Posted to commits@airavata.apache.org by ma...@apache.org on 2017/02/15 14:38:40 UTC
[06/12] airavata-php-gateway git commit: AIRAVATA-2312 Adds
'initial-role-name' to pga_config.php
AIRAVATA-2312 Adds 'initial-role-name' to pga_config.php
'initial-role-name' defaults to 'user-pending' but can be customized to
automatically assign new users to the given role. The main use case for
this is to set 'initial-role-name' to 'gateway-user' to provide new
users access to the gateway without needing admin intervention.
Project: http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/repo
Commit: http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/commit/9765c1e2
Tree: http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/tree/9765c1e2
Diff: http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/diff/9765c1e2
Branch: refs/heads/dreg-gateway
Commit: 9765c1e250992c9ee870243081795e6aa2312948
Parents: 773e542
Author: Marcus Christie <ma...@iu.edu>
Authored: Thu Feb 9 11:17:49 2017 -0500
Committer: Marcus Christie <ma...@iu.edu>
Committed: Thu Feb 9 11:17:49 2017 -0500
----------------------------------------------------------------------
app/config/pga_config.php.template | 8 ++++++
app/controllers/AccountController.php | 9 +++---
app/controllers/AdminController.php | 44 ++++++++++++++++++++++--------
app/libraries/CommonUtilities.php | 4 +++
4 files changed, 50 insertions(+), 15 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/blob/9765c1e2/app/config/pga_config.php.template
----------------------------------------------------------------------
diff --git a/app/config/pga_config.php.template b/app/config/pga_config.php.template
index ac378f6..8370364 100644
--- a/app/config/pga_config.php.template
+++ b/app/config/pga_config.php.template
@@ -24,6 +24,14 @@ return array(
'user-role-name' => 'Internal/everyone',
/**
+ * Initial user role. This is the initial user role assigned to a new
+ * user. Set this to one of the three roles above to automatically
+ * grant new users that role, or set to some other role ('user-pending')
+ * to require admin approval before users have access.
+ */
+ 'initial-role-name' => 'user-pending',
+
+ /**
* Tenant Domain
*/
'tenant-domain' => 'master.airavata',
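Review bot: The new docblock for 'initial-role-name' presents all "three roles above" as equally suitable values, but the AdminController section of this commit shows that those three are the admin, read-only admin and user roles. Because the value is applied to every newly registered account, pointing it at either admin role would hand that role to anyone who signs up. I would add a line such as `* Only the 'user-role-name' value is appropriate here; never use the admin or read-only admin role.` and describe 'user-pending' as the default rather than as "some other role".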
http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/blob/9765c1e2/app/controllers/AccountController.php
----------------------------------------------------------------------
diff --git a/app/controllers/AccountController.php b/app/controllers/AccountController.php
index 1490ee1..a9ac6b4 100644
--- a/app/controllers/AccountController.php
+++ b/app/controllers/AccountController.php
@@ -56,14 +56,15 @@ class AccountController extends BaseController
WSIS::registerUserAccount($username, $password, $email, $first_name, $last_name, $organization, $address, $country, $telephone, $mobile, $im, $url,
Config::get('pga_config.wsis')['tenant-domain']);
- /*add user to role - user-pending */
+ /*add user to the initial role */
+ $initialRoleName = CommonUtilities::getInitialRoleName();
$allRoles = WSIS::getAllRoles();
- if(! in_array( "user-pending", $allRoles)){
- WSIS::addRole( "user-pending");
+ if(! in_array( $initialRoleName, $allRoles)){
+ WSIS::addRole( $initialRoleName);
}
- $userRoles["new"] = "user-pending";
+ $userRoles["new"] = $initialRoleName;
if( Config::get('pga_config.portal')['super-admin-portal'] == true ){
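Review bot: Registration now assigns whatever string `CommonUtilities::getInitialRoleName()` returns, and creates that role through `WSIS::addRole()` when it is missing, without checking the value. A configuration that names the admin or read-only admin role would therefore give that role to every self-registered account, so I would reject those values before the `in_array` test: `$wsis = Config::get('pga_config.wsis');` followed by `if (in_array($initialRoleName, array($wsis['admin-role-name'], $wsis['read-only-admin-role-name']), true)) { $initialRoleName = 'user-pending'; }`. The existing `in_array( $initialRoleName, $allRoles)` would also be safer with the strict third argument. The enclosing method starts and ends outside this hunk.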
http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/blob/9765c1e2/app/controllers/AdminController.php
----------------------------------------------------------------------
diff --git a/app/controllers/AdminController.php b/app/controllers/AdminController.php
index 1ecce03..6dd27bd 100644
--- a/app/controllers/AdminController.php
+++ b/app/controllers/AdminController.php
@@ -236,22 +236,44 @@ class AdminController extends BaseController {
$recipients = array($userProfile["email"]);
$this->sendAccessGrantedEmailToTheUser(Input::get("username"), $recipients);
- // remove the pending role when access is granted, unless
- // the admin is trying to add the user to the pending role
- if(in_array("user-pending", $newCurrentRoles) && !in_array("user-pending", $roles["new"])) {
- $userRoles["new"] = array();
- $userRoles["deleted"] = "user-pending";
- WSIS::updateUserRoles( $username, $userRoles);
- } else if(in_array("user-pending", $newCurrentRoles) && in_array("user-pending", $roles["new"])) {
- // When user-pending role added remove all roles except for user-pending and Internal/everyone
- $userRoles["new"] = array();
- $userRoles["deleted"] = array_diff($newCurrentRoles, array("user-pending", "Internal/everyone"));
- WSIS::updateUserRoles( $username, $userRoles);
+ // remove the initial role when the initial role isn't a privileged
+ // role and the admin has now assigned the user to a privileged
+ // role, unless the admin is trying to add the user back to the
+ // initial role
+ if (!$this->isInitialRoleOneOfPrivilegedRoles()) {
+
+ $initialRoleName = CommonUtilities::getInitialRoleName();
+ if(in_array($initialRoleName, $newCurrentRoles) && !in_array($initialRoleName, $roles["new"])) {
+ $userRoles["new"] = array();
+ $userRoles["deleted"] = $initialRoleName;
+ WSIS::updateUserRoles( $username, $userRoles);
+ } else if(in_array($initialRoleName, $newCurrentRoles) && in_array($initialRoleName, $roles["new"])) {
+ // When initial role added remove all roles except for initial role and Internal/everyone
+ $userRoles["new"] = array();
+ $userRoles["deleted"] = array_diff($newCurrentRoles, array($initialRoleName, "Internal/everyone"));
+ WSIS::updateUserRoles( $username, $userRoles);
+ }
}
}
return Redirect::to("admin/dashboard/roles")->with( "message", "Roles has been added.");
}
+ /*
+ * Return true if the initial-role-name is one of the three privileged
+ * roles. This is used to figure out whether the initial-role-name is a
+ * 'user-pending' kind of role (returns false), or whether the initial role
+ * is a privileged role (returns true) and no admin intervention is
+ * necessary.
+ */
+ private function isInitialRoleOneOfPrivilegedRoles() {
+
+ $initialRoleName = CommonUtilities::getInitialRoleName();
+ $adminRoleName = Config::get("pga_config.wsis")["admin-role-name"];
+ $adminReadOnlyRoleName = Config::get("pga_config.wsis")["read-only-admin-role-name"];
+ $userRoleName = Config::get("pga_config.wsis")["user-role-name"];
+ return in_array($initialRoleName, array($adminRoleName, $adminReadOnlyRoleName, $userRoleName));
+ }
+
public function removeRoleFromUser(){
$roles["deleted"] = array(Input::all()["roleName"]);
$roles["new"] = array();
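Review bot: The pending-role cleanup is now keyed to the current value of 'initial-role-name', so accounts registered under an earlier value (for example the previously hard-coded 'user-pending') keep that old role when an admin grants access after the setting has changed. Whether a leftover role matters depends on checks this hunk does not show, but the block comment above `if (!$this->isInitialRoleOneOfPrivilegedRoles())` should say so, e.g. `// NOTE: only the currently configured initial role is removed; roles left from an earlier 'initial-role-name' need manual cleanup.` Separately, `$userRoles["deleted"]` is a string in the first branch and an array in the second; `array($initialRoleName)` would match what `removeRoleFromUser()` passes. The enclosing method begins outside the hunk.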
http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/blob/9765c1e2/app/libraries/CommonUtilities.php
----------------------------------------------------------------------
diff --git a/app/libraries/CommonUtilities.php b/app/libraries/CommonUtilities.php
index 585016f..53f790e 100644
--- a/app/libraries/CommonUtilities.php
+++ b/app/libraries/CommonUtilities.php
@@ -438,5 +438,9 @@ class CommonUtilities
return false;
}
}
+
+ public static function getInitialRoleName() {
+ return Config::get('pga_config.wsis.initial-role-name', 'user-pending');
+ }
}
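Review bot: `getInitialRoleName()` returns the configured value unchanged, and the `'user-pending'` default presumably applies only when the key is absent, so an empty or non-string 'initial-role-name' would flow straight into `WSIS::addRole()` and the role assignment at registration. Falling back inside this helper keeps every caller on the restrictive default: `$role = Config::get('pga_config.wsis.initial-role-name', 'user-pending');` then `return (is_string($role) && $role !== '') ? $role : 'user-pending';`. A short docblock stating the default and that the value is used verbatim as a role name would also help.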