organization_folders/lib/Security/ResourceVoter.php

<?php

namespace OCA\OrganizationFolders\Security;

use OCP\IUser;
use OCP\IGroupManager;

use OCA\OrganizationFolders\Db\Resource;
use OCA\OrganizationFolders\Model\OrganizationFolder;
use OCA\OrganizationFolders\Service\OrganizationFolderService;
use OCA\OrganizationFolders\Service\OrganizationFolderMemberService;
use OCA\OrganizationFolders\Service\ResourceService;
use OCA\OrganizationFolders\Service\ResourceMemberService;
use OCA\OrganizationFolders\Enum\ResourceMemberPermissionLevel;
use OCA\OrganizationFolders\Enum\PrincipalType;
use OCA\OrganizationFolders\OrganizationProvider\OrganizationProviderManager;
use OCA\OrganizationFolders\Security\OrganizationFolderVoter;

class ResourceVoter extends Voter {
	public function __construct(
        private OrganizationFolderService $organizationFolderService,
        private OrganizationFolderMemberService $organizationFolderMemberService,
		private ResourceService $resourceService,
        private ResourceMemberService $resourceMemberService,
		private IGroupManager $groupManager,
        private OrganizationProviderManager $organizationProviderManager,
        private OrganizationFolderVoter $organizationFolderVoter,
	) {
	}
	protected function supports(string $attribute, mixed $subject): bool {
		return $subject instanceof Resource || $subject === Resource::class;
	}


	protected function voteOnAttribute(string $attribute, mixed $subject, ?IUser $user): bool {
		if (!$user) {
			return false;
        }

		/** @var Resource */
		$resource = $subject;
		return match ($attribute) {
			'READ' => $this->isGranted( $user, $resource),
            // can read limited information about the resource (true: limited read is allowed, full read may be allowed, false: limited read is not allowed, full read may be allowed (!))
            'READ_LIMITED' => $this->isGrantedLimitedRead($user, $resource),
            'UPDATE' => $this->isGranted($user, $resource),
			'DELETE' => $this->isGranted($user, $resource),
            'UPDATE_MEMBERS' => $this->isGranted($user, $resource),
            'CREATE_SUBRESOURCE' => $this->isGranted($user, $resource),
			default => throw new \LogicException('This code should not be reached!')
		};
	}

    private function allowedToManageAllResourcesInOrganizationFolder(IUser $user, OrganizationFolder $resourceOrganizationFolder): bool {
        return $this->organizationFolderVoter->vote($user, $resourceOrganizationFolder, ["MANAGE_ALL_RESOURCES"]) === self::ACCESS_GRANTED;
    }

	/**
	 * @param IUser $user
	 * @param Resource $resource
	 * @return bool
	 */
	private function isResourceManager(IUser $user, Resource $resource, OrganizationFolder $resourceOrganizationFolder): bool {
		$resourceMembers = $this->resourceMemberService->findAll($resource->getId());

        foreach($resourceMembers as $resourceMember) {
            if($resourceMember->getPermissionLevel() === ResourceMemberPermissionLevel::MANAGER->value) {
                $principal = $resourceMember->getPrincipal();

                if($principal->getType() === PrincipalType::USER) {
                    if($principal->getId() === $user->getUID()) {
                        return true;
                    }
                } else if($principal->getType() === PrincipalType::GROUP) {
                    if($this->userIsInGroup($user, $principal->getId())) {
                        return true;
                    }
                } else if($principal->getType() === PrincipalType::ROLE) {
                    [$organizationProviderId, $roleId] = explode(":", $principal->getId(), 2);
					
                    if($this->userHasRole($user, $organizationProviderId, $roleId)) {
                        return true;
                    }
                }
            }
        }

        // inherit manager permissions from level above
        if($resource->getInheritManagers()) {
            if(!is_null($resource->getParentResource())) {
                // not top-level resource -> allowed to manage resource if allowed to manage parent resource
                $parentResource = $this->resourceService->getParentResource($resource);

                if(!is_null($parentResource)) {
                    return $this->isResourceManager($user, $parentResource, $resourceOrganizationFolder);
                }
            } else {
                // top-level resource -> allowed to manage resource if manager of organization folder
                return $this->organizationFolderVoter->vote($user, $resourceOrganizationFolder, ["MANAGE_TOP_LEVEL_RESOURCES"]) === self::ACCESS_GRANTED;
            }
        }

        return false;
	}

	protected function isGranted(IUser $user, Resource $resource): bool {
        $resourceOrganizationFolder = $this->organizationFolderService->find($resource->getOrganizationFolderId());

		return $this->allowedToManageAllResourcesInOrganizationFolder($user, $resourceOrganizationFolder)
                || $this->isResourceManager($user, $resource, $resourceOrganizationFolder);
	}

    protected function isGrantedLimitedRead(IUser $user, Resource $resource): bool {
        $subResources = $this->resourceService->getAllSubResources($resource);

        foreach($subResources as $subResource) {
            if($this->isManagerOfAnySubresource($user, $subResource)) {
                return true;
            }
        }

        return false;
    }

    protected function isManagerOfAnySubresource(IUser $user, Resource $resource) {
        if($this->isGranted($user, $resource)) {
            return true;
        }

        $subResources = $this->resourceService->getAllSubResources($resource);

        foreach($subResources as $subResource) {
            if($this->isManagerOfAnySubresource($user, $subResource)) {
                return true;
            }
        }

        return false;
    }

    private function userIsInGroup(IUser $user, string $groupId): bool {
        return $this->groupManager->isInGroup($user->getUID(), $groupId);
    }

    private function userHasRole(IUser $user, string $organizationProviderId, string $roleId): bool {
        $organizationProvider = $this->organizationProviderManager->getOrganizationProvider($organizationProviderId);
        $role = $organizationProvider->getRole($roleId);

        return $this->userIsInGroup($user, $role->getMembersGroup());
    }
}
Added security classes and draft version of ResourceVoter 2024-11-06 22:11:16 +01:00			`<?php`

			`namespace OCA\OrganizationFolders\Security;`

			`use OCP\IUser;`
			`use OCP\IGroupManager;`

			`use OCA\OrganizationFolders\Db\Resource;`
added OrganizationFolder security voter; improved Resource security voter 2024-11-18 18:04:40 +01:00			`use OCA\OrganizationFolders\Model\OrganizationFolder;`
			`use OCA\OrganizationFolders\Service\OrganizationFolderService;`
Allow organization folder admins to view/update/... all resources of organization folder, regardless of manager rights inheritance 2024-11-16 03:23:19 +01:00			`use OCA\OrganizationFolders\Service\OrganizationFolderMemberService;`
Added security classes and draft version of ResourceVoter 2024-11-06 22:11:16 +01:00			`use OCA\OrganizationFolders\Service\ResourceService;`
			`use OCA\OrganizationFolders\Service\ResourceMemberService;`
many small resource member related improvements 2024-11-16 03:06:21 +01:00			`use OCA\OrganizationFolders\Enum\ResourceMemberPermissionLevel;`
added user-has-manager-permissions dav prop; added principal model and simplified the ACL code with it 2024-11-12 15:36:07 +01:00			`use OCA\OrganizationFolders\Enum\PrincipalType;`
Added security classes and draft version of ResourceVoter 2024-11-06 22:11:16 +01:00			`use OCA\OrganizationFolders\OrganizationProvider\OrganizationProviderManager;`
added OrganizationFolder security voter; improved Resource security voter 2024-11-18 18:04:40 +01:00			`use OCA\OrganizationFolders\Security\OrganizationFolderVoter;`
Added security classes and draft version of ResourceVoter 2024-11-06 22:11:16 +01:00
			`class ResourceVoter extends Voter {`
			`public function __construct(`
added OrganizationFolder security voter; improved Resource security voter 2024-11-18 18:04:40 +01:00			`private OrganizationFolderService $organizationFolderService,`
Allow organization folder admins to view/update/... all resources of organization folder, regardless of manager rights inheritance 2024-11-16 03:23:19 +01:00			`private OrganizationFolderMemberService $organizationFolderMemberService,`
Added security classes and draft version of ResourceVoter 2024-11-06 22:11:16 +01:00			`private ResourceService $resourceService,`
			`private ResourceMemberService $resourceMemberService,`
			`private IGroupManager $groupManager,`
			`private OrganizationProviderManager $organizationProviderManager,`
added OrganizationFolder security voter; improved Resource security voter 2024-11-18 18:04:40 +01:00			`private OrganizationFolderVoter $organizationFolderVoter,`
Added security classes and draft version of ResourceVoter 2024-11-06 22:11:16 +01:00			`) {`
			`}`
			`protected function supports(string $attribute, mixed $subject): bool {`
			`return $subject instanceof Resource \|\| $subject === Resource::class;`
			`}`


			`protected function voteOnAttribute(string $attribute, mixed $subject, ?IUser $user): bool {`
			`if (!$user) {`
			`return false;`
			`}`

			`/** @var Resource */`
			`$resource = $subject;`
			`return match ($attribute) {`
added subresources api endpoint 2024-11-25 15:28:40 +01:00			`'READ' => $this->isGranted( $user, $resource),`
			`// can read limited information about the resource (true: limited read is allowed, full read may be allowed, false: limited read is not allowed, full read may be allowed (!))`
			`'READ_LIMITED' => $this->isGrantedLimitedRead($user, $resource),`
Added security classes and draft version of ResourceVoter 2024-11-06 22:11:16 +01:00			`'UPDATE' => $this->isGranted($user, $resource),`
			`'DELETE' => $this->isGranted($user, $resource),`
added user-has-manager-permissions dav prop; added principal model and simplified the ACL code with it 2024-11-12 15:36:07 +01:00			`'UPDATE_MEMBERS' => $this->isGranted($user, $resource),`
many small resource member related improvements 2024-11-16 03:06:21 +01:00			`'CREATE_SUBRESOURCE' => $this->isGranted($user, $resource),`
Added security classes and draft version of ResourceVoter 2024-11-06 22:11:16 +01:00			`default => throw new \LogicException('This code should not be reached!')`
			`};`
			`}`

added OrganizationFolder security voter; improved Resource security voter 2024-11-18 18:04:40 +01:00			`private function allowedToManageAllResourcesInOrganizationFolder(IUser $user, OrganizationFolder $resourceOrganizationFolder): bool {`
			`return $this->organizationFolderVoter->vote($user, $resourceOrganizationFolder, ["MANAGE_ALL_RESOURCES"]) === self::ACCESS_GRANTED;`
Added security classes and draft version of ResourceVoter 2024-11-06 22:11:16 +01:00			`}`

			`/**`
			`* @param IUser $user`
			`* @param Resource $resource`
			`* @return bool`
			`*/`
added OrganizationFolder security voter; improved Resource security voter 2024-11-18 18:04:40 +01:00			`private function isResourceManager(IUser $user, Resource $resource, OrganizationFolder $resourceOrganizationFolder): bool {`
Added security classes and draft version of ResourceVoter 2024-11-06 22:11:16 +01:00			`$resourceMembers = $this->resourceMemberService->findAll($resource->getId());`

			`foreach($resourceMembers as $resourceMember) {`
many small resource member related improvements 2024-11-16 03:06:21 +01:00			`if($resourceMember->getPermissionLevel() === ResourceMemberPermissionLevel::MANAGER->value) {`
added user-has-manager-permissions dav prop; added principal model and simplified the ACL code with it 2024-11-12 15:36:07 +01:00			`$principal = $resourceMember->getPrincipal();`

			`if($principal->getType() === PrincipalType::USER) {`
			`if($principal->getId() === $user->getUID()) {`
Added security classes and draft version of ResourceVoter 2024-11-06 22:11:16 +01:00			`return true;`
			`}`
added user-has-manager-permissions dav prop; added principal model and simplified the ACL code with it 2024-11-12 15:36:07 +01:00			`} else if($principal->getType() === PrincipalType::GROUP) {`
many small resource member related improvements 2024-11-16 03:06:21 +01:00			`if($this->userIsInGroup($user, $principal->getId())) {`
Added security classes and draft version of ResourceVoter 2024-11-06 22:11:16 +01:00			`return true;`
			`}`
added user-has-manager-permissions dav prop; added principal model and simplified the ACL code with it 2024-11-12 15:36:07 +01:00			`} else if($principal->getType() === PrincipalType::ROLE) {`
			`[$organizationProviderId, $roleId] = explode(":", $principal->getId(), 2);`
Added security classes and draft version of ResourceVoter 2024-11-06 22:11:16 +01:00
many small resource member related improvements 2024-11-16 03:06:21 +01:00			`if($this->userHasRole($user, $organizationProviderId, $roleId)) {`
Added security classes and draft version of ResourceVoter 2024-11-06 22:11:16 +01:00			`return true;`
			`}`
			`}`
			`}`
			`}`

added OrganizationFolder security voter; improved Resource security voter 2024-11-18 18:04:40 +01:00			`// inherit manager permissions from level above`
Added security classes and draft version of ResourceVoter 2024-11-06 22:11:16 +01:00			`if($resource->getInheritManagers()) {`
added OrganizationFolder security voter; improved Resource security voter 2024-11-18 18:04:40 +01:00			`if(!is_null($resource->getParentResource())) {`
			`// not top-level resource -> allowed to manage resource if allowed to manage parent resource`
			`$parentResource = $this->resourceService->getParentResource($resource);`
Added security classes and draft version of ResourceVoter 2024-11-06 22:11:16 +01:00
added OrganizationFolder security voter; improved Resource security voter 2024-11-18 18:04:40 +01:00			`if(!is_null($parentResource)) {`
			`return $this->isResourceManager($user, $parentResource, $resourceOrganizationFolder);`
			`}`
			`} else {`
			`// top-level resource -> allowed to manage resource if manager of organization folder`
			`return $this->organizationFolderVoter->vote($user, $resourceOrganizationFolder, ["MANAGE_TOP_LEVEL_RESOURCES"]) === self::ACCESS_GRANTED;`
Added security classes and draft version of ResourceVoter 2024-11-06 22:11:16 +01:00			`}`
			`}`

			`return false;`
			`}`

			`protected function isGranted(IUser $user, Resource $resource): bool {`
added OrganizationFolder security voter; improved Resource security voter 2024-11-18 18:04:40 +01:00			`$resourceOrganizationFolder = $this->organizationFolderService->find($resource->getOrganizationFolderId());`

			`return $this->allowedToManageAllResourcesInOrganizationFolder($user, $resourceOrganizationFolder)`
			`\|\| $this->isResourceManager($user, $resource, $resourceOrganizationFolder);`
Added security classes and draft version of ResourceVoter 2024-11-06 22:11:16 +01:00			`}`
many small resource member related improvements 2024-11-16 03:06:21 +01:00
added subresources api endpoint 2024-11-25 15:28:40 +01:00			`protected function isGrantedLimitedRead(IUser $user, Resource $resource): bool {`
			`$subResources = $this->resourceService->getAllSubResources($resource);`

			`foreach($subResources as $subResource) {`
			`if($this->isManagerOfAnySubresource($user, $subResource)) {`
			`return true;`
			`}`
			`}`

			`return false;`
			`}`

			`protected function isManagerOfAnySubresource(IUser $user, Resource $resource) {`
			`if($this->isGranted($user, $resource)) {`
			`return true;`
			`}`

			`$subResources = $this->resourceService->getAllSubResources($resource);`

			`foreach($subResources as $subResource) {`
			`if($this->isManagerOfAnySubresource($user, $subResource)) {`
			`return true;`
			`}`
			`}`

			`return false;`
			`}`

many small resource member related improvements 2024-11-16 03:06:21 +01:00			`private function userIsInGroup(IUser $user, string $groupId): bool {`
			`return $this->groupManager->isInGroup($user->getUID(), $groupId);`
			`}`

			`private function userHasRole(IUser $user, string $organizationProviderId, string $roleId): bool {`
			`$organizationProvider = $this->organizationProviderManager->getOrganizationProvider($organizationProviderId);`
			`$role = $organizationProvider->getRole($roleId);`

			`return $this->userIsInGroup($user, $role->getMembersGroup());`
Allow organization folder admins to view/update/... all resources of organization folder, regardless of manager rights inheritance 2024-11-16 03:23:19 +01:00			`}`
Added security classes and draft version of ResourceVoter 2024-11-06 22:11:16 +01:00			`}`