Fix and review for the hardcoded permission checks in API Routes and UI

lib/Models/Tags.php

@@ -115,7 +115,8 @@ public static function getCourseVideosTags($course_id)
                 ' INNER JOIN oc_playlist_seminar AS ops ON (ops.playlist_id = opv.playlist_id AND ops.seminar_id = :cid)';
         $params = [':cid' => $course_id];
 
-        if (!$perm->have_studip_perm('dozent', $course_id)) {
+        $required_course_perm = \Config::get()->OPENCAST_TUTOR_EPISODE_PERM ? 'tutor' : 'dozent';
+        if (!$perm->have_studip_perm($required_course_perm, $course_id)) {
             $query .= ' LEFT JOIN oc_playlist_seminar_video AS opsv ON (opsv.playlist_seminar_id = ops.id AND opsv.video_id = opv.video_id)'.
                 ' WHERE (opsv.visibility IS NULL AND opsv.visible_timestamp IS NULL AND ops.visibility = "visible"'.
                 ' OR opsv.visibility = "visible" AND opsv.visible_timestamp IS NULL'.

lib/Providers/Perm.php

@@ -126,7 +126,7 @@ public static function hasRole($check_role, $user_id = null)
      * @param string $check_role
      * @param string $user_id
      *
-     * @return boolean
+     * @return array|boolean list of institutes or false if the checks are not met!
      */
     public static function getRoleInstitutes($check_role, $user_id)
     {

lib/Routes/Course/CourseConfig.php

@@ -36,7 +36,8 @@ public function __invoke(Request $request, Response $response, $args)
 
         if (empty($series)) {
             // only tutor or above should be able to trigger this series creation!
-            if ($perm->have_studip_perm('tutor', $course_id)) {
+            $required_course_perm = \Config::get()->OPENCAST_TUTOR_EPISODE_PERM ? 'tutor' : 'dozent';
+            if ($perm->have_studip_perm($required_course_perm, $course_id)) {
                 // No series for this course yet! Create one!
                 $config_id = \Config::get()->OPENCAST_DEFAULT_SERVER;
                 $series_client = new SeriesClient($config_id);

lib/Routes/Course/CourseListForPlaylistVideos.php

@@ -23,6 +23,7 @@ public function __invoke(Request $request, Response $response, $args)
         global $perm;
 
         $params = $request->getQueryParams();
+        $course_id = isset($params['cid']) ? $params['cid'] : null;
 
         // first, check if user has access to this playlist
         $playlist = Playlists::findOneByToken($args['token']);
@@ -32,23 +33,23 @@ public function __invoke(Request $request, Response $response, $args)
 
         // check if playlist is connected to the passed course and user is part of that course as well
         $permission = false;
-        if ($params['cid']) {
-            if ($perm->have_studip_perm('user', $params['cid'])) {
+        if ($course_id && !empty($playlist->courses)) {
+            $playlist_connected_courses_ids = array_column($playlist->courses->toArray(), 'id');
+            if ($perm->have_studip_perm('user', $course_id) && in_array($course_id, $playlist_connected_courses_ids)) {
                 $permission = true;
             }
         }
 
-        if (!$params['cid'] || !$permission) {
+        if (!$course_id || !$permission) {
             // check what permissions the current user has on the playlist
             $uperm = $playlist->getUserPerm();
 
-            if (empty($uperm) || !$uperm)
-            {
+            if (empty($uperm) || !$uperm) {
                 throw new \AccessDeniedException();
             }
         }
 
-        $courses_ids = PlaylistSeminars::getPlaylistVideosCourses($playlist->id, $params['cid']);
+        $courses_ids = PlaylistSeminars::getPlaylistVideosCourses($playlist->id, $course_id);
 
         return $this->createResponse(PlaylistSeminars::getCoursesArray($courses_ids), $response->withStatus(200));
     }

lib/Routes/Course/CourseSetUpload.php

@@ -24,7 +24,8 @@ public function __invoke(Request $request, Response $response, $args)
         $course_id = $args['course_id'];
         $upload = $args['upload'] ? 1 : 0;
 
-        if (!$perm->have_studip_perm('tutor', $course_id)) {
+        $required_course_perm = \Config::get()->OPENCAST_TUTOR_EPISODE_PERM ? 'tutor' : 'dozent';
+        if (!$perm->have_studip_perm($required_course_perm, $course_id)) {
             throw new \AccessDeniedException();
         }
 
@@ -35,4 +36,4 @@ public function __invoke(Request $request, Response $response, $args)
 
         return $response->withStatus(204);
     }
-}
+}

lib/Routes/Playlist/Authority.php

@@ -14,7 +14,8 @@ public static function canAddAndRemoveVideoInPlaylist(\Seminar_User $user, Playl
             return true;
         }
 
-        if ($playlist->haveCoursePerm('tutor') && $video->haveCoursePerm('tutor')) {
+        $required_course_perm = \Config::get()->OPENCAST_TUTOR_EPISODE_PERM ? 'tutor' : 'dozent';
+        if ($playlist->haveCoursePerm($required_course_perm) && $video->haveCoursePerm($required_course_perm)) {
             return true;
         }
 

lib/Routes/Playlist/PlaylistAddToCourse.php

@@ -41,8 +41,9 @@ public function __invoke(Request $request, Response $response, $args)
 
             // Add record to the PlaylistSeminars based on courses
             if (!empty($courses)) {
+                $required_course_perm = \Config::get()->OPENCAST_TUTOR_EPISODE_PERM ? 'tutor' : 'dozent';
                 foreach ($courses as $course) {
-                    if ($perm->have_studip_perm('tutor', $course['id'])) {
+                    if ($perm->have_studip_perm($required_course_perm, $course['id'])) {
                         $playlist_seminar = new PlaylistSeminars;
                         $playlist_seminar->playlist_id = $playlist->id;
                         $playlist_seminar->seminar_id = $course['id'];

lib/Routes/Playlist/PlaylistCopy.php

@@ -41,7 +41,8 @@ public function __invoke(Request $request, Response $response, $args)
 
         // Check permission on course destination
         if (!empty($destination_course)) {
-            if (!$perm->have_studip_perm('tutor', $destination_course)) {
+            $required_course_perm = \Config::get()->OPENCAST_TUTOR_EPISODE_PERM ? 'tutor' : 'dozent';
+            if (!$perm->have_studip_perm($required_course_perm, $destination_course)) {
                 throw new \AccessDeniedException();
             }
         }

lib/Routes/Playlist/PlaylistVideoList.php

@@ -22,6 +22,7 @@ public function __invoke(Request $request, Response $response, $args)
         global $perm;
 
         $params = $request->getQueryParams();
+        $course_id = isset($params['cid']) ? $params['cid'] : null;
 
         // first, check if user has access to this playlist
         $playlist = Playlists::findOneByToken($args['token']);
@@ -32,18 +33,18 @@ public function __invoke(Request $request, Response $response, $args)
 
         // check if playlist is connected to the passed course and user is part of that course as well
         $permission = false;
-        if ($params['cid']) {
-            if ($perm->have_studip_perm('user', $params['cid'])) {
+        if ($course_id && !empty($playlist->courses)) {
+            $playlist_connected_courses_ids = array_column($playlist->courses->toArray(), 'id');
+            if ($perm->have_studip_perm('user', $course_id) && in_array($course_id, $playlist_connected_courses_ids)) {
                 $permission = true;
             }
         }
 
-        if (!$params['cid'] || !$permission) {
+        if (!$course_id || !$permission) {
             // check what permissions the current user has on the playlist
             $uperm = $playlist->getUserPerm();
 
-            if (empty($uperm) || !$uperm)
-            {
+            if (empty($uperm) || !$uperm) {
                 throw new \AccessDeniedException();
             }
         }
@@ -53,7 +54,7 @@ public function __invoke(Request $request, Response $response, $args)
 
         $ret = [];
         foreach ($videos['videos'] as $video) {
-            $video_array = $video->toSanitizedArray($params['cid'], $playlist->id);
+            $video_array = $video->toSanitizedArray($course_id, $playlist->id);
             if (!empty($video_array['perm']) && ($video_array['perm'] == 'owner' || $video_array['perm'] == 'write'))
             {
                 $video_array['perms'] = $video->perms->toSanitizedArray();

lib/Routes/Tags/TagListForPlaylistVideos.php

@@ -20,6 +20,7 @@ public function __invoke(Request $request, Response $response, $args)
         global $perm;
 
         $params = $request->getQueryParams();
+        $course_id = isset($params['cid']) ? $params['cid'] : null;
 
         // first, check if user has access to this playlist
         $playlist = Playlists::findOneByToken($args['token']);
@@ -29,13 +30,14 @@ public function __invoke(Request $request, Response $response, $args)
 
         // check if playlist is connected to the passed course and user is part of that course as well
         $permission = false;
-        if ($params['cid']) {
-            if ($perm->have_studip_perm('user', $params['cid'])) {
+        if ($course_id && !empty($playlist->courses)) {
+            $playlist_connected_courses_ids = array_column($playlist->courses->toArray(), 'id');
+            if ($perm->have_studip_perm('user', $course_id) && in_array($course_id, $playlist_connected_courses_ids)) {
                 $permission = true;
             }
         }
 
-        if (!$params['cid'] || !$permission) {
+        if (!$course_id || !$permission) {
             // check what permissions the current user has on the playlist
             $uperm = $playlist->getUserPerm();
 
@@ -45,7 +47,7 @@ public function __invoke(Request $request, Response $response, $args)
             }
         }
 
-        $ret = Tags::getPlaylistVideosTags($playlist->id, $params['cid']);
+        $ret = Tags::getPlaylistVideosTags($playlist->id, $course_id);
 
         return $this->createResponse($ret, $response->withStatus(200));
     }

lib/Routes/Video/VideoCopyToCourse.php

@@ -23,7 +23,8 @@ public function __invoke(Request $request, Response $response, $args)
         global $perm, $user;
 
         $course_id = $args['course_id'];
-        if (!$perm->have_studip_perm('tutor', $course_id)) {
+        $required_course_perm = \Config::get()->OPENCAST_TUTOR_EPISODE_PERM ? 'tutor' : 'dozent';
+        if (!$perm->have_studip_perm($required_course_perm, $course_id)) {
             throw new \AccessDeniedException();
         }
 

vueapp/components/Playlists/PlaylistAddVideos.vue

@@ -68,10 +68,6 @@ export default {
     },
 
     props: {
-        canEdit: {
-            type: Boolean,
-            default: true,
-        },
         canUpload: {
             type: Boolean,
             default: true,

vueapp/components/Videos/VideoRow.vue

@@ -15,7 +15,7 @@
         <td v-if="showCheckbox">
             <input type="checkbox" :checked="isChecked" @click.stop="toggleVideo">
         </td>
-        <td v-else-if="canUpload">
+        <td v-else-if="userHasSelectableVideos && canUpload">
         </td>
 
         <td class="oc--playercontainer">
@@ -199,14 +199,6 @@ export default {
             type: Number,
             required: true
         },
-        canMoveUp: {
-            type: Boolean,
-            default: false
-        },
-        canMoveDown: {
-            type: Boolean,
-            default: false
-        },
         selectable: {
             type: Boolean,
             default: false
@@ -225,6 +217,10 @@ export default {
         showActions: {
             type: Boolean,
             default: true
+        },
+        userHasSelectableVideos: {
+            type: Boolean,
+            default: false
         }
     },
 

vueapp/components/Videos/VideosTable.vue

@@ -93,6 +93,7 @@
                         :showActions="showActions"
                         @doAction="doAction"
                         @redirectAction="redirectAction"
+                        :userHasSelectableVideos="userHasSelectableVideos"
                     ></VideoRow>
                 </template>
             </draggable>
@@ -101,7 +102,7 @@
                 <tr>
                     <td :colspan="numberOfColumns">
                         <span class="oc--bulk-actions">
-                            <StudipButton v-if="canUpload" icon="remove" @click.prevent="removeVideosFromPlaylist" :disabled="!hasCheckedVideos">
+                            <StudipButton v-if="canUpload && userHasSelectableVideos" icon="remove" @click.prevent="removeVideosFromPlaylist" :disabled="!hasCheckedVideos">
                                 {{ $gettext('Aus Wiedergabeliste entfernen') }}
                             </StudipButton>
                         </span>
@@ -305,11 +306,11 @@ export default {
         ]),
 
         numberOfColumns() {
-          return 7 - (this.showCheckbox ? 0 : 1) - (this.showActions ? 0 : 1);
+            return 7 - (this.showCheckbox ? 0 : 1) - (this.showActions ? 0 : 1);
         },
 
         showCheckbox() {
-            return this.selectable || this.canEdit || this.canUpload;
+            return (this.selectable || this.canEdit || this.canUpload) && this.userHasSelectableVideos;
         },
 
         isCourse() {
@@ -348,6 +349,14 @@ export default {
             }
         },
 
+        userHasSelectableVideos() {
+            let has_videos_with_write_perm = false;
+            if (this.loadedVideos.length > 0) {
+                has_videos_with_write_perm = this.loadedVideos.filter(v => v.perm == 'write' || v.perm == 'owner').length > 0;
+            }
+            return has_videos_with_write_perm;
+        },
+
         serversCheckSuccessful() {
             return Object.values(this.isLTIAuthenticated).every(server => server);
         }

vueapp/views/Course.vue

@@ -19,7 +19,6 @@
         />
 
         <PlaylistAddVideos v-if="showPlaylistAddVideosDialog"
-            :canEdit="canEdit"
             :canUpload="canUpload"
             @done="closePlaylistAddVideosDialog"
             @cancel="closePlaylistAddVideosDialog"