User Group & ACLs updates

Apply new permissions methods

Author: smg6511

Diff for: core/src/Revolution/Processors/Security/Access/UserGroup/AccessNamespace/GetList.php

@@ -42,6 +42,13 @@ class GetList extends GetListProcessor
     /** @var modUserGroup $userGroup */
     public $userGroup;
 
+    /** @var bool $canCreate Whether user can assign a new Category ACL entry for a given User Group */
+    public $canCreate = false;
+    /** @var bool $canEdit Whether user can change a Category ACL entry for a given User Group */
+    public $canEdit = false;
+    /** @var bool $canRemove Whether user can remove a Category ACL entry for a given User Group */
+    public $canRemove = false;
+
     /**
      * @return bool
      */
@@ -64,6 +71,15 @@ public function initialize()
         if ($this->getProperty('sort') == 'role_display') {
             $this->setProperty('sort', 'authority');
         }
+        /*
+            Currently, all actions essentially relate to editing a User Group.
+            Nonetheless, we maintain each separately to remain consistent with how permissions
+            are relayed throughout the MODX app
+        */
+        $canChange = $this->modx->hasPermission('usergroup_edit') && $this->modx->hasPermission('usergroup_save');
+        $this->canCreate = $canChange;
+        $this->canEdit = $canChange;
+        $this->canRemove = $canChange;
         return $initialized;
     }
 
@@ -142,33 +158,31 @@ public function useSecondaryGroupCondition(string $sortBy, string $groupBy, stri
      */
     public function prepareRow(xPDOObject $object)
     {
-        $objectArray = $object->toArray();
-        if (empty($objectArray['name'])) {
-            $objectArray['name'] = '(' . $this->modx->lexicon('none') . ')';
+        $permissions = [
+            'create' => $this->canCreate,
+            'update' => $this->canEdit,
+            'delete' => $this->canRemove
+        ];
+
+        $aclData = $object->toArray();
+        if (empty($aclData['name'])) {
+            $aclData['name'] = '(' . $this->modx->lexicon('none') . ')';
         }
-        $objectArray['authority_name'] = !empty($objectArray['role_name'])
-            ? $objectArray['role_name'] . ' - ' . $objectArray['authority']
-            : $objectArray['authority']
+        $aclData['authority_name'] = !empty($aclData['role_name'])
+            ? $aclData['role_name'] . ' - ' . $aclData['authority']
+            : $aclData['authority']
             ;
 
         /* get permissions list */
-        $data = $objectArray['policy_data'];
-        unset($objectArray['policy_data']);
+        $aclData['policyPermissions'] = [];
+        $data = $aclData['policy_data'];
+        unset($aclData['policy_data']);
         $data = $this->modx->fromJSON($data);
         if (!empty($data)) {
-            $permissions = [];
-            foreach ($data as $permission => $enabled) {
-                if (!$enabled) {
-                    continue;
-                }
-                $permissions[] = $permission;
-            }
-            $objectArray['permissions'] = implode(', ', $permissions);
+            $aclData['policyPermissions'] = array_keys($data, 1);
         }
+        $aclData['permissions'] = $permissions;
 
-        $cls = 'pedit premove';
-        $objectArray['cls'] = $cls;
-
-        return $objectArray;
+        return $aclData;
     }
 }

Diff for: core/src/Revolution/Processors/Security/Access/UserGroup/Category/GetList.php

@@ -43,6 +43,13 @@ class GetList extends GetListProcessor
     /** @var modUserGroup $userGroup */
     public $userGroup;
 
+    /** @var bool $canCreate Whether user can assign a new Category ACL entry for a given User Group */
+    public $canCreate = false;
+    /** @var bool $canEdit Whether user can change a Category ACL entry for a given User Group */
+    public $canEdit = false;
+    /** @var bool $canRemove Whether user can remove a Category ACL entry for a given User Group */
+    public $canRemove = false;
+
     /**
      * @return bool
      */
@@ -65,6 +72,15 @@ public function initialize()
         if ($this->getProperty('sort') == 'role_display') {
             $this->setProperty('sort', 'authority');
         }
+        /*
+            Currently, all actions essentially relate to editing a User Group.
+            Nonetheless, we maintain each separately to remain consistent with how permissions
+            are relayed throughout the MODX app
+        */
+        $canChange = $this->modx->hasPermission('usergroup_edit') && $this->modx->hasPermission('usergroup_save');
+        $this->canCreate = $canChange;
+        $this->canEdit = $canChange;
+        $this->canRemove = $canChange;
         return $initialized;
     }
 
@@ -143,33 +159,35 @@ public function useSecondaryGroupCondition(string $sortBy, string $groupBy, stri
      */
     public function prepareRow(xPDOObject $object)
     {
-        $objectArray = $object->toArray();
-        if (empty($objectArray['name'])) {
-            $objectArray['name'] = '(' . $this->modx->lexicon('none') . ')';
+        $permissions = [
+            'create' => $this->canCreate,
+            'update' => $this->canEdit,
+            'delete' => $this->canRemove
+        ];
+
+        $aclData = $object->toArray();
+        if (empty($aclData['name'])) {
+            $aclData['name'] = '(' . $this->modx->lexicon('none') . ')';
         }
 
         /* get permissions list */
-        $data = $objectArray['policy_data'];
-        unset($objectArray['policy_data']);
+        $aclData['policyPermissions'] = [];
+        $data = $aclData['policy_data'];
+        unset($aclData['policy_data']);
         $data = $this->modx->fromJSON($data);
         if (!empty($data)) {
-            $permissions = [];
-            foreach ($data as $permission => $enabled) {
-                if (!$enabled) {
-                    continue;
-                }
-                $permissions[] = $permission;
-            }
-            $objectArray['permissions'] = implode(', ', $permissions);
+            $aclData['policyPermissions'] = array_keys($data, 1);
         }
-
-        $cls = '';
-        if (($objectArray['target'] === 'web' || $objectArray['target'] === 'mgr') && $objectArray['policy_name'] === 'Administrator' && ($this->userGroup && $this->userGroup->get('name') === 'Administrator')) {
-        } else {
-            $cls .= 'pedit premove';
+        if (
+            in_array($aclData['target'], ['web', 'mgr'])
+            && $aclData['policy_name'] === 'Administrator'
+            && ($this->userGroup && $this->userGroup->get('name') === 'Administrator')
+        ) {
+            $permissions['edit'] = false;
+            $permissions['delete'] = false;
         }
-        $objectArray['cls'] = $cls;
+        $aclData['permissions'] = $permissions;
 
-        return $objectArray;
+        return $aclData;
     }
 }

Diff for: core/src/Revolution/Processors/Security/Access/UserGroup/Context/GetList.php

@@ -41,6 +41,13 @@ class GetList extends GetListProcessor
     /** @var modUserGroup $userGroup */
     public $userGroup;
 
+    /** @var bool $canCreate Whether user can assign a new Context ACL entry for a given User Group */
+    public $canCreate = false;
+    /** @var bool $canEdit Whether user can change a Context ACL entry for a given User Group */
+    public $canEdit = false;
+    /** @var bool $canRemove Whether user can remove a Context ACL entry for a given User Group */
+    public $canRemove = false;
+
     /**
      * @return mixed
      */
@@ -63,6 +70,15 @@ public function initialize()
         if ($this->getProperty('sort') == 'role_display') {
             $this->setProperty('sort', 'authority');
         }
+        /*
+            Currently, all actions essentially relate to editing a User Group.
+            Nonetheless, we maintain each separately to remain consistent with how permissions
+            are relayed throughout the MODX app
+        */
+        $canChange = $this->modx->hasPermission('usergroup_edit') && $this->modx->hasPermission('usergroup_save');
+        $this->canCreate = $canChange;
+        $this->canEdit = $canChange;
+        $this->canRemove = $canChange;
         return $initialized;
     }
 
@@ -135,37 +151,35 @@ public function useSecondaryGroupCondition(string $sortBy, string $groupBy, stri
      */
     public function prepareRow(xPDOObject $object)
     {
-        $objectArray = $object->toArray();
-        if (empty($objectArray['name'])) {
-            $objectArray['name'] = '(' . $this->modx->lexicon('none') . ')';
+        $permissions = [
+            'create' => $this->canCreate,
+            'update' => $this->canEdit,
+            'delete' => $this->canRemove
+        ];
+
+        $aclData = $object->toArray();
+        if (empty($aclData['name'])) {
+            $aclData['name'] = '(' . $this->modx->lexicon('none') . ')';
         }
 
         /* get permissions list */
-        $data = $objectArray['policy_data'];
-        unset($objectArray['policy_data']);
+        $aclData['policyPermissions'] = [];
+        $data = $aclData['policy_data'];
+        unset($aclData['policy_data']);
         $data = $this->modx->fromJSON($data);
         if (!empty($data)) {
-            $permissions = [];
-            foreach ($data as $permission => $enabled) {
-                if (!$enabled) {
-                    continue;
-                }
-                $permissions[] = $permission;
-            }
-            $objectArray['permissions'] = implode(', ', $permissions);
+            $aclData['policyPermissions'] = array_keys($data, 1);
         }
-
-        $cls = '';
         if (
-            ($objectArray['target'] === 'web' || $objectArray['target'] === 'mgr')
-            && $objectArray['policy_name'] === 'Administrator'
+            in_array($aclData['target'], ['web', 'mgr'])
+            && $aclData['policy_name'] === 'Administrator'
             && ($this->userGroup && $this->userGroup->get('name') === 'Administrator')
         ) {
-        } else {
-            $cls .= 'pedit premove';
+            $permissions['edit'] = false;
+            $permissions['delete'] = false;
         }
-        $objectArray['cls'] = $cls;
+        $aclData['permissions'] = $permissions;
 
-        return $objectArray;
+        return $aclData;
     }
 }

Diff for: core/src/Revolution/Processors/Security/Access/UserGroup/ResourceGroup/GetList.php

@@ -43,6 +43,13 @@ class GetList extends GetListProcessor
     /** @var modUserGroup $userGroup */
     public $userGroup;
 
+    /** @var bool $canCreate Whether user can assign a new Resource Group ACL entry for a given User Group */
+    public $canCreate = false;
+    /** @var bool $canEdit Whether user can change a Resource Group ACL entry for a given User Group */
+    public $canEdit = false;
+    /** @var bool $canRemove Whether user can remove a Resource Group ACL entry for a given User Group */
+    public $canRemove = false;
+
     /**
      * @return bool
      */
@@ -65,6 +72,16 @@ public function initialize()
         if ($this->getProperty('sort') == 'role_display') {
             $this->setProperty('sort', 'authority');
         }
+        /*
+            Currently, all actions essentially relate to editing a User Group.
+            Nonetheless, we maintain each separately to remain consistent with how permissions
+            are relayed throughout the MODX app
+        */
+        $canChange = $this->modx->hasPermission('usergroup_edit') && $this->modx->hasPermission('usergroup_save');
+        $this->canCreate = $canChange;
+        $this->canEdit = $canChange;
+        $this->canRemove = $canChange;
+
         return $initialized;
     }
 
@@ -143,36 +160,35 @@ public function useSecondaryGroupCondition(string $sortBy, string $groupBy, stri
      */
     public function prepareRow(xPDOObject $object)
     {
-        $objectArray = $object->toArray();
-        if (empty($objectArray['name'])) {
-            $objectArray['name'] = '(' . $this->modx->lexicon('none') . ')';
+        $permissions = [
+            'create' => $this->canCreate,
+            'update' => $this->canEdit,
+            'delete' => $this->canRemove
+        ];
+
+        $aclData = $object->toArray();
+        if (empty($aclData['name'])) {
+            $aclData['name'] = '(' . $this->modx->lexicon('none') . ')';
         }
 
         /* get permissions list */
-        $data = $objectArray['policy_data'];
-        unset($objectArray['policy_data']);
+        $aclData['policyPermissions'] = [];
+        $data = $aclData['policy_data'];
+        unset($aclData['policy_data']);
         $data = $this->modx->fromJSON($data);
         if (!empty($data)) {
-            foreach ($data as $permission => $enabled) {
-                if (!$enabled) {
-                    continue;
-                }
-                $permissions[] = $permission;
-            }
-            $objectArray['permissions'] = implode(', ', $permissions);
+            $aclData['policyPermissions'] = array_keys($data, 1);
         }
-
-        $cls = '';
         if (
-            ($objectArray['target'] === 'web' || $objectArray['target'] == 'mgr')
-            && $objectArray['policy_name'] === 'Administrator'
+            in_array($aclData['target'], ['web', 'mgr'])
+            && $aclData['policy_name'] === 'Administrator'
             && ($this->userGroup && $this->userGroup->get('name') === 'Administrator')
         ) {
-        } else {
-            $cls .= 'pedit premove';
+            $permissions['edit'] = false;
+            $permissions['delete'] = false;
         }
-        $objectArray['cls'] = $cls;
+        $aclData['permissions'] = $permissions;
 
-        return $objectArray;
+        return $aclData;
     }
 }