improving permission checks for scheduling, (#1297)

fixes #1205

Author: ferishili

OpencastV3.class.php

@@ -201,7 +201,7 @@ public function getTabNavigation($course_id)
             PluginEngine::getURL($this, ['target_view' => 'videos'], 'course#/course/videos')
         ));
 
-        if ($GLOBALS['perm']->have_studip_perm('tutor', $course_id) &&
+        if (Perm::schedulingAllowed($course_id) &&
             Config::get()->OPENCAST_ALLOW_SCHEDULER &&
             Helpers::checkCourseDefaultPlaylist($course_id)) {
             $main->addSubNavigation('schedule', new Navigation(

lib/Providers/Perm.php

@@ -184,4 +184,28 @@ public static function courseBelongsToInstitute($course_id, $inst_id)
 
         return false;
     }
+
+    /**
+     * Checks, whether the current user is able to perform the scheduling in a course
+     *
+     * @param  string $context_id   course or institute id
+     * @param  string $user_id      user id
+     *
+     * @return boolean              true if allowed, false otherwise
+     */
+    public static function schedulingAllowed($context_id = null, $user_id = null)
+    {
+        if (is_null($user_id)) {
+            $user_id = $GLOBALS['user']->id;
+        }
+
+        if (is_null($context_id)) {
+            $context_id = \Context::getId();
+        }
+
+        // Reuse the config to make sure that the tutor gets the lecture permission when configured!
+        $required_perm = \Config::get()->OPENCAST_TUTOR_EPISODE_PERM ? 'tutor' : 'dozent';
+
+        return $GLOBALS['perm']->have_studip_perm($required_perm, $context_id, $user_id);
+    }
 }

lib/Routes/Course/CourseConfig.php

@@ -57,11 +57,12 @@ public function __invoke(Request $request, Response $response, $args)
             'series'    => [
                 'series_id'  => $series->series_id,
             ],
-            'workflow'       => SeminarWorkflowConfiguration::getWorkflowForCourse($course_id),
-            'edit_allowed'   => Perm::editAllowed($course_id),
-            'upload_allowed' => Perm::uploadAllowed($course_id),
-            'upload_enabled' => \CourseConfig::get($course_id)->OPENCAST_ALLOW_STUDENT_UPLOAD ? 1 : 0,
-            'has_default_playlist' => Helpers::checkCourseDefaultPlaylist($course_id)
+            'workflow'              => SeminarWorkflowConfiguration::getWorkflowForCourse($course_id),
+            'edit_allowed'          => Perm::editAllowed($course_id),
+            'upload_allowed'        => Perm::uploadAllowed($course_id),
+            'upload_enabled'        => \CourseConfig::get($course_id)->OPENCAST_ALLOW_STUDENT_UPLOAD ? 1 : 0,
+            'has_default_playlist'  => Helpers::checkCourseDefaultPlaylist($course_id),
+            'scheduling_allowed'    => Perm::schedulingAllowed($course_id)
         ];
 
         return $this->createResponse($results, $response);

lib/Routes/Course/CourseListSchedule.php

@@ -7,16 +7,27 @@
 use Opencast\OpencastTrait;
 use Opencast\OpencastController;
 use Opencast\Models\ScheduleHelper;
+use Opencast\Providers\Perm;
 
 class CourseListSchedule extends OpencastController
 {
     use OpencastTrait;
 
     public function __invoke(Request $request, Response $response, $args)
     {
+        global $user;
+
         $course_id = $args['course_id'];
         $semester_filter = $args['semester_filter'];
 
+        if (empty($course_id)) {
+            throw new Error('Es fehlen Parameter!', 422);
+        }
+
+        if (!Perm::schedulingAllowed($course_id, $user->id)) {
+            throw new \AccessDeniedException();
+        }
+
         $semester_list = ScheduleHelper::getSemesterList($course_id);
         $allow_schedule_alternate = \Config::get()->OPENCAST_ALLOW_ALTERNATE_SCHEDULE;
 
@@ -31,4 +42,4 @@ public function __invoke(Request $request, Response $response, $args)
 
         return $this->createResponse($response_data, $response);
     }
-}
+}

lib/Routes/Playlist/PlaylistScheduleUpdate.php

@@ -9,28 +9,28 @@
 use Opencast\OpencastController;
 use Opencast\Models\ScheduleHelper;
 use Opencast\Models\Playlists;
+use Opencast\Providers\Perm;
 
 class PlaylistScheduleUpdate extends OpencastController
 {
     use OpencastTrait;
 
     public function __invoke(Request $request, Response $response, $args)
     {
-        global $perm;
-
-        if (!$perm->have_perm('tutor')) {
-            throw new \AccessDeniedException();
-        }
+        global $user;
 
         $course_id = $args['course_id'];
         $token = $args['token'];
         $type = $args['type'];
 
-
         if (empty($token) || empty($course_id) || empty($type) || !in_array($type, ['livestreams', 'scheduled'])) {
             throw new Error('Es fehlen Parameter!', 422);
         }
 
+        if (!Perm::schedulingAllowed($course_id, $user->id)) {
+            throw new \AccessDeniedException();
+        }
+
         $playlist = Playlists::findOneByToken($token);
 
         if (empty($playlist)) {

lib/Routes/Schedule/ScheduleAdd.php

@@ -8,18 +8,15 @@
 use Opencast\OpencastTrait;
 use Opencast\OpencastController;
 use Opencast\Models\ScheduleHelper;
+use Opencast\Providers\Perm;
 
 class ScheduleAdd extends OpencastController
 {
     use OpencastTrait;
 
     public function __invoke(Request $request, Response $response, $args)
     {
-        global $perm;
-
-        if (!$perm->have_perm('tutor')) {
-            throw new \AccessDeniedException();
-        }
+        global $user;
 
         $termin_id = $args['termin_id'];
         $course_id = $args['course_id'];
@@ -28,6 +25,10 @@ public function __invoke(Request $request, Response $response, $args)
             throw new Error('Es fehlen Parameter!', 422);
         }
 
+        if (!Perm::schedulingAllowed($course_id, $user->id)) {
+            throw new \AccessDeniedException();
+        }
+
         $json = $this->getRequestData($request);
 
         $livestream = !empty($json['livestream']) ? true : false;

lib/Routes/Schedule/ScheduleBulk.php

@@ -8,20 +8,18 @@
 use Opencast\OpencastTrait;
 use Opencast\OpencastController;
 use Opencast\Models\ScheduleHelper;
+use Opencast\Providers\Perm;
 
 class ScheduleBulk extends OpencastController
 {
     use OpencastTrait;
 
     public function __invoke(Request $request, Response $response, $args)
     {
-        global $perm;
-
-        if (!$perm->have_perm('tutor')) {
-            throw new \AccessDeniedException();
-        }
+        global $user;
 
         $course_id = $args['course_id'];
+
         $json = $this->getRequestData($request);
         $termin_ids = isset($json['termin_ids']) ? $json['termin_ids'] : [];
         $action = isset($json['action']) ? $json['action'] : null;
@@ -30,6 +28,10 @@ public function __invoke(Request $request, Response $response, $args)
             throw new Error('Es fehlen Parameter!', 422);
         }
 
+        if (!Perm::schedulingAllowed($course_id, $user->id)) {
+            throw new \AccessDeniedException();
+        }
+
         $message_type = 'success';
         $message_text = _('Die angeforderte Massenaktion wurde ausgeführt.');
         $errors = [];

lib/Routes/Schedule/ScheduleDelete.php

@@ -8,18 +8,15 @@
 use Opencast\OpencastTrait;
 use Opencast\OpencastController;
 use Opencast\Models\ScheduleHelper;
+use Opencast\Providers\Perm;
 
 class ScheduleDelete extends OpencastController
 {
     use OpencastTrait;
 
     public function __invoke(Request $request, Response $response, $args)
     {
-        global $perm;
-
-        if (!$perm->have_perm('tutor')) {
-            throw new \AccessDeniedException();
-        }
+        global $user;
 
         $termin_id = $args['termin_id'];
         $course_id = $args['course_id'];
@@ -28,10 +25,14 @@ public function __invoke(Request $request, Response $response, $args)
             throw new Error('Es fehlen Parameter!', 422);
         }
 
+        if (!Perm::schedulingAllowed($course_id, $user->id)) {
+            throw new \AccessDeniedException();
+        }
+
         if (ScheduleHelper::deleteEventForSeminar($course_id, $termin_id)) {
             return $response->withStatus(204);
         }
-        
+
         throw new Error(_('Die geplante Aufzeichnung konnte nicht entfernt werden.'), 409);
     }
 }

lib/Routes/Schedule/ScheduleShow.php

@@ -8,13 +8,18 @@
 use Opencast\Errors\Error;
 use Opencast\OpencastTrait;
 use Opencast\OpencastController;
+use Opencast\Providers\Perm;
 
 class ScheduleShow extends OpencastController
 {
     use OpencastTrait;
 
     public function __invoke(Request $request, Response $response, $args)
     {
+        // TODO: This needs to be filled up with course id and user id!
+        if (!Perm::schedulingAllowed()) {
+            throw new \AccessDeniedException();
+        }
         // TODO: Fill this up when necessary!
         return $response->withStatus(200);
     }

lib/Routes/Schedule/ScheduleUpdate.php

@@ -8,18 +8,15 @@
 use Opencast\OpencastTrait;
 use Opencast\OpencastController;
 use Opencast\Models\ScheduleHelper;
+use Opencast\Providers\Perm;
 
 class ScheduleUpdate extends OpencastController
 {
     use OpencastTrait;
 
     public function __invoke(Request $request, Response $response, $args)
     {
-        global $perm;
-
-        if (!$perm->have_perm('tutor')) {
-            throw new \AccessDeniedException();
-        }
+        global $user;
 
         $termin_id = $args['termin_id'];
         $course_id = $args['course_id'];
@@ -28,6 +25,10 @@ public function __invoke(Request $request, Response $response, $args)
             throw new Error('Es fehlen Parameter!', 422);
         }
 
+        if (!Perm::schedulingAllowed($course_id, $user->id)) {
+            throw new \AccessDeniedException();
+        }
+
         $json = $this->getRequestData($request);
         $start = isset($json['start']) ? $json['start'] : null;
         $end = isset($json['end']) ? $json['end'] : null;

vueapp/components/Courses/CoursesSidebar.vue

@@ -283,9 +283,10 @@ export default {
 
         canSchedule() {
             try {
-                return this.cid !== undefined &&
-                    this.currentUser.can_edit &&
-                        this.simple_config_list['settings']['OPENCAST_ALLOW_SCHEDULER'];
+                return this.cid !== undefined && // Make sure this is happening in a course!
+                    this.currentUser.can_edit && // Make sure the user has sufficient "global" rights.
+                    this.simple_config_list['settings']['OPENCAST_ALLOW_SCHEDULER'] && // Make sure it is configured!
+                    this.course_config.scheduling_allowed; // Make sure the user is allowed to schedule recordings in the course!
             } catch (error) {
                 return false;
             }
@@ -411,6 +412,9 @@ export default {
         },
 
         updateScheduledRecordingsPlaylists(type) {
+            if (!this.canSchedule) {
+                return;
+            }
             this.$store.dispatch('clearMessages');
             if (type == 'scheduled') {
                 this.$store.dispatch('setSchedulePlaylist', this.schedulePlaylistToken)

vueapp/components/Schedule/ScheduleList.vue

@@ -100,7 +100,7 @@
         <MessageBox v-else-if="!schedule_loading" type="info">
             {{ $gettext('Es gibt bisher keine Termine.') }}
         </MessageBox>
-         <ScheduleLoading v-else :allow_schedule_alternate="allow_schedule_alternate"/>
+        <ScheduleLoading v-else :allow_schedule_alternate="allow_schedule_alternate"/>
     </div>
 </template>