first commit

2024-06-08 17:09:23 -04:00
commit df3a033196
17887 changed files with 8637778 additions and 0 deletions
@@ -0,0 +1,88 @@
+<?php
+/**
+ * @file classes/security/authorization/PluginAccessPolicy.php
+ *
+ * Copyright (c) 2014-2021 Simon Fraser University
+ * Copyright (c) 2000-2021 John Willinsky
+ * Distributed under the GNU GPL v3. For full terms see the file docs/COPYING.
+ *
+ * @class PluginAccessPolicy
+ *
+ * @ingroup security_authorization
+ *
+ * @brief Class to control access to plugins.
+ */
+
+namespace PKP\security\authorization;
+
+use PKP\core\PKPRequest;
+use PKP\security\authorization\internal\PluginLevelRequiredPolicy;
+use PKP\security\authorization\internal\PluginRequiredPolicy;
+use PKP\security\Role;
+
+class PluginAccessPolicy extends PolicySet
+{
+    public const ACCESS_MODE_MANAGE = 1;
+    public const ACCESS_MODE_ADMIN = 2;
+
+    /**
+     * Constructor
+     *
+     * @param PKPRequest $request
+     * @param array $args request arguments
+     * @param array $roleAssignments
+     * @param int $accessMode
+     */
+    public function __construct($request, &$args, $roleAssignments, $accessMode = self::ACCESS_MODE_ADMIN)
+    {
+        parent::__construct();
+
+        // A valid plugin is required.
+        $this->addPolicy(new PluginRequiredPolicy($request));
+
+        // Managers and site admin have access to plugins. We'll have to define
+        // differentiated policies for those roles in a policy set.
+        $pluginAccessPolicy = new PolicySet(PolicySet::COMBINING_PERMIT_OVERRIDES);
+        $pluginAccessPolicy->setEffectIfNoPolicyApplies(AuthorizationPolicy::AUTHORIZATION_DENY);
+
+        //
+        // Managerial role
+        //
+        if (isset($roleAssignments[Role::ROLE_ID_MANAGER])) {
+            if ($accessMode & self::ACCESS_MODE_MANAGE) {
+                // Managers have edit settings access mode...
+                $managerPluginAccessPolicy = new PolicySet(PolicySet::COMBINING_DENY_OVERRIDES);
+                $managerPluginAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, Role::ROLE_ID_MANAGER, $roleAssignments[Role::ROLE_ID_MANAGER]));
+
+                // ...only to context-level plugins.
+                $managerPluginAccessPolicy->addPolicy(new PluginLevelRequiredPolicy($request, true));
+
+                $pluginAccessPolicy->addPolicy($managerPluginAccessPolicy);
+            }
+        }
+
+        //
+        // Site administrator role
+        //
+        if (isset($roleAssignments[Role::ROLE_ID_SITE_ADMIN])) {
+            // Site admin have access to all plugins...
+            $siteAdminPluginAccessPolicy = new PolicySet(PolicySet::COMBINING_DENY_OVERRIDES);
+            $siteAdminPluginAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, Role::ROLE_ID_SITE_ADMIN, $roleAssignments[Role::ROLE_ID_SITE_ADMIN]));
+
+            if ($accessMode & self::ACCESS_MODE_MANAGE) {
+                // ...of site level only.
+                $siteAdminPluginAccessPolicy->addPolicy(new PluginLevelRequiredPolicy($request, false));
+            }
+
+            $pluginAccessPolicy->addPolicy($siteAdminPluginAccessPolicy);
+        }
+
+        $this->addPolicy($pluginAccessPolicy);
+    }
+}
+
+if (!PKP_STRICT_MODE) {
+    class_alias('\PKP\security\authorization\PluginAccessPolicy', '\PluginAccessPolicy');
+    define('ACCESS_MODE_MANAGE', PluginAccessPolicy::ACCESS_MODE_MANAGE);
+    define('ACCESS_MODE_ADMIN', PluginAccessPolicy::ACCESS_MODE_ADMIN);
+}