Merge pull request #92 from sheldor1510/unity-perms

Created UnityPerms Class
UnityHPC · Jul 17, 2023 · a716b8a · a716b8a
2 parents 77d871d + 5e587f3
commit a716b8a
Show file tree

Hide file tree

Showing 4 changed files with 365 additions and 3 deletions.
diff --git a/resources/lib/UnityPerms.php b/resources/lib/UnityPerms.php
@@ -0,0 +1,131 @@
+<?php
+
+namespace UnityWebPortal\lib;
+
+class UnityPerms
+{
+    private $SQL;
+    private $USER;
+
+    public function __construct($SQL, $USER)
+    {
+        $this->SQL = $SQL;
+        $this->USER = $USER;
+    }
+
+    public function checkApproveUser($uid, $operated_on, $group)
+    {
+        if (!$this->USER->isInGroup($uid, $group)) {
+            return false;
+        }
+
+        $role = $this->SQL->getRole($uid, $group);
+
+        if ($this->SQL->hasPerm($role, 'unity.admin') || $this->SQL->hasPerm($role, 'unity.admin_no_grant')) {
+            return true;
+        }
+
+        if (!$this->SQL->hasPerm($role, 'unity.approve_user')) {
+            return false;
+        }
+
+        $operated_on_role = $this->SQL->getRole($operated_on, $group);
+
+        if ($this->SQL->getPriority($operated_on_role) >= $this->SQL->getPriority($role)) {
+            return false;
+        }
+
+        return true;
+    }
+
+    public function checkDenyUser($uid, $operated_on, $group)
+    {
+        if (!$this->USER->isInGroup($uid, $group)) {
+            return false;
+        }
+
+        $role = $this->SQL->getRole($uid, $group);
+
+        if ($this->SQL->hasPerm($role, 'unity.admin') || $this->SQL->hasPerm($role, 'unity.admin_no_grant')) {
+            return true;
+        }
+
+        if (!$this->SQL->hasPerm($role, 'unity.deny_user')) {
+            return false;
+        }
+
+        $operated_on_role = $this->SQL->getRole($operated_on, $group);
+
+        if ($this->SQL->getPriority($operated_on_role) >= $this->SQL->getPriority($role)) {
+            return false;
+        }
+
+        return true;
+    }
+
+    public function checkGrantRole($uid, $group, $role)
+    {
+        if (!$this->USER->isInGroup($uid, $group)) {
+            return false;
+        }
+
+        if (!$this->SQL->roleAvailableInGroup($uid, $group, $role)) {
+            return false;
+        }
+
+        $user_role = $this->SQL->getRole($uid, $group);
+
+        if ($this->SQL->hasPerm($user_role, 'unity.admin_no_grant') && $role == 'unity.admin') {
+            return false;
+        }
+
+        if ($this->SQL->hasPerm($user_role, 'unity.admin') || $this->SQL->hasPerm($user_role, 'unity.admin_no_grant')) {
+            return true;
+        }
+
+        if (!$this->SQL->hasPerm($user_role, 'unity.grant_role')) {
+            return false;
+        }
+
+        $role_to_grant = $this->SQL->getRole($role, $group);
+
+        if ($this->SQL->getPriority($role_to_grant) >= $this->SQL->getPriority($user_role)) {
+            return false;
+        }
+
+        return true;
+    }
+
+    public function checkRevokeRole($uid, $group, $role)
+    {
+        if (!$this->USER->isInGroup($uid, $group)) {
+            return false;
+        }
+
+        if (!$this->SQL->roleAvailableInGroup($uid, $group, $role)) {
+            return false;
+        }
+
+        $user_role = $this->SQL->getRole($uid, $group);
+
+        if ($this->SQL->hasPerm($user_role, 'unity.admin_no_grant') && $role == 'unity.admin') {
+            return false;
+        }
+
+        if ($this->SQL->hasPerm($user_role, 'unity.admin') || $this->SQL->hasPerm($user_role, 'unity.admin_no_grant')) {
+            return true;
+        }
+
+        if (!$this->SQL->hasPerm($user_role, 'unity.revoke_role')) {
+            return false;
+        }
+
+        $role_to_revoke = $this->SQL->getRole($role, $group);
+
+        if ($this->SQL->getPriority($role_to_revoke) >= $this->SQL->getPriority($user_role)) {
+            return false;
+        }
+
+        return true;
+    }
+}
diff --git a/resources/lib/UnitySQL.php b/resources/lib/UnitySQL.php
@@ -14,6 +14,12 @@ class UnitySQL
     private const TABLE_AUDIT_LOG = "audit_log";
     private const TABLE_ACCOUNT_DELETION_REQUESTS = "account_deletion_requests";
     private const TABLE_SITEVARS = "sitevars";
+    private const TABLE_GROUP_ROLES = "groupRoles";
+    private const TABLE_GROUP_TYPES = "groupTypes";
+    private const TABLE_GROUP_ROLE_ASSIGNMENTS = "groupRoleAssignments";
+    private const TABLE_GROUP_REQUESTS = "groupRequests";
+    private const TABLE_GROUP_JOIN_REQUESTS = "groupJoinRequests";
+
 
     private const REQUEST_ADMIN = "admin";
 
@@ -299,4 +305,70 @@ public function updateSiteVar($name, $value)
 
         $stmt->execute();
     }
+
+    public function getRole($uid, $group)
+    {
+        $stmt = $this->conn->prepare(
+            "SELECT * FROM " . self::TABLE_GROUP_ROLE_ASSIGNMENTS . " WHERE user=:uid AND `group`=:group"
+        );
+        $stmt->bindParam(":uid", $uid);
+        $stmt->bindParam(":group", $group);
+
+        $stmt->execute();
+
+        return $stmt->fetchAll()[0]['role'];
+    }
+
+    public function hasPerm($role, $perm)
+    {
+        $stmt = $this->conn->prepare(
+            "SELECT * FROM " . self::TABLE_GROUP_ROLES . " WHERE slug=:role"
+        );
+        $stmt->bindParam(":role", $role);
+
+        $stmt->execute();
+
+        $row = $stmt->fetchAll()[0];
+        $perms = explode(",", $row['perms']);
+        return in_array($perm, $perms);
+    }
+
+    public function getPriority($role)
+    {
+        $stmt = $this->conn->prepare(
+            "SELECT * FROM " . self::TABLE_GROUP_ROLES . " WHERE slug=:role"
+        );
+        $stmt->bindParam(":role", $role);
+
+        $stmt->execute();
+
+        $row = $stmt->fetchAll()[0];
+        return $row['priority'];
+    }
+
+    public function roleAvailableInGroup($uid, $group, $role)
+    {
+        $stmt = $this->conn->prepare(
+            "SELECT * FROM " . self::TABLE_GROUP_ROLE_ASSIGNMENTS . " WHERE user=:uid AND `group`=:group"
+        );
+        $stmt->bindParam(":uid", $uid);
+        $stmt->bindParam(":group", $group);
+
+        $stmt->execute();
+        $row = $stmt->fetchAll()[0];
+
+        $group_slug = $row['group'];
+
+        $stmt = $this->conn->prepare(
+            "SELECT * FROM " . self::TABLE_GROUP_TYPES . " WHERE slug=:slug"
+        );
+
+        $stmt->bindParam(":slug", $group_slug);
+        $stmt->execute();
+
+        $row = $stmt->fetchAll()[0];
+        $roles = explode(",", $row['roles']);
+
+        return in_array($role, $roles);
+    }
 }
diff --git a/resources/lib/UnityUser.php b/resources/lib/UnityUser.php
@@ -671,4 +671,29 @@ public function hasRequestedAccountDeletion()
     {
         return $this->SQL->accDeletionRequestExists($this->getUID());
     }
+
+    /**
+     * Checks whether a user is in a group or not
+     * @param  string  $uid   uid of the user
+     * @param  string  or object $group group to check
+     * @return boolean true if user is in group, false if not
+     */
+
+    public function isInGroup($uid, $group)
+    {
+        if (gettype($group) == "string") {
+            $group_checked = new UnityGroup(
+                $group,
+                $this->LDAP,
+                $this->SQL,
+                $this->MAILER,
+                $this->REDIS,
+                $this->WEBHOOK
+            );
+        } else {
+            $group_checked = $group;
+        }
+
+        return in_array($uid, $group_checked->getGroupMemberUIDs());
+    }
 }