Adjusting ACLs -- allow external group manager to create sub-groups.

krulis-martin · krulis-martin · commit a72901cbe6ec · 2025-09-09T15:30:10.000+02:00
diff --git a/app/V1Module/presenters/GroupExternalAttributesPresenter.php b/app/V1Module/presenters/GroupExternalAttributesPresenter.php
@@ -94,9 +94,10 @@ public function actionDefault(string $instance, ?string $service, ?string $user)
     }
 
 
-    public function checkAdd()
+    public function checkAdd(string $groupId)
     {
-        if (!$this->groupAcl->canSetExternalAttributes()) {
+        $group = $this->groups->findOrThrow($groupId);
+        if (!$this->groupAcl->canSetExternalAttributes($group)) {
             throw new ForbiddenRequestException();
         }
     }
@@ -128,9 +129,10 @@ public function actionAdd(string $groupId)
         $this->sendSuccessResponse("OK");
     }
 
-    public function checkRemove()
+    public function checkRemove(string $groupId)
     {
-        if (!$this->groupAcl->canSetExternalAttributes()) {
+        $group = $this->groups->findOrThrow($groupId);
+        if (!$this->groupAcl->canSetExternalAttributes($group)) {
             throw new ForbiddenRequestException();
         }
     }
diff --git a/app/V1Module/security/ACL/IGroupPermissions.php b/app/V1Module/security/ACL/IGroupPermissions.php
@@ -78,5 +78,5 @@ public function canUnlockStudent(Group $group, User $student): bool;
 
     public function canViewExternalAttributes(): bool;
 
-    public function canSetExternalAttributes(): bool;
+    public function canSetExternalAttributes(Group $group): bool;
 }
diff --git a/app/config/permissions.neon b/app/config/permissions.neon
@@ -79,11 +79,28 @@ permissions:
       resource: group
       actions:
           - viewExternalAttributes
+
+    - allow: true
+      role: scope-group-external
+      resource: group
+      actions:
           - setExternalAttributes
           - addStudent
           - removeStudent
           - addMember
           - removeMember
+          - addSubgroup
+      conditions:
+          - group.isNotArchived
+
+    - allow: true
+      resource: group
+      role: scope-group-external
+      actions:
+          - addSubgroup
+      conditions:
+          - group.isNotArchived
+          - group.isNotExam
 
     - allow: true
       role: student

Original file line number	Diff line number	Diff line change
`@@ -94,9 +94,10 @@ public function actionDefault(string $instance, ?string $service, ?string $user)`
`94`	`94`	`}`
`95`	`95`
`96`	`96`
`97`		`- public function checkAdd()`
	`97`	`+ public function checkAdd(string $groupId)`
`98`	`98`	`{`
`99`		`- if (!$this->groupAcl->canSetExternalAttributes()) {`
	`99`	`+ $group = $this->groups->findOrThrow($groupId);`
	`100`	`+ if (!$this->groupAcl->canSetExternalAttributes($group)) {`
`100`	`101`	`throw new ForbiddenRequestException();`
`101`	`102`	`}`
`102`	`103`	`}`
`@@ -128,9 +129,10 @@ public function actionAdd(string $groupId)`
`128`	`129`	`$this->sendSuccessResponse("OK");`
`129`	`130`	`}`
`130`	`131`
`131`		`- public function checkRemove()`
	`132`	`+ public function checkRemove(string $groupId)`
`132`	`133`	`{`
`133`		`- if (!$this->groupAcl->canSetExternalAttributes()) {`
	`134`	`+ $group = $this->groups->findOrThrow($groupId);`
	`135`	`+ if (!$this->groupAcl->canSetExternalAttributes($group)) {`
`134`	`136`	`throw new ForbiddenRequestException();`
`135`	`137`	`}`
`136`	`138`	`}`
Original file line number	Diff line number	Diff line change
`@@ -78,5 +78,5 @@ public function canUnlockStudent(Group $group, User $student): bool;`
`78`	`78`
`79`	`79`	`public function canViewExternalAttributes(): bool;`
`80`	`80`
`81`		`- public function canSetExternalAttributes(): bool;`
	`81`	`+ public function canSetExternalAttributes(Group $group): bool;`
`82`	`82`	`}`