First step to limit the customer backend (#15)
* Add structure page

* Roles and permission refactoring

* make [last|first]name required and add acceptance tests for functional admin

* fix tests and domain logic during user creation

* fix issues with special role CAN_MANAGE_ONLY_OWNED_USERS and fix tests

* fix missing permission
GlennCavarle authored Jun 17, 2018
1 parent 22b87f6 commit e5df68a
Showing 40 changed files with 1,280 additions and 629 deletions.
152 changes: 123 additions & 29 deletions config/packages/security.yaml
@@ -1,39 +1,133 @@
security:
access_decision_manager:
strategy: unanimous
allow_if_all_abstain: false

role_hierarchy:
ROLE_VIEWER:

#PERMISSONS
CAN_MANAGE_FOLDERS:
- CAN_SHOW_FOLDER
- CAN_CREATE_FOLDER
- CAN_EDIT_FOLDER
- CAN_DELETE_FOLDER

CAN_MANAGE_STRUCTURES:
- CAN_SHOW_STRUCTURE
- CAN_CREATE_STRUCTURE
- CAN_EDIT_STRUCTURE
- CAN_DELETE_STRUCTURE

CAN_MANAGE_STRUCTURE_TYPES:
- CAN_SHOW_STRUCTURE_TYPE
- CAN_CREATE_STRUCTURE_TYPE
- CAN_EDIT_STRUCTURE_TYPE
- CAN_DELETE_STRUCTURE_TYPE

CAN_MANAGE_APPLICATIONS:
- CAN_SHOW_APPLICATION
- CAN_CREATE_APPLICATION
- CAN_EDIT_APPLICATION
- CAN_DELETE_APPLICATION

CAN_MANAGE_PIA_TEMPLATES:
- CAN_SHOW_PIA_TEMPLATE
- CAN_CREATE_PIA_TEMPLATE
- CAN_EDIT_PIA_TEMPLATE
- CAN_DELETE_PIA_TEMPLATE

CAN_EXPLORE_PIAS:
- CAN_SHOW_PIA
- CAN_SHOW_FOLDER
- CAN_SHOW_MEASURE
- CAN_SHOW_EVALUATION
- CAN_SHOW_ANSWER
- CAN_SHOW_COMMENT

CAN_MANAGE_PIAS:
- CAN_SHOW_PIA
- CAN_CREATE_PIA
- CAN_EDIT_PIA
- CAN_DELETE_PIA

CAN_MANAGE_ANSWERS:
- CAN_SHOW_ANSWER
- CAN_CREATE_ANSWER
- CAN_EDIT_ANSWER
- CAN_DELETE_ANSWER

CAN_MANAGE_EVALUATIONS:
- CAN_SHOW_EVALUATION
- CAN_CREATE_EVALUATION
- CAN_EDIT_EVALUATION
- CAN_DELETE_EVALUATION

CAN_MANAGE_MEASURES:
- CAN_SHOW_MEASURE
- CAN_CREATE_MEASURE
- CAN_EDIT_MEASURE
- CAN_DELETE_MEASURE

CAN_MANAGE_COMMENTS:
- CAN_SHOW_COMMENT
- CAN_CREATE_COMMENT
- CAN_EDIT_COMMENT
- CAN_DELETE_COMMENT

CAN_MANAGE_ATTACHMENTS:
- CAN_SHOW_ATTACHMENT
- CAN_CREATE_ATTACHMENT
- CAN_EDIT_ATTACHMENT
- CAN_DELETE_ATTACHMENT


CAN_MANAGE_USERS:
- CAN_SHOW_USER
- CAN_CREATE_USER
- CAN_EDIT_USER
- CAN_DELETE_USER

#Special permission which limit to owned users (from the same structure)
CAN_MANAGE_ONLY_OWNED_USERS:
- CAN_SHOW_USER
- CAN_CREATE_USER
- CAN_EDIT_USER
- CAN_DELETE_USER

#ROLE DEFINITIONS
ROLE_USER:
- CAN_EXPLORE_PIAS

ROLE_CONTROLLER:
- ROLE_USER
- ROLE_PIA_LIST
- ROLE_PIA_VIEW
- ROLE_MEASURE_LIST
- ROLE_MEASURE_VIEW
- ROLE_EVALUATION_LIST
- ROLE_EVALUATION_VIEW
- ROLE_ANSWER_LIST
- ROLE_ANSWER_VIEW
- CAN_MANAGE_MEASURES
- CAN_MANAGE_ANSWERS
- CAN_MANAGE_COMMENTS
- CAN_MANAGE_ATTACHMENTS
- CAN_MANAGE_EVALUATIONS

ROLE_DPO:
- ROLE_VIEWER
- ROLE_PIA_CREATE
- ROLE_PIA_EDIT
- ROLE_PIA_DELETE
- ROLE_MEASURE_DELETE
- ROLE_EVALUATION_CREATE
- ROLE_EVALUATION_EDIT
- ROLE_EVALUATION_DELETE
- ROLE_ANSWER_DELETE
ROLE_CONTROLLER:
- ROLE_VIEWER
- ROLE_PIA_EDIT
- ROLE_MEASURE_CREATE
- ROLE_MEASURE_EDIT
- ROLE_ANSWER_CREATE
- ROLE_ANSWER_EDIT
- ROLE_ANSWER_DELETE
- ROLE_CONTROLLER
- CAN_MANAGE_PIAS
- CAN_SHOW_PIA_TEMPLATE
- CAN_IMPORT_PIA
- CAN_MANAGE_FOLDERS

ROLE_ADMIN:
- ROLE_DPO
- ROLE_CONTROLLER
ROLE_SUPER_ADMIN:
- CAN_MANAGE_ONLY_OWNED_USERS

ROLE_TECHNICAL_ADMIN:
- ROLE_ADMIN
- CAN_MANAGE_USERS
- CAN_EXPORT_PIA
- CAN_MANAGE_STRUCTURES
- CAN_MANAGE_STRUCTURE_TYPES
- CAN_MANAGE_PIA_TEMPLATES
- CAN_MANAGE_APPLICATIONS
ROLE_SUPER_ADMIN:
- ROLE_TECHNICAL_ADMIN


encoders:
FOS\UserBundle\Model\UserInterface:
Expand All @@ -53,7 +147,7 @@ security:
# # login_path: /login
# # check_path: /login_check
# provider: fos_userbundle

api:
pattern: ^/(pias|profile|pia-templates|folders)
fos_oauth: true
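Review bot: `CAN_MANAGE_ONLY_OWNED_USERS` expands in the hierarchy to exactly the same four `CAN_*_USER` permissions as `CAN_MANAGE_USERS`, so nothing in this file limits it to the caller's structure; the restriction has to come from a voter, presumably the `CanManageUsersVoter` registered in services.yaml. With `strategy: unanimous` and `allow_if_all_abstain: false`, that voter must return an explicit DENY for a user outside the caller's structure — an ABSTAIN would let the hierarchy-based grant from `PermissionVoter` stand. I would say so in the comment: `# Grants the same CAN_*_USER permissions as CAN_MANAGE_USERS; the "owned users only" restriction is NOT expressed here and must be enforced by a voter that votes DENY (not abstain) for users outside the caller's structure.` Separately, `ROLE_CONTROLLER` and `ROLE_SUPER_ADMIN` each appear twice in this section; if that is only the old and new side of the rendered diff it is fine, but a duplicated key in the shipped YAML would silently keep the last definition only, which is worth a check against the file itself.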
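--- /dev/null
+++ b/config/pialab/parameters.yaml
@@ -0,0 +1,5 @@
+parameters:
+
+pialab.user_creation_limit: 10
+pialab.mono_structure: true
+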
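Review bot: Neither `pialab.user_creation_limit` nor `pialab.mono_structure` says what it governs or where it is enforced — whether the limit is per structure, per administrator or global, and what a `true` for the second switches off. A one-line comment above each would spare the next reader a trip into the domain code, for instance `# Maximum number of users that may be created (enforced in the user creation domain logic, not only in the form)` and `# true = single-structure deployment`. I am inferring both meanings from the names and the commit message, so adjust the wording to what the code actually does, and in particular confirm that the limit is checked server-side and not only in the back-office form.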
21 changes: 19 additions & 2 deletions config/services.yaml
@@ -1,7 +1,10 @@
# Put parameters here that don't need to change on each machine where the app is deployed
# https://symfony.com/doc/current/best_practices/configuration.html#application-related-configuration
imports:
- { resource: pialab/parameters.yaml }

parameters:
locale: 'en'
locale: 'fr'

services:
_defaults:
Expand Down Expand Up @@ -31,13 +34,27 @@ services:
tags:
- { name: kernel.event_subscriber }


PiaApi\Form\Type\RolesType:
tags: [form.type]

PiaApi\Security\Voter\PermissionVoter:
arguments: ['@security.role_hierarchy']
tags: [security.voter]
PiaApi\Security\Voter\CanManageUsersVoter:
tags: [security.voter]

PiaApi\Security\Role\RoleHierarchy:
arguments: ['@security.token_storage', '%security.role_hierarchy.roles%', '@security.role_hierarchy']


PiaApi\Auth\ClientManager:
arguments:
- '@fos_oauth_server.entity_manager'
- '%fos_oauth_server.model.client.class%'

FOS\OAuthServerBundle\Model\ClientManagerInterface: '@PiaApi\Auth\ClientManager'

# Used to fix bug when updating and entity througth REST api
# jms_serializer.object_constructor:
# alias: jms_serializer.doctrine_object_constructor
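Review bot: `PermissionVoter` is wired to the framework's `@security.role_hierarchy`, while the new `PiaApi\Security\Role\RoleHierarchy` service (which also receives the token storage and the framework hierarchy) is registered but, as far as this hunk shows, injected nowhere. If the custom hierarchy is what narrows the roles a logged-in user may see or assign — taking the token storage suggests that — then the voter decides on a broader view of the roles than the forms do; either inject it here, `arguments: ['@PiaApi\Security\Role\RoleHierarchy']`, or add a comment above `PermissionVoter` explaining why the two coexist. `CanManageUsersVoter` is declared without arguments, so it cannot reach the current token's structure unless autowiring outside this hunk supplies it; worth confirming, since the "owned users only" restriction depends on it. The second hunk continues past what is shown.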
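--- /dev/null
+++ b/public/assets/js/modal.js
@@ -0,0 +1,35 @@
+$(document).on('click', 'a[data-modal]', (e) => {
+e.preventDefault();
+e.stopPropagation();
+e.stopImmediatePropagation();
+
+let button = $(e.currentTarget);
+let url = button.attr('href');
+
+let modal = $('.ui.modal');
+modal.hide();
+
+$.ajax({
+url: url,
+success: (html) => {
+let modal = $('.ui.modal');
+
+modal.find('.header').html(button.attr('title'));
+
+modal
+.find('.content')
+.html(html);
+
+modal.find('.content .negative, .content .deny, .content .cancel').on('click', (e) => {
+$(e.currentTarget).closest('.ui.modal').modal('hide');
+});
+
+modal.find('.actions').remove();
+
+$('.ui.checkbox').checkbox();
+$('.ui.dropdown').dropdown();
+
+modal.modal('show');
+}
+})
+});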
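Review bot: `modal.find('.header').html(button.attr('title'))` injects the link's `title` attribute as HTML; the browser has already decoded the attribute's entity escaping by the time `attr()` returns it, so any user-controlled text that ends up in a title (a user or structure name in an edit/delete link, say) is re-parsed as markup. The header is plain text, so write `modal.find('.header').text(button.attr('title'));`. The `$.ajax` call also has no `error` handler: a 403 or a network failure leaves the modal hidden with no feedback, and if the server answers an unauthenticated request with a redirect to the login page the login form would, as far as I can tell, be rendered inside the modal; at minimum add `error: () => modal.modal('hide'),` or surface a message.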
25 changes: 5 additions & 20 deletions src/Controller/BackOffice/OauthController.php
Expand Up @@ -13,12 +13,12 @@
use FOS\OAuthServerBundle\Model\ClientManagerInterface;
use OAuth2\OAuth2;
use PiaApi\Entity\Oauth\Client;
use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security;
use PiaApi\Form\Application\CreateApplicationForm;
use PiaApi\Form\Application\EditApplicationForm;
use PiaApi\Form\Application\RemoveApplicationForm;
use Sensio\Bundle\FrameworkExtraBundle\Configuration\Route;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;

class OauthController extends BackOfficeAbstractController
Expand All @@ -35,15 +35,10 @@ public function __construct(ClientManagerInterface $fosOauthClientManager)

/**
* @Route("/manageApplications", name="manage_applications")
* @Security("is_granted('CAN_SHOW_APPLICATION')")
*/
public function manageApplicationsAction(Request $request)
{
if (!$this->isGranted('IS_AUTHENTICATED_REMEMBERED')) {
return $this->redirect($this->generateUrl('fos_user_security_login'));
}

$this->canAccess();

$pagerfanta = $this->buildPager($request, Client::class);

return $this->render('pia/Application/manageApplications.html.twig', [
Expand All @@ -53,13 +48,12 @@ public function manageApplicationsAction(Request $request)

/**
* @Route("/manageApplications/addApplication", name="manage_applications_add_application")
* @Security("is_granted('CAN_CREATE_APPLICATION')")
*
* @param Request $request
*/
public function addApplicationAction(Request $request)
{
$this->canAccess();

$form = $this->createForm(CreateApplicationForm::class, [
'allowedGrantTypes' => [
OAuth2::GRANT_TYPE_IMPLICIT => OAuth2::GRANT_TYPE_IMPLICIT,
Expand Down Expand Up @@ -95,13 +89,12 @@ public function addApplicationAction(Request $request)

/**
* @Route("/manageApplications/editApplication/{applicationId}", name="manage_applications_edit_application")
* @Security("is_granted('CAN_EDIT_APPLICATION')")
*
* @param Request $request
*/
public function editApplicationAction(Request $request)
{
$this->canAccess();

$userId = $request->get('applicationId');
$user = $this->getDoctrine()->getRepository(Client::class)->find($userId);

Expand Down Expand Up @@ -131,13 +124,12 @@ public function editApplicationAction(Request $request)

/**
* @Route("/manageApplications/removeApplication/{applicationId}", name="manage_applications_remove_application")
* @Security("is_granted('CAN_DELETE_APPLICATION')")
*
* @param Request $request
*/
public function removeApplicationAction(Request $request)
{
$this->canAccess();

$applicationId = $request->get('applicationId');
$user = $this->getDoctrine()->getRepository(Client::class)->find($applicationId);

Expand Down Expand Up @@ -168,11 +160,4 @@ public function removeApplicationAction(Request $request)
'form' => $form->createView(),
]);
}

protected function canAccess()
{
if (!$this->isGranted('ROLE_SUPER_ADMIN')) {
throw new AccessDeniedHttpException();
}
}
}
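Review bot: Replacing `canAccess()` (which required `ROLE_SUPER_ADMIN`) with `@Security("is_granted('CAN_*_APPLICATION')")` widens access to every role that holds `CAN_MANAGE_APPLICATIONS` — in the new hierarchy that appears to be `ROLE_TECHNICAL_ADMIN` and above; OAuth clients are a credential-issuing resource, so if the widening is intended the commit message should state it. The removed `IS_AUTHENTICATED_REMEMBERED` redirect in `manageApplicationsAction` now relies on the back-office firewall's entry point turning the annotation's `AccessDeniedException` into a login redirect for anonymous users rather than a bare 403; confirm that is configured. In `editApplicationAction` and `removeApplicationAction` the route parameter is read with `$request->get('applicationId')`, which also falls back to query and body parameters; `$request->attributes->get('applicationId')` (or a typed `int $applicationId` action parameter) reads only the route value, and the `$user` variable there holds a `Client` and is worth renaming. Both of those actions continue past the hunks shown.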
