The UnityPerms class will be defined in resources/lib/UnityPerms.php. It will be responsible for determining whether a user is authorized to perform an action on another.
The class should have a constructor that accepts the $USER and $SQL var.
You will then create a method for each permission, which returns true if the user $uid has permission to perform the action on $operated_on in the group $group. For example, the following is sequential for the unity.approve_user permission:
checkApproveUser($uid, $operated_on, $group)
Return false if $uid is not in $group
Get the assigned role that $uid has in $group
Return true if the assigned role has the permission unity.admin or unity.admin_no_grant
Return false if the assigned role doesn't have the unity.approve_user permission
Return false if $operated_on's assigned role's priority is higher than or equal to $uid's assigned role priority
Otherwise return true
You will then create similar methods for:
unity.approve_user - Allows user to approve a user within a group
unity.deny_user - Allows user to deny a user within a group
unity.grant_role - Allows user to grant any role with a lower priority than theirs
unity.revoke_role - Allows user to revoke any role with a lower priority than theirs
These permissions exist but do not need methods like above since they are blanket permissions:
unity.admin_no_grant - Allows for every permission within a group, but you cannot make others admins
unity.admin - Allows for every permission within a group, including assigning this permission
This issue will involve creating helper methods in UnitySQL for the queries, as well as creating the UnityPerms class, which is new. It could be helpful to include helper private methods in UnityPerms for getting the assigned role of a user within a group, or any other repeated code that happens in the checkXYZ methods defined above. Also note that the assign role and revoke role check methods will require an additional parameter $role to check whether the role they are trying to assign is able to be assigned.
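A sketch of the checkApproveUser sequence described in the issue, added here as an illustration and not taken from the project's code. The FakeSQL stub and its method names (getRole, roleHasPerm, getPriority) are hypothetical stand-ins for the UnitySQL helpers, and the group, users and roles are constructed sample data. It assumes a larger number means a higher priority and that a target with no role in the group (a pending user) ranks lowest.

```php
<?php
// Added example, not project code. FakeSQL stands in for UnitySQL; its
// method names (getRole, roleHasPerm, getPriority) are hypothetical.
class FakeSQL
{
    // Constructed sample data: group => uid => role, and role => definition.
    private $members = ["pi_lab" => ["alice" => "manager", "bob" => "member", "root" => "owner"]];
    private $roles = [
        "owner"   => ["priority" => 100, "perms" => ["unity.admin"]],
        "manager" => ["priority" => 50,  "perms" => ["unity.approve_user"]],
        "member"  => ["priority" => 10,  "perms" => []],
    ];
    public function getRole($uid, $group) { return $this->members[$group][$uid] ?? null; }
    public function roleHasPerm($role, $perm) { return in_array($perm, $this->roles[$role]["perms"] ?? [], true); }
    public function getPriority($role) { return $this->roles[$role]["priority"] ?? null; }
}

class UnityPerms
{
    private $USER;
    private $SQL;
    public function __construct($USER, $SQL)
    {
        $this->USER = $USER;
        $this->SQL = $SQL;
    }

    public function checkApproveUser($uid, $operated_on, $group)
    {
        $role = $this->SQL->getRole($uid, $group);
        if ($role === null) {
            return false; // $uid is not in $group
        }
        if ($this->SQL->roleHasPerm($role, "unity.admin") || $this->SQL->roleHasPerm($role, "unity.admin_no_grant")) {
            return true; // blanket permissions short-circuit the remaining checks
        }
        if (!$this->SQL->roleHasPerm($role, "unity.approve_user")) {
            return false;
        }
        // Assumption: a target with no role in $group (a pending user) has the lowest priority.
        $target_role = $this->SQL->getRole($operated_on, $group);
        $target_priority = $target_role === null ? PHP_INT_MIN : $this->SQL->getPriority($target_role);
        return $target_priority < $this->SQL->getPriority($role); // equal priority is denied
    }
}

// $USER is not used by this check, so null is passed as a placeholder.
$perms = new UnityPerms(null, new FakeSQL());
foreach ([["alice", "bob"], ["alice", "carol"], ["bob", "alice"], ["alice", "root"], ["root", "alice"], ["mallory", "bob"]] as [$actor, $target]) {
    printf("%s on %s: %s\n", $actor, $target, var_export($perms->checkApproveUser($actor, $target, "pi_lab"), true));
}
```

The membership check runs first and uses a strict null comparison, so a caller outside the group is rejected before any role or permission lookup happens.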