Merge pull request #4452 from ushahidi/feat/permissions

feat: add "Delete Posts" and "Delete Own Posts" permissions

migrations/20220720100637_add_delete_posts_permission.php

@@ -0,0 +1,34 @@
+<?php
+
+use Phinx\Migration\AbstractMigration;
+
+class AddDeletePostsPermission extends AbstractMigration
+{
+ /**
+ * Run the migrations.
+ *
+ * @return void
+ */
+ public function up()
+ {
+ $this->execute("INSERT INTO permissions (name, description)
+ VALUES ('Delete Posts', 'Delete Posts')");
+
+ $this->execute("INSERT INTO roles_permissions(`role`,`permission`) 
+ SELECT `role`,'Delete Posts' FROM roles_permissions WHERE `permission` = 'Manage Posts'
+ ");
+ }
+
+ /**
+ * Reverse the migrations.
+ *
+ * @return void
+ */
+ public function down()
+ {
+
+ $this->execute("DELETE FROM permissions WHERE name = 'Delete Posts'");
+
+ $this->execute("DELETE FROM roles_permissions WHERE permission = 'Delete Posts'");
+ }
+}

migrations/20220721100747__add_delete_own_posts_permission.php

@@ -0,0 +1,33 @@
+<?php
+
+use Phinx\Migration\AbstractMigration;
+
+class AddDeleteOwnPostsPermission extends AbstractMigration
+{
+ /**
+ * Run the migrations.
+ *
+ * @return void
+ */
+ public function up()
+ {
+ $this->execute("INSERT INTO permissions (name, description)
+ VALUES ('Delete Their Own Posts', 'Delete Their Own Posts')");
+
+ $this->execute("INSERT INTO roles_permissions(`role`,`permission`) 
+ SELECT `role`,'Delete Their Own Posts' FROM roles_permissions WHERE `permission` = 'Edit their own posts'
+ ");
+ }
+
+ /**
+ * Reverse the migrations.
+ *
+ * @return void
+ */
+ public function down()
+ {
+ $this->execute("DELETE FROM permissions WHERE name = 'Delete Their Own Posts'");
+
+ $this->execute("DELETE FROM roles_permissions WHERE permission = 'Delete Their Own Posts'");
+ }
+}

src/Contracts/Permission.php

@@ -23,4 +23,6 @@ interface Permission
  const MANAGE_SETTINGS = 'Manage Settings';
  const MANAGE_USERS = 'Manage Users';
  const EDIT_OWN_POSTS = 'Edit their own posts';
+ const DELETE_POSTS = 'Delete Posts';
+ const DELETE_OWN_POSTS = 'Delete Their Own Posts';
 }

src/Core/Tools/Authorizer/PostAuthorizer.php

@@ -80,7 +80,11 @@ public function isAllowed(Entity $entity, $privilege)
  }
 
  // First check whether there is a role with the right permissions
- if ($this->acl->hasPermission($user, Permission::MANAGE_POSTS)) {
+ if (($privilege !== "delete") && ($this->acl->hasPermission($user, Permission::MANAGE_POSTS))) {
+ return true;
+ }
+
+ if (($privilege === "delete") && ($this->acl->hasPermission($user, Permission::DELETE_POSTS))) {
  return true;
  }
 
@@ -139,13 +143,21 @@ public function isAllowed(Entity $entity, $privilege)
  }
 
  // If the user is the owner of this post & they have edit own posts permission
- // they are allowed to edit or delete the post. They can't change the post status or
+ // they are allowed to edit the post. They can't change the post status or
  // ownership but those are already checked above
  if ($this->isUserOwner($entity, $user)
- && in_array($privilege, ['update', 'delete', 'lock'])
+ && in_array($privilege, ['update', 'lock'])
  && $this->acl->hasPermission($user, Permission::EDIT_OWN_POSTS)) {
  return true;
  }
+
+ // If the user is the owner of this post & they have delete own posts permission
+ // they are allowed to edit or delete the post.
+ if ($this->isUserOwner($entity, $user)
+ &&($privilege === "delete")
+ && $this->acl->hasPermission($user, Permission::DELETE_OWN_POSTS)) {
+ return true;
+ }
 
  // If the user is the owner of this post they can always view the post
  if ($this->isUserOwner($entity, $user)

tests/datasets/ushahidi/Base.yml

@@ -2631,6 +2631,12 @@ permissions:
  name: Edit their own posts
  -
  name: Manage Collections and Saved Searches
+ -
+ name: Delete Posts
+ -
+ name: Delete Their Own Posts
+
+
 roles_permissions:
  -
  role: manager
@@ -2662,6 +2668,19 @@ roles_permissions:
  -
  role: importer
  permission: Edit their own posts
+ -
+ role: user
+ permission: Delete Their Own Posts
+ -
+ role: manager
+ permission: Delete Their Own Posts
+ -
+ role: importer
+ permission: Delete Their Own Posts
+ -
+ role: manager
+ permission: Delete Posts
+
 targeted_survey_state:
  -
  post_id: 452

tests/integration/permissions.feature

@@ -7,7 +7,7 @@ Feature: Testing the Permissions API
  Then the response is JSON
  And the response has a "count" property
  And the type of the "count" property is "numeric"
- And the "count" property equals "6"
+ And the "count" property equals "8"
  Then the guzzle status code should be 200
 
  Scenario: List a single permission

v5/Policies/PostPolicy.php

@@ -140,7 +140,11 @@ public function isAllowed($entity, $privilege)
  }
 
  // First check whether there is a role with the right permissions
- if ($authorizer->acl->hasPermission($user, Permission::MANAGE_POSTS)) {
+ if (($privilege != "delete") && $authorizer->acl->hasPermission($user, Permission::MANAGE_POSTS)) {
+ return true;
+ }
+
+ if (($privilege === "delete") && ($authorizer->acl->hasPermission($user, Permission::DELETE_POSTS))) {
  return true;
  }
 
@@ -199,14 +203,22 @@ public function isAllowed($entity, $privilege)
  }
 
  // If the user is the owner of this post & they have edit own posts permission
- // they are allowed to edit or delete the post. They can't change the post status or
+ // they are allowed to edit the post. They can't change the post status or
  // ownership but those are already checked above
  if ($this->isUserOwner($entity, $user)
- && in_array($privilege, ['update', 'delete', 'lock'])
+ && in_array($privilege, ['update', 'lock'])
  && $authorizer->acl->hasPermission($user, Permission::EDIT_OWN_POSTS)) {
  return true;
  }
 
+ // If the user is the owner of this post & they have delete own posts permission
+ // they are allowed to edit or delete the post.
+ if ($this->isUserOwner($entity, $user)
+ &&($privilege === "delete")
+ && $authorizer->acl->hasPermission($user, Permission::DELETE_OWN_POSTS)) {
+ return true;
+ }
+
  // If the user is the owner of this post they can always view the post
  if ($this->isUserOwner($entity, $user)
  && in_array($privilege, ['read'])) {