mirror of
https://github.com/verdigado/organization_folders.git
synced 2024-11-24 05:30:27 +01:00
Allow organization folder admins to view/update/... all resources of organization folder, regardless of manager rights inheritance
This commit is contained in:
parent
fb3f9836a2
commit
24b8b615d3
1 changed files with 27 additions and 2 deletions
|
@ -6,14 +6,17 @@ use OCP\IUser;
|
||||||
use OCP\IGroupManager;
|
use OCP\IGroupManager;
|
||||||
|
|
||||||
use OCA\OrganizationFolders\Db\Resource;
|
use OCA\OrganizationFolders\Db\Resource;
|
||||||
|
use OCA\OrganizationFolders\Service\OrganizationFolderMemberService;
|
||||||
use OCA\OrganizationFolders\Service\ResourceService;
|
use OCA\OrganizationFolders\Service\ResourceService;
|
||||||
use OCA\OrganizationFolders\Service\ResourceMemberService;
|
use OCA\OrganizationFolders\Service\ResourceMemberService;
|
||||||
|
use OCA\OrganizationFolders\Enum\OrganizationFolderMemberPermissionLevel;
|
||||||
use OCA\OrganizationFolders\Enum\ResourceMemberPermissionLevel;
|
use OCA\OrganizationFolders\Enum\ResourceMemberPermissionLevel;
|
||||||
use OCA\OrganizationFolders\Enum\PrincipalType;
|
use OCA\OrganizationFolders\Enum\PrincipalType;
|
||||||
use OCA\OrganizationFolders\OrganizationProvider\OrganizationProviderManager;
|
use OCA\OrganizationFolders\OrganizationProvider\OrganizationProviderManager;
|
||||||
|
|
||||||
class ResourceVoter extends Voter {
|
class ResourceVoter extends Voter {
|
||||||
public function __construct(
|
public function __construct(
|
||||||
|
private OrganizationFolderMemberService $organizationFolderMemberService,
|
||||||
private ResourceService $resourceService,
|
private ResourceService $resourceService,
|
||||||
private ResourceMemberService $resourceMemberService,
|
private ResourceMemberService $resourceMemberService,
|
||||||
private IGroupManager $groupManager,
|
private IGroupManager $groupManager,
|
||||||
|
@ -45,7 +48,29 @@ class ResourceVoter extends Voter {
|
||||||
}
|
}
|
||||||
|
|
||||||
private function isResourceOrganizationFolderAdmin(IUser $user, Resource $resource): bool {
|
private function isResourceOrganizationFolderAdmin(IUser $user, Resource $resource): bool {
|
||||||
// TODO: implement
|
$organizationFolderMembers = $this->organizationFolderMemberService->findAll($resource->getOrganizationFolderId(), [
|
||||||
|
"permissionLevel" => OrganizationFolderMemberPermissionLevel::ADMIN,
|
||||||
|
]);
|
||||||
|
|
||||||
|
foreach($organizationFolderMembers as $organizationFolderMember) {
|
||||||
|
// should be true for all returned members because of the filter, double check because of the big security implications
|
||||||
|
if($organizationFolderMember->getPermissionLevel() === OrganizationFolderMemberPermissionLevel::ADMIN->value) {
|
||||||
|
$principal = $organizationFolderMember->getPrincipal();
|
||||||
|
|
||||||
|
if($principal->getType() === PrincipalType::GROUP) {
|
||||||
|
if($this->userIsInGroup($user, $principal->getId())) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
} else if($principal->getType() === PrincipalType::ROLE) {
|
||||||
|
[$organizationProviderId, $roleId] = explode(":", $principal->getId(), 2);
|
||||||
|
|
||||||
|
if($this->userHasRole($user, $organizationProviderId, $roleId)) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -105,5 +130,5 @@ class ResourceVoter extends Voter {
|
||||||
$role = $organizationProvider->getRole($roleId);
|
$role = $organizationProvider->getRole($roleId);
|
||||||
|
|
||||||
return $this->userIsInGroup($user, $role->getMembersGroup());
|
return $this->userIsInGroup($user, $role->getMembersGroup());
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue