Only change ROLE_ANONYMOUS in Opencast if explicitly set by user (#1290)

* check if a workflow can run before setting acls

* fix typo

* only change ROLE_ANONYMOUS if user decided to do so

* fix typo

* Set visibility in Stud.IP to the one in Opencast

* Update lib/Routes/Video/VideoWorldwideShareUpdate.php

Co-authored-by: Dennis Benz <[email protected]>

* respond with error code 500 in case of error

---------

Co-authored-by: Dennis Benz <[email protected]>

Author: tgloeggl

composer.lock

@@ -4,11 +4,10 @@
 
 use \DBManager;
 use \PDO;
-use \Configuration as StudipConfiguration;
 
-use Opencast\LTI\OpencastLTI;
 use Opencast\VersionHelper;
 use Opencast\Providers\Perm;
+use Opencast\Models\Videos;
 
 class Helpers
 {
@@ -302,10 +301,6 @@ public static function filterACLs($acls, $studip_acls)
 
         $possible_roles = array_column($studip_acls, 'role');
 
-        if (\Config::get()->OPENCAST_ALLOW_PUBLIC_SHARING) {
-            $possible_roles[] = 'ROLE_ANONYMOUS';
-        }
-
         sort($acls);
 
         $result = [];
@@ -372,4 +367,48 @@ public static function notifyUsers($eventType, $event, $video)
             );
         }
     }
+
+    /**
+     * Determines if an event can run a workflow.
+     *
+     * This function checks if the given event meets the criteria for running a republish workflow.
+     * It ensures that:
+     * 1. The event is not empty
+     * 2. The event has an 'engage-player' publication status
+     * 3. The associated video is not in a 'running' or 'failed' state
+     *
+     * @param object $event The Opencast event object to check
+     * @param object $video The associated video object from the Stud.IP system
+     *
+     * @return boolean Returns true if the event can run a workflow, false otherwise
+     */
+    public static function canEventRunWorkflow($event, Videos $video)
+    {
+        if (empty($event)
+            || in_array('engage-player', (array)$event->publication_status) === false
+            || $video->state == 'running' || $video->state == 'failed')
+        {
+            return false;
+        }
+
+        return true;
+    }
+
+
+    public static function isWorldReadable($oc_acls)
+    {
+        // check if ACL contains ROLE_ANONYMOUS
+        $has_anonymous_role = false;
+        foreach ($oc_acls as $acl_entry) {
+            if ($acl_entry['role'] === 'ROLE_ANONYMOUS'
+                && $acl_entry['action'] === 'read'
+                && $acl_entry['allow'] === true
+            ) {
+                $has_anonymous_role = true;
+                break;
+            }
+        }
+
+        return $has_anonymous_role;
+    }
 }

lib/Models/Helpers.php

@@ -61,7 +61,7 @@ public function getACL($episode_id)
     }
 
     /**
-     * Sets ACL for an episode in connected Opencast
+     * Sets ACL for an episode in connected Opencast and republishes metadata
      *
      * @param string $episode_id id of episode
      * @param object $acl the acl object
@@ -70,8 +70,17 @@ public function getACL($episode_id)
      */
     public function setACL($episode_id, $acl)
     {
-        $response = $this->opencastApi->eventsApi->updateAcl($episode_id, $acl);
-        return $response;
+        $workflow_client = ApiWorkflowsClient::getInstance($this->config_id);
+
+        $response = $this->opencastApi->eventsApi->updateAcl($episode_id, array_values($acl));
+
+        // republish metadata, if updating the ACL was succesful
+        if (in_array($response['code'], ['200', '204']) === true) {
+            $workflow_client->republish($episode_id);
+            return true;
+        }
+
+        return false;
     }
 
     /**

lib/Models/REST/ApiEventsClient.php

@@ -83,8 +83,8 @@ public function fileRequest($file_url)
     {
         $response = $this->ocRestClient->get($file_url, [
             'auth'            => [$this->username, $this->password],
-            'timeout'         => 60,
-            'connect_timeout' => 60,
+            'timeout'         => 2,
+            'connect_timeout' => 2,
         ]);
 
         $result = [];

lib/Models/REST/RestClient.php

@@ -715,7 +715,7 @@ public function updateMetadata($event)
         // Only allow updating of metadata if event has publications
         $oc_event = $api_event_client->getEpisode($this->episode);
 
-        if (empty($oc_event) || in_array('engage-player', (array)$oc_event->publication_status) === false) {
+        if (!Helpers::canEventRunWorkflow($oc_event, $this)) {
             return false;
         }
 
@@ -751,23 +751,6 @@ public function updateMetadata($event)
         $response = $api_event_client->updateMetadata($this->episode, $metadata);
         $republish = in_array($response['code'], [200, 204]) === true;
 
-        $result = null;
-
-        if (\Config::get()->OPENCAST_ALLOW_PUBLIC_SHARING
-            && $this->visibility != $event['visibility']
-        ) {
-            $result = $this->updateAcl($event['visibility']);
-
-            if ($result['republish']) {
-                $republish = true;
-            }
-
-            if ($result['update']) {
-                $this->visibility = $event['visibility'];
-                $this->store();
-            }
-        }
-
         if ($republish) {
             $api_wf_client = ApiWorkflowsClient::getInstance($this->config_id);
 
@@ -817,6 +800,62 @@ public function removeVideo()
         return $this->delete();
     }
 
+    public function setWorldVisibility($visibility)
+    {
+        // get current ACL for event in Opencast
+        $api_client  = ApiEventsClient::getInstance($this->config_id);
+        $current_acl = $api_client->getAcl($this->episode);
+
+        if (empty($current_acl)) {
+            return false;
+        }
+
+        // check if ACL contains ROLE_ANONYMOUS
+        $has_anonymous_role = Helpers::isWorldReadable($current_acl);
+
+        if ($visibility === 'public' && $this->visibility !== 'public') {
+            if (!$has_anonymous_role) {
+                // Add ROLE_ANONYMOUS to the ACL
+                $current_acl[] = [
+                    'allow'  => true,
+                    'role'   => 'ROLE_ANONYMOUS',
+                    'action' => 'read'
+                ];
+
+                // Update the ACL in Opencast
+                if ($api_client->setACL($this->episode, $current_acl)) {
+                    // Update local visibility
+                    $this->visibility = 'public';
+                    $this->store();
+
+                    return true;
+                }
+
+                return false;
+            }
+        } else if ($visibility !== 'public' && $this->visibility === 'public') {
+            if ($has_anonymous_role) {
+                // Remove ROLE_ANONYMOUS from the ACL
+                $current_acl = array_filter($current_acl, function($acl_entry) {
+                    return $acl_entry['role'] !== 'ROLE_ANONYMOUS';
+                });
+
+                // Update the ACL in Opencast
+                if ($api_client->setACL($this->episode, $current_acl)) {
+                    // Update local visibility
+                    $this->visibility = $visibility;
+                    $this->store();
+
+                    return true;
+                }
+
+                return false;
+            }
+        }
+
+        return true;
+    }
+
     /**
      * Check that the episode has its unique ACL and set it if necessary
      *
@@ -831,32 +870,21 @@ public function removeVideo()
     public static function checkEventACL($eventType, $episode, $video)
     {
         // Only allow updating of metadata if event has publications
-        if (empty($episode) || in_array('engage-player', (array)$episode->publication_status) === false) {
+        if (!Helpers::canEventRunWorkflow($episode, $video)) {
             return;
         }
 
-        $workflow_client = ApiWorkflowsClient::getInstance($video->config_id);
-
-        $results = $video->updateAcl(null, json_decode(json_encode($episode->acl), true));
-
-        if ($results['republish'] == true) {
-            $workflow_client->republish($video->episode);
-        }
+        return $video->updateAcl(json_decode(json_encode($episode->acl), true));
     }
 
     /**
      * Update the ACL in Opencast if necessary
      *
-     * @param string $new_vis The targeted new visibility. If empty, use the current on to check
+     * @param string $current_acl The current ACL in Opencast
      *
-     * @return array Returns an array of the following form, stating if a republish is necessary and if the
-     *   update in was succesful:
-     *  [
-     *      republish' => boolean
-     *     'update'    => boolean
-     *  ]
+     * @return bool whether ACL was updated or not
      */
-    public function updateAcl($new_vis = null, $current_acl = null)
+    public function updateAcl($current_acl = null)
     {
         $api_client  = ApiEventsClient::getInstance($this->config_id);
         if (empty($current_acl)) {
@@ -869,6 +897,12 @@ public function updateAcl($new_vis = null, $current_acl = null)
         }
 
         $acl = [];
+        if (Helpers::isWorldReadable($current_acl)) {
+            $this->visibility = 'public';
+        } else {
+            $this->visibility = 'internal';
+        }
+        $this->store();
 
         // Don't set event id roles if episode id role access is activated by user
         if (!$this->config->settings['episode_id_role_access'] ?? true) {
@@ -905,44 +939,17 @@ public function updateAcl($new_vis = null, $current_acl = null)
 
         $acl = array_merge($acl, Helpers::createACLsForCourses($courses));
 
-        // add anonymous role if video is world visible
-        if (\Config::get()->OPENCAST_ALLOW_PUBLIC_SHARING && (
-            ($new_vis && $new_vis == 'public')
-            || (!$new_vis && $this->visibility == 'public')
-        )) {
-            $acl[] = [
-                'allow'  => true,
-                'role'   => 'ROLE_ANONYMOUS',
-                'action' => 'read'
-            ];
-        }
-
         sort($acl);
 
         $oc_acls = Helpers::filterACLs($current_acl, $acl);
 
         if ($acl <> $oc_acls['studip']) {
             $new_acl = array_merge($oc_acls['other'], $acl);
 
-            $result = $api_client->setACL($this->episode, $new_acl);
-
-            if (in_array($result['code'], ['200', '204']) === false) {
-                return [
-                    'republish' => false,
-                    'update'    => false
-                ];
-            }
-
-            return [
-                'republish' => true,
-                'update'    => true
-            ];
+            return $api_client->setACL($this->episode, $new_acl);
         }
 
-        return [
-            'republish' => false,
-            'update'    => true
-        ];
+        return false;
     }
 
     /**

lib/Models/Videos.php

@@ -65,6 +65,8 @@ public function authenticatedRoutes(RouteCollectorProxy $group)
         $group->put("/videos/{token}/shares", Routes\Video\VideoSharesUpdate::class);
         $group->post("/videos/{course_id}/copy", Routes\Video\VideoCopyToCourse::class);
 
+        $group->put("/videos/{token}/worldwide_share", Routes\Video\VideoWorldwideShareUpdate::class);
+
         // Courseware routes
         $group->get("/courseware/videos", Routes\Courseware\CoursewareVideoList::class);
 
@@ -123,7 +125,6 @@ public function authenticatedRoutes(RouteCollectorProxy $group)
         $group->get("/tags/videos/course/{course_id}", Routes\Tags\TagListForCourseVideos::class);
 
         $group->get("/config/simple", Routes\Config\SimpleConfigList::class);
-        $group->post("/log", Routes\Log\LogEntryCreate::class);
 
         $group->get("/discovery", Routes\DiscoveryIndex::class);
     }