GraphQL and Rest role permissions

Author: givanz

admin/controller/admin/role.php

@@ -25,27 +25,75 @@
 use function Vvveb\__;
 use Vvveb\Controller\Base;
 use Vvveb\Sql\RoleSQL;
+use Vvveb\System\Cache;
 use Vvveb\System\User\Role as RoleList;
 
 class Role extends Base {
 	protected $type = 'role';
 
+	protected $app = 'admin';
+
+	protected $apps = [
+		'admin'   => ['permissions' => ['controllers']],
+		'rest'    => ['permissions' => ['routes', 'controllers']],
+		'graphql' => ['permissions' => ['controllers', 'models']],
+	];
+
+	function init() {
+		$this->app = $this->request->get['app'] ?? 'admin';
+
+		if (! isset($this->apps[$this->app])) {
+			//$this->view->errors[] = __('Invalid app!');
+			return $this->notFound(__('Invalid app!'));
+		}
+
+		parent::init();
+	}
+
 	function index() {
 		$role_id = $this->request->get['role_id'] ?? false;
 
-		$tree = [];
-		RoleList::mkmap(DIR_APP . 'controller', $tree);
-		$this->view->tree = $tree['controller'];
+		$cache = Cache::getInstance();
+		$tree  = $cache->cache(APP, $this->app . '-permissions',function () {
+			$tree = [];
+			//$this->view->tree = RoleList::controllers($this->app);
+			foreach ($this->apps[$this->app]['permissions'] as $method) {
+				$data = RoleList::$method($this->app);
+
+				if ($data) {
+					$tree += RoleList::$method($this->app);
+				}
+				////$this->view->tree = $tree['controller'];
+			}
 
-		$controllers              = RoleList::getControllerList();
-		$this->view->controllers  = $controllers;
-		$this->view->capabilities = RoleList::getCapabilitiesList();
+			return $tree;
+		}, 259200);
+
+		$this->view->tree = $tree;
+
+		//\Vvveb\dd($this->view->tree);
+
+		//$this->view->controllers  = RoleList::getControllerList($this->app);
+		$this->view->capabilities = RoleList::getCapabilitiesList($this->app);
+		$this->view->apps         = $this->apps;
+		$this->view->app          = $this->app;
 
 		$role             = new RoleSQL();
 		$this->view->role = $role->get(['role_id' => $role_id]);
 
 		if ($this->view->role) {
-			$this->view->role['permissions']                 = json_decode($this->view->role['permissions'], true);
+			$permissions = json_decode($this->view->role['permissions'], true);
+
+			if (isset($permissions[$this->app])) {
+				$permissions = $permissions[$this->app];
+			} else {
+				//backward compatibility for admin app
+				if ($this->app !== 'admin') {
+					$permissions = [];
+				}
+			}
+
+			$this->view->role['permissions']                 = $permissions;
 			$this->view->role['permissions']['deny']         = $this->view->role['permissions']['deny'] ?? [];
 			$this->view->role['permissions']['allow']        = $this->view->role['permissions']['allow'] ?? [];
 			$this->view->role['permissions']['capabilities'] = $this->view->role['permissions']['capabilities'] ?? [];
@@ -57,11 +105,24 @@ function save() {
 		$allow        = $this->request->post['allow'] ?? [];
 		$deny         = $this->request->post['deny'] ?? [];
 		$capabilities = $this->request->post['capabilities'] ?? [];
-		$permissions  = ['deny' => $deny, 'allow' => $allow, 'capabilities' => $capabilities];
+		$permissions  = [$this->app => ['deny' => $deny, 'allow' => $allow, 'capabilities' => $capabilities]];
 
 		$role_id = $this->request->get['role_id'] ?? false;
 
-		$role = new RoleSQL();
+		$role               = new RoleSQL();
+		$this->view->role   = $role->get(['role_id' => $role_id]);
+		$currentPermissions = json_decode($this->view->role['permissions'], true);
+
+		if ($currentPermissions) {
+			//backward compatibility
+			if (isset($currentPermissions['allow'])) {
+				$currentPermissions['admin']  = $currentPermissions;
+				unset($currentPermissions['allow'], $currentPermissions['deny'], $currentPermissions['capabilities']);
+			}
+
+			$currentPermissions[$this->app] = $permissions[$this->app];
+			$permissions                    = $currentPermissions;
+		}
 
 		if ($role_id) {
 			$result = $role->edit(['role_id' => $role_id, 'role' => $data + ['permissions' => json_encode($permissions)]]);

admin/controller/admin/roles.php

@@ -22,24 +22,16 @@
 
 namespace Vvveb\Controller\Admin;
 
-use Vvveb\Controller\Base;
+use Vvveb\Controller\Listing;
 
-class Roles extends Base {
-	private function save() {
-	}
+class Roles extends Listing {
+	protected $type = 'role';
 
-	function index() {
-		$view     = $this->view;
-		$roles    = new \Vvveb\Sql\RoleSQL();
+	protected $controller = 'role';
 
-		$options    =  [
-			'type'         => 'admin', //$this->type,
-		] + $this->global;
+	protected $listController = 'roles';
 
-		$results = $roles->getAll($options);
+	protected $list = 'role';
 
-		$view->roles    = $results['role'];
-		$view->count    = $results['count'];
-		$view->limit    = $options['limit'];
-	}
+	protected $module = 'admin';
 }

admin/template/admin/role.tpl

@@ -85,13 +85,24 @@ if ($tree) {
 		foreach($parent as $id => $permission) {
 			$uniq        = Vvveb\System\Functions\Str::random(5);
 			$hasChildren = is_array($permission) && count($permission);
+			$rule        = $path . ($path && $id != 'index' ? '/' : '') . ($id != 'index' ? $id : '') . ($hasChildren ? '/*' : '');
 		?>		
 			//catch all data attributes
 			@permission [data-v-permission-*] = $permission['@@__data-v-permission-(*)__@@']
 			@permission [data-v-name] = $id
-			@permission input[type="hidden"] = <?php echo  ($path ? $path  . '/' : $path) . $id;?>
+			@permission [data-v-rule] = $rule
+			@permission [data-v-name]|addClass = <?php 
+				if ($this->app == 'rest' && !$hasChildren) {
+					if ($id == 'get') echo 'badge bg-success';
+					if ($id == 'post') echo 'badge bg-primary';
+					if ($id == 'put') echo 'badge bg-warning';
+					if ($id == 'patch') echo 'badge bg-info';
+					if ($id == 'delete') echo 'badge bg-danger';
+				}
+			?>
+			@permission input[type="hidden"] = <?php echo $rule;?>
 			@permission input[type="checkbox"]|id = $uniq
-			@permission|class = <?php if ($hasChildren) echo 'folder'; else 'file';?>
+			@permission|class = <?php if ($hasChildren) echo 'folder'; else echo 'file';?>
 
 
 		@permission|append = <?php 
@@ -127,3 +138,22 @@ if(isset($this->capabilities) && is_array($this->capabilities)) {
 	@capability|after = <?php 
 	} 
 }?>
+
+
+@app = [data-v-apps] [data-v-app]
+@app|deleteAllButFirstChild
+
+@app|before = <?php
+if(isset($this->apps) && is_array($this->apps)) {
+	foreach ($this->apps as $app => $options) {?>
+    
+	
+	@app [data-v-app-url]|innerText = $app
+	@app a[data-v-app-url]|href = <?php echo Vvveb\url('', ['app' => $app]);?>
+	@app [data-v-app-url]|addClass = <?php 
+		if ($this->app == $app) echo 'active';
+	?>
+
+	@app|after = <?php 
+	} 
+}?>

admin/template/admin/roles.tpl

@@ -1,17 +1,2 @@
-import(common.tpl)
-import(pagination.tpl)
+import(listing.tpl, {"type":"role", "list": "roles"})
 
-[data-v-roles] [data-v-role]|deleteAllButFirstChild
-
-[data-v-roles]  [data-v-role]|before = <?php
-if(isset($this->roles) && is_array($this->roles)) {
-	//$pagination = $this->roles[$_roles_idx]['pagination'];
-	foreach ($this->roles as $index => $role) {?>
-    
-    [data-v-roles] [data-v-role] [data-v-role-url]|href = <?php echo Vvveb\url(['module' => 'admin/role', 'role_id' => $role['role_id']]);?>
-	
-	[data-v-roles] [data-v-role] [data-v-*]|innerText = $role['@@__data-v-(*)__@@']
-
-	[data-v-roles]  [data-v-role]|after = <?php 
-	} 
-}?>

system/user/admin.php

@@ -22,10 +22,9 @@
 
 namespace Vvveb\System\User;
 
+use function Vvveb\session as sess;
 use Vvveb\Sql\AdminSQL;
 use Vvveb\System\PageCache;
-use function Vvveb\session as sess;
-
 
 class Admin extends Auth {
 	private static $namespace = 'admin';
@@ -61,9 +60,9 @@ public static function add($data) {
 		return $admin->add([self :: $namespace => $data]);
 	}
 
-	public static function hasCapability($capability) {
+	public static function hasCapability($capability, $app = APP) {
 		$admin        = sess(self :: $namespace, false);
-		$capabilities = $admin['permissions']['capabilities'] ?? [];
+		$capabilities = $admin['permissions'][$app]['capabilities'] ?? $admin['permissions']['capabilities'] ?? [];
 
 		return in_array($capability, $capabilities);
 	}
@@ -81,9 +80,14 @@ public static function hasSiteAccess($site_id) {
 		return in_array($site_id, $site_access);
 	}
 
-	public static function hasPermission($permission) {
+	public static function hasPermission($permission, $app = APP) {
 		$admin       = sess(self :: $namespace, false);
-		$permissions = $admin['permissions'] ?: [];
+
+		if (! $admin) {
+			return false;
+		}
+
+		$permissions = ($admin['permissions'][$app] ?? $admin['permissions']) ?: [];
 		$allow       = $permissions['allow'] ?? [];
 		$deny        = $permissions['deny'] ?? [];