Merge pull request #5 from RhubarbPHP/feature/DefinedRolePermissions

defined role permission management

Author: samnotsowise

.gitignore

@@ -0,0 +1,5 @@
+/.idea/
+/composer.lock
+/vendor/
+/tests/_output/*
+/bin/

CHANGELOG.md

@@ -1,6 +1,14 @@
 # Change log
 
+### 1.2.0
+
+* Added:    Codeception
+* Added:    .gitignore file
+* Added:    Custard command to update roles and permissions
+* Added:    Module now has method for updating roles and managing their assigned permissions
+
 ### 1.1.1
+
 * Fixed:    Authentication module updated with leaf v1 support
 
 ### 1.1.0

codeception.yml

@@ -0,0 +1,21 @@
+actor: Tester
+paths:
+    tests: tests
+    log: tests/_output
+    data: tests/_data
+    support: tests/_support
+    envs: tests/_envs
+settings:
+    bootstrap: _bootstrap.php
+    colors: true
+    memory_limit: 1024M
+extensions:
+    enabled:
+        - Codeception\Extension\RunFailed
+modules:
+    config:
+        Db:
+            dsn: ''
+            user: ''
+            password: ''
+            dump: tests/_data/dump.sql

composer.json

@@ -13,9 +13,13 @@
   "require": {
     "rhubarbphp/rhubarb": "^1.1",
     "rhubarbphp/module-stem": "^1.2",
-    "rhubarbphp/scaffold-authentication": "^1.0"
+    "rhubarbphp/scaffold-authentication": "^1.0",
+    "rhubarbphp/custard": "^1.0"
   },
   "require-dev": {
-    "phpunit/phpunit": "3.*"
+    "codeception/codeception": "2.1.*"
+  },
+  "config": {
+    "bin-dir": "bin/"
   }
 }

src/AuthenticationWithRolesModule.php

@@ -18,7 +18,13 @@
 
 namespace Rhubarb\Scaffolds\AuthenticationWithRoles;
 
+use Rhubarb\Custard\Command\CustardCommand;
 use Rhubarb\Scaffolds\Authentication\AuthenticationModule;
+use Rhubarb\Scaffolds\AuthenticationWithRoles\Commands\UpdateRolePermissionsCommand;
+use Rhubarb\Stem\Exceptions\RecordNotFoundException;
+use Rhubarb\Stem\Filters\Equals;
+use Rhubarb\Stem\Filters\Not;
+use Rhubarb\Stem\Filters\OneOf;
 use Rhubarb\Stem\Schema\SolutionSchema;
 
 /**
@@ -35,6 +41,78 @@ public function initialise()
     {
         parent::initialise();
 
-        SolutionSchema::registerSchema("Authentication", __NAMESPACE__ . '\DatabaseSchema');
+        SolutionSchema::registerSchema('Authentication', DatabaseSchema::class);
     }
-}
+
+    public static function updateRolePermissions()
+    {
+        /** @var Role[] $roleRecords */
+        $roleRecords = [];
+        /** @var Permission $permissionRecords */
+        $permissionRecords = [];
+
+        $permissionAssignmentIDs = [];
+
+        $permissionMaintainer = function (
+            $permissionRules,
+            $allow
+        ) use (
+            &$permissionRecords,
+            &$roleRecords,
+            &$permissionAssignmentIDs
+        ) {
+            foreach ($permissionRules as $roleName => $permissions) {
+                if (!isset($roleRecords[$roleName])) {
+                    try {
+                        $role = Role::findFirst(new Equals('RoleName', $roleName));
+                    } catch (RecordNotFoundException $ex) {
+                        $role = new Role();
+                        $role->RoleName = $roleName;
+                        $role->save();
+                    }
+                    $roleRecords[$roleName] = $role;
+                }
+
+                foreach ($permissions as $permissionPath) {
+                    if (!isset($permissionRecords[$permissionPath])) {
+                        try {
+                            $permission = Permission::findFirst(new Equals('PermissionPath', $permissionPath));
+                        } catch (RecordNotFoundException $ex) {
+                            $permission = new Permission();
+                            $permission->PermissionPath = $permissionPath;
+                            $permission->PermissionName = $permissionPath;
+                            $permission->save();
+                        }
+                        $permissionRecords[$permissionPath] = $permission;
+                    }
+                    $permissionAssignmentIDs[] = $allow
+                        ? $roleRecords[$roleName]->allow($permissionRecords[$permissionPath])
+                        : $roleRecords[$roleName]->deny($permissionRecords[$permissionPath]);
+                }
+            }
+        };
+
+        /** @var RolePermissionDefinitions $settings */
+        $settings = RolePermissionDefinitions::singleton();
+
+        $permissionMaintainer($settings->allowRolePermissions, true);
+        $permissionMaintainer($settings->denyRolePermissions, false);
+
+        if (count($permissionAssignmentIDs) > 0) {
+            PermissionAssignment::find(
+                new Not(new OneOf('PermissionAssignmentID', $permissionAssignmentIDs))
+            )->deleteAll();
+        }
+    }
+
+    /**
+     * @return CustardCommand[]
+     */
+    public function getCustardCommands()
+    {
+        $commands = parent::getCustardCommands();
+        $commands[] = new UpdateRolePermissionsCommand();
+
+        return $commands;
+    }
+}

src/Commands/UpdateRolePermissionsCommand.php

@@ -0,0 +1,49 @@
+<?php
+
+namespace Rhubarb\Scaffolds\AuthenticationWithRoles\Commands;
+
+use Rhubarb\Scaffolds\AuthenticationWithRoles\AuthenticationWithRolesModule;
+use Rhubarb\Stem\Custard\RequiresRepositoryCommand;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Output\OutputInterface;
+use Symfony\Component\Console\Question\Question;
+
+class UpdateRolePermissionsCommand extends RequiresRepositoryCommand
+{
+    protected function configure()
+    {
+        $this->setName('auth:update-role-permissions')
+            ->setDescription('Updates Roles and Permissions according to a definitions specified in the application. Useful if the application does not allow users to customise role permissions.')
+            ->addOption('f', null, null, 'Forces update - does not prompt user');
+
+        parent::configure();
+    }
+
+    protected function executeWithConnection(InputInterface $input, OutputInterface $output)
+    {
+        $helper = $this->getHelper('question');
+
+        $force = $input->getOption('f');
+
+        if (!$force) {
+            $output->writeln('<comment>Warning: New roles may be created, and all permissions associated with a role may be updated/removed if not specified in RolePermissionDefinitions.</comment>');
+        }
+        $verify = new Question(
+            '<question>Are you sure you want to proceed? [y/n] </question>'
+        );
+        $verify->setValidator(function ($value) use ($output) {
+            if (stripos($value, 'y') !== 0) {
+                $output->writeln('<error>Aborted</error>');
+                return false;
+            }
+            return true;
+        });
+        if ($force || $helper->ask($input, $output, $verify)) {
+            if (!$force) {
+                $output->writeln('<comment>If you would like to suppress user verification in the future, use the --f option</comment>');
+            }
+            AuthenticationWithRolesModule::updateRolePermissions();
+            $output->writeln('<info>Role Permissions Updated</info>');
+        }
+    }
+}

src/RolePermissionDefinitions.php

@@ -0,0 +1,55 @@
+<?php
+
+namespace Rhubarb\Scaffolds\AuthenticationWithRoles;
+
+use Rhubarb\Crown\Settings;
+
+class RolePermissionDefinitions extends Settings
+{
+    public $allowRolePermissions = [];
+    public $denyRolePermissions = [];
+
+    /**
+     * @param string $role
+     * @param array $permissions
+     */
+    public function allowPermissionsForRole($role, $permissions)
+    {
+        $this->setRolePermissionProperty($role, $permissions, true);
+    }
+
+    /**
+     * @param string $role
+     * @param array $permissions
+     */
+    public function denyPermissionsForRole($role, $permissions)
+    {
+        $this->setRolePermissionProperty($role, $permissions, false);
+    }
+
+    /**
+     * @param string $role
+     * @param array $allowPermissions
+     * @param array $denyPermissions
+     */
+    public function setPermissionsForRole($role, $allowPermissions, $denyPermissions)
+    {
+        $this->setRolePermissionProperty($role, $allowPermissions, true);
+        $this->setRolePermissionProperty($role, $denyPermissions, false);
+    }
+
+    /**
+     * @param string $role
+     * @param string $permissions
+     * @param bool $allow
+     */
+    private function setRolePermissionProperty($role, $permissions, $allow)
+    {
+        $property = $allow ? 'allowRolePermissions' : 'denyRolePermissions';
+        $array = $this->$property;
+        $array[$role] = isset($array[$role])
+            ? array_merge($array[$role], $permissions)
+            : $permissions;
+        $this->$property = $array;
+    }
+}

tests/_bootstrap.php

@@ -0,0 +1,2 @@
+<?php
+// This is global bootstrap for autoloading

tests/_data/dump.sql

@@ -0,0 +1 @@
+/* Replace this file with actual dump of your database */

tests/_output/.gitignore

@@ -0,0 +1,2 @@
+*
+!.gitignore