PermsHelper::canSaveMap() - Code Metrics - Inspection of "Folders tree compact view" - bedita/manager - Measure and Improve Code Quality continuously with Scrutinizer

Passed

Pull Request — master (#1275)

by Dante

created 2025-08-07 13:39 UTC

PermsHelper::canSaveMap() A

↳ Parent: PermsHelper

Complexity

Conditions	2
Paths	2

Size

Total Lines	9
Code Lines	5

Duplication

Lines	0
Ratio	0 %

Importance

Changes

Metric	Value
cc	2
eloc	5
nc	2
nop	0
dl	0
loc	9
rs	10
c	0
b	0
f	0

<?php
/**
 * BEdita, API-first content management framework
 * Copyright 2021 ChannelWeb Srl, Chialab Srl
 *
 * This file is part of BEdita: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published
 * by the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * See LICENSE.LGPL or <http://gnu.org/licenses/lgpl-3.0.html> for more details.
 */
namespace App\View\Helper;

use BEdita\WebTools\ApiClientProvider;
use Cake\Utility\Hash;
use Cake\View\Helper;

/**
 * Helper class to handle permissions on modules.
 */
class PermsHelper extends Helper
{
    /**
     * API methods allowed in current module
     *
     * @var array
     */
    protected $current = [];

    /**
     * API methods allowed in all modules
     *
     * @var array
     */
    protected $allowed = [];

    /**
     * Permissions on folders enabled flag
     *
     * @var bool
     */
    protected $permissionsOnFolders = false;

    /**
     * {@inheritDoc}
     *
     * Init API and WebAPP base URL
     *
     * @return  void
     */
    public function initialize(array $config): void
    {
        $modules = (array)$this->_View->get('modules');
        // using foreach instead of Hash::combine
        // to avoid RuntimeError "Hash::combine() needs an equal number of keys + values"
        foreach ($modules as $name => $module) {
            if (Hash::check($module, 'hints.allow')) {
                $this->allowed[$name] = Hash::get($module, 'hints.allow');
            }
        }
        $currentModule = (array)$this->_View->get('currentModule');
        $this->current = (array)Hash::get($currentModule, 'hints.allow');
        $schema = (array)$this->_View->get('foldersSchema');
        $this->permissionsOnFolders = in_array('Permissions', (array)Hash::get($schema, 'associations'));
    }

    /**
     * Check lock/unlock permission.
     *
     * @return bool
     */
    public function canLock(): bool
    {
        return $this->userIsAdmin();
    }

    /**
     * Check create permission.
     *
     * @param string|null $module Module name
     * @return bool
     */
    public function canCreate(?string $module = null): bool
    {
        return $this->isAllowed('POST', $module) && $this->userIsAllowed($module);
    }

    /**
     * Return modules that can be created by the authenticated user.
     *
     * @return array
     */
    public function canCreateModules(): array
    {
        $modules = array_keys((array)$this->_View->get('modules'));

        return array_values(
            array_filter(
                $modules,
                function ($module) {
                    return $this->canCreate($module);
                }
            )
        );
    }

    /**
     * Check delete permission.
     *
     * @param array $object The object
     * @return bool
     */
    public function canDelete(array $object): bool
    {
        $locked = (bool)Hash::get($object, 'meta.locked', false);
        if ($locked === false) {
            $locked = $this->isLockedByParents((string)Hash::get($object, 'id'));
        }
        $module = (string)Hash::get($object, 'type');

        return !$locked && $this->isAllowed('DELETE', $module) && $this->userIsAllowed($module);
    }

    /**
     * Check save permission.
     *
     * @param string|null $module Module name
     * @return bool
     */
    public function canSave(?string $module = null): bool
    {
        return $this->userIsAdmin() || ($this->isAllowed('PATCH', $module) && $this->userIsAllowed($module));
    }

    /**
     * Map of modules and their save permissions for the authenticated user.
     *
     * @return array
     */
    public function canSaveMap(): array
    {
        $modules = array_keys((array)$this->_View->get('modules'));
        $map = [];
        foreach ($modules as $module) {
            $map[$module] = $this->canSave($module);
        }

        return $map;
    }

    /**
     * Check read permission.
     *
     * @param string|null $module Module name
     * @return bool
     */
    public function canRead(?string $module = null): bool
    {
        return $this->isAllowed('GET', $module);
    }

    /**
     * Check if a method is allowed on a module.
     *
     * @param string $method Method to check
     * @param string|null $module Module name, if missing or null current module is used.
     * @return bool
     */
    protected function isAllowed(string $method, ?string $module = null): bool
    {
        if (empty($module)) {
            if (empty($this->current)) {
                return true;
            }

            return in_array($method, $this->current);
        }

        $allowed = (array)Hash::get($this->allowed, $module);

        return in_array($method, $allowed);
    }

    /**
     * Access string (can be 'read', 'write', 'hidden') per role and module.
     *
     * @param array $accessControl The access control array
     * @param string $roleName The role name
     * @param string $moduleName The module name
     * @return string
     */
    public function access(array $accessControl, string $roleName, string $moduleName): string
    {
        $roleAccesses = Hash::get($accessControl, $roleName, []);
        if (empty($roleAccesses)) {
            return 'write';
        }
        $hiddenModules = Hash::get($roleAccesses, 'hidden', []);
        if (in_array($moduleName, $hiddenModules)) {
            return 'hidden';
        }
        $readonlyModules = Hash::get($roleAccesses, 'readonly', []);

        return in_array($moduleName, $readonlyModules) ? 'read' : 'write';
    }

    /**
     * Return true if authenticated user has role admin
     *
     * @return bool
     */
    public function userIsAdmin(): bool
    {
        return in_array('admin', $this->userRoles());
    }

    /**
     * Check permissions for user if object is a folder.
     *
     * @param string|null $module The module, if passed.
     * @return bool
     */
    public function userIsAllowed(?string $module): bool
    {
        $objectType = !empty($module) ? $module : $this->_View->get('objectType');
        if ($this->permissionsOnFolders === false || $objectType !== 'folders' || $this->userIsAdmin()) {
            return true;
        }

        $object = $this->_View->get('object');
        $permsRoles = (array)Hash::get((array)$object, 'meta.perms.roles');
        if (empty($permsRoles)) {
            return true;
        }

        return !empty(array_intersect($permsRoles, $this->userRoles()));
    }

    /**
     * Return authenticated user roles
     *
     * @return array
     */
    public function userRoles(): array
    {
        /** @var \Authentication\Identity|null $identity */
        $identity = $this->_View->get('user');

        return empty($identity) ? [] : (array)$identity->get('roles');
    }

    /**
     * Return true if object is locked by parents.
     * When user is admin, return false.
     * When user is not admin, return true if at least one parent is locked for user.
     * Return false otherwise
     *
     * @param string $id The object id
     * @return bool
     */
    public function isLockedByParents(string $id): bool
    {
        if ($this->permissionsOnFolders === false || $this->userIsAdmin()) {
            return false;
        }
        $apiClient = ApiClientProvider::getApiClient();
        $response = (array)$apiClient->get(sprintf('/objects/%s?include=parents', $id));
        $included = (array)Hash::get($response, 'included', []);
        if (empty($included)) {
            return false;
        }
        $roles = $this->userRoles();
        foreach ($included as $data) {
            $metaPermsRoles = (array)Hash::get($data, 'meta.perms.roles');
            if (empty($metaPermsRoles)) {
                continue;
            }
            if (count(array_intersect($roles, $metaPermsRoles)) === 0) {
                return true;
            }
        }

        return false;
    }
}


1			<?php
2			/**
3			* BEdita, API-first content management framework
4			* Copyright 2021 ChannelWeb Srl, Chialab Srl
5			*
6			* This file is part of BEdita: you can redistribute it and/or modify
7			* it under the terms of the GNU Lesser General Public License as published
8			* by the Free Software Foundation, either version 3 of the License, or
9			* (at your option) any later version.
10			*
11			* See LICENSE.LGPL or <http://gnu.org/licenses/lgpl-3.0.html> for more details.
12			*/
13			namespace App\View\Helper;
14
15			use BEdita\WebTools\ApiClientProvider;
16			use Cake\Utility\Hash;
17			use Cake\View\Helper;
18
19			/**
20			* Helper class to handle permissions on modules.
21			*/
22			class PermsHelper extends Helper
23			{
24			/**
25			* API methods allowed in current module
26			*
27			* @var array
28			*/
29			protected $current = [];
30
31			/**
32			* API methods allowed in all modules
33			*
34			* @var array
35			*/
36			protected $allowed = [];
37
38			/**
39			* Permissions on folders enabled flag
40			*
41			* @var bool
42			*/
43			protected $permissionsOnFolders = false;
44
45			/**
46			* {@inheritDoc}
47			*
48			* Init API and WebAPP base URL
49			*
50			* @return void
51			*/
52			public function initialize(array $config): void
53			{
54			$modules = (array)$this->_View->get('modules');
55			// using foreach instead of Hash::combine
56			// to avoid RuntimeError "Hash::combine() needs an equal number of keys + values"
57			foreach ($modules as $name => $module) {
58			if (Hash::check($module, 'hints.allow')) {
59			$this->allowed[$name] = Hash::get($module, 'hints.allow');
60			}
61			}
62			$currentModule = (array)$this->_View->get('currentModule');
63			$this->current = (array)Hash::get($currentModule, 'hints.allow');
64			$schema = (array)$this->_View->get('foldersSchema');
65			$this->permissionsOnFolders = in_array('Permissions', (array)Hash::get($schema, 'associations'));
66			}
67
68			/**
69			* Check lock/unlock permission.
70			*
71			* @return bool
72			*/
73			public function canLock(): bool
74			{
75			return $this->userIsAdmin();
76			}
77
78			/**
79			* Check create permission.
80			*
81			* @param string\|null $module Module name
82			* @return bool
83			*/
84			public function canCreate(?string $module = null): bool
85			{
86			return $this->isAllowed('POST', $module) && $this->userIsAllowed($module);
87			}
88
89			/**
90			* Return modules that can be created by the authenticated user.
91			*
92			* @return array
93			*/
94			public function canCreateModules(): array
95			{
96			$modules = array_keys((array)$this->_View->get('modules'));
97
98			return array_values(
99			array_filter(
100			$modules,
101			function ($module) {
102			return $this->canCreate($module);
103			}
104			)
105			);
106			}
107
108			/**
109			* Check delete permission.
110			*
111			* @param array $object The object
112			* @return bool
113			*/
114			public function canDelete(array $object): bool
115			{
116			$locked = (bool)Hash::get($object, 'meta.locked', false);
117			if ($locked === false) {
118			$locked = $this->isLockedByParents((string)Hash::get($object, 'id'));
119			}
120			$module = (string)Hash::get($object, 'type');
121
122			return !$locked && $this->isAllowed('DELETE', $module) && $this->userIsAllowed($module);
123			}
124
125			/**
126			* Check save permission.
127			*
128			* @param string\|null $module Module name
129			* @return bool
130			*/
131			public function canSave(?string $module = null): bool
132			{
133			return $this->userIsAdmin() \|\| ($this->isAllowed('PATCH', $module) && $this->userIsAllowed($module));
134			}
135
136			/**
137			* Map of modules and their save permissions for the authenticated user.
138			*
139			* @return array
140			*/
141			public function canSaveMap(): array
142			{
143			$modules = array_keys((array)$this->_View->get('modules'));
144			$map = [];
145			foreach ($modules as $module) {
146			$map[$module] = $this->canSave($module);
147			}
148
149			return $map;
150			}
151
152			/**
153			* Check read permission.
154			*
155			* @param string\|null $module Module name
156			* @return bool
157			*/
158			public function canRead(?string $module = null): bool
159			{
160			return $this->isAllowed('GET', $module);
161			}
162
163			/**
164			* Check if a method is allowed on a module.
165			*
166			* @param string $method Method to check
167			* @param string\|null $module Module name, if missing or null current module is used.
168			* @return bool
169			*/
170			protected function isAllowed(string $method, ?string $module = null): bool
171			{
172			if (empty($module)) {
173			if (empty($this->current)) {
174			return true;
175			}
176
177			return in_array($method, $this->current);
178			}
179
180			$allowed = (array)Hash::get($this->allowed, $module);
181
182			return in_array($method, $allowed);
183			}
184
185			/**
186			* Access string (can be 'read', 'write', 'hidden') per role and module.
187			*
188			* @param array $accessControl The access control array
189			* @param string $roleName The role name
190			* @param string $moduleName The module name
191			* @return string
192			*/
193			public function access(array $accessControl, string $roleName, string $moduleName): string
194			{
195			$roleAccesses = Hash::get($accessControl, $roleName, []);
196			if (empty($roleAccesses)) {
197			return 'write';
198			}
199			$hiddenModules = Hash::get($roleAccesses, 'hidden', []);
200			if (in_array($moduleName, $hiddenModules)) {
201			return 'hidden';
202			}
203			$readonlyModules = Hash::get($roleAccesses, 'readonly', []);
204
205			return in_array($moduleName, $readonlyModules) ? 'read' : 'write';
206			}
207
208			/**
209			* Return true if authenticated user has role admin
210			*
211			* @return bool
212			*/
213			public function userIsAdmin(): bool
214			{
215			return in_array('admin', $this->userRoles());
216			}
217
218			/**
219			* Check permissions for user if object is a folder.
220			*
221			* @param string\|null $module The module, if passed.
222			* @return bool
223			*/
224			public function userIsAllowed(?string $module): bool
225			{
226			$objectType = !empty($module) ? $module : $this->_View->get('objectType');
227			if ($this->permissionsOnFolders === false \|\| $objectType !== 'folders' \|\| $this->userIsAdmin()) {
228			return true;
229			}
230
231			$object = $this->_View->get('object');
232			$permsRoles = (array)Hash::get((array)$object, 'meta.perms.roles');
233			if (empty($permsRoles)) {
234			return true;
235			}
236
237			return !empty(array_intersect($permsRoles, $this->userRoles()));
238			}
239
240			/**
241			* Return authenticated user roles
242			*
243			* @return array
244			*/
245			public function userRoles(): array
246			{
247			/** @var \Authentication\Identity\|null $identity */
248			$identity = $this->_View->get('user');
249
250			return empty($identity) ? [] : (array)$identity->get('roles');
251			}
252
253			/**
254			* Return true if object is locked by parents.
255			* When user is admin, return false.
256			* When user is not admin, return true if at least one parent is locked for user.
257			* Return false otherwise
258			*
259			* @param string $id The object id
260			* @return bool
261			*/
262			public function isLockedByParents(string $id): bool
263			{
264			if ($this->permissionsOnFolders === false \|\| $this->userIsAdmin()) {
265			return false;
266			}
267			$apiClient = ApiClientProvider::getApiClient();
268			$response = (array)$apiClient->get(sprintf('/objects/%s?include=parents', $id));
269			$included = (array)Hash::get($response, 'included', []);
270			if (empty($included)) {
271			return false;
272			}
273			$roles = $this->userRoles();
274			foreach ($included as $data) {
275			$metaPermsRoles = (array)Hash::get($data, 'meta.perms.roles');
276			if (empty($metaPermsRoles)) {
277			continue;
278			}
279			if (count(array_intersect($roles, $metaPermsRoles)) === 0) {
280			return true;
281			}
282			}
283
284			return false;
285			}
286			}
287

bedita / manager

Pull Request — master (#1275)

PermsHelper::canSaveMap() A

Complexity

Size

Duplication

Importance

Duplication Side-by-Side

Filter issues like