diff --git a/plugins/Tags/templates/Tags/index.php b/plugins/Tags/templates/Tags/index.php index 345809b..a6003e7 100644 --- a/plugins/Tags/templates/Tags/index.php +++ b/plugins/Tags/templates/Tags/index.php @@ -11,7 +11,7 @@ echo $this->element('genericElements/IndexTable/index_table', [ 'type' => 'simple', 'text' => __('Add tag'), 'popover_url' => '/tags/add', - 'requirement' => !empty($loggedUser['role']['perm_admin']), + 'requirement' => !empty($loggedUser['role']['perm_community_admin']), ] ] ], @@ -67,13 +67,13 @@ echo $this->element('genericElements/IndexTable/index_table', [ 'open_modal' => '/tags/edit/[onclick_params_data_path]', 'modal_params_data_path' => 'id', 'icon' => 'edit', - 'requirement' => !empty($loggedUser['role']['perm_admin']), + 'requirement' => !empty($loggedUser['role']['perm_community_admin']), ], [ 'open_modal' => '/tags/delete/[onclick_params_data_path]', 'modal_params_data_path' => 'id', 'icon' => 'trash', - 'requirement' => !empty($loggedUser['role']['perm_admin']), + 'requirement' => !empty($loggedUser['role']['perm_community_admin']), ], ] ] diff --git a/src/Command/FastUserEnrolmentCommand.php b/src/Command/FastUserEnrolmentCommand.php index 293469c..7898d17 100644 --- a/src/Command/FastUserEnrolmentCommand.php +++ b/src/Command/FastUserEnrolmentCommand.php 
@@ -100,12 +100,18 @@ class FastUserEnrolmentCommand extends Command
 die(1);
 }
 $defaultRole = $defaultRole->toArray();
- if (!empty($defaultRole['perm_admin'])) {
+ if (!empty($defaultRole['perm_community_admin'])) {
 $selection = $io->askChoice('The default role has the `admin` permission. Confirm giving the admin permission to users to be enrolled.', ['Y', 'N'], 'N');
 if ($selection != 'Y') {
 die(1);
 }
 }
+ if (!empty($defaultRole['perm_community_admin'])) {
+ $selection = $io->askChoice('The default role has the `community_admin` permission. Confirm giving the admin permission to users to be enrolled.', ['Y', 'N'], 'N');
+ if ($selection != 'Y') {
+ die(1);
+ }
+ }
 $this->role_id = $defaultRole['id'];
 } else {
 $role = $this->Users->Roles->find()->select(['id'])->where(['id' => $this->role_id])->first();
diff --git a/src/Controller/AlignmentsController.php b/src/Controller/AlignmentsController.php
index c783148..a982edb 100644
--- a/src/Controller/AlignmentsController.php
+++ b/src/Controller/AlignmentsController.php
@@ -150,7 +150,7 @@ class AlignmentsController extends AppController
 private function canEditIndividual($indId): bool
 {
 $currentUser = $this->ACL->getUser();
- if ($currentUser['role']['perm_admin']) {
+ if ($currentUser['role']['perm_community_admin']) {
 return true;
 }
 $this->loadModel('Individuals');
@@ -164,7 +164,7 @@ class AlignmentsController extends AppController
 private function canEditOrganisation($orgId): bool
 {
 $currentUser = $this->ACL->getUser();
- if ($currentUser['role']['perm_admin']) {
+ if ($currentUser['role']['perm_community_admin']) {
 return true;
 }
 if ($currentUser['role']['perm_org_admin'] && $currentUser['organisation']['id'] == $orgId) {
diff --git a/src/Controller/AppController.php b/src/Controller/AppController.php
index 0b6aaa3..334f923 100644
--- a/src/Controller/AppController.php
+++ b/src/Controller/AppController.php
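Review bot: The first condition in the FastUserEnrolmentCommand hunk was rewritten to `perm_community_admin`, so the `perm_admin` confirmation is never asked any more and the community-admin prompt is asked twice in a row for the same role. The existing block should keep `if (!empty($defaultRole['perm_admin'])) {` and only the newly added block should test `perm_community_admin`. The added prompt text also still says "Confirm giving the admin permission"; suggest `Confirm giving the community_admin permission to users to be enrolled.` The enclosing method starts and ends outside the hunk.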
@@ -124,6 +124,7 @@ class AppController extends Controller
 $this->ACL->setUser($user);
 $this->request->getSession()->write('authUser', $user);
 $this->isAdmin = $user['role']['perm_admin'];
+ $this->isCommunityAdmin = $user['role']['perm_community_admin'];
 if (!$this->ParamHandler->isRest()) {
 $this->set('menu', $this->ACL->getMenu());
 $this->set('loggedUser', $this->ACL->getUser());
@@ -155,7 +156,7 @@ class AppController extends Controller
 }
 if ($this->modelClass == 'Tags.Tags') {
- $this->set('metaGroup', !empty($this->isAdmin) ? 'Administration' : 'Cerebrate');
+ $this->set('metaGroup', !empty($this->isCommunityAdmin) ? 'Administration' : 'Cerebrate');
 }
 $this->response = $this->response->withHeader('X-Frame-Options', 'DENY');
 }
diff --git a/src/Controller/AuthKeysController.php b/src/Controller/AuthKeysController.php
index 7bca8d5..94e47d2 100644
--- a/src/Controller/AuthKeysController.php
+++ b/src/Controller/AuthKeysController.php
@@ -22,7 +22,7 @@ class AuthKeysController extends AppController
 {
 $currentUser = $this->ACL->getUser();
 $conditions = [];
- if (empty($currentUser['role']['perm_admin'])) {
+ if (empty($currentUser['role']['perm_community_admin'])) {
 $conditions['Users.organisation_id'] = $currentUser['organisation_id'];
 if (empty($currentUser['role']['perm_org_admin'])) {
 $conditions['Users.id'] = $currentUser['id'];
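Review bot: The new `$this->isCommunityAdmin = ...` assignment relies on a property that is not declared anywhere in this diff; if AppController does not already declare it, this creates a dynamic property (deprecated since PHP 8.2) and every subclass that reads `$this->isCommunityAdmin` depends on this code path having run. Suggest declaring it next to `$isAdmin`, e.g. `public $isCommunityAdmin = false;`, and giving both a one-line comment stating which role flag each mirrors. Note also that `isAdmin` keeps tracking `perm_admin` while the Tags `metaGroup` choice now reads only `isCommunityAdmin`, so a role with `perm_admin` alone will see Tags under 'Cerebrate' rather than 'Administration' — presumably intended, but worth confirming.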
@@ -40,14 +40,14 @@ class AuthKeysController extends AppController
 if (!empty($responsePayload)) {
 return $responsePayload;
 }
- $this->set('metaGroup', $this->isAdmin ? 'Administration' : 'Cerebrate');
+ $this->set('metaGroup', $this->isCommunityAdmin ? 'Administration' : 'Cerebrate');
 }
 public function delete($id)
 {
 $currentUser = $this->ACL->getUser();
 $conditions = [];
- if (empty($currentUser['role']['perm_admin'])) {
+ if (empty($currentUser['role']['perm_community_admin'])) {
 $conditions['Users.organisation_id'] = $currentUser['organisation_id'];
 if (empty($currentUser['role']['perm_org_admin'])) {
 $conditions['Users.id'] = $currentUser['id'];
@@ -58,20 +58,20 @@ class AuthKeysController extends AppController
 if (!empty($responsePayload)) {
 return $responsePayload;
 }
- $this->set('metaGroup', $this->isAdmin ? 'Administration' : 'Cerebrate');
+ $this->set('metaGroup', $this->isCommunityAdmin ? 'Administration' : 'Cerebrate');
 }
 public function add()
 {
- $this->set('metaGroup', $this->isAdmin ? 'Administration' : 'Cerebrate');
+ $this->set('metaGroup', $this->isCommunityAdmin ? 'Administration' : 'Cerebrate');
 $validUsers = [];
 $userConditions = [];
 $currentUser = $this->ACL->getUser();
- if (empty($currentUser['role']['perm_admin'])) {
+ if (empty($currentUser['role']['perm_community_admin'])) {
 if (empty($currentUser['role']['perm_org_admin'])) {
 $userConditions['id'] = $currentUser['id'];
 } else {
- $role_ids = $this->Users->Roles->find()->where(['perm_admin' => 0, 'perm_org_admin' => 0])->all()->extract('id')->toList();
+ $role_ids = $this->Users->Roles->find()->where(['perm_admin' => 0, 'perm_community_admin', 'perm_org_admin' => 0])->all()->extract('id')->toList();
 $userConditions['organisation_id'] = $currentUser['organisation_id'];
 $userConditions['OR'] = [
 ['role_id IN' => $role_ids],
diff --git a/src/Controller/Component/ACLComponent.php b/src/Controller/Component/ACLComponent.php
index 9619c35..a51cf50 100644
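Review bot: In add(), the new `where(['perm_admin' => 0, 'perm_community_admin', 'perm_org_admin' => 0])` passes `'perm_community_admin'` with no value; under an integer key the ORM treats a bare string as a raw SQL fragment rather than an equality, so the condition reads as "perm_community_admin is truthy" — the opposite of the intended exclusion — and `$role_ids` would contain only community-admin roles. Since `$role_ids` feeds the `role_id IN` branch of `$userConditions['OR']`, an org admin could then create auth keys for community-admin users in their organisation (the rest of the OR clause is outside the hunk). Change it to `->where(['perm_admin' => 0, 'perm_community_admin' => 0, 'perm_org_admin' => 0])`. Also note that index() and delete() now scope a role with only `perm_admin` to its own organisation; fine if `perm_admin` always implies `perm_community_admin` elsewhere, but that is not shown here.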
--- a/src/Controller/Component/ACLComponent.php +++ b/src/Controller/Component/ACLComponent.php @@ -41,14 +41,14 @@ class ACLComponent extends Component 'queryACL' => ['perm_admin'] ], 'Alignments' => [ - 'add' => ['perm_admin', 'perm_org_admin'], - 'delete' => ['perm_admin', 'perm_org_admin'], + 'add' => ['perm_community_admin', 'perm_org_admin'], + 'delete' => ['perm_community_admin', 'perm_org_admin'], 'index' => ['*'], 'view' => ['*'] ], 'AuditLogs' => [ - 'filtering' => ['perm_admin'], - 'index' => ['perm_admin'], + 'filtering' => ['perm_community_admin'], + 'index' => ['perm_community_admin'], ], 'AuthKeys' => [ 'add' => ['*'], @@ -56,17 +56,17 @@ class ACLComponent extends Component 'index' => ['*'] ], 'Broods' => [ - 'add' => ['perm_admin'], - 'delete' => ['perm_admin'], - 'downloadIndividual' => ['perm_admin'], - 'downloadOrg' => ['perm_admin'], - 'downloadSharingGroup' => ['perm_admin'], - 'edit' => ['perm_admin'], - 'index' => ['perm_admin'], - 'interconnectTools' => ['perm_admin'], - 'previewIndex' => ['perm_admin'], - 'testConnection' => ['perm_admin'], - 'view' => ['perm_admin'] + 'add' => ['perm_community_admin'], + 'delete' => ['perm_community_admin'], + 'downloadIndividual' => ['perm_community_admin'], + 'downloadOrg' => ['perm_community_admin'], + 'downloadSharingGroup' => ['perm_community_admin'], + 'edit' => ['perm_community_admin'], + 'index' => ['perm_community_admin'], + 'interconnectTools' => ['perm_community_admin'], + 'previewIndex' => ['perm_community_admin'], + 'testConnection' => ['perm_community_admin'], + 'view' => ['perm_community_admin'] ], 'EncryptionKeys' => [ 'view' => ['*'], 
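Review bot: The Alignments, AuditLogs and Broods entries now list only `perm_community_admin`, while later entries in the same file (LocalTools, MailingLists) use the `['OR' => ['perm_admin', 'perm_community_admin']]` form; combined with the removal of the perm_admin short-circuit in checkAccess (the `//return true;` hunk at line 401), a role that has `perm_admin` but not `perm_community_admin` loses access to all of these actions. If `perm_admin` is meant to stay a superset, either keep the short-circuit or use the OR form consistently, e.g. `'add' => ['OR' => ['perm_admin', 'perm_community_admin']],`. The same applies to the Enumerations, EnumerationCollections, Inbox, Individuals, OrgGroups, Organisations, Roles, SharingGroups, Tags and Users entries in the following hunks.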
@@ -76,29 +76,29 @@ class ACLComponent extends Component 'index' => ['*'] ], 'Enumerations' => [ - 'delete' => ['perm_admin'], + 'delete' => ['perm_community_admin'], 'index' => ['*'] ], 'EnumerationCollections' => [ 'view' => ['*'], - 'add' => ['perm_admin'], - 'edit' => ['perm_admin'], - 'delete' => ['perm_admin'], + 'add' => ['perm_community_admin'], + 'edit' => ['perm_community_admin'], + 'delete' => ['perm_community_admin'], 'index' => ['*'] ], 'Inbox' => [ - 'createEntry' => ['OR' => ['perm_admin', 'perm_sync']], - 'delete' => ['perm_admin'], - 'filtering' => ['perm_admin'], - 'index' => ['perm_admin'], - 'listProcessors' => ['OR' => ['perm_admin', 'perm_sync']], - 'process' => ['perm_admin'], - 'view' => ['perm_admin'], + 'createEntry' => ['OR' => ['perm_community_admin', 'perm_sync']], + 'delete' => ['perm_community_admin'], + 'filtering' => ['perm_community_admin'], + 'index' => ['perm_community_admin'], + 'listProcessors' => ['OR' => ['perm_community_admin', 'perm_sync']], + 'process' => ['perm_community_admin'], + 'view' => ['perm_community_admin'], ], 'Individuals' => [ - 'add' => ['perm_admin', 'perm_org_admin'], - 'delete' => ['perm_admin'], - 'edit' => ['perm_admin', 'perm_org_admin'], + 'add' => ['perm_community_admin', 'perm_org_admin'], + 'delete' => ['perm_community_admin'], + 'edit' => ['perm_community_admin', 'perm_org_admin'], 'filtering' => ['*'], 'index' => ['*'], 'tag' => ['*'], 
@@ -119,32 +119,32 @@ class ACLComponent extends Component 'topology' => ['perm_admin'], ], 'LocalTools' => [ - 'action' => ['perm_admin'], + 'action' => ['OR' => ['perm_admin', 'perm_community_admin']], 'add' => ['perm_admin'], 'batchAction' => ['perm_admin'], - 'broodTools' => ['perm_admin'], - 'connectionRequest' => ['perm_admin'], + 'broodTools' => ['OR' => ['perm_admin', 'perm_community_admin']], + 'connectionRequest' => ['OR' => ['perm_admin', 'perm_community_admin']], // 'connectLocal' => ['perm_admin'], 'delete' => ['perm_admin'], 'edit' => ['perm_admin'], - 'exposedTools' => ['OR' => ['perm_admin', 'perm_sync']], - 'index' => ['perm_admin'], + 'exposedTools' => ['OR' => ['perm_admin', 'perm_sync', 'perm_community_admin']], + 'index' => ['OR' => ['perm_admin', 'perm_community_admin']], 'connectorIndex' => ['perm_admin'], - 'view' => ['perm_admin'], - 'viewConnector' => ['perm_admin'] + 'view' => ['OR' => ['perm_admin', 'perm_community_admin']], + 'viewConnector' => ['OR' => ['perm_admin', 'perm_community_admin']] ], 'MailingLists' => [ - "add" => ['perm_org_admin'], - "addIndividual" => ['perm_org_admin'], - "delete" => ['perm_org_admin'], - "edit" => ['perm_org_admin'], + "add" => ['OR' => ['perm_org_admin', 'perm_community_admin']], + "addIndividual" => ['OR' => ['perm_org_admin', 'perm_community_admin']], + "delete" => ['OR' => ['perm_org_admin', 'perm_community_admin']], + "edit" => ['OR' => ['perm_org_admin', 'perm_community_admin']], "index" => ['*'], - "listIndividuals" => ['perm_org_admin'], - "removeIndividual" => ['perm_org_admin'], + "listIndividuals" => ['OR' => ['perm_org_admin', 'perm_community_admin']], + "removeIndividual" => ['OR' => ['perm_org_admin', 'perm_community_admin']], "view" => ['*'], ], 'MetaTemplateFields' => [ - 'index' => ['perm_admin'] + 'index' => ['perm_admin', 'perm_community_admin'] ], 'MetaTemplates' => [ 'createNewTemplate' => ['perm_admin'], 
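Review bot: `'MetaTemplateFields' => ['index' => ['perm_admin', 'perm_community_admin']]` uses the plain-list form while every other entry rewritten in this hunk uses `['OR' => [...]]` for the same "either flag" intent. How the evaluator treats a plain list with two flags is not visible here, so mixing the two forms in one edit leaves the intended semantics ambiguous to the next reader; suggest `'index' => ['OR' => ['perm_admin', 'perm_community_admin']]` to match the surrounding entries.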
@@ -164,30 +164,30 @@ class ACLComponent extends Component 'index' => ['perm_admin'], ], 'OrgGroups' => [ - 'add' => ['perm_admin'], - 'delete' => ['perm_admin'], - 'edit' => ['perm_admin'], + 'add' => ['perm_community_admin'], + 'delete' => ['perm_community_admin'], + 'edit' => ['perm_community_admin'], 'index' => ['*'], 'view' => ['*'], 'filtering' => ['*'], - 'tag' => ['perm_admin'], - 'untag' => ['perm_admin'], + 'tag' => ['perm_community_admin'], + 'untag' => ['perm_community_admin'], 'viewTags' => ['*'], 'listAdmins' => ['*'], 'listOrgs' => ['*'], - 'assignAdmin' => ['perm_admin'], - 'removeAdmin' => ['perm_admin'], - 'attachOrg' => ['perm_admin', 'perm_group_admin'], - 'detachOrg' => ['perm_admin', 'perm_group_admin'] + 'assignAdmin' => ['perm_community_admin'], + 'removeAdmin' => ['perm_community_admin'], + 'attachOrg' => ['perm_community_admin', 'perm_group_admin'], + 'detachOrg' => ['perm_community_admin', 'perm_group_admin'] ], 'Organisations' => [ - 'add' => ['perm_admin'], - 'delete' => ['perm_admin'], - 'edit' => ['perm_admin', 'perm_org_admin'], + 'add' => ['perm_community_admin'], + 'delete' => ['perm_community_admin'], + 'edit' => ['OR' => ['perm_org_admin', 'perm_community_admin']], 'filtering' => ['*'], 'index' => ['*'], - 'tag' => ['perm_org_admin'], - 'untag' => ['perm_org_admin'], + 'tag' => ['OR' => ['perm_org_admin', 'perm_community_admin']], + 'untag' => ['OR' => ['perm_org_admin', 'perm_community_admin']], 'view' => ['*'], 'viewTags' => ['*'] ], 
@@ -211,39 +211,39 @@ class ACLComponent extends Component "delete" => ['perm_admin'] ], 'Roles' => [ - 'add' => ['perm_admin'], - 'delete' => ['perm_admin'], - 'edit' => ['perm_admin'], + 'add' => ['perm_community_admin'], + 'delete' => ['perm_community_admin'], + 'edit' => ['perm_community_admin'], 'index' => ['*'], 'view' => ['*'] ], 'SharingGroups' => [ - 'add' => ['perm_org_admin'], - 'addOrg' => ['perm_org_admin'], - 'delete' => ['perm_org_admin'], - 'edit' => ['perm_org_admin'], + 'add' => ['OR' => ['perm_org_admin', 'perm_community_admin']], + 'addOrg' => ['OR' => ['perm_org_admin', 'perm_community_admin']], + 'delete' => ['OR' => ['perm_org_admin', 'perm_community_admin']], + 'edit' => ['OR' => ['perm_org_admin', 'perm_community_admin']], 'index' => ['*'], 'listOrgs' => ['*'], - 'removeOrg' => ['perm_org_admin'], + 'removeOrg' => ['OR' => ['perm_org_admin', 'perm_community_admin']], 'view' => ['*'] ], 'Tags' => [ - 'add' => ['perm_admin'], - 'delete' => ['perm_admin'], - 'edit' => ['perm_admin'], + 'add' => ['perm_community_admin'], + 'delete' => ['perm_community_admin'], + 'edit' => ['perm_community_admin'], 'index' => ['*'], 'view' => ['*'] ], 'Users' => [ - 'add' => ['perm_org_admin'], - 'delete' => ['perm_org_admin'], + 'add' => ['OR' => ['perm_org_admin', 'perm_community_admin']], + 'delete' => ['OR' => ['perm_org_admin', 'perm_community_admin']], 'edit' => ['*'], - 'index' => ['perm_org_admin'], + 'index' => ['OR' => ['perm_org_admin', 'perm_community_admin']], 'login' => ['*'], 'logout' => ['*'], 'register' => ['*'], 'settings' => ['*'], - 'toggle' => ['perm_org_admin'], + 'toggle' => ['OR' => ['perm_org_admin', 'perm_community_admin']], 'view' => ['*'] ], 'UserSettings' => [ 
@@ -354,14 +354,14 @@ class ACLComponent extends Component
 if (empty($user) || empty($currentUser)) {
 return false;
 }
- if ($currentUser['role']['perm_admin']) {
+ if ($currentUser['role']['perm_community_admin']) {
 return true;
 }
 if ($user['id'] === $currentUser['id']) {
 return true;
 }
- if ($user['role']['perm_admin']) {
+ if ($user['role']['perm_community_admin']) {
 return false; // org_admins cannot edit admins
 }
 if ($currentUser['role']['perm_org_admin'] && $user['role']['perm_group_admin']) {
@@ -401,7 +401,7 @@ class ACLComponent extends Component
 return true;
 }
 if (!empty($this->user->role->perm_admin)) {
- return true;
+ //return true;
 }
 //$this->__checkLoggedActions($user, $controller, $action);
 if (isset($this->aclList['*'][$action])) {
@@ -589,7 +589,7 @@ class ACLComponent extends Component
 }
 foreach ($this->aclList as $controller => $actions) {
 foreach ($actions as $action => $permissions) {
- if ($role['perm_admin']) {
+ if ($role['perm_admin'] && empty($permissions)) {
 $results = $this->__formatControllerAction($results, $controller, $action, $url_mode);
 } elseif (in_array('*', $permissions)) {
 $results = $this->__formatControllerAction($results, $controller, $action, $url_mode);
diff --git a/src/Controller/Component/CRUDComponent.php b/src/Controller/Component/CRUDComponent.php
index e6d6f6c..9330740 100644
--- a/src/Controller/Component/CRUDComponent.php
+++ b/src/Controller/Component/CRUDComponent.php
@@ -526,10 +526,10 @@ class CRUDComponent extends Component
 if (!empty($errors)) {
 if (count($errors) == 1) {
 $field = array_keys($errors)[0];
- $fieldError = implode(', ', array_values($errors[$field]));
+ $fieldError = json_encode($errors[$field]);
 $validationMessage = __('{0}: {1}', $field, $fieldError);
 } else {
- $validationMessage = __('There has been validation issues with multiple fields');
+ $validationMessage = __('There has been validation issues with multiple fields: {0}', json_encode($errors));
 }
 }
 return $validationMessage;
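Review bot: The second changed line in the line-354 hunk now returns false only when the target user's role has `perm_community_admin`; `perm_admin` is still a separate flag (it is listed alongside `perm_community_admin` in the RestResponseComponent field lists), so a site-admin account without the community flag is no longer protected and an org admin who passes the later checks could edit it. Suggest `if ($user['role']['perm_admin'] || $user['role']['perm_community_admin']) {` and updating the trailing comment to say "org_admins cannot edit admins or community admins". The first changed line has the mirror issue: a caller with only `perm_admin` no longer short-circuits to true. The enclosing method starts and ends outside the hunk.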
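Review bot: Commenting out `return true;` in the line-401 hunk leaves an empty `if (!empty($this->user->role->perm_admin)) { }` and silently revokes the universal bypass for `perm_admin`, so every ACL entry this commit narrowed to `perm_community_admin` alone is now denied to a perm_admin-only role. If that is the intent, delete the block and its stale `//return true;` rather than leaving dead code, and say so in the commit description; if not, restore the return. checkAccess continues outside the hunk.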
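Review bot: In the line-589 hunk, `if ($role['perm_admin'] && empty($permissions))` only grants a menu entry to perm_admin roles when the action's permission list is empty, and none of the aclList entries visible in this diff has an empty list, so this branch looks effectively dead for them and perm_admin roles fall through to the ordinary flag matching. If the goal was to stop admins from seeing every entry, a comment stating that would help; if `empty` was a slip, the condition needs revisiting. The loop continues outside the hunk.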
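Review bot: In the CRUDComponent hunk, `json_encode($errors[$field])` replaces a comma-joined list of messages with a JSON object, so the user-facing message changes from `field: msg1, msg2` to `field: {"rule":"msg1",...}`, and `json_encode` returns `false` on non-UTF-8 input, which `__()` would render as an empty placeholder. If the richer structure is wanted, pass `JSON_THROW_ON_ERROR | JSON_UNESCAPED_UNICODE` (or keep the `implode` for the single-field case and only JSON-encode the multi-field summary). The enclosing method starts outside the hunk.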
diff --git a/src/Controller/Component/Navigation/Tags.php b/src/Controller/Component/Navigation/Tags.php index 0af9849..20be662 100644 --- a/src/Controller/Component/Navigation/Tags.php +++ b/src/Controller/Component/Navigation/Tags.php @@ -8,7 +8,7 @@ class TagsNavigation extends BaseNavigation public function addLinks() { $controller = 'Tags'; - if (empty($this->viewVars['loggedUser']['role']['perm_admin'])) { + if (empty($this->viewVars['loggedUser']['role']['perm_community_admin'])) { $this->bcf->removeLink($controller, 'view', $controller, 'edit'); $this->bcf->removeLink($controller, 'edit', $controller, 'edit'); } @@ -17,7 +17,7 @@ class TagsNavigation extends BaseNavigation public function addActions() { $controller = 'Tags'; - if (empty($this->viewVars['loggedUser']['role']['perm_admin'])) { + if (empty($this->viewVars['loggedUser']['role']['perm_community_admin'])) { $this->bcf->removeAction($controller, 'view', $controller, 'delete'); $this->bcf->removeAction($controller, 'edit', $controller, 'delete'); } diff --git a/src/Controller/Component/NavigationComponent.php b/src/Controller/Component/NavigationComponent.php index d3e03f1..b758b28 100644 --- a/src/Controller/Component/NavigationComponent.php +++ b/src/Controller/Component/NavigationComponent.php @@ -312,12 +312,12 @@ class BreadcrumbFactory $this->addAction($controller, 'view', $controller, 'add'); $this->addAction($controller, 'view', $controller, 'delete'); - if (!empty($loggedUser['role']['perm_admin'])) { + if (!empty($loggedUser['role']['perm_community_admin'])) { $this->addAction($controller, 'view', $controller, 'audit'); } $this->addAction($controller, 'edit', $controller, 'add'); $this->addAction($controller, 'edit', $controller, 'delete'); - if (!empty($loggedUser['role']['perm_admin'])) { + if (!empty($loggedUser['role']['perm_community_admin'])) { $this->addAction($controller, 'edit', $controller, 'audit'); } } 
diff --git a/src/Controller/Component/RestResponseComponent.php b/src/Controller/Component/RestResponseComponent.php index 10f36cd..4bc5edf 100644 --- a/src/Controller/Component/RestResponseComponent.php +++ b/src/Controller/Component/RestResponseComponent.php @@ -140,6 +140,7 @@ class RestResponseComponent extends Component 'perm_delegate', 'perm_sync', 'perm_admin', + 'perm_community_admin', 'perm_audit', 'perm_auth', 'perm_site_admin', @@ -160,6 +161,7 @@ class RestResponseComponent extends Component 'perm_delegate', 'perm_sync', 'perm_admin', + 'perm_community_admin', 'perm_audit', 'perm_auth', 'perm_site_admin', @@ -1253,6 +1255,11 @@ class RestResponseComponent extends Component 'type' => 'integer', 'values' => array(1 => 'True', 0 => 'False' ) ), + 'perm_community_admin' => array( + 'input' => 'radio', + 'type' => 'integer', + 'values' => array(1 => 'True', 0 => 'False' ) + ), 'perm_audit' => array( 'input' => 'radio', 'type' => 'integer', diff --git a/src/Controller/EncryptionKeysController.php b/src/Controller/EncryptionKeysController.php index 3637095..4c75bbc 100644 --- a/src/Controller/EncryptionKeysController.php +++ b/src/Controller/EncryptionKeysController.php @@ -64,7 +64,7 @@ class EncryptionKeysController extends AppController $dropdownData = []; $currentUser = $this->ACL->getUser(); $params = []; - if (empty($currentUser['role']['perm_admin'])) { + if (empty($currentUser['role']['perm_community_admin'])) { $params = $this->buildBeforeSave($params, $currentUser, $orgConditions, $individualConditions, $dropdownData); } $this->CRUD->delete($id, $params); @@ -77,7 +77,7 @@ class EncryptionKeysController extends AppController private function buildBeforeSave(array $params, $currentUser, array &$orgConditions, array &$individualConditions, array &$dropdownData): array { - if (empty($currentUser['role']['perm_admin'])) { + if (empty($currentUser['role']['perm_community_admin'])) { $orgConditions = [ 'id' => $currentUser['organisation_id'] ]; 
@@ -154,7 +154,7 @@ class EncryptionKeysController extends AppController ], 'redirect' => $this->referer() ]; - if (empty($currentUser['role']['perm_admin'])) { + if (empty($currentUser['role']['perm_community_admin'])) { $params = $this->buildBeforeSave($params, $currentUser, $orgConditions, $individualConditions, $dropdownData); } $this->CRUD->edit($id, $params); diff --git a/src/Controller/IndividualsController.php b/src/Controller/IndividualsController.php index 776f75f..c37a0d2 100644 --- a/src/Controller/IndividualsController.php +++ b/src/Controller/IndividualsController.php @@ -29,7 +29,7 @@ class IndividualsController extends AppController public function index() { $currentUser = $this->ACL->getUser(); - $orgAdmin = !$currentUser['role']['perm_admin'] && $currentUser['role']['perm_org_admin']; + $orgAdmin = !$currentUser['role']['perm_community_admin'] && $currentUser['role']['perm_org_admin']; $this->CRUD->index([ 'filters' => $this->filterFields, 'quickFilters' => $this->quickFilterFields, @@ -37,7 +37,7 @@ class IndividualsController extends AppController 'contain' => $this->containFields, 'statisticsFields' => $this->statisticsFields, 'afterFind' => function($data) use ($currentUser) { - if ($currentUser['role']['perm_admin']) { + if ($currentUser['role']['perm_community_admin']) { $data['user'] = $this->Individuals->Users->find()->select(['id', 'username', 'Organisations.id', 'Organisations.name'])->contain('Organisations')->where(['individual_id' => $data['id']])->all()->toArray(); } return $data; @@ -88,7 +88,7 @@ class IndividualsController extends AppController $currentUser = $this->ACL->getUser(); $this->CRUD->edit($id, [ 'beforeSave' => function($data) use ($currentUser) { - if ($currentUser['role']['perm_admin'] && isset($data['uuid'])) { + if ($currentUser['role']['perm_community_admin'] && isset($data['uuid'])) { unset($data['uuid']); } return $data; 
@@ -157,7 +157,7 @@ class IndividualsController extends AppController private function canEdit($indId): bool { $currentUser = $this->ACL->getUser(); - if ($currentUser['role']['perm_admin']) { + if ($currentUser['role']['perm_community_admin']) { return true; } $validIndividuals = $this->Individuals->getValidIndividualsToEdit($currentUser); @@ -174,7 +174,7 @@ class IndividualsController extends AppController return false; } $currentUser = $this->ACL->getUser(); - if ($currentUser['role']['perm_admin']) { + if ($currentUser['role']['perm_community_admin']) { return true; } return false; diff --git a/src/Controller/MailingListsController.php b/src/Controller/MailingListsController.php index 43a18cc..0054d03 100644 --- a/src/Controller/MailingListsController.php +++ b/src/Controller/MailingListsController.php @@ -29,7 +29,7 @@ class MailingListsController extends AppController 'quickFilters' => $this->quickFilterFields, 'statisticsFields' => $this->statisticsFields, 'afterFind' => function ($row) use ($currentUser) { - if (empty($currentUser['role']['perm_admin']) && $row['user_id'] != $currentUser['id']) { + if (empty($currentUser['role']['perm_community_admin']) && $row['user_id'] != $currentUser['id']) { if (!$this->MailingLists->isIndividualListed($currentUser['individual_id'], $row)) { $row = false; } @@ -66,7 +66,7 @@ class MailingListsController extends AppController $this->CRUD->view($id, [ 'contain' => $this->containFields, 'afterFind' => function($data) use ($currentUser) { - if (empty($currentUser['role']['perm_admin']) && $data['user_id'] != $currentUser['id']) { + if (empty($currentUser['role']['perm_community_admin']) && $data['user_id'] != $currentUser['id']) { if (!$this->MailingLists->isIndividualListed($currentUser['individual_id'], $data)) { $data = []; } 
@@ -84,7 +84,7 @@ class MailingListsController extends AppController { $currentUser = $this->ACL->getUser(); $params = []; - if (empty($currentUser['role']['perm_admin'])) { + if (empty($currentUser['role']['perm_community_admin'])) { $params['conditions'] = ['user_id' => $currentUser['id']]; } $this->CRUD->edit($id, $params); @@ -98,7 +98,7 @@ class MailingListsController extends AppController public function delete($id) { $currentUser = $this->ACL->getUser(); - if (empty($currentUser['role']['perm_admin'])) { + if (empty($currentUser['role']['perm_community_admin'])) { $params['conditions'] = ['user_id' => $currentUser['id']]; } $this->CRUD->delete($id, $params); @@ -131,7 +131,7 @@ class MailingListsController extends AppController if (is_null($mailingList)) { throw new NotFoundException(__('Invalid {0}.', Inflector::singularize($this->MailingLists->getAlias()))); } - if (empty($currentUser['role']['perm_admin']) && $mailingList['user_id'] != $currentUser['id']) { + if (empty($currentUser['role']['perm_community_admin']) && $mailingList['user_id'] != $currentUser['id']) { if (!$this->MailingLists->isIndividualListed($currentUser['individual_id'], $mailingList)) { throw new NotFoundException(__('Invalid {0}.', Inflector::singularize($this->MailingLists->getAlias()))); } @@ -197,7 +197,7 @@ class MailingListsController extends AppController $params = [ 'contain' => ['Individuals', 'MetaFields'] ]; - if (empty($currentUser['role']['perm_admin'])) { + if (empty($currentUser['role']['perm_community_admin'])) { $params['conditions'] = ['user_id' => $currentUser['id']]; } $mailingList = $this->MailingLists->get($mailinglist_id, $params); 
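Review bot: In the delete() hunk, `$params` is only assigned inside the `if (empty($currentUser['role']['perm_community_admin']))` branch, so for a community admin `$this->CRUD->delete($id, $params)` passes an undefined variable (a warning and `null`); this predates the rename, but the hunk is the natural place to add `$params = [];` before the `if`, as edit() directly above already does. The same initialisation pattern is used in the other MailingLists hunks, so only delete() is affected. delete() continues outside the hunk.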
@@ -274,7 +274,7 @@ class MailingListsController extends AppController $params = [ 'contain' => ['Individuals', 'MetaFields'] ]; - if (empty($currentUser['role']['perm_admin'])) { + if (empty($currentUser['role']['perm_community_admin'])) { $params['conditions'] = ['user_id' => $currentUser['id']]; } $mailingList = $this->MailingLists->get($mailinglist_id, $params); diff --git a/src/Controller/OrgGroupsController.php b/src/Controller/OrgGroupsController.php index c775da5..58f11a9 100644 --- a/src/Controller/OrgGroupsController.php +++ b/src/Controller/OrgGroupsController.php @@ -121,7 +121,7 @@ class OrgGroupsController extends AppController private function canEdit($groupId): bool { $currentUser = $this->ACL->getUser(); - if ($currentUser['role']['perm_admin']) { + if ($currentUser['role']['perm_community_admin']) { return true; } if ($currentUser['role']['perm_group_admin']) { @@ -140,7 +140,7 @@ class OrgGroupsController extends AppController private function canEditDefinition($groupId): bool { $currentUser = $this->ACL->getUser(); - if ($currentUser['role']['perm_admin']) { + if ($currentUser['role']['perm_community_admin']) { return true; } return false; @@ -154,7 +154,7 @@ class OrgGroupsController extends AppController } $orgGroup = $this->OrgGroups->get($groupId, ['contain' => ['Users' => ['Individuals', 'Organisations']]]); $this->set('data', $orgGroup['users']); - $this->set('canEdit', $this->ACL->getUser()['role']['perm_admin']); + $this->set('canEdit', $this->ACL->getUser()['role']['perm_community_admin']); $this->set('groupId', $groupId); } 
@@ -172,7 +172,7 @@ class OrgGroupsController extends AppController public function assignAdmin($groupId) { - if (!$this->ACL->getUser()['role']['perm_admin']) { + if (!$this->ACL->getUser()['role']['perm_community_admin']) { throw new MethodNotAllowedException(__('You do not have permission to edit this group.')); } $this->CRUD->linkObjects(__FUNCTION__, $groupId, 'OrgGroups', 'Users', ['redirect' => '/orgGroups/listAdmins/' . $groupId]); @@ -188,7 +188,7 @@ class OrgGroupsController extends AppController $validRoles = $this->Roles->find('list')->disableHydration()->select( ['id', 'name'] )->where( - ['OR' => ['perm_admin' => 1, 'perm_group_admin' => 1]] + ['OR' => ['perm_community_admin' => 1, 'perm_group_admin' => 1]] )->toArray(); $admins = $this->Users->find('list')->disableHydration()->select(['id', 'username'])->where(['Users.role_id IN' => array_keys($validRoles)])->toArray(); asort($admins, SORT_STRING | SORT_FLAG_CASE); @@ -207,7 +207,7 @@ class OrgGroupsController extends AppController public function removeAdmin($groupId, $adminId) { - if (!$this->ACL->getUser()['role']['perm_admin']) { + if (!$this->ACL->getUser()['role']['perm_community_admin']) { throw new MethodNotAllowedException(__('You do not have permission to edit this group.')); } $this->CRUD->unlinkObjects(__FUNCTION__, $groupId, $adminId, 'OrgGroups', 'Users'); diff --git a/src/Controller/OrganisationsController.php b/src/Controller/OrganisationsController.php index 4274443..6d1ba06 100644 --- a/src/Controller/OrganisationsController.php +++ b/src/Controller/OrganisationsController.php @@ -121,7 +121,7 @@ class OrganisationsController extends AppController $currentUser = $this->ACL->getUser(); $this->CRUD->edit($id, [ 'beforeSave' => function($data) use ($currentUser) { - if (!$currentUser['role']['perm_admin']) { + if (!$currentUser['role']['perm_community_admin']) { unset($data['uuid']); } return $data; 
@@ -181,7 +181,7 @@ class OrganisationsController extends AppController private function canEdit($orgId): bool { $currentUser = $this->ACL->getUser(); - if ($currentUser['role']['perm_admin']) { + if ($currentUser['role']['perm_community_admin']) { return true; } diff --git a/src/Controller/RolesController.php b/src/Controller/RolesController.php index 77daa5e..9e909c1 100644 --- a/src/Controller/RolesController.php +++ b/src/Controller/RolesController.php @@ -12,7 +12,7 @@ use Cake\Http\Exception\ForbiddenException; class RolesController extends AppController { - public $filterFields = ['name', 'uuid', 'perm_admin', 'Users.id', 'perm_org_admin']; + public $filterFields = ['name', 'uuid', 'perm_admin', 'perm_community_admin', 'Users.id', 'perm_org_admin']; public $quickFilterFields = ['name']; public $containFields = []; @@ -26,7 +26,7 @@ class RolesController extends AppController if (!empty($responsePayload)) { return $responsePayload; } - $this->set('metaGroup', $this->isAdmin ? 'Administration' : 'Cerebrate'); + $this->set('metaGroup', $this->isCommunityAdmin ? 'Administration' : 'Cerebrate'); } public function add() @@ -44,7 +44,7 @@ class RolesController extends AppController if (!empty($responsePayload)) { return $responsePayload; } - $this->set('metaGroup', $this->isAdmin ? 'Administration' : 'Cerebrate'); + $this->set('metaGroup', $this->isCommunityAdmin ? 'Administration' : 'Cerebrate'); } public function view($id) @@ -54,7 +54,7 @@ class RolesController extends AppController if (!empty($responsePayload)) { return $responsePayload; } - $this->set('metaGroup', $this->isAdmin ? 'Administration' : 'Cerebrate'); + $this->set('metaGroup', $this->isCommunityAdmin ? 'Administration' : 'Cerebrate'); } public function edit($id) 
@@ -72,7 +72,7 @@ class RolesController extends AppController if (!empty($responsePayload)) { return $responsePayload; } - $this->set('metaGroup', $this->isAdmin ? 'Administration' : 'Cerebrate'); + $this->set('metaGroup', $this->isCommunityAdmin ? 'Administration' : 'Cerebrate'); $this->render('add'); } @@ -83,6 +83,6 @@ class RolesController extends AppController if (!empty($responsePayload)) { return $responsePayload; } - $this->set('metaGroup', $this->isAdmin ? 'Administration' : 'Cerebrate'); + $this->set('metaGroup', $this->isCommunityAdmin ? 'Administration' : 'Cerebrate'); } } diff --git a/src/Controller/SharingGroupsController.php b/src/Controller/SharingGroupsController.php index 56f9a52..640b2a4 100644 --- a/src/Controller/SharingGroupsController.php +++ b/src/Controller/SharingGroupsController.php @@ -26,7 +26,7 @@ class SharingGroupsController extends AppController 'quickFilters' => $this->quickFilterFields, 'conditions' => $conditions, 'afterFind' => function ($row) use ($currentUser) { - if (empty($currentUser['role']['perm_admin'])) { + if (empty($currentUser['role']['perm_community_admin'])) { $orgFound = false; if (!empty($row['sharing_group_orgs'])) { foreach ($row['sharing_group_orgs'] as $org) { @@ -56,7 +56,7 @@ class SharingGroupsController extends AppController 'user_id' => $this->ACL->getUser()['id'] ], 'beforeSave' => function($data) use ($currentUser) { - if (!$currentUser['role']['perm_admin']) { + if (!$currentUser['role']['perm_community_admin']) { $data['organisation_id'] = $currentUser['organisation_id']; } return $data; 
@@ -78,7 +78,7 @@ class SharingGroupsController extends AppController $this->CRUD->view($id, [ 'contain' => ['SharingGroupOrgs', 'Organisations', 'Users' => ['fields' => ['id', 'username']]], 'afterFind' => function($data) use ($currentUser) { - if (empty($currentUser['role']['perm_admin'])) { + if (empty($currentUser['role']['perm_community_admin'])) { $orgFound = false; if (!empty($data['sharing_group_orgs'])) { foreach ($data['sharing_group_orgs'] as $org) { @@ -104,7 +104,7 @@ class SharingGroupsController extends AppController { $params = []; $currentUser = $this->ACL->getUser(); - if (empty($currentUser['role']['perm_admin'])) { + if (empty($currentUser['role']['perm_community_admin'])) { $params['conditions'] = ['organisation_id' => $currentUser['organisation_id']]; } $params['fields'] = ['name', 'releasability', 'description', 'active']; @@ -124,7 +124,7 @@ class SharingGroupsController extends AppController { $currentUser = $this->ACL->getUser(); $params = []; - if (empty($currentUser['role']['perm_admin'])) { + if (empty($currentUser['role']['perm_community_admin'])) { $params['conditions'] = ['organisation_id' => $currentUser['organisation_id']]; } $this->CRUD->delete($id, $params); @@ -140,7 +140,7 @@ class SharingGroupsController extends AppController $sharingGroup = $this->SharingGroups->get($id, [ 'contain' => 'SharingGroupOrgs' ]); - if (empty($currentUser['role']['perm_admin'])) { + if (empty($currentUser['role']['perm_community_admin'])) { if ($sharingGroup['organisation_id'] !== $currentUser['organisation_id']) { $sharingGroup = null; } @@ -212,7 +212,7 @@ class SharingGroupsController extends AppController $sharingGroup = $this->SharingGroups->get($id, [ 'contain' => 'SharingGroupOrgs' ]); - if (empty($currentUser['role']['perm_admin'])) { + if (empty($currentUser['role']['perm_community_admin'])) { if ($sharingGroup['organisation_id'] !== $currentUser['organisation_id']) { $sharingGroup = null; } 
@@ -278,7 +278,7 @@ class SharingGroupsController extends AppController private function getAvailableOrgForSg($user) { $organisations = []; - if (!empty($user['role']['perm_admin'])) { + if (!empty($user['role']['perm_community_admin'])) { $organisations = $this->SharingGroups->Organisations->find('list')->order(['name' => 'ASC'])->toArray(); } else { $organisations = $this->SharingGroups->Organisations->find('list', [ diff --git a/src/Controller/UserSettingsController.php b/src/Controller/UserSettingsController.php index 2a06985..877d25f 100644 --- a/src/Controller/UserSettingsController.php +++ b/src/Controller/UserSettingsController.php @@ -22,7 +22,7 @@ class UserSettingsController extends AppController { $conditions = []; $currentUser = $this->ACL->getUser(); - if (empty($currentUser['role']['perm_admin'])) { + if (empty($currentUser['role']['perm_community_admin'])) { $conditions['user_id'] = $currentUser->id; } $this->CRUD->index([ @@ -39,7 +39,7 @@ class UserSettingsController extends AppController $conditions = [ 'id' => $this->request->getQuery('Users_id') ]; - if (empty($currentUser['role']['perm_admin'])) { + if (empty($currentUser['role']['perm_community_admin'])) { $conditions['organisation_id'] = $currentUser['organisation_id']; } $settingsForUser = $this->UserSettings->Users->find()->where($conditions)->first(); @@ -76,7 +76,7 @@ class UserSettingsController extends AppController if (!empty($existingSetting)) { throw new MethodNotAllowedException(__('You cannot create a setting that already exists for the given user.')); } - if (empty($currentUser['role']['perm_admin'])) { + if (empty($currentUser['role']['perm_community_admin'])) { $data['user_id'] = $currentUser->id; } return $data; 
@@ -87,7 +87,7 @@ class UserSettingsController extends AppController return $responsePayload; } $allUsers = $this->UserSettings->Users->find('list', ['keyField' => 'id', 'valueField' => 'username'])->order(['username' => 'ASC']); - if (empty($currentUser['role']['perm_admin'])) { + if (empty($currentUser['role']['perm_community_admin'])) { $allUsers->where(['id' => $currentUser->id]); $user_id = $currentUser->id; } else if (!is_null($user_id)) { @@ -109,7 +109,7 @@ class UserSettingsController extends AppController $currentUser = $this->ACL->getUser(); $validUsers = []; $individual_ids = []; - if (!$currentUser['role']['perm_admin']) { + if (!$currentUser['role']['perm_community_admin']) { if ($currentUser['role']['perm_org_admin']) { $validUsers = $this->Users->find('list')->select(['id', 'username'])->order(['username' => 'asc'])->where(['organisation_id' => $currentUser['organisation']['id']])->all()->toArray(); } else { @@ -272,7 +272,7 @@ class UserSettingsController extends AppController { $currentUser = $this->ACL->getUser(); $isAllowed = false; - if (!empty($currentUser['role']['perm_admin'])) { + if (!empty($currentUser['role']['perm_community_admin'])) { $isAllowed = true; } else { if (is_numeric($setting)) { @@ -301,7 +301,7 @@ class UserSettingsController extends AppController if (is_bool($user_id)) { return $currentUser; } - if (!empty($currentUser['role']['perm_admin'])) { + if (!empty($currentUser['role']['perm_community_admin'])) { $user = $this->Users->get($user_id, [ 'contain' => ['Roles', 'Individuals' => 'Organisations'] ]); diff --git a/src/Controller/UsersController.php b/src/Controller/UsersController.php index d86f314..7be3d69 100644 --- a/src/Controller/UsersController.php +++ b/src/Controller/UsersController.php 
@@ -28,7 +28,7 @@ class UsersController extends AppController $currentUser = $this->ACL->getUser(); $conditions = []; $validOrgIDsFOrEdition = []; - if (empty($currentUser['role']['perm_admin'])) { + if (empty($currentUser['role']['perm_community_admin'])) { $conditions['organisation_id IN'] = [$currentUser['organisation_id']]; if (!empty($currentUser['role']['perm_group_admin'])) { $this->loadModel('OrgGroups'); @@ -66,7 +66,7 @@ class UsersController extends AppController } $this->set( 'validRoles', - $this->Users->Roles->find('list')->select(['id', 'name'])->order(['name' => 'asc'])->where(['perm_admin' => 0, 'perm_org_admin' => 0])->all()->toArray() + $this->Users->Roles->find('list')->select(['id', 'name'])->order(['name' => 'asc'])->where(['perm_community_admin' => 0, 'perm_org_admin' => 0])->all()->toArray() ); $this->set('validOrgIDsFOrEdition', $validOrgIDsFOrEdition); } 
@@ -84,12 +84,12 @@ class UsersController extends AppController 'sort' => ['email' => 'asc'] ]; $individual_ids = []; - if (!$currentUser['role']['perm_admin']) { + if (!$currentUser['role']['perm_community_admin']) { if ($currentUser['role']['perm_group_admin']) { - $validRoles = $this->Users->Roles->find('list')->select(['id', 'name'])->order(['name' => 'asc'])->where(['perm_admin' => 0, 'perm_group_admin' => 0])->all()->toArray(); + $validRoles = $this->Users->Roles->find('list')->select(['id', 'name'])->order(['name' => 'asc'])->where(['perm_community_admin' => 0, 'perm_group_admin' => 0])->all()->toArray(); $individual_ids = $this->Users->Individuals->find('aligned', ['organisation_id' => $currentUser['organisation_id']])->all()->extract('id')->toArray(); } else { - $validRoles = $this->Users->Roles->find('list')->select(['id', 'name'])->order(['name' => 'asc'])->where(['perm_admin' => 0, 'perm_group_admin' => 0, 'perm_org_admin' => 0])->all()->toArray(); + $validRoles = $this->Users->Roles->find('list')->select(['id', 'name'])->order(['name' => 'asc'])->where(['perm_community_admin' => 0, 'perm_group_admin' => 0, 'perm_org_admin' => 0])->all()->toArray(); } if (empty($individual_ids)) { @@ -116,7 +116,7 @@ class UsersController extends AppController if (!isset($data['role_id']) && !empty($defaultRole)) { $data['role_id'] = $defaultRole['id']; } - if (!$currentUser['role']['perm_admin']) { + if (!$currentUser['role']['perm_community_admin']) { $validOrgs = $this->Users->getValidOrgsForUser($currentUser); if ($currentUser['role']['perm_group_admin']) { if (!empty($data['organisation_id']) && !in_array($currentUser['organisation_id'], $validOrgs)) { 
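Review bot: The role whitelists built for group and org admins in add() now exclude roles with perm_community_admin, perm_group_admin and perm_org_admin, but not roles with perm_admin set, so a "site admin" role that leaves perm_community_admin at 0 is still offered to (and presumably accepted from) a non-community admin creating a user. Since the commit deliberately splits the two flags, both must be excluded: `->where(['perm_admin' => 0, 'perm_community_admin' => 0, 'perm_group_admin' => 0])` for the group-admin branch and the same with `'perm_org_admin' => 0` added for the plain org-admin branch. The same filter appears in index() and edit() of this controller and needs the same treatment. The enclosing add() method continues outside the hunk, so whether the submitted role_id is re-checked against $validRoles on save is not visible here.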
@@ -136,7 +136,7 @@ class UsersController extends AppController } $data['individual']['alignments'][] = ['type' => 'Member', 'organisation' => ['uuid' => $existingOrg['uuid']]]; $data['individual_id'] = $this->Users->Individuals->captureIndividual($data['individual'], true); - } else if (!$currentUser['role']['perm_admin'] && isset($data['individual_id'])) { + } else if (!$currentUser['role']['perm_community_admin'] && isset($data['individual_id'])) { if (!in_array($data['individual_id'], $individual_ids)) { throw new MethodNotAllowedException(__('The selected individual is not aligned with your organisation. Creating a user for them is not permitted.')); } @@ -177,7 +177,7 @@ class UsersController extends AppController $alignments = array_map(function($value) { return array_values($value); }, $alignments); */ $org_conditions = []; - if (empty($currentUser['role']['perm_admin'])) { + if (empty($currentUser['role']['perm_community_admin'])) { $validOrgs = $this->Users->getValidOrgsForUser($currentUser); $org_conditions = ['id IN' => $validOrgs]; } @@ -191,13 +191,13 @@ class UsersController extends AppController ]; $this->set(compact('dropdownData')); $this->set('defaultRole', $defaultRole['id'] ?? null); - $this->set('metaGroup', $this->isAdmin ? 'Administration' : 'Cerebrate'); + $this->set('metaGroup', $this->isCommunityAdmin ? 'Administration' : 'Cerebrate'); } public function view($id = false) { $currentUser = $this->ACL->getUser(); - if (empty($id) || (empty($currentUser['role']['perm_org_admin']) && empty($currentUser['role']['perm_admin']))) { + if (empty($id) || (empty($currentUser['role']['perm_org_admin']) && empty($currentUser['role']['perm_community_admin']))) { $id = $this->ACL->getUser()['id']; } $keycloakUsersParsed = null; 
@@ -213,7 +213,7 @@ class UsersController extends AppController 'contain' => ['Individuals' => ['Alignments' => 'Organisations'], 'Roles', 'Organisations', 'OrgGroups'], 'afterFind' => function($data) use ($keycloakUsersParsed, $currentUser) { if ( - empty($currentUser['role']['perm_admin']) && + empty($currentUser['role']['perm_community_admin']) && ($currentUser['organisation_id'] != $data['organisation_id']) && (empty($currentUser['role']['perm_group_admin']) || !$this->ACL->canEditUser($currentUser, $data)) ) { @@ -240,11 +240,13 @@ class UsersController extends AppController { $currentUser = $this->ACL->getUser(); $validRoles = []; - if (!$currentUser['role']['perm_admin']) { + $validOrgIds = []; + if (!$currentUser['role']['perm_community_admin']) { if ($currentUser['role']['perm_group_admin']) { - $validRoles = $this->Users->Roles->find('list')->select(['id', 'name'])->order(['name' => 'asc'])->where(['perm_admin' => 0, 'perm_group_admin' => 0])->all()->toArray(); + $validRoles = $this->Users->Roles->find('list')->select(['id', 'name'])->order(['name' => 'asc'])->where(['perm_community_admin' => 0, 'perm_group_admin' => 0])->all()->toArray(); + $validOrgIds = $this->Users->Organisations->OrgGroups->getGroupOrgIdsForUser($currentUser); } else { - $validRoles = $this->Users->Roles->find('list')->select(['id', 'name'])->order(['name' => 'asc'])->where(['perm_admin' => 0, 'perm_group_admin' => 0, 'perm_org_admin' => 0])->all()->toArray(); + $validRoles = $this->Users->Roles->find('list')->select(['id', 'name'])->order(['name' => 'asc'])->where(['perm_community_admin' => 0, 'perm_group_admin' => 0, 'perm_org_admin' => 0])->all()->toArray(); } } else { $validRoles = $this->Users->Roles->find('list')->order(['name' => 'asc'])->all()->toArray(); 
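Review bot: In edit() the $validRoles query for group and org admins (`->where(['perm_community_admin' => 0, 'perm_group_admin' => 0, ...])`) keeps roles with perm_admin = 1 in the assignable set, and this list is later passed into the POST/PUT afterFind to decide whether the target user is privileged; a site-admin role without the community flag can therefore be handed out by an org admin, and a user holding it is not shielded from edits by org admins. Add `'perm_admin' => 0` to both where() calls. The enclosing edit() continues outside the hunk.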
@@ -266,10 +268,10 @@ class UsersController extends AppController ]; if ($this->request->is(['get'])) { $params['fields'] = array_merge($params['fields'], ['role_id', 'disabled']); - if (!empty($this->ACL->getUser()['role']['perm_admin'])) { + if (!empty($this->ACL->getUser()['role']['perm_community_admin']) || !empty($this->ACL->getUser()['role']['perm_group_admin'])) { $params['fields'][] = 'organisation_id'; } - if (!$currentUser['role']['perm_admin']) { + if (!$currentUser['role']['perm_community_admin']) { $params['afterFind'] = function ($user, &$params) use ($currentUser) { if (!empty($user)) { // We don't have a 404 if (!$this->ACL->canEditUser($currentUser, $user)) { @@ -288,14 +290,23 @@ class UsersController extends AppController }; } } - if ($this->request->is(['post', 'put']) && !empty($this->ACL->getUser()['role']['perm_admin'])) { + if ($this->request->is(['post', 'put']) && !empty($this->ACL->getUser()['role']['perm_community_admin'])) { $params['fields'][] = 'role_id'; $params['fields'][] = 'organisation_id'; $params['fields'][] = 'disabled'; - } else if ($this->request->is(['post', 'put']) && !empty($this->ACL->getUser()['role']['perm_org_admin'])) { + } else if ( + $this->request->is(['post', 'put']) && + ( + !empty($this->ACL->getUser()['role']['perm_org_admin']) || + !empty($this->ACL->getUser()['role']['perm_group_admin']) + ) + ) { + if (!empty($this->ACL->getUser()['role']['perm_group_admin'])) { + $params['fields'][] = 'organisation_id'; + } $params['fields'][] = 'role_id'; $params['fields'][] = 'disabled'; - if (!$currentUser['role']['perm_admin']) { + if (!$currentUser['role']['perm_community_admin']) { $params['afterFind'] = function ($data, &$params) use ($currentUser, $validRoles) { if (!in_array($data['role_id'], array_keys($validRoles)) && $this->ACL->getUser()['id'] != $data['id']) { throw new MethodNotAllowedException(__('You cannot edit the given privileged user.')); 
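Review bot: Group admins may now submit organisation_id on POST/PUT, but nothing in this hunk checks the submitted value against the organisations the group admin administers; the afterFind added at the end only compares the existing user's role_id with $validRoles. Unless CRUD->edit validates it elsewhere, a group admin could move a user into an organisation outside their group. Reject it in a beforeSave using the $validOrgIds list computed earlier in edit(): `if (!empty($data['organisation_id']) && !in_array((int)$data['organisation_id'], $validOrgIds, true)) { throw new MethodNotAllowedException(__('Invalid organisation.')); }`. As a matter of style, the hunk calls `$this->ACL->getUser()` four times where `$currentUser` already holds the result. The enclosing edit() starts and ends outside the hunk.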
@@ -319,8 +330,11 @@ class UsersController extends AppController return $responsePayload; } $org_conditions = []; - if (empty($currentUser['role']['perm_admin'])) { + if (empty($currentUser['role']['perm_community_admin'])) { $org_conditions = ['id' => $currentUser['organisation_id']]; + if (!empty($currentUser['role']['perm_group_admin'])) { + $org_conditions = ['id IN' => $validOrgIds]; + } } if ($this->ACL->getUser()['id'] == $id) { $validRoles[$this->ACL->getUser()['role']['id']] = $this->ACL->getUser()['role']['name']; // include the current role of the user @@ -344,7 +358,7 @@ class UsersController extends AppController 'contain' => 'Roles' ]; $currentUser = $this->ACL->getUser(); - if (!$currentUser['role']['perm_admin']) { + if (!$currentUser['role']['perm_community_admin']) { $params['afterFind'] = function ($user, &$params) use ($currentUser) { if (!$this->ACL->canEditUser($currentUser, $user)) { throw new MethodNotAllowedException(__('You cannot edit the given user.')); @@ -363,7 +377,7 @@ class UsersController extends AppController { $currentUser = $this->ACL->getUser(); $validRoles = []; - if (!$currentUser['role']['perm_admin']) { + if (!$currentUser['role']['perm_community_admin']) { $validRoles = $this->Users->Roles->find('list')->order(['name' => 'asc'])->all()->toArray(); } $params = [ @@ -374,7 +388,7 @@ class UsersController extends AppController if (!$this->ACL->canEditUser($currentUser, $data)) { throw new MethodNotAllowedException(__('You cannot edit the given user.')); } - if (!$currentUser['role']['perm_admin']) { + if (!$currentUser['role']['perm_community_admin']) { if ($data['organisation_id'] !== $currentUser['organisation_id']) { throw new MethodNotAllowedException(__('You do not have permission to delete the given user.')); } 
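Review bot: `$org_conditions = ['id IN' => $validOrgIds];` is used whenever the current user is a group admin, but $validOrgIds comes straight from getGroupOrgIdsForUser() and may be an empty list, and CakePHP's ORM refuses to build an IN condition from an empty array (it throws InvalidArgumentException), which would turn the edit page into a 500 for a group admin whose group has no organisations. Keep the single-org condition from the previous line as the fallback: `if (!empty($currentUser['role']['perm_group_admin']) && !empty($validOrgIds)) { $org_conditions = ['id IN' => $validOrgIds]; }`. The enclosing edit() starts outside the hunk.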
@@ -395,7 +409,7 @@ class UsersController extends AppController if (!empty($responsePayload)) { return $responsePayload; } - $this->set('metaGroup', $this->isAdmin ? 'Administration' : 'Cerebrate'); + $this->set('metaGroup', $this->isCommunityAdmin ? 'Administration' : 'Cerebrate'); } public function login() @@ -469,7 +483,7 @@ class UsersController extends AppController { $editingAnotherUser = false; $currentUser = $this->ACL->getUser(); - if ((empty($currentUser['role']['perm_admin']) && empty($currentUser['role']['perm_group_admin'])) || $user_id == $currentUser->id) { + if ((empty($currentUser['role']['perm_community_admin']) && empty($currentUser['role']['perm_group_admin'])) || $user_id == $currentUser->id) { $user = $currentUser; } else { $user = $this->Users->get($user_id, [ diff --git a/src/Model/Behavior/NotifyAdminsBehavior.php b/src/Model/Behavior/NotifyAdminsBehavior.php index d07df96..c6a3306 100644 --- a/src/Model/Behavior/NotifyAdminsBehavior.php +++ b/src/Model/Behavior/NotifyAdminsBehavior.php @@ -75,7 +75,7 @@ class NotifyAdminsBehavior extends Behavior $loggedUser = Configure::read('loggedUser'); if ( empty(Configure::read('inbox.data_change_notify_for_all', false)) && - (empty($loggedUser) || !empty($loggedUser['role']['perm_admin']) || !empty($loggedUser['role']['perm_sync'])) + (empty($loggedUser) || !empty($loggedUser['role']['perm_admin']) || !empty($loggedUser['role']['perm_sync']) || !empty(empty($loggedUser['role']['perm_community_admin']))) ) { return false; } diff --git a/src/Model/Table/EncryptionKeysTable.php b/src/Model/Table/EncryptionKeysTable.php index 00b9ab4..d2c6b55 100644 --- a/src/Model/Table/EncryptionKeysTable.php +++ b/src/Model/Table/EncryptionKeysTable.php @@ -164,7 +164,7 @@ class EncryptionKeysTable extends AppTable if ($entity['owner_model'] !== 'organisation') { return false; } - if (!empty($user['role']['perm_admin'])) { + if (!empty($user['role']['perm_community_admin'])) { return true; } if ( 
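Review bot: The new term `!empty(empty($loggedUser['role']['perm_community_admin']))` in NotifyAdminsBehavior evaluates to `empty($loggedUser['role']['perm_community_admin'])` (empty() of a bool negates it, and !empty() of the result negates it again), so the whole OR is true for every user who is *not* a community admin and the method returns false for them; with `inbox.data_change_notify_for_all` at its default, admins stop being notified about data changes made by ordinary users, which is the opposite of the existing treatment of perm_admin and perm_sync. Write it like the neighbouring terms: `|| !empty($loggedUser['role']['perm_community_admin'])`. The enclosing method starts and ends outside the hunk.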
@@ -181,7 +181,7 @@ class EncryptionKeysTable extends AppTable if ($entity['owner_model'] !== 'individual') { return false; } - if (!empty($user['role']['perm_admin'])) { + if (!empty($user['role']['perm_community_admin'])) { return true; } if ($user['role']['perm_org_admin']) { diff --git a/src/Model/Table/InboxTable.php b/src/Model/Table/InboxTable.php index 4a90910..7aa9d66 100644 --- a/src/Model/Table/InboxTable.php +++ b/src/Model/Table/InboxTable.php @@ -77,7 +77,7 @@ class InboxTable extends AppTable { $this->Users = \Cake\ORM\TableRegistry::getTableLocator()->get('Users'); $conditions = []; - if (empty($currentUser['role']['perm_admin'])) { + if (empty($currentUser['role']['perm_community_admin'])) { $conditions['organisation_id IN'] = [$currentUser['organisation_id']]; } $users = $this->Users->find()->where($conditions)->all()->extract('username')->toList(); diff --git a/src/Model/Table/IndividualsTable.php b/src/Model/Table/IndividualsTable.php index 8940618..cd77512 100644 --- a/src/Model/Table/IndividualsTable.php +++ b/src/Model/Table/IndividualsTable.php 
@@ -126,28 +126,44 @@ class IndividualsTable extends AppTable public function getValidIndividualsToEdit(object $currentUser): array { $isSiteAdmin = $currentUser['role']['perm_admin']; + $isCommunityAdmin = $currentUser['role']['perm_community_admin']; $isGroupAdmin = $currentUser['role']['perm_group_admin']; $validRoles = $this->Users->Roles->find('list')->select(['id']); if (!$isSiteAdmin) { - $validRoles->where(['perm_admin' => 0]); + $validRoles->where(['perm_community_admin' => 0]); } $validRoles = $validRoles->all()->toArray(); $conditions = [ 'disabled' => 0 ]; - if (!$isSiteAdmin) { + if (!$isCommunityAdmin) { $conditions['OR'] = [ ['role_id IN' => array_keys($validRoles)], ['id' => $currentUser['id']] ]; if ($isGroupAdmin) { $OrgGroups = \Cake\ORM\TableRegistry::getTableLocator()->get('OrgGroups'); - $conditions['organisation_id IN'] = $OrgGroups->getGroupOrgIdsForUser($currentUser); + $orgGroupIds = $OrgGroups->getGroupOrgIdsForUser($currentUser); + $conditions['organisation_id IN'] = $orgGroupIds; } else { $conditions['organisation_id'] = $currentUser['organisation_id']; } } $validIndividualIds = $this->Users->find()->select(['individual_id'])->where($conditions)->all()->extract('individual_id')->toArray(); + if (!$isCommunityAdmin) { + $conditions = []; + if ($isGroupAdmin) { + $conditions = ['organisation_id IN' => $orgGroupIds]; + } else { + $conditions['organisation_id'] = $currentUser['organisation_id']; + } + $alignmentBasedIndividualIds = $this->Alignments->find('list', [ + 'keyField' => 'id', + 'valueField' => 'individual_id' + ])->where($conditions)->all()->toList(); + $validIndividualIds = array_merge($validIndividualIds, $alignmentBasedIndividualIds); + $validIndividualIds = array_unique($validIndividualIds); + } return $validIndividualIds; } diff --git a/src/Model/Table/InstanceTable.php b/src/Model/Table/InstanceTable.php index 596a80d..e184594 100644 --- a/src/Model/Table/InstanceTable.php +++ b/src/Model/Table/InstanceTable.php 
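Review bot: The second query merges in every individual that has an Alignment to the caller's organisation(s) with no role restriction, so the `role_id IN` filter applied by the first Users query is bypassed: an individual who is a community-admin (or otherwise excluded) user of another organisation becomes editable by any org or group admin whose organisation they are merely aligned with. Subtract the individuals backed by a user whose role is not in $validRoles before merging, as sketched below. Separately, `$isSiteAdmin` still gates the role filter while `$isCommunityAdmin` gates everything else, so a site admin without the community flag gets an unfiltered role list; use `if (!$isCommunityAdmin)` for both.

```php
$validIndividualIds = $this->Users->find()->select(['individual_id'])->where($conditions)->all()->extract('individual_id')->toArray();
if (!$isCommunityAdmin) {
    // … unchanged: $conditions built from $orgGroupIds / organisation_id …
    $alignmentBasedIndividualIds = $this->Alignments->find('list', [
        'keyField' => 'id',
        'valueField' => 'individual_id'
    ])->where($conditions)->all()->toList();
    // Individuals backed by a user whose role the caller may not touch stay out,
    // even when they are aligned with the caller's organisation(s).
    $privilegedIndividualIds = $this->Users->find()->select(['individual_id'])
        ->where(['role_id NOT IN' => array_keys($validRoles), 'individual_id IS NOT' => null])
        ->all()->extract('individual_id')->toArray();
    $alignmentBasedIndividualIds = array_diff($alignmentBasedIndividualIds, $privilegedIndividualIds);
    $validIndividualIds = array_unique(array_merge($validIndividualIds, $alignmentBasedIndividualIds));
}
```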
@@ -38,7 +38,7 @@ class InstanceTable extends AppTable 'conditions' => false, 'afterFind' => function($result, $user) { foreach ($result as $i => $row) { - if (empty($user['role']['perm_admin'])) { + if (empty($user['role']['perm_community_admin'])) { $orgFound = false; if (!empty($row['sharing_group_orgs'])) { foreach ($row['sharing_group_orgs'] as $org) { @@ -58,7 +58,7 @@ class InstanceTable extends AppTable 'Users' => [ 'conditions' => function($user) { $conditions = []; - if (empty($user['role']['perm_admin'])) { + if (empty($user['role']['perm_community_admin'])) { $conditions['Users.organisation_id'] = $user['organisation_id']; } return $conditions; @@ -264,8 +264,10 @@ class InstanceTable extends AppTable $broods = ''; $edges = ''; // pre-run the loop to get the latest version - foreach ($data['broods'] as $brood) { - if ($brood['status']['code'] === 200) { + foreach ($data['broods'] as $k => $brood) { + if (!isset($brood['status']['code'])) { + $data['broods'][$k]['status']['code'] = 495 . ' - SSL error'; + } else if ($brood['status']['code'] === 200) { if (version_compare($brood['status']['response']['version'], $newest) > 0) { $newest = $brood['status']['response']['version']; } diff --git a/src/Model/Table/OrgGroupsTable.php b/src/Model/Table/OrgGroupsTable.php index 955eadc..febbbc5 100644 --- a/src/Model/Table/OrgGroupsTable.php +++ b/src/Model/Table/OrgGroupsTable.php @@ -38,7 +38,7 @@ class OrgGroupsTable extends AppTable public function checkIfGroupAdmin(int $groupId, User $user): bool { - if (!empty($user['role']['perm_admin'])) { + if (!empty($user['role']['perm_community_admin'])) { return true; } $orgGroup = $this->get($groupId, ['contain' => 'Users']); diff --git a/src/Model/Table/OrganisationsTable.php b/src/Model/Table/OrganisationsTable.php index 34d5a57..0b04579 100644 --- a/src/Model/Table/OrganisationsTable.php +++ b/src/Model/Table/OrganisationsTable.php 
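Review bot: Every brood without a status code is labelled `495 . ' - SSL error'`, but a missing code also covers timeouts, DNS failures and refused connections, so whatever renders the status will blame a certificate for outages that have nothing to do with TLS; the concatenation also stores a string in a field the same loop compares with `=== 200` as an int. Keep the code numeric and put the text in its own key, e.g. `$data['broods'][$k]['status']['code'] = 0;` and `$data['broods'][$k]['status']['message'] = __('No response');`, and only produce an SSL label when the HTTP client actually reported a TLS error. The enclosing method starts and ends outside the hunk.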
@@ -87,7 +87,7 @@ class OrganisationsTable extends AppTable public function getEditableOrganisationsForUser($user): array { $query = $this->find(); - if (empty($user['role']['perm_admin'])) { + if (empty($user['role']['perm_community_admin'])) { if (!empty($user['role']['perm_org_admin'])) { $query->where(['Organisations.id' => $user['organisation']['id']]); } else { diff --git a/src/Model/Table/UsersTable.php b/src/Model/Table/UsersTable.php index 66254e2..14c4750 100644 --- a/src/Model/Table/UsersTable.php +++ b/src/Model/Table/UsersTable.php @@ -111,7 +111,6 @@ class UsersTable extends AppTable } } } - if (!$enabled && !empty($entity->_metafields_to_delete)) { foreach ($entity->_metafields_to_delete as $metaFieldToDelete) { if ($metaFieldToDelete['field'] === $permission_name) { @@ -120,7 +119,7 @@ class UsersTable extends AppTable } } - if ($valueToCompareTo > $permission_data['limit']) { + if ($enabled && $valueToCompareTo > $permission_data['limit']) { return [ $permission_name => __( @@ -202,7 +201,7 @@ class UsersTable extends AppTable foreach ($permissionRestrictionCheck as $permission_name => $errors) { foreach ($entity->meta_fields as $i => $metaField) { if ($metaField['field'] === $permission_name) { - $entity->meta_fields[$i]->setErrors(['value' => $errors]); + $entity->setErrors(['meta_fields' => [$permission_name => $errors]]); } } } @@ -220,6 +219,7 @@ class UsersTable extends AppTable $role = $this->Roles->newEntity([ 'name' => 'admin', 'perm_admin' => 1, + 'perm_community_admin' => 1, 'perm_org_admin' => 1, 'perm_sync' => 1 ]); diff --git a/templates/EnumerationCollections/index.php b/templates/EnumerationCollections/index.php index a4cefd1..1d45296 100644 --- a/templates/EnumerationCollections/index.php +++ b/templates/EnumerationCollections/index.php @@ -1,6 +1,6 @@ role->perm_admin)) { +if (!empty($loggedUser->role->perm_community_admin)) { $topbarChildren[] = [ 'type' => 'simple', 'children' => [ 
@@ -81,13 +81,13 @@ echo $this->element('genericElements/IndexTable/index_table', [ 'open_modal' => '/enumerationCollections/edit/[onclick_params_data_path]', 'modal_params_data_path' => 'id', 'icon' => 'edit', - 'requirement' => !empty($loggedUser['role']['perm_admin']) + 'requirement' => !empty($loggedUser['role']['perm_community_admin']) ], [ 'open_modal' => '/enumerationCollections/delete/[onclick_params_data_path]', 'modal_params_data_path' => 'id', 'icon' => 'trash', - 'requirement' => !empty($loggedUser['role']['perm_admin']) + 'requirement' => !empty($loggedUser['role']['perm_community_admin']) ], ] ] diff --git a/templates/Enumerations/index.php b/templates/Enumerations/index.php index e1b8e1b..adaa97d 100644 --- a/templates/Enumerations/index.php +++ b/templates/Enumerations/index.php @@ -34,7 +34,7 @@ echo $this->element('genericElements/IndexTable/index_table', [ 'open_modal' => '/enumerations/delete/[onclick_params_data_path]', 'modal_params_data_path' => 'id', 'icon' => 'trash', - 'requirement' => !empty($loggedUser['role']['perm_admin']) + 'requirement' => !empty($loggedUser['role']['perm_community_admin']) ], ] ] diff --git a/templates/Individuals/add.php b/templates/Individuals/add.php index 393419d..e14a46a 100644 --- a/templates/Individuals/add.php +++ b/templates/Individuals/add.php @@ -24,7 +24,7 @@ array( 'field' => 'tag_list', 'type' => 'tags', - 'requirements' => ($this->request->getParam('action') === 'edit' && $loggedUser['role']['perm_admin']) + 'requirements' => ($this->request->getParam('action') === 'edit' && $loggedUser['role']['perm_community_admin']) ), ), 'submit' => array( diff --git a/templates/Individuals/index.php b/templates/Individuals/index.php index 463f4de..99a031c 100644 --- a/templates/Individuals/index.php +++ b/templates/Individuals/index.php 
@@ -91,7 +91,7 @@ echo $this->element('genericElements/IndexTable/index_table', [ 'icon' => 'edit', 'complex_requirement' => [ 'function' => function ($row, $options) use ($loggedUser, $editableIds) { - if ($loggedUser['role']['perm_admin'] || ($editableIds && in_array($row['id'], $editableIds))) { + if ($loggedUser['role']['perm_community_admin'] || ($editableIds && in_array($row['id'], $editableIds))) { return true; } return false; @@ -107,7 +107,7 @@ echo $this->element('genericElements/IndexTable/index_table', [ if (!empty($row['user'])) { // cannot delete individuals with associated user(s) return false; } - return (bool)$loggedUser['role']['perm_admin']; + return (bool)$loggedUser['role']['perm_community_admin']; } ] ], diff --git a/templates/OrgGroups/index.php b/templates/OrgGroups/index.php index ad714bf..e6ca633 100644 --- a/templates/OrgGroups/index.php +++ b/templates/OrgGroups/index.php @@ -12,7 +12,7 @@ echo $this->element('genericElements/IndexTable/index_table', [ 'text' => __('Add group'), 'class' => 'btn btn-primary', 'popover_url' => '/orgGroups/add', - 'requirement' => !empty($loggedUser['role']['perm_admin']), + 'requirement' => !empty($loggedUser['role']['perm_community_admin']), ] ] ], @@ -73,13 +73,13 @@ echo $this->element('genericElements/IndexTable/index_table', [ 'open_modal' => '/orgGroups/edit/[onclick_params_data_path]', 'modal_params_data_path' => 'id', 'icon' => 'edit', - 'requirement' => $loggedUser['role']['perm_admin'] + 'requirement' => $loggedUser['role']['perm_community_admin'] ], [ 'open_modal' => '/orgGroups/delete/[onclick_params_data_path]', 'modal_params_data_path' => 'id', 'icon' => 'trash', - 'requirement' => $loggedUser['role']['perm_admin'] + 'requirement' => $loggedUser['role']['perm_community_admin'] ], ] ] diff --git a/templates/Organisations/add.php b/templates/Organisations/add.php index d8d9a99..d60da33 100644 --- a/templates/Organisations/add.php +++ b/templates/Organisations/add.php 
@@ -12,7 +12,7 @@ 'label' => 'UUID', 'type' => 'uuid', 'tooltip' => __('If the Organisation already has a known UUID in another application such as MISP or another Cerebrate, please re-use this one.'), - 'requirements' => $loggedUser['role']['perm_admin'] + 'requirements' => $loggedUser['role']['perm_community_admin'] ), array( 'field' => 'url' diff --git a/templates/Organisations/index.php b/templates/Organisations/index.php index b081b88..6b62fe9 100644 --- a/templates/Organisations/index.php +++ b/templates/Organisations/index.php @@ -12,7 +12,7 @@ echo $this->element('genericElements/IndexTable/index_table', [ 'text' => __('Add organisation'), 'class' => 'btn btn-primary', 'popover_url' => '/organisations/add', - 'requirement' => !empty($loggedUser['role']['perm_admin']), + 'requirement' => !empty($loggedUser['role']['perm_community_admin']), ] ] ], @@ -110,7 +110,7 @@ echo $this->element('genericElements/IndexTable/index_table', [ 'icon' => 'edit', 'complex_requirement' => [ 'function' => function ($row, $options) use ($loggedUser, $validOrgs) { - if ($loggedUser['role']['perm_admin'] || ($loggedUser['role']['perm_org_admin'] && $row['id'] == $loggedUser['organisation']['id'])) { + if ($loggedUser['role']['perm_community_admin'] || ($loggedUser['role']['perm_org_admin'] && $row['id'] == $loggedUser['organisation']['id'])) { return true; } if ($loggedUser['role']['perm_group_admin'] && in_array($row['id'], $validOrgs)) { @@ -124,7 +124,7 @@ echo $this->element('genericElements/IndexTable/index_table', [ 'open_modal' => '/organisations/delete/[onclick_params_data_path]', 'modal_params_data_path' => 'id', 'icon' => 'trash', - 'requirement' => $loggedUser['role']['perm_admin'] + 'requirement' => $loggedUser['role']['perm_community_admin'] ], ] ] diff --git a/templates/Roles/add.php b/templates/Roles/add.php index f01e773..4d6028f 100644 --- a/templates/Roles/add.php +++ b/templates/Roles/add.php 
@@ -10,7 +10,12 @@ [ 'field' => 'perm_admin', 'type' => 'checkbox', - 'label' => 'Full admin privilege' + 'label' => 'Site admin privilege (instance management)' + ], + [ + 'field' => 'perm_community', + 'type' => 'checkbox', + 'label' => 'Community admin privilege (data admin)' ], [ 'field' => 'perm_group_admin', diff --git a/templates/Roles/index.php b/templates/Roles/index.php index a5f2ffb..60eda62 100644 --- a/templates/Roles/index.php +++ b/templates/Roles/index.php @@ -1,6 +1,6 @@ role->perm_admin)) { +if (!empty($loggedUser->role->perm_community_admin)) { $topbarChildren[] = [ 'type' => 'simple', 'children' => [ @@ -45,11 +45,17 @@ echo $this->element('genericElements/IndexTable/index_table', [ 'placeholder' => __('Leave empty to auto generate') ], [ - 'name' => __('Admin'), + 'name' => __('Site Admin'), 'sort' => 'perm_admin', 'data_path' => 'perm_admin', 'element' => 'boolean' ], + [ + 'name' => __('Community Admin'), + 'sort' => 'perm_community_admin', + 'data_path' => 'perm_community_admin', + 'element' => 'boolean' + ], [ 'name' => __('Group Admin'), 'sort' => 'perm_group_admin', @@ -89,13 +95,13 @@ echo $this->element('genericElements/IndexTable/index_table', [ 'open_modal' => '/roles/edit/[onclick_params_data_path]', 'modal_params_data_path' => 'id', 'icon' => 'edit', - 'requirement' => !empty($loggedUser['role']['perm_admin']) + 'requirement' => !empty($loggedUser['role']['perm_community_admin']) ], [ 'open_modal' => '/roles/delete/[onclick_params_data_path]', 'modal_params_data_path' => 'id', 'icon' => 'trash', - 'requirement' => !empty($loggedUser['role']['perm_admin']) + 'requirement' => !empty($loggedUser['role']['perm_community_admin']) ], ] ] diff --git a/templates/Roles/view.php b/templates/Roles/view.php index 01d0c8d..f16ae39 100644 --- a/templates/Roles/view.php +++ b/templates/Roles/view.php 
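Review bot: The new checkbox is bound to `'field' => 'perm_community'`, while every other place in this commit (Roles/index.php, Roles/view.php, RolesController::$filterFields and the controllers' ACL checks) uses the column `perm_community_admin`; as written the form posts a field the Role entity does not carry, so the community-admin flag can never be set or cleared from the UI. Change it to `'field' => 'perm_community_admin',`.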
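Review bot: Role edit and delete are now offered to anyone with perm_community_admin, yet the role form exposes the "Site admin privilege" checkbox, so a community ("data") admin can mint or edit a role with perm_admin = 1 and assign it to themselves; gating the buttons here provides no server-side protection. Unless RolesController already enforces it (its add/edit bodies are not visible in this diff), the add/edit actions should refuse `perm_admin = 1` (and arguably `perm_sync = 1`) unless the current user holds perm_admin, and the template could mirror that with `'requirement' => !empty($loggedUser['role']['perm_admin']) || !empty($loggedUser['role']['perm_community_admin'])` only once the controller check exists.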
@@ -13,10 +13,15 @@ echo $this->element( 'path' => 'name' ], [ - 'key' => __('Admin permission'), + 'key' => __('Site admin permission (instance management)'), 'path' => 'perm_admin', 'type' => 'boolean' ], + [ + 'key' => __('Community admin permission (data admin)'), + 'path' => 'perm_community_admin', + 'type' => 'boolean' + ], [ 'key' => __('Organisation Group admin permission'), 'path' => 'perm_group_admin',