Restructured config keys for roles.

omeka · Dec 9, 2024 · 5d516c7 · 5d516c7
1 parent a6da490
commit 5d516c7
Show file tree

Hide file tree

Showing 3 changed files with 50 additions and 35 deletions.
diff --git a/application/config/module.config.php b/application/config/module.config.php
@@ -4,28 +4,42 @@
 use \Omeka\Permissions\Acl;
 
 return [
-    'acl' => [
-        // Roles are defined as keys to allow inheritance of roles and rights.
-        'roles' => [
-            Acl::ROLE_GLOBAL_ADMIN => [],
-            Acl::ROLE_SITE_ADMIN => [],
-            Acl::ROLE_EDITOR => [],
-            Acl::ROLE_REVIEWER => [],
-            Acl::ROLE_AUTHOR => [],
-            Acl::ROLE_RESEARCHER => [],
-        ],
-        // Roles that are "admins" and restricted for editing.
-        'admin_roles' => [
-            Acl::ROLE_GLOBAL_ADMIN => Acl::ROLE_GLOBAL_ADMIN,
-            Acl::ROLE_SITE_ADMIN => Acl::ROLE_SITE_ADMIN,
-        ],
-        'labels' => [
-            Acl::ROLE_GLOBAL_ADMIN => 'Global Administrator', // @translate
-            Acl::ROLE_SITE_ADMIN => 'Supervisor', // @translate
-            Acl::ROLE_EDITOR => 'Editor', // @translate
-            Acl::ROLE_REVIEWER => 'Reviewer', // @translate
-            Acl::ROLE_AUTHOR => 'Author', // @translate
-            Acl::ROLE_RESEARCHER => 'Researcher', // @translate
+    'roles' => [
+        Acl::ROLE_GLOBAL_ADMIN => [
+            'role' => Acl::ROLE_GLOBAL_ADMIN,
+            'label' => 'Global Administrator', // @translate
+            'admin' => true,
+            'parents' => [],
+        ],
+        Acl::ROLE_SITE_ADMIN => [
+            'role' => Acl::ROLE_SITE_ADMIN,
+            'label' => 'Supervisor', // @translate
+            'admin' => true,
+            'parents' => [],
+        ],
+        Acl::ROLE_EDITOR => [
+            'role' => Acl::ROLE_EDITOR,
+            'label' => 'Editor', // @translate
+            'admin' => false,
+            'parents' => [],
+        ],
+        Acl::ROLE_REVIEWER => [
+            'role' => Acl::ROLE_REVIEWER,
+            'label' => 'Reviewer', // @translate
+            'admin' => false,
+            'parents' => [],
+        ],
+        Acl::ROLE_AUTHOR => [
+            'role' => Acl::ROLE_AUTHOR,
+            'label' => 'Author', // @translate
+            'admin' => false,
+            'parents' => [],
+        ],
+        Acl::ROLE_RESEARCHER => [
+            'role' => Acl::ROLE_RESEARCHER,
+            'label' => 'Researcher', // @translate
+            'admin' => false,
+            'parents' => [],
         ],
     ],
     'password' => [

diff --git a/application/src/Permissions/Acl.php b/application/src/Permissions/Acl.php
@@ -22,7 +22,7 @@ class Acl extends LaminasAcl
     /**
      * @var array
      */
-    protected $configAcl;
+    protected $configRoles;
 
     public function setAuthenticationService(AuthenticationServiceInterface $auth)
     {
@@ -34,9 +34,9 @@ public function getAuthenticationService(): AuthenticationServiceInterface
         return $this->auth;
     }
 
-    public function setConfigAcl(array $configAcl)
+    public function setConfigRoles(array $configRoles)
     {
-        $this->configAcl = $configAcl;
+        $this->configRoles = $configRoles;
     }
 
     /**
@@ -47,9 +47,10 @@ public function setConfigAcl(array $configAcl)
      */
     public function getRoleLabels($excludeAdminRoles = false): array
     {
+        $labels = array_column($this->configRoles, 'label', 'role');
         return $excludeAdminRoles
-            ? array_diff_key($this->configAcl['labels'], $this->configAcl['admin_roles'])
-            : $this->configAcl['labels'];
+            ? array_diff_key($labels, array_filter(array_column($this->configRoles, 'admin', 'role')))
+            : $labels;
     }
 
     /**
@@ -72,7 +73,7 @@ public function userIsAllowed($resource = null, $privilege = null): bool
      */
     public function isAdminRole($role): bool
     {
-        return in_array($role, $this->configAcl['admin_roles']);
+        return !empty($this->configRoles[$role]['admin']);
     }
 
     /**
@@ -85,7 +86,7 @@ public function isAdminRole($role): bool
      */
     public function addRoleLabel($roleId, $roleLabel)
     {
-        $this->configAcl['labels'][$roleId] = $roleLabel;
+        $this->configRoles[$roleId]['label'] = $roleLabel;
     }
 
     /**
@@ -98,6 +99,6 @@ public function addRoleLabel($roleId, $roleLabel)
      */
     public function removeRoleLabel($roleId)
     {
-        unset($this->configAcl['labels'][$roleId]);
+        $this->configRoles[$roleId]['label'] = null;
     }
 }
diff --git a/application/src/Service/AclFactory.php b/application/src/Service/AclFactory.php
@@ -26,7 +26,7 @@ class AclFactory implements FactoryInterface
     /**
      * @var array
      */
-    protected $configAcl;
+    protected $configRoles;
 
     /**
      * Create the access control list.
@@ -43,8 +43,8 @@ public function __invoke(ContainerInterface $serviceLocator, $requestedName, arr
         $auth = $serviceLocator->get('Omeka\AuthenticationService');
         $acl->setAuthenticationService($auth);
 
-        $this->configAcl = $serviceLocator->get('Config')['acl'];
-        $acl->setConfigAcl($this->configAcl);
+        $this->configRoles = $serviceLocator->get('Config')['roles'];
+        $acl->setConfigRoles($this->configRoles);
 
         $this->addRoles($acl);
         $this->addResources($acl);
@@ -69,8 +69,8 @@ public function __invoke(ContainerInterface $serviceLocator, $requestedName, arr
      */
     protected function addRoles(Acl $acl)
     {
-        foreach ($this->configAcl['roles'] as $role => $parents) {
-            $acl->addRole($role, $parents ?: null);
+        foreach ($this->configRoles as $role => $roleData) {
+            $acl->addRole($role, empty($roleData['parents']) ? null : $roleData['parents']);
         }
     }