FEAT #8886 User groups and privileges

sql/data_fr.sql

@@ -6,6 +6,21 @@ ALTER SEQUENCE users_id_seq RESTART WITH 1;
 INSERT INTO users (email, password, firstname, lastname, mode) VALUES ('jjane@maarch.com', '$2y$10$C.QSslBKD3yNMfRPuZfcaubFwPKiCkqqOUyAdOr5FSGKPaePwuEjG', 'Jenny', 'JANE', 'standard');
 INSERT INTO users (email, password, firstname, lastname, mode) VALUES ('ccornillac@maarch.com', '$2y$10$C.QSslBKD3yNMfRPuZfcaubFwPKiCkqqOUyAdOr5FSGKPaePwuEjG', 'Clovis', 'CORNILLAC', 'rest');
 
+------------
+--GROUPS
+------------
+TRUNCATE TABLE groups;
+ALTER SEQUENCE groups_id_seq RESTART WITH 2;
+INSERT INTO groups (id, label) VALUES (1, 'Administrateur');
+
+TRUNCATE TABLE groups_privileges;
+ALTER SEQUENCE groups_privileges_id_seq RESTART WITH 1;
+INSERT INTO groups_privileges (group_id, privilege) VALUES (1, 'manage_rest_users');
+
+TRUNCATE TABLE users_groups;
+ALTER SEQUENCE users_groups_id_seq RESTART WITH 1;
+INSERT INTO users_groups (group_id, user_id) VALUES (1, 1);
+
 ------------
 --DOCSERVERS
 ------------

sql/structure.sql

@@ -89,6 +89,37 @@ CREATE TABLE users
 )
 WITH (OIDS=FALSE);
 
+DROP TABLE IF EXISTS groups;
+CREATE TABLE groups
+(
+  id serial NOT NULL,
+  label character varying(128) NOT NULL,
+  CONSTRAINT groups_pkey PRIMARY KEY (id)
+)
+WITH (OIDS=FALSE);
+
+DROP TABLE IF EXISTS groups_privileges;
+CREATE TABLE groups_privileges
+(
+  id serial NOT NULL,
+  group_id INTEGER NOT NULL,
+  privilege character varying(128) NOT NULL,
+  CONSTRAINT groups_privileges_pkey PRIMARY KEY (id),
+  CONSTRAINT groups_privileges_unique_key UNIQUE (group_id, privilege)
+)
+WITH (OIDS=FALSE);
+
+DROP TABLE IF EXISTS users_groups;
+CREATE TABLE users_groups
+(
+    id serial NOT NULL,
+    group_id INTEGER NOT NULL,
+    user_id INTEGER NOT NULL,
+    CONSTRAINT users_groups_pkey PRIMARY KEY (id),
+    CONSTRAINT users_groups_unique_key UNIQUE (group_id, user_id)
+)
+WITH (OIDS=FALSE);
+
 DROP TABLE IF EXISTS docservers;
 CREATE TABLE docservers
 (

src/app/document/controllers/DocumentController.php

@@ -318,10 +318,13 @@ class DocumentController
 
     public function getHandwrittenDocumentById(Request $request, Response $response, array $args)
     {
-        if (!DocumentController::hasRightById(['id' => $args['id'], 'userId' => $GLOBALS['id']])) {
-            return $response->withStatus(403)->withJson(['errors' => 'Document out of perimeter']);
+        $user = UserModel::getById(['select' => ['mode'], 'id' => $GLOBALS['id']]);
+        if ($user['mode'] != 'rest') {
+            if (!DocumentController::hasRightById(['id' => $args['id'], 'userId' => $GLOBALS['id']])) {
+                return $response->withStatus(403)->withJson(['errors' => 'Document out of perimeter']);
+            }
         }
-
+        
         $adr = AdrModel::getDocumentsAdr([
             'select'    => ['path', 'filename', 'fingerprint'],
             'where'     => ['main_document_id = ?', 'type = ?'],
@@ -351,8 +354,11 @@ class DocumentController
 
     public function getStatusById(Request $request, Response $response, array $args)
     {
-        if (!DocumentController::hasRightById(['id' => $args['id'], 'userId' => $GLOBALS['id']])) {
-            return $response->withStatus(403)->withJson(['errors' => 'Document out of perimeter']);
+        $user = UserModel::getById(['select' => ['mode'], 'id' => $GLOBALS['id']]);
+        if ($user['mode'] != 'rest') {
+            if (!DocumentController::hasRightById(['id' => $args['id'], 'userId' => $GLOBALS['id']])) {
+                return $response->withStatus(403)->withJson(['errors' => 'Document out of perimeter']);
+            }
         }
 
         $document = DocumentModel::getById(['select' => ['status', 'mode'], 'id' => $args['id']]);

src/app/user/controllers/UserController.php

@@ -22,12 +22,19 @@ use Slim\Http\Request;
 use Slim\Http\Response;
 use SrcCore\controllers\PasswordController;
 use SrcCore\models\AuthenticationModel;
+use SrcCore\models\ValidatorModel;
+use User\models\UserGroupModel;
 use User\models\UserModel;
 
 class UserController
 {
     public function get(Request $request, Response $response)
     {
+        $user = UserModel::getById(['select' => ['mode'], 'id' => $GLOBALS['id']]);
+        if ($user['mode'] != 'rest') {
+            return $response->withStatus(403)->withJson(['errors' => 'Route forbidden']);
+        }
+
         $users = UserModel::get([
             'select'    => ['id', 'firstname', 'lastname'],
             'where'     => ['mode = ?'],
@@ -50,11 +57,18 @@ class UserController
             $user['picture'] = 'data:image/png;base64,' . $user['picture'];
         }
 
+        $user['canManageRestUsers'] = UserController::hasPrivilege(['userId' => $args['id'], 'privilege' => 'manage_rest_users']);
+
         return $response->withJson(['user' => $user]);
     }
 
     public function create(Request $request, Response $response)
     {
+        $user = UserModel::getById(['select' => ['mode'], 'id' => $GLOBALS['id']]);
+        if ($user['mode'] != 'rest') {
+            return $response->withStatus(403)->withJson(['errors' => 'Route forbidden']);
+        }
+
         $data = $request->getParams();
 
         if (!Validator::stringType()->notEmpty()->validate($data['firstname'])) {
@@ -69,7 +83,7 @@ class UserController
 
         $existingUser = UserModel::getByEmail(['email' => $data['email'], 'select' => ['id']]);
         if (!empty($existingUser)) {
-            return $response->withStatus(400)->withJson(['errors' => 'User already exist']);
+            return $response->withStatus(400)->withJson(['errors' => 'User already exists']);
         }
 
         $logingModes = ['standard', 'rest'];
@@ -146,8 +160,12 @@ class UserController
 
     public function updatePassword(Request $request, Response $response, array $args)
     {
+        $user = UserModel::getById(['select' => ['email', 'mode'], 'id' => $args['id']]);
+
         if ($GLOBALS['id'] != $args['id']) {
-            return $response->withStatus(403)->withJson(['errors' => 'User out of perimeter']);
+            if ($user['mode'] != 'rest' || !UserController::hasPrivilege(['userId' => $GLOBALS['id'], 'privilege' => 'manage_rest_users'])) {
+                return $response->withStatus(403)->withJson(['errors' => 'User out of perimeter']);
+            }
         }
 
         $data = $request->getParams();
@@ -158,7 +176,6 @@ class UserController
             return $response->withStatus(400)->withJson(['errors' => 'Bad Request']);
         }
 
-        $user = UserModel::getById(['select' => ['email'], 'id' => $args['id']]);
         if ($data['newPassword'] != $data['passwordConfirmation']) {
             return $response->withStatus(400)->withJson(['errors' => 'New password does not match password confirmation']);
         } elseif (!AuthenticationModel::authentication(['email' => $user['email'], 'password' => $data['currentPassword']])) {
@@ -284,4 +301,22 @@ class UserController
 
         return $response->withJson(['success' => 'success']);
     }
+
+    public function hasPrivilege(array $args)
+    {
+        ValidatorModel::notEmpty($args, ['userId', 'privilege']);
+        ValidatorModel::intVal($args, ['userId']);
+        ValidatorModel::stringType($args, ['privilege']);
+
+        $groups = UserGroupModel::get(['select' => ['group_id'], 'where' => ['user_id = ?'], 'data' => [$args['userId']]]);
+
+        foreach ($groups as $group) {
+            $privilege = UserGroupModel::getPrivileges(['select' => [1], 'where' => ['group_id = ?', 'privilege = ?'], 'data' => [$group['group_id'], $args['privilege']]]);
+            if (!empty($privilege)) {
+                return true;
+            }
+        }
+
+        return false;
+    }
 }

src/app/user/models/UserGroupModel.php

+<?php
+
+/**
+* Copyright Maarch since 2008 under licence GPLv3.
+* See LICENCE.txt file at the root folder for more details.
+* This file is part of Maarch software.
+*
+*/
+
+/**
+* @brief User Group Model
+* @author dev@maarch.org
+*/
+
+namespace User\models;
+
+use SrcCore\models\DatabaseModel;
+use SrcCore\models\ValidatorModel;
+
+class UserGroupModel
+{
+    public static function get(array $aArgs)
+    {
+        ValidatorModel::arrayType($aArgs, ['select', 'where', 'data', 'orderBy']);
+        ValidatorModel::intType($aArgs, ['limit']);
+
+        $usersGroups = DatabaseModel::select([
+            'select'    => empty($aArgs['select']) ? ['*'] : $aArgs['select'],
+            'table'     => ['users_groups'],
+            'where'     => empty($aArgs['where']) ? [] : $aArgs['where'],
+            'data'      => empty($aArgs['data']) ? [] : $aArgs['data'],
+            'orderBy'   => empty($aArgs['orderBy']) ? [] : $aArgs['orderBy'],
+            'limit'     => empty($aArgs['limit']) ? 0 : $aArgs['limit']
+        ]);
+
+        return $usersGroups;
+    }
+
+    public static function getPrivileges(array $aArgs)
+    {
+        ValidatorModel::arrayType($aArgs, ['select', 'where', 'data', 'orderBy']);
+        ValidatorModel::intType($aArgs, ['limit']);
+
+        $groupsPrivileges = DatabaseModel::select([
+            'select'    => empty($aArgs['select']) ? ['*'] : $aArgs['select'],
+            'table'     => ['groups_privileges'],
+            'where'     => empty($aArgs['where']) ? [] : $aArgs['where'],
+            'data'      => empty($aArgs['data']) ? [] : $aArgs['data'],
+            'orderBy'   => empty($aArgs['orderBy']) ? [] : $aArgs['orderBy'],
+            'limit'     => empty($aArgs['limit']) ? 0 : $aArgs['limit']
+        ]);
+
+        return $groupsPrivileges;
+    }
+}