Adjusting ACLs to reflect user-group locking and handle security for …
…exam groups.
krulis-martin committed Jan 8, 2024
1 parent 1a6fe15 commit aebe872
Showing 7 changed files with 197 additions and 36 deletions.
31 changes: 28 additions & 3 deletions app/V1Module/security/Policies/AssignmentPermissionPolicy.php
@@ -34,9 +34,21 @@ public function isPublic(Identity $identity, Assignment $assignment)

public function isVisible(Identity $identity, Assignment $assignment)
{
$user = $identity->getUserData();
if ($user === null) {
return false;
}

$now = new DateTime();
return $assignment->isPublic() &&
($assignment->getVisibleFrom() === null || $assignment->getVisibleFrom() <= $now);
$group = $assignment->getGroup();
if (!$group || ($group->isExam() && $now < $group->getExamBegin())) {
return false; // exam groups hide all assignments before the exam starts
}

$visibleFromOk = $assignment->getVisibleFrom() === null || $assignment->getVisibleFrom() <= $now;
return $assignment->isPublic() && $visibleFromOk &&
// not an exam, or it over (so the assignments are visible to all), or the student is currently doing it
(!$group->isExam() || $group->getExamEnd() < $now || $user->getGroupLock()?->getId() === $group->getId());
}

public function isInActiveGroup(Identity $identity, Assignment $assignment)
@@ -48,7 +60,6 @@ public function isInActiveGroup(Identity $identity, Assignment $assignment)
public function isAssignee(Identity $identity, Assignment $assignment)
{
$user = $identity->getUserData();

if ($user === null) {
return false;
}
@@ -79,4 +90,18 @@ public function isObserverOrBetter(Identity $identity, Assignment $assignment)

return $group && ($group->isObserverOf($user) || $group->isSupervisorOf($user) || $group->isAdminOf($user));
}

/**
* Current user is either not locked at all, or locked to this group (where the assignment is).
*/
public function userIsNotLockedElsewhere(Identity $identity, Assignment $assignment): bool
{
$user = $identity->getUserData();
$group = $assignment->getGroup();
if ($user === null || $group === null || $group->isArchived()) {
return false;
}

return !$user->isGroupLocked() || $user->getGroupLock()->getId() === $group->getId();
}
}
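Review bot: The exam-window comparisons in `isVisible` (`$now < $group->getExamBegin()` and `$group->getExamEnd() < $now`) have no null guard, so they fail open if an exam group can exist without both dates set. Under PHP's loose comparison a null begin makes the pre-exam check false and a null end makes the "exam is over" branch true, which would show the assignment to every user who otherwise passes the policy. Whether the getters can return null while `isExam()` is true is not visible in this diff; if they can, deny explicitly first, e.g. `if ($group->isExam() && (!$group->getExamBegin() || !$group->getExamEnd())) { return false; }`. The same unguarded comparison appears in `isExamOver` in GroupPermissionPolicy.php.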
@@ -95,4 +95,18 @@ public function isInActiveGroup(Identity $identity, AssignmentSolution $solution
$group = $assignment->getGroup();
return $group && !$group->isArchived(); // active = not deleted and not archived
}

/**
* Current user is either not locked at all, or locked in the group where the solution is.
*/
public function userIsNotLockedElsewhere(Identity $identity, AssignmentSolution $solution): bool
{
$user = $identity->getUserData();
$group = $solution->getAssignment()?->getGroup();
if ($user === null || $group === null || $group->isArchived()) {
return false;
}

return !$user->isGroupLocked() || $user->getGroupLock()->getId() === $group->getId();
}
}
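Review bot: `userIsNotLockedElsewhere` dereferences `$user->getGroupLock()->getId()` without the nullsafe operator, relying on `isGroupLocked()` being true only when a lock object exists; that invariant lives in the User entity, which this diff does not show. Writing `$user->getGroupLock()?->getId() === $group->getId()` would turn a broken invariant into a denied permission instead of a fatal error inside an authorization check. The identical return line is repeated in AssignmentPermissionPolicy.php and GroupPermissionPolicy.php, so a single shared helper for the lock comparison would keep the three policies from drifting apart.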
6 changes: 6 additions & 0 deletions app/V1Module/security/Policies/CommentPermissionPolicy.php
@@ -83,4 +83,10 @@ public function isSupervisorInGroupOfCommentedAssignment(Identity $identity, Com
$group = $assignment->getGroup();
return $group && ($group->isSupervisorOf($user) || $group->isAdminOf($user));
}

public function userIsNotGroupLocked(Identity $identity, Comment $comment): bool
{
$user = $identity->getUserData();
return $user && !$user->isGroupLocked();
}
}
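Review bot: `userIsNotGroupLocked` has no docblock and never reads `$comment`, so a reader cannot tell whether denying every comment action to a locked user, including comments that belong to the group they are locked to, is deliberate. A short docblock would settle it, e.g. `/** Current user is not locked to any group; a locked user gets no access to comments, whatever the thread. */` — adjust the wording if the intent differs. The same undocumented method is added to the new CommentThreadPermissionPolicy.php.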
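--- /dev/null
+++ b/app/V1Module/security/Policies/CommentThreadPermissionPolicy.php
@@ -0,0 +1,20 @@
+<?php
+
+namespace App\Security\Policies;
+
+use App\Model\Entity\CommentThread;
+use App\Security\Identity;
+
+class CommentThreadPermissionPolicy implements IPermissionPolicy
+{
+public function getAssociatedClass()
+{
+return CommentThread::class;
+}
+
+public function userIsNotGroupLocked(Identity $identity, CommentThread $thread): bool
+{
+$user = $identity->getUserData();
+return $user && !$user->isGroupLocked();
+}
+}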
37 changes: 37 additions & 0 deletions app/V1Module/security/Policies/GroupPermissionPolicy.php
@@ -98,9 +98,46 @@ function ($key, Instance $instance) use ($group) {
);
}

public function isNotExam(Identity $identity, Group $group): bool
{
return !$group->isExam();
}

public function isExamInProgress(Identity $identity, Group $group): bool
{
$now = new DateTime();
return $group->isExam() && $group->getExamBegin() <= $now && $now <= $group->getExamEnd();
}

public function isExamOver(Identity $identity, Group $group): bool
{
$now = new DateTime();
return $group->isExam() && $group->getExamEnd() < $now;
}

/**
* Current user is locked to the selected group.
*/
public function userIsLocked(Identity $identity, Group $group): bool
{
$user = $identity->getUserData();
if ($user === null) {
return false;
}

return $user->getGroupLock()?->getId() === $group->getId();
}

/**
* Current user is either not locked at all, or locked to this group.
*/
public function userIsNotLockedElsewhere(Identity $identity, Group $group): bool
{
$user = $identity->getUserData();
if ($user === null) {
return false;
}

return !$user->isGroupLocked() || $user->getGroupLock()->getId() === $group->getId();
}
}
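Review bot: `userIsLocked` decides on `getGroupLock()` alone, whereas `userIsNotLockedElsewhere` directly below it first asks `isGroupLocked()`. If the User entity can report `isGroupLocked()` as false while `getGroupLock()` still returns a group (for instance a lock that has expired but was not cleared — not visible in this diff), the two predicates disagree and `userIsLocked` would keep granting lock-based access. Making the dependency explicit avoids that: `return $user->isGroupLocked() && $user->getGroupLock()?->getId() === $group->getId();`. The last condition of `isVisible` in AssignmentPermissionPolicy.php uses the same `getGroupLock()?->getId()` test.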
1 change: 1 addition & 0 deletions app/config/config.neon
@@ -254,6 +254,7 @@ acl:
user: App\Security\Policies\UserPermissionPolicy
assignment: App\Security\Policies\AssignmentPermissionPolicy
comment: App\Security\Policies\CommentPermissionPolicy
thread: App\Security\Policies\CommentThreadPermissionPolicy
exercise: App\Security\Policies\ExercisePermissionPolicy
referenceExerciseSolution: App\Security\Policies\ReferenceExerciseSolutionPermissionPolicy
assignmentSolution: App\Security\Policies\AssignmentSolutionPermissionPolicy