CHIEFSOFT\ameye
89 lines
3.2 KiB
PHP
89 lines
3.2 KiB
PHP
<?php
|
|
/**
|
|
* @file classes/security/authorization/PluginAccessPolicy.php
|
|
*
|
|
* Copyright (c) 2014-2021 Simon Fraser University
|
|
* Copyright (c) 2000-2021 John Willinsky
|
|
* Distributed under the GNU GPL v3. For full terms see the file docs/COPYING.
|
|
*
|
|
* @class PluginAccessPolicy
|
|
*
|
|
* @ingroup security_authorization
|
|
*
|
|
* @brief Class to control access to plugins.
|
|
*/
|
|
|
|
namespace PKP\security\authorization;
|
|
|
|
use PKP\core\PKPRequest;
|
|
use PKP\security\authorization\internal\PluginLevelRequiredPolicy;
|
|
use PKP\security\authorization\internal\PluginRequiredPolicy;
|
|
use PKP\security\Role;
|
|
|
|
class PluginAccessPolicy extends PolicySet
|
|
{
|
|
public const ACCESS_MODE_MANAGE = 1;
|
|
public const ACCESS_MODE_ADMIN = 2;
|
|
|
|
/**
|
|
* Constructor
|
|
*
|
|
* @param PKPRequest $request
|
|
* @param array $args request arguments
|
|
* @param array $roleAssignments
|
|
* @param int $accessMode
|
|
*/
|
|
public function __construct($request, &$args, $roleAssignments, $accessMode = self::ACCESS_MODE_ADMIN)
|
|
{
|
|
parent::__construct();
|
|
|
|
// A valid plugin is required.
|
|
$this->addPolicy(new PluginRequiredPolicy($request));
|
|
|
|
// Managers and site admin have access to plugins. We'll have to define
|
|
// differentiated policies for those roles in a policy set.
|
|
$pluginAccessPolicy = new PolicySet(PolicySet::COMBINING_PERMIT_OVERRIDES);
|
|
$pluginAccessPolicy->setEffectIfNoPolicyApplies(AuthorizationPolicy::AUTHORIZATION_DENY);
|
|
|
|
//
|
|
// Managerial role
|
|
//
|
|
if (isset($roleAssignments[Role::ROLE_ID_MANAGER])) {
|
|
if ($accessMode & self::ACCESS_MODE_MANAGE) {
|
|
// Managers have edit settings access mode...
|
|
$managerPluginAccessPolicy = new PolicySet(PolicySet::COMBINING_DENY_OVERRIDES);
|
|
$managerPluginAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, Role::ROLE_ID_MANAGER, $roleAssignments[Role::ROLE_ID_MANAGER]));
|
|
|
|
// ...only to context-level plugins.
|
|
$managerPluginAccessPolicy->addPolicy(new PluginLevelRequiredPolicy($request, true));
|
|
|
|
$pluginAccessPolicy->addPolicy($managerPluginAccessPolicy);
|
|
}
|
|
}
|
|
|
|
//
|
|
// Site administrator role
|
|
//
|
|
if (isset($roleAssignments[Role::ROLE_ID_SITE_ADMIN])) {
|
|
// Site admin have access to all plugins...
|
|
$siteAdminPluginAccessPolicy = new PolicySet(PolicySet::COMBINING_DENY_OVERRIDES);
|
|
$siteAdminPluginAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, Role::ROLE_ID_SITE_ADMIN, $roleAssignments[Role::ROLE_ID_SITE_ADMIN]));
|
|
|
|
if ($accessMode & self::ACCESS_MODE_MANAGE) {
|
|
// ...of site level only.
|
|
$siteAdminPluginAccessPolicy->addPolicy(new PluginLevelRequiredPolicy($request, false));
|
|
}
|
|
|
|
$pluginAccessPolicy->addPolicy($siteAdminPluginAccessPolicy);
|
|
}
|
|
|
|
$this->addPolicy($pluginAccessPolicy);
|
|
}
|
|
}
|
|
|
|
if (!PKP_STRICT_MODE) {
|
|
class_alias('\PKP\security\authorization\PluginAccessPolicy', '\PluginAccessPolicy');
|
|
define('ACCESS_MODE_MANAGE', PluginAccessPolicy::ACCESS_MODE_MANAGE);
|
|
define('ACCESS_MODE_ADMIN', PluginAccessPolicy::ACCESS_MODE_ADMIN);
|
|
}
|