- break;
+ if(!empty($roles['copersonid'])) {
+ switch($this->action) {
+ case 'add':
+ if(!empty($pids['copersonroleid'])) {
+ $managed =
$this->Role->isCoOrCouAdminForCoPersonRole($roles['copersonid'],
+
$pids['copersonroleid']);
+ } elseif(!empty($pids['orgidentityid'])) {
+ $managed =
$this->Role->isCoOrCouAdminForOrgIdentity($roles['copersonid'],
+
$pids['orgidentityid']);
+ }
+ break;
+ case 'delete':
+ case 'edit':
+ case 'view':
+ if(!empty($this->request->params['pass'][0])) {
+ // look up $this->request->params['pass'][0] and find the
appropriate co person role id or org identity id
+ // then pass that to $this->Role->isXXX
+ $args = array();
+ $args['conditions']['TelephoneNumber.id'] =
$this->request->params['pass'][0];
+ $args['contain'] = false;
+
+ $number = $this->TelephoneNumber->find('first', $args);
+
+ if(!empty($number['TelephoneNumber']['co_person_role_id'])) {
+ $managed =
$this->Role->isCoOrCouAdminForCoPersonRole($roles['copersonid'],
+
$number['TelephoneNumber']['co_person_role_id']);
+ } elseif(!empty($number['TelephoneNumber']['org_identity_id'])) {
+ $managed =
$this->Role->isCoOrCouAdminForOrgidentity($roles['copersonid'],
+
$number['TelephoneNumber']['org_identity_id']);
}
}
+ break;
}
}
+ // It's not really clear that people should always be able to edit their
own telephone number.
+ // For now, we won't enable self-service, pending requirements review.
(See CO-92.)
+
+ // Self is true if this is an add operation & the current user's own
person role/org id is in the url
+ // OR for other operations the record is attached to the current user's
person role/org id.
+ $self = false;
+
// Construct the permission set for this user, which will also be passed
to the view.
$p = array();
- // Determine what operations this user can perform
-
// Add a new Telephone Number?
- $p['add'] = ($cmr['cmadmin'] || $admin || $self);
+ $p['add'] = ($roles['cmadmin']
+ || ($managed && ($roles['coadmin'] || $roles['couadmin']))
+ || $self);
// Delete an existing Telephone Number?
- $p['delete'] = ($cmr['cmadmin'] || $admin || $self);
+ $p['delete'] = ($roles['cmadmin']
+ || ($managed && ($roles['coadmin'] ||
$roles['couadmin']))
+ || $self);
// Edit an existing Telephone Number?
- $p['edit'] = ($cmr['cmadmin'] || $admin || $self);
+ $p['edit'] = ($roles['cmadmin']
+ || ($managed && ($roles['coadmin'] || $roles['couadmin']))
+ || $self);
- // View all existing Telephone Number?
- $p['index'] = ($cmr['cmadmin'] || $admin);
+ // View all existing Telephone Numbers?
+ // Currently only supported via REST since there's no use case for
viewing all
+ $p['index'] = $this->restful && ($roles['cmadmin'] || $roles['coadmin']);
- // View an existing Telephone Number?
- $p['view'] = ($cmr['cmadmin'] || $admin || $self);
-
+ // View an existing TelephoneNumber?
+ $p['view'] = ($roles['cmadmin']
+ || ($managed && ($roles['coadmin'] || $roles['couadmin']))
+ || $self);
+
$this->set('permissions', $p);
- return($p[$this->action]);
+ return $p[$this->action];
}
- /**
+ /**
* Perform a redirect back to the controller's default view.
* - postcondition: Redirect generated
*
@@ -158,10 +167,8 @@
*/
function performRedirect() {
-
$this->redirectTab = 'phone';
-
+
parent::performRedirect();
}
-
-}
+}
\ No newline at end of file
Modified: registry/trunk/app/Controller/UsersController.php
===================================================================
--- registry/trunk/app/Controller/UsersController.php 2013-01-09 03:11:35
UTC (rev 405)
+++ registry/trunk/app/Controller/UsersController.php 2013-01-18 23:58:32
UTC (rev 406)
@@ -2,7 +2,7 @@
/**
* COmanage Registry Users Controller
*
- * Copyright (C) 2011-12 University Corporation for Advanced Internet
Development, Inc.
+ * Copyright (C) 2011-13 University Corporation for Advanced Internet
Development, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with
* the License. You may obtain a copy of the License at
@@ -14,7 +14,7 @@
* KIND, either express or implied. See the License for the specific
language governing
* permissions and limitations under the License.
*
- * @copyright Copyright (C) 2011-12 University Corporation for Advanced
Internet Development, Inc.
+ * @copyright Copyright (C) 2011-13 University Corporation for Advanced
Internet Development, Inc.
* @link http://www.internet2.edu/comanage COmanage Project
* @package registry
* @since COmanage Registry v0.1
@@ -57,7 +57,7 @@
$p['logout'] = true;
$this->set('permissions', $p);
- return($p[$this->action]);
+ return $p[$this->action];
}
/**
@@ -70,6 +70,7 @@
* @since COmanage Registry v0.1
* @throws RuntimeException
* @return void
+ * @todo A lot of the data pulled here should instead be referenced via
calls to CoRole
*/
public function login() {
@@ -157,6 +158,7 @@
}
}
}
+
$this->Session->write('Auth.User.org_identities', $orgs);
$this->Session->write('Auth.User.cos', $cos);
Modified: registry/trunk/app/Controller/VootController.php
===================================================================
--- registry/trunk/app/Controller/VootController.php 2013-01-09 03:11:35
UTC (rev 405)
+++ registry/trunk/app/Controller/VootController.php 2013-01-18 23:58:32
UTC (rev 406)
@@ -2,7 +2,7 @@
/**
* COmanage Registry CO VOOT Controller **EXPERIMENTAL**
*
- * Copyright (C) 2012 University Corporation for Advanced Internet
Development, Inc.
+ * Copyright (C) 2012-3 University Corporation for Advanced Internet
Development, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with
* the License. You may obtain a copy of the License at
@@ -14,7 +14,7 @@
* KIND, either express or implied. See the License for the specific
language governing
* permissions and limitations under the License.
*
- * @copyright Copyright (C) 2012 University Corporation for Advanced
Internet Development, Inc.
+ * @copyright Copyright (C) 2012-3 University Corporation for Advanced
Internet Development, Inc.
* @link http://www.internet2.edu/comanage COmanage Project
* @package registry
* @since COmanage Registry v0.6
@@ -193,6 +193,26 @@
}
/**
+ * Authorization for this Controller, called by Auth component
+ * - precondition: Session.Auth holds data used for authz decisions
+ * - postcondition: $permissions set with calculated permissions
+ *
+ * @since COmanage Registry v0.6
+ * @return Array Permissions
+ */
+
+ function isAuthorized() {
+ $roles = $this->Roles->calculateCMRoles();
+
+ // Perform various VOOT retrievals?
+ $p['groups'] = ($roles['cmadmin'] || $roles['coadmin'] ||
$roles['comember']);
+ $p['people'] = ($roles['cmadmin'] || $roles['coadmin'] ||
$roles['comember']);
+
+ $this->set('permissions', $p);
+ return $p[$this->action];
+ }
+
+ /**
* Obtain CO People as per a VOOT request.
* - postcondition: $co_people, $co_group_members, $co_group_owners set
(REST)
* - postcondition: HTTP status returned (REST)
@@ -231,24 +251,4 @@
$this->restResultHeader(400, "Bad Request");
}
}
-
- /**
- * Authorization for this Controller, called by Auth component
- * - precondition: Session.Auth holds data used for authz decisions
- * - postcondition: $permissions set with calculated permissions
- *
- * @since COmanage Registry v0.6
- * @return Array Permissions
- */
-
- function isAuthorized() {
- $cmr = $this->calculateCMRoles(); // What was
authenticated
-
- // Perform various VOOT retrievals?
- $p['groups'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $cmr['comember']);
- $p['people'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $cmr['comember']);
-
- $this->set('permissions', $p);
- return($p[$this->action]);
- }
}
Modified: registry/trunk/app/Lib/lang.php
===================================================================
--- registry/trunk/app/Lib/lang.php 2013-01-09 03:11:35 UTC (rev 405)
+++ registry/trunk/app/Lib/lang.php 2013-01-18 23:58:32 UTC (rev 406)
@@ -2,7 +2,7 @@
/**
* COmanage Registry Language File
*
- * Copyright (C) 2011-12 University Corporation for Advanced Internet
Development, Inc.
+ * Copyright (C) 2011-13 University Corporation for Advanced Internet
Development, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with
* the License. You may obtain a copy of the License at
@@ -14,7 +14,7 @@
* KIND, either express or implied. See the License for the specific
language governing
* permissions and limitations under the License.
*
- * @copyright Copyright (C) 2011-12 University Corporation for Advanced
Internet Development, Inc.
+ * @copyright Copyright (C) 2011-13 University Corporation for Advanced
Internet Development, Inc.
* @link http://www.internet2.edu/comanage COmanage Project
* @package registry
* @since COmanage Registry v0.1
@@ -73,8 +73,8 @@
'ct.co_groups.pl' => 'Groups',
'ct.co_invites.1' => 'Invite',
'ct.co_invites.pl' => 'Invites',
- 'ct.co_nsf_demographics.1' => 'NSF Demographic',
- 'ct.co_nsf_demographics.pl' => 'NSF Demographics',
+ 'ct.co_nsf_demographics.1' => 'NSF Demographic Record',
+ 'ct.co_nsf_demographics.pl' => 'NSF Demographic Records',
'ct.co_people.1' => 'CO Person',
'ct.co_people.pl' => 'CO People',
'ct.co_person_roles.1' => 'CO Person Role',
@@ -217,8 +217,8 @@
StatusEnum::Suspended => 'Suspended'),
// Demographics
- 'en.nsf.gender' => array(NSFGenderEnum::Male => 'Male',
- NSFGenderEnum::Female => 'Female'),
+ 'en.nsf.gender' => array(NSFGenderEnum::Female => 'Female',
+ NSFGenderEnum::Male => 'Male'),
'en.nsf.citizen' => array(NSFCitizenshipEnum::USCitizen =>
'U.S. Citizen',
NSFCitizenshipEnum::USPermanentResident =>
'U.S. Permanent Resident',
@@ -253,8 +253,10 @@
'er.co.cm.edit' => 'Cannot edit COmanage CO',
'er.co.cm.rm' => 'Cannot remove COmanage CO',
'er.co.exists' => 'A CO named "%1$s" already exists',
+ 'er.co.fail' => 'Unable to find CO',
'er.co.gr.admin' => 'CO created, but failed to create initial admin group',
'er.co.none' => 'No COs found (did you run setup.php?)',
+ 'er.co.mismatch' => 'Requested CO does not match CO of %1$s %2$s',
'er.co.specify' => 'No CO Specified',
'er.co.unk' => 'Unknown CO',
'er.co.unk-a' => 'Unknown CO "%1$s"',
@@ -293,7 +295,7 @@
'er.fields' => 'Please recheck the highlighted fields',
'er.gr.exists' => 'A group named "%1$s" already exists within the CO',
'er.gr.init' => 'Group created, but failed to set initial
owner/member',
- 'er.gr.nf' => 'Graup %1$s Not Found',
+ 'er.gr.nf' => 'Group %1$s Not Found',
'er.gr.res' => 'Groups named "admin" or prefixed "admin:" are
reserved',
'er.grm.already' => 'CO Person %1$s is already a member of group %2$s',
'er.grm.none' => 'No group memberships to add',
Modified: registry/trunk/app/Model/AppModel.php
===================================================================
--- registry/trunk/app/Model/AppModel.php 2013-01-09 03:11:35 UTC (rev
405)
+++ registry/trunk/app/Model/AppModel.php 2013-01-18 23:58:32 UTC (rev
406)
@@ -1,23 +1,25 @@
<?php
/**
- * Application model for Cake.
+ * Application level Model
*
- * This file is application-wide model file. You can put all
- * application-wide model-related methods here.
+ * Copyright (C) 2010-13 University Corporation for Advanced Internet
Development, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
distributed under
+ * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the specific
language governing
+ * permissions and limitations under the License.
*
- * PHP 5
- *
- * CakePHP(tm) : Rapid Development Framework (http://cakephp.org)
- * Copyright 2005-2011, Cake Software Foundation, Inc.
(http://cakefoundation.org)
- *
- * Licensed under The MIT License
- * Redistributions of files must retain the above copyright notice.
- *
- * @copyright Copyright 2005-2011, Cake Software Foundation, Inc.
(http://cakefoundation.org)
- * @link http://cakephp.org CakePHP(tm) Project
+ * @copyright Copyright (C) 2010-13 University Corporation for Advanced
Internet Development, Inc.
+ * @link http://www.internet2.edu/comanage COmanage Project
* @package registry
- * @since CakePHP(tm) v 0.2.9
- * @license MIT License
(http://www.opensource.org/licenses/mit-license.php)
+ * @since COmanage Registry v0.1, CakePHP(tm) v 0.2.9
+ * @license Apache License, Version 2.0
(http://www.apache.org/licenses/LICENSE-2.0)
+ * @version $Id$
*/
App::uses('Model', 'Model');
@@ -107,6 +109,61 @@
}
/**
+ * Obtain the CO ID for a record.
+ *
+ * @since COmanage Registry v0.8
+ * @param integer Record to retrieve for
+ * @return integer Corresponding CO ID
+ * @throws RunTimeException
+ */
+
+ public function findCoForRecord($id) {
+ // We need to find a corresponding CO ID, which may or may not be
directly in the model.
+
+ if(isset($this->validate['co_id'])) {
+ // This model directly references a CO
+
+ return $this->field('co_id', array($this->alias.".id" => $id));
+ } elseif(isset($this->validate['co_person_id'])) {
+ // Find the CO via the CO Person
+
+ $args = array();
+ $args['conditions'][$this->alias.'.id'] = $id;
+ $args['contain'][] = 'CoPerson';
+
+ $cop = $this->find('first', $args);
+
+ if(!empty($cop['CoPerson']['co_id'])) {
+ return $cop['CoPerson']['co_id'];
+ }
+ } elseif(isset($this->validate['co_person_role_id'])) {
+ // Find the CO via the CO Person via the CO Person Role
+
+ $args = array();
+ $args['conditions'][$this->alias.'.id'] = $id;
+ $args['contain'][] = 'CoPersonRole';
+
+ $copr = $this->find('first', $args);
+
+ if(!empty($copr['CoPersonRole']['co_person_id'])) {
+ $args = array();
+ $args['conditions']['CoPersonRole.co_person_id'] =
$copr['CoPersonRole']['co_person_id'];
+ $args['contain'][] = 'CoPerson';
+
+ $cop = $this->CoPersonRole->find('first', $args);
+
+ if(!empty($cop['CoPerson']['co_id'])) {
+ return $cop['CoPerson']['co_id'];
+ }
+ }
+ } else {
+ throw new LogicException(_txt('er.co.fail'));
+ }
+
+ throw new RuntimeException(_txt('er.co.fail'));
+ }
+
+ /**
* Perform a find, but using SELECT ... FOR UPDATE syntax. This function
should
* be called within a transaction.
*
@@ -117,7 +174,7 @@
* @return Array Result set as returned by Cake fetchAll() or read(),
which isn't necessarily the same format as find()
*/
- function findForUpdate($conditions, $fields, $joins = array()) {
+ public function findForUpdate($conditions, $fields, $joins = array()) {
$dbc = $this->getDataSource();
$args['conditions'] = $conditions;
Modified: registry/trunk/app/Model/Co.php
===================================================================
--- registry/trunk/app/Model/Co.php 2013-01-09 03:11:35 UTC (rev 405)
+++ registry/trunk/app/Model/Co.php 2013-01-18 23:58:32 UTC (rev 406)
@@ -29,6 +29,9 @@
// Current schema version for API
public $version = "1.0";
+ // Add behaviors
+ public $actsAs = array('Containable');
+
// Association rules from this model to other models
public $hasMany = array(
// A CO has zero or more enrollment flows
Modified: registry/trunk/app/Model/CoEnrollmentFlow.php
===================================================================
--- registry/trunk/app/Model/CoEnrollmentFlow.php 2013-01-09 03:11:35
UTC (rev 405)
+++ registry/trunk/app/Model/CoEnrollmentFlow.php 2013-01-18 23:58:32
UTC (rev 406)
@@ -2,7 +2,7 @@
/**
* COmanage Registry CO Enrollment Attribute Model
*
- * Copyright (C) 2011-12 University Corporation for Advanced Internet
Development, Inc.
+ * Copyright (C) 2011-13 University Corporation for Advanced Internet
Development, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with
* the License. You may obtain a copy of the License at
@@ -14,7 +14,7 @@
* KIND, either express or implied. See the License for the specific
language governing
* permissions and limitations under the License.
*
- * @copyright Copyright (C) 2011-12 University Corporation for Advanced
Internet Development, Inc.
+ * @copyright Copyright (C) 2011-13 University Corporation for Advanced
Internet Development, Inc.
* @link http://www.internet2.edu/comanage COmanage Project
* @package registry
* @since COmanage Registry v0.3
@@ -128,50 +128,16 @@
);
/**
- * Obtain Enrollment Flows a given CO person is authorized to run.
- * This method implements a Custom Find type.
- *
- * @since COmanage Registry v0.7
- * @param Integer CO Person ID
- * @param Integer CO ID
- * @return Array CoEnrollmentFlow information, as returned by find
- */
-
- protected function _findAuthorized($state, $query, $results = array()) {
- if($state == 'before') {
- // Called before the find is performed
-
- // We don't do anything special here
-
- return $query;
- } elseif($state == 'after') {
- // Called after the find is performed
-
- // Walk through the returned Enrollment Flows and see if the specified
CO Person
- // is authorized. If the CO Person is a CMP or CO Admin, they are
always authorized.
-
- $filteredResults = array();
-
- foreach($results as $coEF) {
- if($this->authorize($coEF, $query['authorizeCoPersonId'])) {
- $filteredResults[] = $coEF;
- }
- }
-
- return $filteredResults;
- }
- }
-
- /**
* Determine if a CO Person is authorized to run an Enrollment Flow.
*
* @since COmanage Registry v0.7
* @param Array CO Enrollment Flow, as returned by find
* @param Integer CO Person ID
+ * @param RoleComponent
* @return Boolean True if the CO Person is authorized, false otherwise
*/
- public function authorize($coEF, $coPersonId) {
+ public function authorize($coEF, $coPersonId, $Role) {
// If no authz is required, return true before we bother with any other
checks
if($coEF['CoEnrollmentFlow']['authz_level'] ==
EnrollmentAuthzEnum::None) {
@@ -179,11 +145,9 @@
return true;
}
- $CoRole = ClassRegistry::init('CoRole');
-
// If CO Person is a CO admin, they are always authorized
- if($CoRole->isCoAdmin($coPersonId, $coEF['CoEnrollmentFlow']['co_id'])) {
+ if($Role->isCoAdmin($coPersonId, $coEF['CoEnrollmentFlow']['co_id'])) {
return true;
}
@@ -192,27 +156,27 @@
// We effectively already handled this, above
break;
case EnrollmentAuthzEnum::CoGroupMember:
- if($CoRole->isCoGroupMember($coPersonId,
$coEF['CoEnrollmentFlow']['co_id'],
$coEF['CoEnrollmentFlow']['authz_co_group_id'])) {
+ if($Role->isCoGroupMember($coPersonId,
$coEF['CoEnrollmentFlow']['authz_co_group_id'])) {
return true;
- }
+ }
break;
case EnrollmentAuthzEnum::CoOrCouAdmin:
- if($CoRole->isCoOrCouAdmin($coPersonId,
$coEF['CoEnrollmentFlow']['co_id'])) {
+ if($Role->isCoOrCouAdmin($coPersonId,
$coEF['CoEnrollmentFlow']['co_id'])) {
return true;
}
break;
case EnrollmentAuthzEnum::CoPerson:
- if($CoRole->isCoPerson($coPersonId,
$coEF['CoEnrollmentFlow']['co_id'])) {
+ if($Role->isCoPerson($coPersonId,
$coEF['CoEnrollmentFlow']['co_id'])) {
return true;
}
break;
case EnrollmentAuthzEnum::CouAdmin:
- if($CoRole->isCouAdmin($coPersonId,
$coEF['CoEnrollmentFlow']['co_id'],
$coEF['CoEnrollmentFlow']['authz_cou_id'])) {
+ if($Role->isCouAdmin($coPersonId,
$coEF['CoEnrollmentFlow']['authz_cou_id'])) {
return true;
}
break;
case EnrollmentAuthzEnum::CouPerson:
- if($CoRole->isCouPerson($coPersonId,
$coEF['CoEnrollmentFlow']['co_id'],
$coEF['CoEnrollmentFlow']['authz_cou_id'])) {
+ if($Role->isCouPerson($coPersonId,
$coEF['CoEnrollmentFlow']['co_id'],
$coEF['CoEnrollmentFlow']['authz_cou_id'])) {
return true;
}
break;
Modified: registry/trunk/app/Model/CoPerson.php
===================================================================
--- registry/trunk/app/Model/CoPerson.php 2013-01-09 03:11:35 UTC (rev
405)
+++ registry/trunk/app/Model/CoPerson.php 2013-01-18 23:58:32 UTC (rev
406)
@@ -2,7 +2,7 @@
/**
* COmanage Registry CO Person Model
*
- * Copyright (C) 2010-12 University Corporation for Advanced Internet
Development, Inc.
+ * Copyright (C) 2010-13 University Corporation for Advanced Internet
Development, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with
* the License. You may obtain a copy of the License at
@@ -14,7 +14,7 @@
* KIND, either express or implied. See the License for the specific
language governing
* permissions and limitations under the License.
*
- * @copyright Copyright (C) 2010-12 University Corporation for Advanced
Internet Development, Inc.
+ * @copyright Copyright (C) 2010-13 University Corporation for Advanced
Internet Development, Inc.
* @link http://www.internet2.edu/comanage COmanage Project
* @package registry
* @since COmanage Registry v0.1
@@ -36,6 +36,7 @@
public $belongsTo = array("Co"); // A CO Person Source
is attached to one CO
public $hasOne = array(
+ "CoNsfDemographic" => array('dependent' => true),
// A person can have one invite (per CO)
"CoInvite" => array('dependent' => true),
// A person can have one (preferred) name per CO
@@ -199,6 +200,21 @@
$args['conditions']['Identifier.status'] = StatusEnum::Active;
$args['contain'] = false;
+ if($coId != null) {
+ // Only pull records associated with this CO ID
+
+ $args['joins'][0]['table'] = 'co_people';
+ $args['joins'][0]['alias'] = 'CoPerson';
+ $args['joins'][0]['type'] = 'LEFT';
+ $args['joins'][0]['conditions'][0] =
'Identifier.co_person_id=CoPerson.id';
+ $args['joins'][1]['table'] = 'org_identities';
+ $args['joins'][1]['alias'] = 'OrgIdentity';
+ $args['joins'][1]['type'] = 'LEFT';
+ $args['joins'][1]['conditions'][0] =
'Identifier.org_identity_id=OrgIdentity.id';
+ $args['conditions']['OR']['CoPerson.co_id'] = $coId;
+ $args['conditions']['OR']['OrgIdentity.co_id'] = $coId;
+ }
+
if($identifierType) {
$args['conditions']['Identifier.type'] = $identifierType;
}
Modified: registry/trunk/app/Model/CoPersonRole.php
===================================================================
--- registry/trunk/app/Model/CoPersonRole.php 2013-01-09 03:11:35 UTC (rev
405)
+++ registry/trunk/app/Model/CoPersonRole.php 2013-01-18 23:58:32 UTC (rev
406)
@@ -2,7 +2,7 @@
/**
* COmanage Registry CO Person Role Model
*
- * Copyright (C) 2010-12 University Corporation for Advanced Internet
Development, Inc.
+ * Copyright (C) 2010-13 University Corporation for Advanced Internet
Development, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with
* the License. You may obtain a copy of the License at
@@ -14,7 +14,7 @@
* KIND, either express or implied. See the License for the specific
language governing
* permissions and limitations under the License.
*
- * @copyright Copyright (C) 2010-12 University Corporation for Advanced
Internet Development, Inc.
+ * @copyright Copyright (C) 2010-13 University Corporation for Advanced
Internet Development, Inc.
* @link http://www.internet2.edu/comanage COmanage Project
* @package registry
* @since COmanage Registry v0.2
@@ -29,6 +29,9 @@
// Current schema version for API
public $version = "1.0";
+ // Add behaviors
+ public $actsAs = array('Containable');
+
// Association rules from this model to other models
public $belongsTo = array(
// A CO Org Person To is attached to one COU
@@ -38,7 +41,7 @@
'foreignKey' => 'co_person_id'
),
// A CO Org Person To is attached to one CO Person
- "CoPerson" => array(
+ "SponsorCoPerson" => array(
'className' => 'CoPerson',
'foreignKey' => 'sponsor_co_person_id'
) // foreign key to sponsor
Modified: registry/trunk/app/View/CoEnrollmentFlows/select.ctp
===================================================================
--- registry/trunk/app/View/CoEnrollmentFlows/select.ctp 2013-01-09
03:11:35 UTC (rev 405)
+++ registry/trunk/app/View/CoEnrollmentFlows/select.ctp 2013-01-18
23:58:32 UTC (rev 406)
@@ -2,7 +2,7 @@
/**
* COmanage Registry CO Enrollment Flow Select View
*
- * Copyright (C) 2012 University Corporation for Advanced Internet
Development, Inc.
+ * Copyright (C) 2012-3 University Corporation for Advanced Internet
Development, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with
* the License. You may obtain a copy of the License at
@@ -14,7 +14,7 @@
* KIND, either express or implied. See the License for the specific
language governing
* permissions and limitations under the License.
*
- * @copyright Copyright (C) 2012 University Corporation for Advanced
Internet Development, Inc.
+ * @copyright Copyright (C) 2012-3 University Corporation for Advanced
Internet Development, Inc.
* @link http://www.internet2.edu/comanage COmanage Project
* @package registry
* @since COmanage Registry v0.5
@@ -29,7 +29,7 @@
<table id="cous" class="ui-widget">
<thead>
<tr class="ui-widget-header">
- <th><?php print $this->Paginator->sort('name', _txt('fd.name'));
?></th>
+ <th><?php print _txt('fd.name'); ?></th>
<th><?php print _txt('fd.actions'); ?></th>
</tr>
</thead>
@@ -66,8 +66,7 @@
<tfoot>
<tr class="ui-widget-header">
<th colspan="2">
- <?php print $this->Paginator->numbers(); ?>
- </td>
+ </th>
</tr>
</tfoot>
</table>
Modified: registry/trunk/app/View/CoNsfDemographics/fields.inc
===================================================================
--- registry/trunk/app/View/CoNsfDemographics/fields.inc 2013-01-09
03:11:35 UTC (rev 405)
+++ registry/trunk/app/View/CoNsfDemographics/fields.inc 2013-01-18
23:58:32 UTC (rev 406)
@@ -2,7 +2,7 @@
/**
* COmanage Registry CO NSF Demographic Fields
*
- * Copyright (C) 2011-12 University Corporation for Advanced Internet
Development, Inc.
+ * Copyright (C) 2011-13 University Corporation for Advanced Internet
Development, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with
* the License. You may obtain a copy of the License at
@@ -14,7 +14,7 @@
* KIND, either express or implied. See the License for the specific
language governing
* permissions and limitations under the License.
*
- * @copyright Copyright (C) 2011-12 University Corporation for Advanced
Internet Development, Inc.
+ * @copyright Copyright (C) 2011-13 University Corporation for Advanced
Internet Development, Inc.
* @link http://www.internet2.edu/comanage COmanage Project
* @package registry
* @since COmanage Registry v0.3
@@ -49,17 +49,10 @@
$args = array('default' => $cur_co['Co']['id']);
print $this->Form->hidden('co_id', $args). "\n";
- // Get Co Person ID
- if(isset($this->request->params['named']['co_person_id']))
- {
- // For edit
- $args = array('default' =>
$this->request->params['named']['co_person_id']);
+ if(isset($this->request->params['named']['copersonid'])) {
+ // Populate default CO Person ID for add
+ $args = array('default' =>
Sanitize::html($this->request->params['named']['copersonid']));
}
- else
- {
- // Get ID for add
- $args = array('default' =>
$this->request->data['CoNsfDemographic']['co_person_id']);
- }
print $this->Form->hidden('co_person_id', $args). "\n";
@@ -90,7 +83,7 @@
$emptyArg = array('empty' => true);
?>
-<table id="<?php print $this->action; ?>_co" class="ui-widget">
+<table id="<?php print $this->action; ?>_co_nsf_demographic"
class="ui-widget">
<tbody>
<tr class="line2">
<td>
@@ -202,5 +195,5 @@
<?php
if($e)
- print $this->Form->submit($submit_label, array('onClick' =>
'on_submit()'));
+ print $this->Form->submit($submit_label);
?>
Modified: registry/trunk/app/View/CoPeople/fields.inc
===================================================================
--- registry/trunk/app/View/CoPeople/fields.inc 2013-01-09 03:11:35 UTC (rev
405)
+++ registry/trunk/app/View/CoPeople/fields.inc 2013-01-18 23:58:32 UTC (rev
406)
@@ -2,7 +2,7 @@
/**
* COmanage Registry CO Person Fields
*
- * Copyright (C) 2010-12 University Corporation for Advanced Internet
Development, Inc.
+ * Copyright (C) 2010-13 University Corporation for Advanced Internet
Development, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with
* the License. You may obtain a copy of the License at
@@ -14,7 +14,7 @@
* KIND, either express or implied. See the License for the specific
language governing
* permissions and limitations under the License.
*
- * @copyright Copyright (C) 2010-12 University Corporation for Advanced
Internet Development, Inc.
+ * @copyright Copyright (C) 2010-13 University Corporation for Advanced
Internet Development, Inc.
* @link http://www.internet2.edu/comanage COmanage Project
* @package registry
* @since COmanage Registry v0.1
@@ -50,21 +50,34 @@
if($this->action != "invite")
{
- print $this->Html->link(_txt('ct.org_identities.1'),
- array('controller' => 'org_identities',
- 'action' => ($e && !$es ? 'edit' : 'view'),
-
$co_people[0]['CoOrgIdentityLink'][0]['org_identity_id'],
- 'co' => ($pool_org_identities ? false :
$cur_co['Co']['id'])),
- array('class' => 'linkbutton'));
-
- // If demographics data does not exist, demographics controller will
redirect to add
- $args = array('controller' => 'co_nsf_demographics',
- 'action' => 'editself',
- 'co' => ($pool_org_identities ? false :
$cur_co['Co']['id']));
- $classArg = array('class' => 'linkbutton');
+ if(!empty($co_people[0]['CoOrgIdentityLink'][0]['org_identity_id'])) {
+ print $this->Html->link(_txt('ct.org_identities.1'),
+ array('controller' => 'org_identities',
+ 'action' => ($e && !$es ? 'edit' :
'view'),
+
$co_people[0]['CoOrgIdentityLink'][0]['org_identity_id'],
+ 'co' => ($pool_org_identities ? false
: $cur_co['Co']['id'])),
+ array('class' => 'linkbutton'));
+ }
+
+ // Adjust the link to the NSF Demographics Controller according to
whether or
+ // not data has been set.
+
+ $l = array();
+ $l['controller'] = 'co_nsf_demographics';
+
+ if(empty($co_people[0]['CoNsfDemographic']['id'])) {
+ $l['action'] = 'add';
+ $l['copersonid'] = $co_people[0]['CoPerson']['id'];
+ } else {
+ $l['action'] = 'edit';
+ $l[] = $co_people[0]['CoNsfDemographic']['id'];
+ }
+
+ $l['co'] = $co_people[0]['CoPerson']['co_id'];
+
print $this->Html->link(_txt('ct.co_nsf_demographics.1'),
- $args,
- $classArg);
+ $l,
+ array('class' => 'linkbutton'));
// Autogenerate Identifiers button
if(!empty($co_identifier_assignments)) {
@@ -83,9 +96,11 @@
// Populate the cross reference
print $this->Form->hidden('CoPerson.co_id', array('default' =>
$cur_co['Co']['id'])). "\n";
print $this->Form->hidden('CoOrgIdentityLink.0.id'). "\n";
- print $this->Form->hidden('CoOrgIdentityLink.0.org_identity_id',
array('default' =>
$co_people[0]['CoOrgIdentityLink'][0]['org_identity_id'])). "\n";
+ if(!empty($co_people[0]['CoOrgIdentityLink'][0]['org_identity_id'])) {
+ print $this->Form->hidden('CoOrgIdentityLink.0.org_identity_id',
array('default' =>
$co_people[0]['CoOrgIdentityLink'][0]['org_identity_id'])). "\n";
+ }
// Default status is 'Pending'
- echo $this->Form->hidden('status', array('default' => 'P')). "\n";
+ print $this->Form->hidden('status', array('default' => 'P')). "\n";
}
else
{
- [comanage-dev] r406 - in registry/trunk/app: Controller Controller/Component Lib Model View/CoEnrollmentFlows View/CoNsfDemographics View/CoPeople, svnlog, 01/18/2013
Archive powered by MHonArc 2.6.16.