From 13e6c0e221639be2a159107d80250c77b56ca712 Mon Sep 17 00:00:00 2001 From: Jochen Lienhard <lienhard@ub.uni-freiburg.de> Date: Thu, 12 Mar 2015 15:00:59 -0400 Subject: [PATCH] Authorization support for tabs (including access.StaffViewTab permission). --- config/vufind/permissions.ini | 7 ++++++ module/VuFind/config/module.config.php | 3 +++ .../src/VuFind/RecordTab/AbstractBase.php | 25 +++++++++++++++++-- .../src/VuFind/RecordTab/StaffViewArray.php | 8 ++++++ .../src/VuFind/RecordTab/StaffViewMARC.php | 8 ++++++ .../Role/DynamicRoleProviderFactory.php | 7 ++++++ 6 files changed, 56 insertions(+), 2 deletions(-) diff --git a/config/vufind/permissions.ini b/config/vufind/permissions.ini index 87f703e397b..9f555da90b0 100644 --- a/config/vufind/permissions.ini +++ b/config/vufind/permissions.ini @@ -54,9 +54,16 @@ ; ; access.AdminModule - Controls access to the admin panel (if enabled in config.ini) ; access.EITModule - Controls access to the EBSCO EIT module (if active) +; access.StaffViewTab - Controls access to the staff view tab in record mode ; access.SummonExtendedResults - Controls visibility of protected Summon results ; Default configuration for the EIT module; see EIT.ini for some notes on this. [default.EITModule] role = loggedin permission = access.EITModule + +; Show staff view for all users by default +[default.StaffViewTab] +role[] = guest +role[] = loggedin +permission = access.StaffViewTab \ No newline at end of file diff --git a/module/VuFind/config/module.config.php b/module/VuFind/config/module.config.php index 9fa8631b69b..2a639ccad26 100644 --- a/module/VuFind/config/module.config.php +++ b/module/VuFind/config/module.config.php @@ -472,6 +472,9 @@ $config = [ 'staffviewmarc' => 'VuFind\RecordTab\StaffViewMARC', 'toc' => 'VuFind\RecordTab\TOC', ], + 'initializers' => [ + 'ZfcRbac\Initializer\AuthorizationServiceInitializer' + ], ], 'related' => [ 'abstract_factories' => ['VuFind\Related\PluginFactory'], 
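Review bot: The new `[default.StaffViewTab]` section grants `access.StaffViewTab` to both `guest` and `loggedin`, so out of the box the permission check added elsewhere in this commit restricts nobody, and the comment above the section does not tell an administrator how to tighten it. I would extend that comment to something like `; Show staff view for all users by default; remove the guest role to limit it to logged-in users`. The hunk also records `\ No newline at end of file` after the last added line, so the trailing newline should be restored.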
diff --git a/module/VuFind/src/VuFind/RecordTab/AbstractBase.php b/module/VuFind/src/VuFind/RecordTab/AbstractBase.php index a8867355000..11a6c60a746 100644 --- a/module/VuFind/src/VuFind/RecordTab/AbstractBase.php +++ b/module/VuFind/src/VuFind/RecordTab/AbstractBase.php @@ -26,6 +26,8 @@ * @link http://vufind.org/wiki/vufind2:record_tabs Wiki */ namespace VuFind\RecordTab; +use ZfcRbac\Service\AuthorizationServiceAwareInterface, + ZfcRbac\Service\AuthorizationServiceAwareTrait; /** * Record tab abstract base class @@ -36,8 +38,19 @@ namespace VuFind\RecordTab; * @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License * @link http://vufind.org/wiki/vufind2:record_tabs Wiki */ -abstract class AbstractBase implements TabInterface +abstract class AbstractBase implements TabInterface, + AuthorizationServiceAwareInterface { + use AuthorizationServiceAwareTrait; + + /** + * Permission that must be granted to access this module (null for no + * restriction) + * + * @var string + */ + protected $accessPermission = null; + /** * Record driver associated with the tab * @@ -59,7 +72,15 @@ abstract class AbstractBase implements TabInterface */ public function isActive() { - // Assume active by default; subclasses may add rules. + // If accessPermission is set, check for authorization to enable tab + if (!empty($this->accessPermission)) { + $auth = $this->getAuthorizationService(); + if (!$auth) { + throw new \Exception('Authorization service missing'); + } + return $auth->isGranted($this->accessPermission); + } + return true; } diff --git a/module/VuFind/src/VuFind/RecordTab/StaffViewArray.php b/module/VuFind/src/VuFind/RecordTab/StaffViewArray.php index cf58f712718..b789be81dde 100644 --- a/module/VuFind/src/VuFind/RecordTab/StaffViewArray.php +++ b/module/VuFind/src/VuFind/RecordTab/StaffViewArray.php 
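Review bot: In `isActive()` the permission check now lives in the base implementation, but nothing tells subclass authors that an override which does not call `parent::isActive()` skips the check entirely; the old comment "subclasses may add rules" was removed without a replacement. I would add a line to the method docblock such as `Subclasses overriding this method must call parent::isActive() so the accessPermission check still applies.` Two smaller points in the same file section: the property docblock says "access this module" where it means the tab and declares `@var string` although the default is `null` (`@var string|null` would match), and the failure path throws a bare `\Exception`, which callers cannot tell apart from unrelated errors. The docblock of `isActive()` begins outside the hunk.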
@@ -38,6 +38,14 @@ namespace VuFind\RecordTab; */ class StaffViewArray extends AbstractBase { + /** + * Constructor + */ + public function __construct() + { + $this->accessPermission = 'access.StaffViewTab'; + } + /** * Get the on-screen description for this tab. * diff --git a/module/VuFind/src/VuFind/RecordTab/StaffViewMARC.php b/module/VuFind/src/VuFind/RecordTab/StaffViewMARC.php index 575980955b5..61976130daf 100644 --- a/module/VuFind/src/VuFind/RecordTab/StaffViewMARC.php +++ b/module/VuFind/src/VuFind/RecordTab/StaffViewMARC.php @@ -38,6 +38,14 @@ namespace VuFind\RecordTab; */ class StaffViewMARC extends AbstractBase { + /** + * Constructor + */ + public function __construct() + { + $this->accessPermission = 'access.StaffViewTab'; + } + /** * Get the on-screen description for this tab. * diff --git a/module/VuFind/src/VuFind/Role/DynamicRoleProviderFactory.php b/module/VuFind/src/VuFind/Role/DynamicRoleProviderFactory.php index 6919369692e..bc3f99b7e91 100644 --- a/module/VuFind/src/VuFind/Role/DynamicRoleProviderFactory.php +++ b/module/VuFind/src/VuFind/Role/DynamicRoleProviderFactory.php @@ -135,6 +135,13 @@ class DynamicRoleProviderFactory implements FactoryInterface $permissions['legacy.AdminModule']['permission'] = 'access.AdminModule'; } + // Add staff view setting it they are absent: + if (!$this->permissionDefined($permissions, 'access.StaffViewTab')) { + $permissions['legacy.StaffViewTab']['role'] = ['guest', 'loggedin']; + $permissions['legacy.StaffViewTab']['permission'] + = 'access.StaffViewTab'; + } + // Add EIT settings if they are absent: if (!$this->permissionDefined($permissions, 'access.EITModule')) { $permissions['legacy.EITModule'] = [ -- GitLab
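Review bot: Assigning `accessPermission` in a constructor makes the restriction depend on that constructor running: a subclass of `StaffViewArray` that defines its own `__construct()` without calling the parent leaves the property at `null`, and `AbstractBase::isActive()` then treats the tab as unrestricted. Declaring the value on the property instead, `protected $accessPermission = 'access.StaffViewTab';`, removes that failure mode and the otherwise empty constructor. The same applies to the identical constructor added to `StaffViewMARC` in the next hunk.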
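Review bot: The comment on the new `legacy.StaffViewTab` fallback has a typo and does not say that the default is deliberately open to every role. An installation whose permissions.ini lacks `access.StaffViewTab` ends up granting it to `guest` and `loggedin`, which appears to preserve the earlier always-visible behaviour, and that intent is worth recording so nobody mistakes it for an oversight. I would write `// Add staff view settings if they are absent (open to all roles, as before permissions existed):`. The enclosing method starts and ends outside the hunk.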