Dev: Auth plugin and Permission (#859)

Fixed issue #12869: Auth plugin must have a Permission settings accessible via GUI
New feature : getGlobalBasePermissions event to create new global Permission
Dev: and use it for AuthLDAP and AuthDB
Dev: Fixed issue #12893 initial admin seems to be allowed to log in via LDAP
Dev: did we need disable login for superadmin via LDAP/WebServer ?
Dev: plugin can be extended now (since Permission list can be extended)

application/core/plugins/AuthLDAP/AuthLDAP.php

@@ -121,6 +121,8 @@ public function init() {
          * Here you should handle subscribing to the events your plugin will handle
          */
         $this->subscribe('beforeActivate');
+        $this->subscribe('getGlobalBasePermissions');
+        $this->subscribe('beforeHasPermission');
         $this->subscribe('createNewUser');
         $this->subscribe('beforeLogin');
         $this->subscribe('newLoginForm');
@@ -142,6 +144,40 @@ public function beforeActivate()
         }
     }
 
+    /**
+     * Add AuthLDAP Permission to global Permission
+     * @return void
+     */
+    public function getGlobalBasePermissions() {
+        $this->getEvent()->append('globalBasePermissions',array(
+            'auth_ldap' => array(
+                'create' => false,
+                'update' => false,
+                'delete' => false,
+                'import' => false,
+                'export' => false,
+                'title' => gT("Use LDAP authentication"),
+                'description' => gT("Use LDAP authentication"),
+                'img' => 'usergroup'
+            ),
+        ));
+    }
+
+    /**
+     * Validation of AuthPermission (for super-admin only)
+     * @return void
+     */
+    public function beforeHasPermission() {
+        $oEvent = $this->getEvent();
+        if($oEvent->get('sEntityName') != 'global' || $oEvent->get('sPermission') !='auth_ldap' || $oEvent->get('sCRUD') !='read') {
+            return;
+        }
+        $iUserId = Permission::getUserId($oEvent->get('iUserID'));
+        if($iUserId == 1) {
+            $oEvent->set('bPermission',(bool)$this->get('allowInitialUser'));
+        }
+    }
+
     /**
      * Create a LDAP user
      *

application/core/plugins/Authwebserver/Authwebserver.php

@@ -28,10 +28,30 @@ public function init() {
         /**
          * Here you should handle subscribing to the events your plugin will handle
          */
+        $this->subscribe('getGlobalBasePermissions');
         $this->subscribe('beforeLogin');
         $this->subscribe('newUserSession');
     }
 
+    /**
+     * Add AuthLDAP Permission to global Permission
+     * @return void
+     */
+    public function getGlobalBasePermissions() {
+        $this->getEvent()->append('globalBasePermissions',array(
+            'auth_webserver' => array(
+                'create' => false,
+                'update' => false,
+                'delete' => false,
+                'import' => false,
+                'export' => false,
+                'title' => gT("Use web server authentication"),
+                'description' => gT("Use web server authentication"),
+                'img' => 'usergroup'
+            ),
+        ));
+    }
+
     public function beforeLogin()
     {       
         // normal login through webserver authentication    
@@ -68,7 +88,7 @@ public function beforeLogin()
             }
         }
     }
-    
+
     public function newUserSession()
     {
         // Do nothing if this user is not Authwebserver type

application/models/Permission.php

@@ -30,6 +30,9 @@
  */
 class Permission extends LSActiveRecord
 {
+    /* @var array[]|null The global base Permission LimeSurvey installation */
+    protected static $aGlobalBasePermissions;
+
     /** @inheritdoc */
     public function tableName()
     {
@@ -179,6 +182,9 @@ public static function getSurveyBasePermissions()
      */
     public static function getGlobalBasePermissions()
     {
+        if(self::$aGlobalBasePermissions) {
+            return self::$aGlobalBasePermissions;
+        }
         $defaults = array(
             'create' => true,
             'read' => true,
@@ -253,31 +259,33 @@ public static function getGlobalBasePermissions()
             'description' => gT("Use internal database authentication"),
             'img' => 'usergroup'
         );
-        $aPermissions['auth_ldap'] = array(
-            'create' => false,
-            'update' => false,
-            'delete' => false,
-            'import' => false,
-            'export' => false,
-            'title' => gT("Use LDAP authentication"),
-            'description' => gT("Use LDAP authentication"),
-            'img' => 'usergroup'
-        );
-        $aPermissions['auth_webserver'] = array(
-            'create' => false,
-            'update' => false,
-            'delete' => false,
-            'import' => false,
-            'export' => false,
-            'title' => gT("Use web server authentication"),
-            'description' => gT("Use web server authentication"),
-            'img' => 'usergroup'
-        );
+
+        /**
+         * New event to allow plugin to add own global permission
+         * Using $event->append('globalBasePermissions', $newGlobalBasePermissions);
+         * $newGlobalBasePermissions=[
+         *  permissionName=>[
+         *       'create' : create (optionnal)
+         *       'read' : read (optionnal)
+         *       'update' : update (optionnal)
+         *       'delete' : delete (optionnal)
+         *       'import' : import (optionnal)
+         *       'export' : export (optionnal)
+         *       'title' : translated title/name
+         *       'description' : translated description
+         *       'img': icon name class
+         *  ]
+         */
+        $event = new \LimeSurvey\PluginManager\PluginEvent('getGlobalBasePermissions');
+        $result = App()->getPluginManager()->dispatchEvent($event);
+        $aPluginPermissions =(array) $result->get('globalBasePermissions');
+        $aPermissions=array_merge($aPermissions,$aPluginPermissions);
 
         foreach ($aPermissions as &$permission) {
             $permission = array_merge($defaults, $permission);
         }
-        return $aPermissions;
+        self::$aGlobalBasePermissions = $aPermissions;
+        return self::$aGlobalBasePermissions;
     }
 
     /**
@@ -570,10 +578,9 @@ public function hasPermission($iEntityID, $sEntityName, $sPermission, $sCRUD='re
 
         /* Always return false for guests */
         // TODO: should not be necessary
-        if(!$this->getUserId($iUserID)) {
+        $iUserID=self::getUserId($iUserID);
+        if(!$iUserID) {
             return false;
-        } else {
-            $iUserID=$this->getUserId($iUserID);
         }
 
         /* Always return true if you are the owner : this can be done in core plugin ? */
@@ -700,7 +707,7 @@ private static function comparePermissionTitle($aApermission,$aBpermission)
      * @return int user id
      * @throws Exception
      */
-    protected function getUserId($iUserID=null)
+    public static function getUserId($iUserID=null)
     {
         if (is_null($iUserID)) {
             if(Yii::app() instanceof CConsoleApplication) {

application/views/admin/user/setuserpermissions.php

@@ -34,14 +34,6 @@
 
                 <!-- Permissions -->
                 <?php foreach($aBasePermissions as $sPermissionKey=>$aCRUDPermissions): ?>
-                    <?php
-                        if ($sPermissionKey == 'auth_ldap' && !App()->getPluginManager()->isPluginActive('AuthLDAP')
-                            || $sPermissionKey == 'auth_webserver' && !App()->getPluginManager()->isPluginActive('Authwebserver'))
-                        {
-                            continue;
-                        }
-                    ?>
-
                     <tr>
                         <!-- Icon -->
                         <td>