Internal: Remove ADMIN vs SUPERADMIN redundancy - refs #6762

assets/vue/store/security.js

@@ -17,7 +17,10 @@ export default {
       return state.isAuthenticated
     },
     isAdmin(state, getters) {
-      return getters.isAuthenticated && (getters.hasRole("ROLE_SUPER_ADMIN") || getters.hasRole("ROLE_ADMIN"))
+      return (
+        getters.isAuthenticated &&
+        (getters.hasRole("ROLE_ADMIN") || getters.hasRole("ROLE_GLOBAL_ADMIN"))
+      )
     },
     isCourseAdmin(state, getters) {
       if (getters.isAdmin) {
@@ -34,8 +37,7 @@ export default {
       if (!getters.isAuthenticated) {
         return false
       }
-
-      if (getters.hasRole("ROLE_SUPER_ADMIN") || getters.hasRole("ROLE_ADMIN")) {
+      if (getters.hasRole("ROLE_ADMIN") || getters.hasRole("ROLE_GLOBAL_ADMIN")) {
         return true
       }
 
@@ -52,7 +54,7 @@ export default {
     },
     hasRole(state) {
       return (role) => {
-        if (state.user.roles) {
+        if (state.user && state.user.roles) {
           return state.user.roles.indexOf(role) !== -1
         }
 

assets/vue/store/securityStore.js

@@ -27,6 +27,7 @@ export const useSecurityStore = defineStore("security", () => {
    * @param {string} role
    */
   const removeRole = (role) => {
+    if (!user.value || !user.value.roles) return
     const index = user.value.roles.indexOf(role)
 
     if (index > -1) {
@@ -40,20 +41,21 @@ export const useSecurityStore = defineStore("security", () => {
 
   const isHRM = computed(() => hasRole.value("ROLE_HR"))
 
-  const isTeacher = computed(() => (isAdmin.value ? true : hasRole.value("ROLE_TEACHER")))
+  const isAdmin = computed(() => hasRole.value("ROLE_ADMIN") || hasRole.value("ROLE_GLOBAL_ADMIN"))
 
-  const isCurrentTeacher = computed(() => (isAdmin.value ? true : hasRole.value("ROLE_CURRENT_COURSE_TEACHER")))
+  const isTeacher = computed(() => isAdmin.value || hasRole.value("ROLE_TEACHER"))
 
-  const isCourseAdmin = computed(() =>
-    isAdmin.value
-      ? true
-      : hasRole.value("ROLE_CURRENT_COURSE_SESSION_TEACHER") || hasRole.value("ROLE_CURRENT_COURSE_TEACHER"),
+  const isCurrentTeacher = computed(() => isAdmin.value || hasRole.value("ROLE_CURRENT_COURSE_TEACHER"))
+
+  const isCourseAdmin = computed(
+    () =>
+      isAdmin.value ||
+      hasRole.value("ROLE_CURRENT_COURSE_SESSION_TEACHER") ||
+      hasRole.value("ROLE_CURRENT_COURSE_TEACHER"),
   )
 
   const isSessionAdmin = computed(() => hasRole.value("ROLE_SESSION_MANAGER"))
 
-  const isAdmin = computed(() => hasRole.value("ROLE_SUPER_ADMIN") || hasRole.value("ROLE_ADMIN"))
-
   async function checkSession() {
     isLoading.value = true
     try {

assets/vue/views/lp/LpList.vue

@@ -354,7 +354,7 @@ const load = async () => {
 
     let allowed = await checkIsAllowedToEdit(true, true, true, false)
     const roles = securityStore.user?.roles ?? []
-    if (!allowed && Array.isArray(roles) && (roles.includes("ROLE_ADMIN") || roles.includes("ROLE_SUPER_ADMIN"))) {
+    if (!allowed && Array.isArray(roles) && (roles.includes("ROLE_ADMIN") || roles.includes("ROLE_GLOBAL_ADMIN"))) {
       allowed = true
     }
     rawCanEdit.value = !!allowed

config/packages/security.yaml

@@ -42,18 +42,17 @@ security:
             - ROLE_CURRENT_COURSE_TEACHER
             - ROLE_CURRENT_COURSE_SESSION_TEACHER
             - ROLE_CURRENT_COURSE_GROUP_TEACHER
-        ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH] # Admin that can log in as another user.
-        ROLE_GLOBAL_ADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH] # The user that installed the platform.
+            - ROLE_ALLOWED_TO_SWITCH
+        ROLE_GLOBAL_ADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
         ROLE_TEACHER: [ROLE_STUDENT]
         ROLE_HR: [ROLE_TEACHER, ROLE_ALLOWED_TO_SWITCH]
         ROLE_QUESTION_MANAGER: [ROLE_STUDENT]
         ROLE_SESSION_MANAGER: [ROLE_STUDENT, ROLE_ALLOWED_TO_SWITCH]
         ROLE_STUDENT_BOSS: [ROLE_STUDENT]
         ROLE_INVITEE: [ROLE_STUDENT]
-
-        ROLE_CURRENT_COURSE_STUDENT: [ROLE_CURRENT_COURSE_STUDENT] # Set in the CidReqListener
-        ROLE_CURRENT_COURSE_TEACHER: [ROLE_CURRENT_COURSE_TEACHER, ROLE_CURRENT_COURSE_STUDENT] # Set in the course listener
-        ROLE_CURRENT_COURSE_GROUP_STUDENT: [ROLE_CURRENT_COURSE_GROUP_STUDENT] # Set in the CidReqListener
+        ROLE_CURRENT_COURSE_STUDENT: [ROLE_CURRENT_COURSE_STUDENT]
+        ROLE_CURRENT_COURSE_TEACHER: [ROLE_CURRENT_COURSE_TEACHER, ROLE_CURRENT_COURSE_STUDENT]
+        ROLE_CURRENT_COURSE_GROUP_STUDENT: [ROLE_CURRENT_COURSE_GROUP_STUDENT]
         ROLE_CURRENT_COURSE_GROUP_TEACHER: [ROLE_CURRENT_COURSE_GROUP_TEACHER, ROLE_CURRENT_COURSE_GROUP_STUDENT]
         ROLE_CURRENT_COURSE_SESSION_STUDENT: [ROLE_CURRENT_COURSE_SESSION_STUDENT]
         ROLE_CURRENT_COURSE_SESSION_TEACHER: [ROLE_CURRENT_COURSE_SESSION_STUDENT, ROLE_CURRENT_COURSE_SESSION_TEACHER]
@@ -124,5 +123,5 @@ security:
 
     access_control:
         - { path: ^/login/token/check, roles: PUBLIC_ACCESS }
-        - {path: ^/login, roles: PUBLIC_ACCESS}
-        - {path: ^/api/authentication_token, roles: PUBLIC_ACCESS}
+        - { path: ^/login, roles: PUBLIC_ACCESS }
+        - { path: ^/api/authentication_token, roles: PUBLIC_ACCESS }

public/main/admin/user_list.php

@@ -264,7 +264,7 @@ function prepare_user_sql_query(bool $getCount, bool $showDeletedUsers = false):
     }
     $mappedStatuses = array_values(array_unique($mappedStatuses));
 
-    $adminVariants = ['ROLE_PLATFORM_ADMIN','PLATFORM_ADMIN','ROLE_SUPER_ADMIN','SUPER_ADMIN','ROLE_GLOBAL_ADMIN','GLOBAL_ADMIN','ROLE_ADMIN','ADMIN'];
+    $adminVariants = ['ROLE_PLATFORM_ADMIN','PLATFORM_ADMIN','ROLE_GLOBAL_ADMIN','GLOBAL_ADMIN','ROLE_ADMIN','ADMIN'];
     $needsAdminLeftJoin = (bool) array_intersect($roles, $adminVariants);
     if ($needsAdminLeftJoin) {
         $sql .= " LEFT JOIN $admin_table a ON (a.user_id = u.id) ";
@@ -467,25 +467,23 @@ function get_user_data(int $from, int $number_of_items, int $column, string $dir
             title="'.api_get_person_name($user[2], $user[3]).'" />';
 
         if (1 == $user[7] && !empty($user['exp'])) {
-            // check expiration date
             $expiration_time = api_strtotime($user['exp']);
-            // if expiration date is passed, store a special value for active field
             if ($expiration_time < $t) {
                 $user[7] = '-1';
             }
         }
 
         // forget about the expiration date field
         $users[] = [
-            $user[0], // id
+            $user[0],
             $photo,
             $user[1],
             $user[2],
             $user[3],
-            $user[4], // username
-            $user[5], // email
+            $user[4],
+            $user[5],
             $user[0],
-            $user[7], // active
+            $user[7],
             api_get_local_time($user[8]),
             api_get_local_time($user[9], null, null, true),
             $user[0],
@@ -598,7 +596,6 @@ function modify_filter($user_id, $url_params, $row): string
     $userRoles = $userEntity ? $userEntity->getRoles() : [];
 
     $isAdminByRole = in_array('ROLE_PLATFORM_ADMIN', $userRoles, true)
-        || in_array('ROLE_SUPER_ADMIN', $userRoles, true)
         || in_array('ROLE_GLOBAL_ADMIN', $userRoles, true)
         || in_array('ROLE_ADMIN', $userRoles, true);
 

public/main/inc/ajax/user_manager.ajax.php

@@ -72,8 +72,6 @@
             .$user_info['official_code'];
 
         if ($isAnonymous) {
-            // Only allow anonymous users to see user popup if the popup user
-            // is a teacher (which might be necessary to illustrate a course)
             if (COURSEMANAGER === (int) $user_info['status']) {
                 if ($user_info['status'] === COURSEMANAGER) {
                     echo $userData;
@@ -218,22 +216,21 @@
                     );
                     $body = get_lang('Dear')." ".stripslashes($recipientName).",\n\n";
                     $body .= sprintf(
-                        get_lang('Your account on %s has just been approved by one of our administrators.'),
-                        api_get_setting('siteName')
-                    )."\n";
+                            get_lang('Your account on %s has just been approved by one of our administrators.'),
+                            api_get_setting('siteName')
+                        )."\n";
                     $body .= sprintf(
-                        get_lang('You can now login at %s using the login and the password you have provided.'),
-                        api_get_path(WEB_PATH)
-                    ).",\n\n";
+                            get_lang('You can now login at %s using the login and the password you have provided.'),
+                            api_get_path(WEB_PATH)
+                        ).",\n\n";
                     $body .= get_lang('Have fun,')."\n\n";
-                    //$body.=get_lang('In case of trouble, contact us.'). "\n\n". get_lang('Sincerely');
                     $body .= api_get_person_name(
-                        api_get_setting('administratorName'),
-                        api_get_setting('administratorSurname')
-                    )."\n".
-                    get_lang('Administrator')." ".
-                    api_get_setting('siteName')."\nT. ".api_get_setting('administratorTelephone')."\n".
-                    get_lang('E-mail')." : ".api_get_setting('emailAdministrator');
+                            api_get_setting('administratorName'),
+                            api_get_setting('administratorSurname')
+                        )."\n".
+                        get_lang('Administrator')." ".
+                        api_get_setting('siteName')."\nT. ".api_get_setting('administratorTelephone')."\n".
+                        get_lang('E-mail')." : ".api_get_setting('emailAdministrator');
 
                     MessageManager::send_message_simple(
                         $user_id,
@@ -281,7 +278,7 @@
 
         $urlId = api_get_current_access_url_id();
 
-        $roleList = ['ROLE_TEACHER', 'ROLE_ADMIN', 'ROLE_SUPER_ADMIN'];
+        $roleList = ['ROLE_TEACHER', 'ROLE_ADMIN', 'ROLE_GLOBAL_ADMIN'];
 
         $users = Container::getUserRepository()->findByRoleList(
             $roleList,
@@ -312,7 +309,7 @@
 
         $urlId = api_get_current_access_url_id();
 
-        $roleList = ['ROLE_STUDENT', 'ROLE_TEACHER', 'ROLE_ADMIN', 'ROLE_SUPER_ADMIN'];
+        $roleList = ['ROLE_STUDENT', 'ROLE_TEACHER', 'ROLE_ADMIN', 'ROLE_GLOBAL_ADMIN'];
 
         $users = Container::getUserRepository()->findByRoleList(
             $roleList,

public/main/inc/lib/api.lib.php

@@ -6376,9 +6376,8 @@ function api_get_roles(): array
 
     $codes = Container::$container
         ->get(\Chamilo\CoreBundle\Helpers\PermissionHelper::class)
-        ->getUserRoles(); // list of role codes from DB
+        ->getUserRoles();
 
-    // Built-in labels fallbacks. DB codes are used as keys.
     $labels = [
         'ROLE_STUDENT'          => get_lang('Learner'),
         'STUDENT'               => get_lang('Learner'),
@@ -6398,8 +6397,6 @@ function api_get_roles(): array
         'ADMIN'                 => get_lang('Admin'),
         'ROLE_PLATFORM_ADMIN'   => get_lang('Administrator'),
         'PLATFORM_ADMIN'        => get_lang('Administrator'),
-        'ROLE_SUPER_ADMIN'      => get_lang('Super admin'),
-        'SUPER_ADMIN'           => get_lang('Super admin'),
         'ROLE_GLOBAL_ADMIN'     => get_lang('Global admin'),
         'GLOBAL_ADMIN'          => get_lang('Global admin'),
         'ROLE_ANONYMOUS'        => 'Anonymous',
@@ -6795,7 +6792,6 @@ function api_drh_can_access_all_session_content()
 function api_can_login_as($loginAsUserId, $userId = null)
 {
     $loginAsUserId = (int) $loginAsUserId;
-
     if (empty($loginAsUserId)) {
         return false;
     }
@@ -6808,9 +6804,8 @@ function api_can_login_as($loginAsUserId, $userId = null)
         return false;
     }
 
-    // Check if the user to login is an admin
+    // If target is an admin, only global admins can login to admin accounts
     if (api_is_platform_admin_by_id($loginAsUserId)) {
-        // Only super admins can login to admin accounts
         if (!api_global_admin_can_edit_admin($loginAsUserId)) {
             return false;
         }
@@ -6821,25 +6816,18 @@ function api_can_login_as($loginAsUserId, $userId = null)
     $isDrh = function () use ($loginAsUserId) {
         if (api_is_drh()) {
             if (api_drh_can_access_all_session_content()) {
-                $users = SessionManager::getAllUsersFromCoursesFromAllSessionFromStatus(
-                    'drh_all',
-                    api_get_user_id()
-                );
-                $userList = [];
+                $users   = SessionManager::getAllUsersFromCoursesFromAllSessionFromStatus('drh_all', api_get_user_id());
+                $userIds = [];
                 if (is_array($users)) {
                     foreach ($users as $user) {
-                        $userList[] = $user['id'];
+                        $userIds[] = $user['id'];
                     }
                 }
-                if (in_array($loginAsUserId, $userList)) {
-                    return true;
-                }
-            } else {
-                if (api_is_drh() &&
-                    UserManager::is_user_followed_by_drh($loginAsUserId, api_get_user_id())
-                ) {
-                    return true;
-                }
+                return in_array($loginAsUserId, $userIds);
+            }
+
+            if (UserManager::is_user_followed_by_drh($loginAsUserId, api_get_user_id())) {
+                return true;
             }
         }
 
@@ -6852,9 +6840,9 @@ function api_can_login_as($loginAsUserId, $userId = null)
         $loginAsStatusForSessionAdmins[] = COURSEMANAGER;
     }
 
-    return api_is_platform_admin() ||
-        (api_is_session_admin() && in_array($userInfo['status'], $loginAsStatusForSessionAdmins)) ||
-        $isDrh();
+    return api_is_platform_admin() // local admins can login as (except into other admins unless allowed above)
+        || (api_is_session_admin() && in_array($userInfo['status'], $loginAsStatusForSessionAdmins))
+        || $isDrh();
 }
 
 /**

public/main/inc/lib/usermanager.lib.php

@@ -5499,51 +5499,18 @@ public static function loginAsUser($userId, $checkIfUserCanLoginAs = true)
         }
 
         if ($userId) {
-            $logInfo = [
+            Event::registerLog([
                 'tool' => 'logout',
                 'tool_id' => 0,
                 'tool_id_detail' => 0,
                 'action' => '',
                 'info' => 'Change user (login as)',
-            ];
-            Event::registerLog($logInfo);
+            ]);
 
-            // Logout the current user
+            // Logout current user
             self::loginDelete(api_get_user_id());
 
             return true;
-
-            Session::erase('_user');
-            Session::erase('is_platformAdmin');
-            Session::erase('is_allowedCreateCourse');
-            Session::erase('_uid');
-
-            // Cleaning session variables
-            $_user['firstName'] = $userInfo['firstname'];
-            $_user['lastName'] = $userInfo['lastname'];
-            $_user['mail'] = $userInfo['email'];
-            $_user['official_code'] = $userInfo['official_code'];
-            $_user['picture_uri'] = $userInfo['picture_uri'];
-            $_user['user_id'] = $userId;
-            $_user['id'] = $userId;
-            $_user['status'] = $userInfo['status'];
-
-            // Filling session variables with new data
-            Session::write('_uid', $userId);
-            Session::write('_user', $userInfo);
-            Session::write('is_platformAdmin', (bool) self::is_admin($userId));
-            Session::write('is_allowedCreateCourse', 1 == $userInfo['status']);
-            // will be useful later to know if the user is actually an admin or not (example reporting)
-            Session::write('login_as', true);
-            $logInfo = [
-                'tool' => 'login',
-                'tool_id' => 0,
-                'tool_id_detail' => 0,
-                'info' => $userId,
-            ];
-            Event::registerLog($logInfo);
-
-            return true;
         }
 
         return false;