AIRAVATA-2312 Adds 'initial-role-name' to pga_config.php

'initial-role-name' defaults to 'user-pending' but can be customized to
automatically assign new users to the given role. The main use case for
this is to set 'initial-role-name' to 'gateway-user' to provide new
users access to the gateway without needing admin intervention.


Project: http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/repo
Commit: 
http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/commit/9765c1e2
Tree: http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/tree/9765c1e2
Diff: http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/diff/9765c1e2

Branch: refs/heads/dreg-gateway
Commit: 9765c1e250992c9ee870243081795e6aa2312948
Parents: 773e542
Author: Marcus Christie <machr...@iu.edu>
Authored: Thu Feb 9 11:17:49 2017 -0500
Committer: Marcus Christie <machr...@iu.edu>
Committed: Thu Feb 9 11:17:49 2017 -0500

----------------------------------------------------------------------
 app/config/pga_config.php.template    |  8 ++++++
 app/controllers/AccountController.php |  9 +++---
 app/controllers/AdminController.php   | 44 ++++++++++++++++++++++--------
 app/libraries/CommonUtilities.php     |  4 +++
 4 files changed, 50 insertions(+), 15 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/blob/9765c1e2/app/config/pga_config.php.template
----------------------------------------------------------------------
diff --git a/app/config/pga_config.php.template 
b/app/config/pga_config.php.template
index ac378f6..8370364 100644
--- a/app/config/pga_config.php.template
+++ b/app/config/pga_config.php.template
@@ -24,6 +24,14 @@ return array(
         'user-role-name' => 'Internal/everyone',
 
         /**
+         * Initial user role. This is the initial user role assigned to a new
+         * user. Set this to one of the three roles above to automatically
+         * grant new users that role, or set to some other role 
('user-pending')
+         * to require admin approval before users have access.
+         */
+        'initial-role-name' => 'user-pending',
+
+        /**
          * Tenant Domain
          */
         'tenant-domain' => 'master.airavata',
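Review bot: The new docblock for `initial-role-name` should spell out what a privileged value means operationally: by the comment's own terms, only a non-privileged value like `user-pending` routes new accounts through admin approval, so pointing this at one of the three roles above hands that role to every account that completes self-registration, with no one reviewing it. Suggest adding a line to the block such as `* A privileged value here gives every self-registered account that role immediately; never set it to the admin or read-only admin role.` so an operator editing the template sees the trade-off next to the key.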

http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/blob/9765c1e2/app/controllers/AccountController.php
----------------------------------------------------------------------
diff --git a/app/controllers/AccountController.php 
b/app/controllers/AccountController.php
index 1490ee1..a9ac6b4 100644
--- a/app/controllers/AccountController.php
+++ b/app/controllers/AccountController.php
@@ -56,14 +56,15 @@ class AccountController extends BaseController
             WSIS::registerUserAccount($username, $password, $email, 
$first_name, $last_name, $organization, $address, $country, $telephone, 
$mobile, $im, $url,
                 Config::get('pga_config.wsis')['tenant-domain']);
 
-            /*add user to role - user-pending */
+            /*add user to the initial role */
 
+            $initialRoleName = CommonUtilities::getInitialRoleName();
             $allRoles = WSIS::getAllRoles();
-            if(! in_array( "user-pending", $allRoles)){
-                WSIS::addRole( "user-pending");
+            if(! in_array( $initialRoleName, $allRoles)){
+                WSIS::addRole( $initialRoleName);
             }
 
-            $userRoles["new"] = "user-pending";
+            $userRoles["new"] = $initialRoleName;
 
             if(  Config::get('pga_config.portal')['super-admin-portal'] == 
true ){
 
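Review bot: `in_array( $initialRoleName, $allRoles)` on the added line still uses loose comparison, and now that the needle comes from configuration rather than a literal it should be strict, `if(! in_array( $initialRoleName, $allRoles, true)){`; the same applies to the four `in_array` calls on `$initialRoleName` in the AdminController hunk. A mistyped `initial-role-name` is also silently turned into a brand-new WSIS role by the following `WSIS::addRole( $initialRoleName)`, from the self-registration path, and the only symptom would be users landing in a role nobody granted; logging a warning, or treating an absent configured role as a misconfiguration instead of creating it, would make that visible. The enclosing registration method starts and ends outside the hunk.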

http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/blob/9765c1e2/app/controllers/AdminController.php
----------------------------------------------------------------------
diff --git a/app/controllers/AdminController.php 
b/app/controllers/AdminController.php
index 1ecce03..6dd27bd 100644
--- a/app/controllers/AdminController.php
+++ b/app/controllers/AdminController.php
@@ -236,22 +236,44 @@ class AdminController extends BaseController {
             $recipients = array($userProfile["email"]);
             $this->sendAccessGrantedEmailToTheUser(Input::get("username"), 
$recipients);
 
-            // remove the pending role when access is granted, unless
-            // the admin is trying to add the user to the pending role
-            if(in_array("user-pending", $newCurrentRoles) && 
!in_array("user-pending", $roles["new"])) {
-                $userRoles["new"] = array();
-                $userRoles["deleted"] = "user-pending";
-                WSIS::updateUserRoles( $username, $userRoles);
-            } else if(in_array("user-pending", $newCurrentRoles) && 
in_array("user-pending", $roles["new"])) {
-                // When user-pending role added remove all roles except for 
user-pending and Internal/everyone
-                $userRoles["new"] = array();
-                $userRoles["deleted"] = array_diff($newCurrentRoles, 
array("user-pending", "Internal/everyone"));
-                WSIS::updateUserRoles( $username, $userRoles);
+            // remove the initial role when the initial role isn't a privileged
+            // role and the admin has now assigned the user to a privileged
+            // role, unless the admin is trying to add the user back to the
+            // initial role
+            if (!$this->isInitialRoleOneOfPrivilegedRoles()) {
+
+                $initialRoleName = CommonUtilities::getInitialRoleName();
+                if(in_array($initialRoleName, $newCurrentRoles) && 
!in_array($initialRoleName, $roles["new"])) {
+                    $userRoles["new"] = array();
+                    $userRoles["deleted"] = $initialRoleName;
+                    WSIS::updateUserRoles( $username, $userRoles);
+                } else if(in_array($initialRoleName, $newCurrentRoles) && 
in_array($initialRoleName, $roles["new"])) {
+                    // When initial role added remove all roles except for 
initial role and Internal/everyone
+                    $userRoles["new"] = array();
+                    $userRoles["deleted"] = array_diff($newCurrentRoles, 
array($initialRoleName, "Internal/everyone"));
+                    WSIS::updateUserRoles( $username, $userRoles);
+                }
             }
         }
         return Redirect::to("admin/dashboard/roles")->with( "message", "Roles 
has been added.");
     }
 
+    /*
+     * Return true if the initial-role-name is one of the three privileged
+     * roles. This is used to figure out whether the initial-role-name is a
+     * 'user-pending' kind of role (returns false), or whether the initial role
+     * is a privileged role (returns true) and no admin intervention is
+     * necessary.
+     */
+    private function isInitialRoleOneOfPrivilegedRoles() {
+
+        $initialRoleName = CommonUtilities::getInitialRoleName();
+        $adminRoleName = Config::get("pga_config.wsis")["admin-role-name"];
+        $adminReadOnlyRoleName = 
Config::get("pga_config.wsis")["read-only-admin-role-name"];
+        $userRoleName = Config::get("pga_config.wsis")["user-role-name"];
+        return in_array($initialRoleName, array($adminRoleName, 
$adminReadOnlyRoleName, $userRoleName));
+    }
+
     public function removeRoleFromUser(){
         $roles["deleted"] = array(Input::all()["roleName"]);
         $roles["new"] = array();
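Review bot: `isInitialRoleOneOfPrivilegedRoles` reads `Config::get("pga_config.wsis")` three times and compares with a non-strict `in_array`; fetch the section once and compare strictly, e.g. `$wsis = Config::get("pga_config.wsis");` followed by `return in_array($initialRoleName, array($wsis["admin-role-name"], $wsis["read-only-admin-role-name"], $wsis["user-role-name"]), true);`. Its comment opens with `/*` rather than `/**`, so it is not treated as a docblock by tooling. Since AccountController now also needs to reason about the initial role, this helper arguably belongs beside `CommonUtilities::getInitialRoleName()` rather than as a private method here. The method containing the rewritten `if (!$this->isInitialRoleOneOfPrivilegedRoles())` block starts outside the hunk.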

http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/blob/9765c1e2/app/libraries/CommonUtilities.php
----------------------------------------------------------------------
diff --git a/app/libraries/CommonUtilities.php 
b/app/libraries/CommonUtilities.php
index 585016f..53f790e 100644
--- a/app/libraries/CommonUtilities.php
+++ b/app/libraries/CommonUtilities.php
@@ -438,5 +438,9 @@ class CommonUtilities
             return false;
         }
     }
+
+    public static function getInitialRoleName() {
+        return Config::get('pga_config.wsis.initial-role-name', 
'user-pending');
+    }
 }
 
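Review bot: `getInitialRoleName` returns whatever the config holds with no validation, so an empty or non-string value propagates straight into `WSIS::addRole` and `WSIS::updateUserRoles` in the two controllers, and a value equal to `admin-role-name` or `read-only-admin-role-name` would give every self-registered account admin rights. Because both call sites go through this helper, it is the right place to reject an empty value and the two admin roles with an exception, and to document the contract with `/** Name of the role assigned to newly registered users; never an admin role. */`. The rewrite below keeps the existing `Config::get` lookup and default and only adds the checks.
```php
    public static function getInitialRoleName() {
        $initialRoleName = Config::get('pga_config.wsis.initial-role-name', 'user-pending');
        if (!is_string($initialRoleName) || $initialRoleName === '') {
            throw new \RuntimeException("pga_config.wsis.initial-role-name must be a non-empty role name");
        }
        // self-registration must never land a new account in an admin role
        $adminRoles = array(Config::get("pga_config.wsis")["admin-role-name"],
            Config::get("pga_config.wsis")["read-only-admin-role-name"]);
        if (in_array($initialRoleName, $adminRoles, true)) {
            throw new \RuntimeException("pga_config.wsis.initial-role-name must not be an admin role");
        }
        return $initialRoleName;
    }
```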
