3 namespace BookStack\Auth\Permissions;
5 use BookStack\Actions\ActivityType;
6 use BookStack\Auth\Role;
7 use BookStack\Exceptions\PermissionsException;
8 use BookStack\Facades\Activity;
10 use Illuminate\Database\Eloquent\Collection;
14 protected JointPermissionBuilder $permissionBuilder;
15 protected $systemRoles = ['admin', 'public'];
18 * PermissionsRepo constructor.
20 public function __construct(JointPermissionBuilder $permissionBuilder)
22 $this->permissionBuilder = $permissionBuilder;
26 * Get all the user roles from the system.
28 public function getAllRoles(): Collection
30 return Role::query()->get();
34 * Get all the roles except for the provided one.
36 public function getAllRolesExcept(Role $role): Collection
38 return Role::query()->where('id', '!=', $role->id)->get();
42 * Get a role via its ID.
44 public function getRoleById($id): Role
46 return Role::query()->findOrFail($id);
50 * Save a new role into the system.
52 public function saveNewRole(array $roleData): Role
54 $role = new Role($roleData);
55 $role->mfa_enforced = ($roleData['mfa_enforced'] ?? 'false') === 'true';
58 $permissions = isset($roleData['permissions']) ? array_keys($roleData['permissions']) : [];
59 $this->assignRolePermissions($role, $permissions);
60 $this->permissionBuilder->rebuildForRole($role);
62 Activity::add(ActivityType::ROLE_CREATE, $role);
68 * Updates an existing role.
69 * Ensure Admin role always have core permissions.
71 public function updateRole($roleId, array $roleData)
73 $role = $this->getRoleById($roleId);
75 $permissions = isset($roleData['permissions']) ? array_keys($roleData['permissions']) : [];
76 if ($role->system_name === 'admin') {
77 $permissions = array_merge($permissions, [
80 'restrictions-manage-all',
81 'restrictions-manage-own',
86 $this->assignRolePermissions($role, $permissions);
88 $role->fill($roleData);
89 $role->mfa_enforced = ($roleData['mfa_enforced'] ?? 'false') === 'true';
91 $this->permissionBuilder->rebuildForRole($role);
93 Activity::add(ActivityType::ROLE_UPDATE, $role);
97 * Assign a list of permission names to a role.
99 protected function assignRolePermissions(Role $role, array $permissionNameArray = [])
102 $permissionNameArray = array_values($permissionNameArray);
104 if ($permissionNameArray) {
105 $permissions = RolePermission::query()
106 ->whereIn('name', $permissionNameArray)
111 $role->permissions()->sync($permissions);
115 * Delete a role from the system.
116 * Check it's not an admin role or set as default before deleting.
117 * If an migration Role ID is specified the users assign to the current role
118 * will be added to the role of the specified id.
120 * @throws PermissionsException
123 public function deleteRole($roleId, $migrateRoleId)
125 $role = $this->getRoleById($roleId);
127 // Prevent deleting admin role or default registration role.
128 if ($role->system_name && in_array($role->system_name, $this->systemRoles)) {
129 throw new PermissionsException(trans('errors.role_system_cannot_be_deleted'));
130 } elseif ($role->id === intval(setting('registration-role'))) {
131 throw new PermissionsException(trans('errors.role_registration_default_cannot_delete'));
134 if ($migrateRoleId) {
135 $newRole = Role::query()->find($migrateRoleId);
137 $users = $role->users()->pluck('id')->toArray();
138 $newRole->users()->sync($users);
142 $role->entityPermissions()->delete();
143 $role->jointPermissions()->delete();
144 Activity::add(ActivityType::ROLE_DELETE, $role);
projects / bookstack / blob