3 namespace BookStack\Auth\Permissions;
5 use BookStack\Actions\ActivityType;
6 use BookStack\Auth\Role;
7 use BookStack\Exceptions\PermissionsException;
8 use BookStack\Facades\Activity;
10 use Illuminate\Database\Eloquent\Collection;
14 protected $permission;
16 protected $permissionService;
18 protected $systemRoles = ['admin', 'public'];
21 * PermissionsRepo constructor.
23 public function __construct(RolePermission $permission, Role $role, PermissionService $permissionService)
25 $this->permission = $permission;
27 $this->permissionService = $permissionService;
31 * Get all the user roles from the system.
33 public function getAllRoles(): Collection
35 return $this->role->all();
39 * Get all the roles except for the provided one.
41 public function getAllRolesExcept(Role $role): Collection
43 return $this->role->where('id', '!=', $role->id)->get();
47 * Get a role via its ID.
49 public function getRoleById($id): Role
51 return $this->role->newQuery()->findOrFail($id);
55 * Save a new role into the system.
57 public function saveNewRole(array $roleData): Role
59 $role = $this->role->newInstance($roleData);
60 $role->mfa_enforced = ($roleData['mfa_enforced'] ?? 'false') === 'true';
63 $permissions = isset($roleData['permissions']) ? array_keys($roleData['permissions']) : [];
64 $this->assignRolePermissions($role, $permissions);
65 $this->permissionService->buildJointPermissionForRole($role);
66 Activity::add(ActivityType::ROLE_CREATE, $role);
72 * Updates an existing role.
73 * Ensure Admin role always have core permissions.
75 public function updateRole($roleId, array $roleData)
77 /** @var Role $role */
78 $role = $this->role->newQuery()->findOrFail($roleId);
80 $permissions = isset($roleData['permissions']) ? array_keys($roleData['permissions']) : [];
81 if ($role->system_name === 'admin') {
82 $permissions = array_merge($permissions, [
85 'restrictions-manage-all',
86 'restrictions-manage-own',
91 $this->assignRolePermissions($role, $permissions);
93 $role->fill($roleData);
94 $role->mfa_enforced = ($roleData['mfa_enforced'] ?? 'false') === 'true';
96 $this->permissionService->buildJointPermissionForRole($role);
97 Activity::add(ActivityType::ROLE_UPDATE, $role);
101 * Assign an list of permission names to an role.
103 protected function assignRolePermissions(Role $role, array $permissionNameArray = [])
106 $permissionNameArray = array_values($permissionNameArray);
108 if ($permissionNameArray) {
109 $permissions = $this->permission->newQuery()
110 ->whereIn('name', $permissionNameArray)
115 $role->permissions()->sync($permissions);
119 * Delete a role from the system.
120 * Check it's not an admin role or set as default before deleting.
121 * If an migration Role ID is specified the users assign to the current role
122 * will be added to the role of the specified id.
124 * @throws PermissionsException
127 public function deleteRole($roleId, $migrateRoleId)
129 /** @var Role $role */
130 $role = $this->role->newQuery()->findOrFail($roleId);
132 // Prevent deleting admin role or default registration role.
133 if ($role->system_name && in_array($role->system_name, $this->systemRoles)) {
134 throw new PermissionsException(trans('errors.role_system_cannot_be_deleted'));
135 } elseif ($role->id === intval(setting('registration-role'))) {
136 throw new PermissionsException(trans('errors.role_registration_default_cannot_delete'));
139 if ($migrateRoleId) {
140 $newRole = $this->role->newQuery()->find($migrateRoleId);
142 $users = $role->users()->pluck('id')->toArray();
143 $newRole->users()->sync($users);
147 $this->permissionService->deleteJointPermissionsForRole($role);
148 Activity::add(ActivityType::ROLE_DELETE, $role);
projects / bookstack / blob