3 namespace BookStack\Auth\Permissions;
5 use BookStack\Actions\ActivityType;
6 use BookStack\Auth\Role;
7 use BookStack\Exceptions\PermissionsException;
8 use BookStack\Facades\Activity;
10 use Illuminate\Database\Eloquent\Collection;
14 protected JointPermissionBuilder $permissionBuilder;
15 protected $systemRoles = ['admin', 'public'];
18 * PermissionsRepo constructor.
20 public function __construct(JointPermissionBuilder $permissionBuilder)
22 $this->permissionBuilder = $permissionBuilder;
26 * Get all the user roles from the system.
28 public function getAllRoles(): Collection
30 return Role::query()->get();
34 * Get all the roles except for the provided one.
36 public function getAllRolesExcept(Role $role): Collection
38 return Role::query()->where('id', '!=', $role->id)->get();
42 * Get a role via its ID.
44 public function getRoleById($id): Role
46 return Role::query()->findOrFail($id);
50 * Save a new role into the system.
52 public function saveNewRole(array $roleData): Role
54 $role = new Role($roleData);
55 $role->mfa_enforced = ($roleData['mfa_enforced'] ?? 'false') === 'true';
58 $permissions = isset($roleData['permissions']) ? array_keys($roleData['permissions']) : [];
59 $this->assignRolePermissions($role, $permissions);
61 Activity::add(ActivityType::ROLE_CREATE, $role);
67 * Updates an existing role.
68 * Ensure Admin role always have core permissions.
70 public function updateRole($roleId, array $roleData)
72 $role = $this->getRoleById($roleId);
74 $permissions = isset($roleData['permissions']) ? array_keys($roleData['permissions']) : [];
75 if ($role->system_name === 'admin') {
76 $permissions = array_merge($permissions, [
79 'restrictions-manage-all',
80 'restrictions-manage-own',
85 $this->assignRolePermissions($role, $permissions);
87 $role->fill($roleData);
88 $role->mfa_enforced = ($roleData['mfa_enforced'] ?? 'false') === 'true';
91 Activity::add(ActivityType::ROLE_UPDATE, $role);
95 * Assign a list of permission names to a role.
97 protected function assignRolePermissions(Role $role, array $permissionNameArray = [])
100 $permissionNameArray = array_values($permissionNameArray);
102 if ($permissionNameArray) {
103 $permissions = RolePermission::query()
104 ->whereIn('name', $permissionNameArray)
109 $role->permissions()->sync($permissions);
113 * Delete a role from the system.
114 * Check it's not an admin role or set as default before deleting.
115 * If an migration Role ID is specified the users assign to the current role
116 * will be added to the role of the specified id.
118 * @throws PermissionsException
121 public function deleteRole($roleId, $migrateRoleId)
123 $role = $this->getRoleById($roleId);
125 // Prevent deleting admin role or default registration role.
126 if ($role->system_name && in_array($role->system_name, $this->systemRoles)) {
127 throw new PermissionsException(trans('errors.role_system_cannot_be_deleted'));
128 } elseif ($role->id === intval(setting('registration-role'))) {
129 throw new PermissionsException(trans('errors.role_registration_default_cannot_delete'));
132 if ($migrateRoleId) {
133 $newRole = Role::query()->find($migrateRoleId);
135 $users = $role->users()->pluck('id')->toArray();
136 $newRole->users()->sync($users);
140 $role->entityPermissions()->delete();
141 $role->jointPermissions()->delete();
142 Activity::add(ActivityType::ROLE_DELETE, $role);
projects / bookstack / blob