<?php
namespace App\Security\Policies;
use App\Model\Entity\GroupMembership;
use App\Model\Entity\Group;
use App\Model\Entity\User;
use App\Security\Roles;
use InvalidArgumentException;
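/**
 * Base policy class providing a cached group-membership lookup reusable by other policies.
 *
 * Membership types are mapped to ascending numeric levels so a policy can require
 * "at least" a given membership type.
 */
class BasePermissionPolicy
{
    /**
     * Membership types ordered by privilege; a higher level satisfies every lower requirement.
     * Level 0 (not listed here) means "not a member".
     */
    private const MEMBERSHIPS = [
        GroupMembership::TYPE_STUDENT => 1,
        GroupMembership::TYPE_OBSERVER => 2,
        GroupMembership::TYPE_SUPERVISOR => 3,
        GroupMembership::TYPE_ADMIN => 4,
    ];

    /**
     * Resolved membership levels, indexed by user ID and then by group ID.
     *
     * The cache is static, so it is shared by every policy instance for the lifetime of the
     * PHP process. It has to be keyed by the user as well as the group: keyed by group alone,
     * a level resolved for one user would be handed to any other user evaluated later in the
     * same process. Entries are never invalidated, so a membership change made after the
     * first lookup is not reflected until the process ends.
     *
     * @var array<int|string, array<int|string, int>>
     */
    private static array $membershipCache = [];

    /**
     * Get the numeric membership level of a user in a group, using the static cache.
     *
     * @param User $user user whose membership is evaluated
     * @param Group $group group in which the membership is evaluated
     * @return int one of the MEMBERSHIPS levels, or 0 when the user is not a member
     */
    protected function getMembershipLevel(User $user, Group $group): int
    {
        // NOTE(review): relies on User::getId() returning a stable identifier usable as
        // an array key, the same way Group::getId() is used here. Confirm.
        $uid = $user->getId();
        $gid = $group->getId();

        // Entities without an identifier cannot be told apart in the cache, so they bypass it.
        if ($uid === null || $gid === null) {
            return $this->resolveMembershipLevel($user, $group);
        }

        // isset() is sufficient here because cached values are always integers, never null.
        if (!isset(self::$membershipCache[$uid][$gid])) {
            self::$membershipCache[$uid][$gid] = $this->resolveMembershipLevel($user, $group);
        }
        return self::$membershipCache[$uid][$gid];
    }

    /**
     * Resolve the membership level directly from the group, without touching the cache.
     *
     * @return int one of the MEMBERSHIPS levels, or 0 when the user is not a member
     */
    private function resolveMembershipLevel(User $user, Group $group): int
    {
        if ($user->getRole() === Roles::STUDENT_ROLE) {
            // Users with the student role are only ever evaluated for student membership.
            return $group->isStudentOf($user)
                ? self::MEMBERSHIPS[GroupMembership::TYPE_STUDENT]
                : 0;
        }

        // Highest privilege first, so the strongest matching relation wins.
        if ($group->isAdminOf($user)) {
            return self::MEMBERSHIPS[GroupMembership::TYPE_ADMIN];
        }
        if ($group->isSupervisorOf($user)) {
            return self::MEMBERSHIPS[GroupMembership::TYPE_SUPERVISOR];
        }
        if ($group->isObserverOf($user)) {
            return self::MEMBERSHIPS[GroupMembership::TYPE_OBSERVER];
        }

        // NOTE(review): the earlier version ended this chain with a student check guarded by
        // `getRole() === Roles::STUDENT_ROLE`, which can never hold on this path. The dead
        // branch is dropped with no change in behavior: a user with a non-student role who
        // is a student of the group still resolves to 0. Confirm this is intended.
        return 0;
    }

    /**
     * Check that the user holds at least the given membership type in the group.
     *
     * Fails closed: a missing user or group is never treated as a member.
     *
     * @param User|null $user user to check (null yields false)
     * @param Group|null $group group to check (null yields false)
     * @param string $membership minimal required membership type (a GroupMembership::TYPE_* value)
     * @return bool true if the user's level is at least the required level
     * @throws InvalidArgumentException if the membership type is not known
     */
    protected function checkMinimalMembership(?User $user, ?Group $group, string $membership): bool
    {
        if ($user === null || $group === null) {
            return false;
        }

        // An unknown type is a programming error in the calling policy. Throw rather than
        // guess a level, so a typo cannot silently weaken or block a permission check.
        $minLevel = self::MEMBERSHIPS[$membership] ?? null;
        if ($minLevel === null) {
            throw new InvalidArgumentException("Unknown membership type: $membership");
        }

        return $this->getMembershipLevel($user, $group) >= $minLevel;
    }
}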