Merge pull request #28 from kdambekalns/feature/edit-roles

kdambekalns · web-flow · commit 028720f4f0ed · 2021-03-22T15:27:10.000+01:00
FEATURE: Allow to edit roles assigned to users
diff --git a/Classes/Controller/ModuleController.php b/Classes/Controller/ModuleController.php
@@ -19,6 +19,8 @@
 use Neos\Flow\Persistence\Exception\IllegalObjectTypeException;
 use Neos\Flow\Security\Account;
 use Neos\Flow\Security\AccountRepository;
+use Neos\Flow\Security\Policy\PolicyService;
+use Neos\Flow\Security\Policy\Role;
 use Neos\Neos\Controller\Module\AbstractModuleController;
 use Neos\Neos\Domain\Exception as NeosDomainException;
 use Neos\Neos\Domain\Model\User;
@@ -35,6 +37,12 @@ class ModuleController extends AbstractModuleController
      */
     protected $userService;
 
+    /**
+     * @Flow\Inject
+     * @var PolicyService
+     */
+    protected $policyService;
+
     /**
      * @Flow\Inject
      * @var AccountRepository
@@ -96,14 +104,13 @@ public function showAction(User $user): void
     /**
      * Renders a form for creating a new user
      *
-     * @param User $user
      * @return void
      */
-    public function newAction(User $user = null): void
+    public function newAction(): void
     {
         $this->view->assignMultiple([
             'currentUser' => $this->currentUser,
-            'user' => $user
+            'availableRoles' => $this->getFrontendUserRoles()
         ]);
     }
 
@@ -113,24 +120,31 @@ public function newAction(User $user = null): void
      * @param string $username The user name (ie. account identifier) of the new user
      * @param array $password Expects an array in the format array('<password>', '<password confirmation>')
      * @param User $user The user to create
-     * @param \DateTime $expirationDate
+     * @param \DateTime|null $expirationDate
+     * @param array $roleIdentifiers Identifiers of roles to assign to account
      * @return void
      * @Flow\Validate(argumentName="username", type="\Neos\Flow\Validation\Validator\NotEmptyValidator")
      * @Flow\Validate(argumentName="username", type="\Neos\Neos\Validation\Validator\UserDoesNotExistValidator")
      * @Flow\Validate(argumentName="password", type="\Neos\Neos\Validation\Validator\PasswordValidator", options={ "allowEmpty"=0, "minimum"=1, "maximum"=255 })
      */
-    public function createAction($username, array $password, User $user, ?\DateTime $expirationDate): void
+    public function createAction(string $username, array $password, User $user, ?\DateTime $expirationDate, array $roleIdentifiers = []): void
     {
-        $user = $this->userService->addUser($username, $password[0], $user, [self::$roleIdentifier], self::$authenticationProviderName);
+        // make sure self::$roleIdentifier is always added
+        $roleIdentifiersToSet = array_unique(array_merge($roleIdentifiers, [self::$roleIdentifier]));
+        if ($this->onlyFrontendRoles($roleIdentifiersToSet)) {
+            $user = $this->userService->addUser($username, $password[0], $user, $roleIdentifiersToSet, self::$authenticationProviderName);
 
-        if ($expirationDate !== null) {
-            /** @var Account $account */
-            $account = $user->getAccounts()->first();
-            $expirationDate->setTime(0, 0, 0);
-            $account->setExpirationDate($expirationDate);
-        }
+            if ($expirationDate !== null) {
+                /** @var Account $account */
+                $account = $user->getAccounts()->first();
+                $expirationDate->setTime(0, 0);
+                $account->setExpirationDate($expirationDate);
+            }
 
-        $this->addFlashMessage('The user "%s" has been created.', 'User created', Message::SEVERITY_OK, [htmlspecialchars($username)], 1416225561);
+            $this->addFlashMessage('The user "%s" has been created.', 'User created', Message::SEVERITY_OK, [htmlspecialchars($username)], 1416225561);
+        } else {
+            $this->throwStatus(403, 'Not allowed to assign the given roles');
+        }
         $this->redirect('index');
     }
 
@@ -209,7 +223,8 @@ public function editAccountAction(Account $account): void
             $this->view->assignMultiple([
                 'account' => $account,
                 'user' => $this->userService->getUser($account->getAccountIdentifier(), $account->getAuthenticationProviderName()),
-                'expirationDate' => $account->getExpirationDate()
+                'expirationDate' => $account->getExpirationDate(),
+                'availableRoles' => $this->getFrontendUserRoles()
             ]);
         } else {
             $this->throwStatus(403, 'Not allowed to edit that account');
@@ -220,25 +235,37 @@ public function editAccountAction(Account $account): void
      * Update a given account
      *
      * @param Account $account The account to update
+     * @param array $roleIdentifiers Identifiers of roles to assign to account
      * @param array $password Expects an array in the format array('<password>', '<password confirmation>')
      * @Flow\Validate(argumentName="password", type="\Neos\Neos\Validation\Validator\PasswordValidator", options={ "allowEmpty"=1, "minimum"=1, "maximum"=255 })
      * @return void
      * @throws NeosDomainException
      * @throws IllegalObjectTypeException
      * @throws UnsupportedRequestTypeException
      */
-    public function updateAccountAction(Account $account, array $password = []): void
+    public function updateAccountAction(Account $account, array $roleIdentifiers = [], array $password = []): void
     {
         if ($this->checkAccount($account)) {
-            $user = $this->userService->getUser($account->getAccountIdentifier(), $account->getAuthenticationProviderName());
-            $password = array_shift($password);
-            if (trim((string)$password) !== '') {
-                $this->userService->setUserPassword($user, $password);
-            }
-            $this->accountRepository->update($account);
+            // make sure self::$roleIdentifier is always added
+            $roleIdentifiersToSet = array_unique(array_merge($roleIdentifiers, [self::$roleIdentifier]));
+
+            if ($this->onlyFrontendRoles($roleIdentifiersToSet)) {
+                // add any non-FE roles from the current roles to keep them unchanged
+                $roleIdentifiersToSet = $this->addExistingNonFrontendUserRoles($roleIdentifiersToSet, $account);
 
-            $this->addFlashMessage('The account has been updated.', 'Account updated', Message::SEVERITY_OK);
-            $this->redirect('edit', null, null, ['user' => $user]);
+                $this->userService->setRolesForAccount($account, $roleIdentifiersToSet);
+                $user = $this->userService->getUser($account->getAccountIdentifier(), $account->getAuthenticationProviderName());
+                $password = array_shift($password);
+                if (trim((string)$password) !== '') {
+                    $this->userService->setUserPassword($user, $password);
+                }
+                $this->accountRepository->update($account);
+
+                $this->addFlashMessage('The account has been updated.', 'Account updated');
+                $this->redirect('edit', null, null, ['user' => $user]);
+            } else {
+                $this->throwStatus(403, 'Not allowed to assign the given roles');
+            }
         } else {
             $this->throwStatus(403, 'Not allowed to update that account');
         }
@@ -293,4 +320,77 @@ protected function checkAccount(Account $account): bool
 
         return false;
     }
+
+    /**
+     * Returns all roles that are (indirect) heirs of self::$roleIdentifier
+     *
+     * @return Role[] indexed by role identifier
+     */
+    protected function getFrontendUserRoles(): array
+    {
+        $availableRoles = $this->policyService->getRoles();
+        return array_filter($availableRoles, static function (Role $role) {
+            return $role->getIdentifier() === self::$roleIdentifier || array_key_exists(self::$roleIdentifier, $role->getAllParentRoles());
+        });
+    }
+
+    /**
+     * Returns an array with all roles of a user's accounts, including parent roles, the "Everybody" role and the
+     * "AuthenticatedUser" role, assuming that the user is logged in.
+     *
+     * @param Account $account
+     * @return Role[] indexed by role identifier
+     */
+    private function getAllRolesForAccount(Account $account): array
+    {
+        $roles = [];
+        $accountRoles = $account->getRoles();
+        foreach ($accountRoles as $currentRole) {
+            if (!in_array($currentRole, $roles, true)) {
+                $roles[$currentRole->getIdentifier()] = $currentRole;
+            }
+            foreach ($currentRole->getAllParentRoles() as $currentParentRole) {
+                if (!in_array($currentParentRole, $roles, true)) {
+                    $roles[$currentParentRole->getIdentifier()] = $currentParentRole;
+                }
+            }
+        }
+
+        return $roles;
+    }
+
+    /**
+     * Returns whether it is allowed to add/remove the changed roles.
+     *
+     * - Roles not being "FE user roles" can never be set
+     *
+     * @param array $roleIdentifiersToSet
+     * @return bool
+     */
+    private function onlyFrontendRoles(array $roleIdentifiersToSet): bool
+    {
+        $frontendUserRoleIdentifiers = array_keys($this->getFrontendUserRoles());
+
+        return array_diff($roleIdentifiersToSet, $frontendUserRoleIdentifiers) === [];
+    }
+
+    /**
+     * Add any non-FE roles from the current $account roles to $roleIdentifiersToSet
+     *
+     * @param array $roleIdentifiersToSet
+     * @param Account $account
+     * @return array
+     */
+    protected function addExistingNonFrontendUserRoles(array $roleIdentifiersToSet, Account $account): array
+    {
+        return array_unique(array_merge(
+            $roleIdentifiersToSet,
+            array_keys(array_filter(
+                $this->getAllRolesForAccount($account),
+                static function (Role $role) {
+                    return !$role->isAbstract() && !($role->getIdentifier() === self::$roleIdentifier || array_key_exists(self::$roleIdentifier, $role->getAllParentRoles()));
+                }
+            ))
+        ));
+    }
 }
diff --git a/Resources/Private/Templates/Module/EditAccount.html b/Resources/Private/Templates/Module/EditAccount.html
@@ -43,6 +43,18 @@ <h2>{neos:backend.translate(source: 'Modules', package: 'Neos.Neos', id: 'users.
                             <f:render partial="Module/Shared/FieldValidationResults" arguments="{fieldname: 'expirationDate'}"/>
                         </div>
                     </div>
+
+                    <div class="neos-control-group">
+                        <label class="neos-control-label">{neos:backend.translate(id: 'users.roles', source: 'Modules', package: 'Neos.Neos')}</label>
+                        <f:for each="{availableRoles}" as="role" iteration="rolesIteration">
+                            <div class="neos-controls">
+                                <label for="roles-{rolesIteration.cycle}" class="neos-checkbox" title="{role.packageKey}" data-neos-toggle="tooltip" data-placement="right">
+                                    <f:form.checkbox name="roleIdentifiers" multiple="true" value="{role.identifier}" id="roles-{rolesIteration.cycle}" checked="{f:security.ifHasRole(role: role, account: account, then: true, else: false)}"  disabled="{role.identifier} == 'Flowpack.Neos.FrontendLogin:User'}"/><span></span>
+                                    {role.name}
+                                </label>
+                            </div>
+                        </f:for>
+                    </div>
                 </fieldset>
             </div>
 
diff --git a/Resources/Private/Templates/Module/New.html b/Resources/Private/Templates/Module/New.html
@@ -42,6 +42,18 @@ <h2>{neos:backend.translate(id: 'user.new.subtitle', value: 'Create a new user',
                         <f:render partial="Module/Shared/FieldValidationResults" arguments="{fieldname: 'expirationDate'}"/>
                     </div>
                 </div>
+
+                <div class="neos-control-group">
+                    <label class="neos-control-label">{neos:backend.translate(id: 'users.roles', source: 'Modules', package: 'Neos.Neos')}</label>
+                    <f:for each="{availableRoles}" as="role" iteration="rolesIteration">
+                        <div class="neos-controls">
+                            <label for="roles-{rolesIteration.cycle}" class="neos-checkbox" title="{role.packageKey}" data-neos-toggle="tooltip" data-placement="right">
+                                <f:form.checkbox name="roleIdentifiers" multiple="true" value="{role.identifier}" id="roles-{rolesIteration.cycle}" checked="{f:if(condition: '{role.identifier} == \'Flowpack.Neos.FrontendLogin:User\'', then: true, else: false)}" disabled="{role.identifier} == 'Flowpack.Neos.FrontendLogin:User'}"/><span></span>
+                                {role.name}
+                            </label>
+                        </div>
+                    </f:for>
+                </div>
             </fieldset>
 
             <fieldset class="neos-span5 neos-offset1">
