From aba1d480126acab87a57fd578d850dc86cbab06b Mon Sep 17 00:00:00 2001
From: Yeni Atencio
Date: Mon, 27 Nov 2023 14:16:38 +1100
Subject: [PATCH 01/11] granted permissions to approvers to create and edit department and sites only
---
 config/install/user.role.approver.yml | 5 +++++
 tide_core.install | 18 ++++++++++++++++++
 2 files changed, 23 insertions(+)
diff --git a/config/install/user.role.approver.yml b/config/install/user.role.approver.yml
index 02d1f24b9..c5d3a6d45 100644
--- a/config/install/user.role.approver.yml
+++ b/config/install/user.role.approver.yml
@@ -18,6 +18,7 @@ dependencies:
 - system
 - tide_core
 - toolbar
+ - taxonomy
 id: approver
 label: Approver
 weight: 3
@@ -34,10 +35,14 @@ permissions:
 - 'administer url aliases'
 - 'break content lock'
 - 'create media'
+ - 'create terms in department'
+ - 'create terms in sites'
 - 'create url aliases'
 - 'delete all revisions'
 - 'delete any media'
 - 'delete media'
+ - 'edit terms in department'
+ - 'edit terms in sites'
 - 'import tablefield'
 - 'rebuild tablefield'
 - 'revert all revisions'
diff --git a/tide_core.install b/tide_core.install
index b7a72bcc1..328d61283 100644
--- a/tide_core.install
+++ b/tide_core.install
@@ -92,3 +92,21 @@ function tide_core_update_10002() {
 $approver->grantPermission('tide node bulk update');
 $approver->save();
 }
+
+/**
+ * Approver should not have access to administer taxonomy.
+ */
+function tide_core_update_10003() {
+ $role = 'approver';
+ $permissions = ['administer taxonomy'];
+ user_role_revoke_permissions(Role::load($role)->id(), $permissions);
+}
+
+/**
+ * Approver role should have permissions to create and edit terms in department and sites.
+ */
+function tide_core_update_10004() {
+ $approver = Role::load('approver');
+ $approver->grantPermission('create terms in department', 'create terms in sites', 'edit terms in department', 'edit terms in sites');
+ $approver->save();
+}
From 3d5066cbae2a50c093762b8e071f4495b099d2c2 Mon Sep 17 00:00:00 2001
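Review bot: The permissions hunk of PATCH 01/11 for config/install/user.role.approver.yml adds the four term permissions but removes nothing, so it is not visible here whether the install config still grants `'administer taxonomy'`, which tide_core_update_10003 in the same patch revokes on existing sites. If that entry is still in the file (it would sort above the first context line, outside this hunk), fresh installs would keep the broader permission; dropping the line `- 'administer taxonomy'` in this commit would keep new and updated sites on the same grant set. The added entries are per-vocabulary permissions, so they presumably need the `department` and `sites` vocabularies to exist when this role config is installed; that is worth confirming.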
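Review bot: In tide_core_update_10004 (tide_core.install hunk of PATCH 01/11) `grantPermission()` is called with four arguments, but the role method takes a single permission name and PHP silently discards the extra arguments, so only `'create terms in department'` would be granted. Grant them one at a time, e.g. `foreach ($permissions as $permission) { $approver->grantPermission($permission); }` before `save()`. Both new hooks also dereference `Role::load()` without a null check (`Role::load($role)->id()` in 10003, `$approver->grantPermission(...)` in 10004), so the update stops with a fatal error on a site where the approver role has been deleted. The multi-argument call is still present in the tide_core_update_10004 hunks of PATCH 02/11 and PATCH 05/11.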
From: Yeni Atencio
Date: Mon, 27 Nov 2023 15:00:33 +1100
Subject: [PATCH 02/11] added behat tests
---
 config/install/user.role.approver.yml | 2 --
 tests/behat/features/access.feature | 6 ++++++
 tide_core.install | 2 +-
 3 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/config/install/user.role.approver.yml b/config/install/user.role.approver.yml
index c5d3a6d45..b56d988a9 100644
--- a/config/install/user.role.approver.yml
+++ b/config/install/user.role.approver.yml
@@ -36,13 +36,11 @@ permissions:
 - 'break content lock'
 - 'create media'
 - 'create terms in department'
- - 'create terms in sites'
 - 'create url aliases'
 - 'delete all revisions'
 - 'delete any media'
 - 'delete media'
 - 'edit terms in department'
- - 'edit terms in sites'
 - 'import tablefield'
 - 'rebuild tablefield'
 - 'revert all revisions'
diff --git a/tests/behat/features/access.feature b/tests/behat/features/access.feature
index d5a2e9766..0f91767e1 100644
--- a/tests/behat/features/access.feature
+++ b/tests/behat/features/access.feature
@@ -69,3 +69,9 @@ Feature: Access permissions
 Given I am logged in as a user with the "Site Auditor" role
 When I go to "/admin/reports/audit-trail"
 Then I should get a 200 HTTP response
+
+ @api
+ Scenario: Approver role should not have access to redirects.
+ Given I am logged in as a user with the "approver" role
+ When I go to "admin/structure/taxonomy/add"
+ Then I should get a 404 HTTP response
diff --git a/tide_core.install b/tide_core.install
index 328d61283..e93807ba4 100644
--- a/tide_core.install
+++ b/tide_core.install
@@ -107,6 +107,6 @@ function tide_core_update_10003() {
 */
 function tide_core_update_10004() {
 $approver = Role::load('approver');
- $approver->grantPermission('create terms in department', 'create terms in sites', 'edit terms in department', 'edit terms in sites');
+ $approver->grantPermission('create terms in department', 'edit terms in department');
 $approver->save();
 }
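Review bot: The new scenario in tests/behat/features/access.feature (PATCH 02/11) asserts a 404, which does not tell an access denial apart from a path that simply does not resolve, so it can pass without proving that the approver lost `administer taxonomy`. The path is written `"admin/structure/taxonomy/add"` without the leading slash used by the scenario above it, and the title says "redirects" although the step targets taxonomy. Unless this site deliberately maps denied pages to 404, assert the access-denied status instead, e.g. `Then I should get a 403 HTTP response` on `"/admin/structure/taxonomy/add"`. A positive scenario for the department term form would cover the granted side of the permission change as well.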
From ae47bd9458dba98356b4df52e9c1a5605649f48c Mon Sep 17 00:00:00 2001
From: Yeni Atencio
Date: Mon, 27 Nov 2023 15:10:51 +1100
Subject: [PATCH 03/11] fixed lint
---
 tide_core.install | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tide_core.install b/tide_core.install
index e93807ba4..85b250706 100644
--- a/tide_core.install
+++ b/tide_core.install
@@ -103,7 +103,7 @@ function tide_core_update_10003() {
 }
 
 /**
- * Approver role should have permissions to create and edit terms in department and sites.
+ * Approver should have permissions to create/edit terms in department and sites.
 */
 function tide_core_update_10004() {
 $approver = Role::load('approver');
From 6a453559916aec71330d670d6a759c0728377ab6 Mon Sep 17 00:00:00 2001
From: Yeni Atencio
Date: Mon, 27 Nov 2023 15:51:12 +1100
Subject: [PATCH 04/11] fixed lint
---
 tide_core.install | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tide_core.install b/tide_core.install
index 85b250706..77493abd4 100644
--- a/tide_core.install
+++ b/tide_core.install
@@ -103,7 +103,7 @@ function tide_core_update_10003() {
 }
 
 /**
- * Approver should have permissions to create/edit terms in department and sites.
+ * Approver should have permission to create/edit terms in department and sites.
 */
 function tide_core_update_10004() {
 $approver = Role::load('approver');
From cc67a8af7e46f2f18cf7feb649cba5e3820d8972 Mon Sep 17 00:00:00 2001
From: Yeni Atencio
Date: Tue, 28 Nov 2023 12:38:58 +1100
Subject: [PATCH 05/11] added conditional
---
 tide_core.install | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/tide_core.install b/tide_core.install
index 77493abd4..6f9da4d77 100644
--- a/tide_core.install
+++ b/tide_core.install
@@ -99,7 +99,7 @@ function tide_core_update_10002() {
 function tide_core_update_10003() {
 $role = 'approver';
 $permissions = ['administer taxonomy'];
- user_role_revoke_permissions(Role::load($role)->id(), $permissions);
+ user_role_revoke_permissions($role, $permissions);
 }
 
 /**
@@ -107,6 +107,8 @@ function tide_core_update_10003() {
 */
 function tide_core_update_10004() {
 $approver = Role::load('approver');
- $approver->grantPermission('create terms in department', 'edit terms in department');
- $approver->save();
+ if ($approver) {
+ $approver->grantPermission('create terms in department', 'edit terms in department');
+ $approver->save();
+ }
 }
From 01d7ca65c0199b0e8e0212a3d74b4e726cd9c3a3 Mon Sep 17 00:00:00 2001
From: Yeni Atencio
Date: Tue, 28 Nov 2023 12:42:37 +1100
Subject: [PATCH 06/11] fixed comment
---
 tide_core.install | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tide_core.install b/tide_core.install
index 6f9da4d77..dbe6d8465 100644
--- a/tide_core.install
+++ b/tide_core.install
@@ -103,7 +103,7 @@ function tide_core_update_10003() {
 }
 
 /**
- * Approver should have permission to create/edit terms in department and sites.
+ * Approver should have permission to create/edit terms in department.
 */
 function tide_core_update_10004() {
 $approver = Role::load('approver');
From cf11ecc43e18fb3f58712f515b2d59434c4467a3 Mon Sep 17 00:00:00 2001
From: Yeni Atencio
Date: Wed, 29 Nov 2023 16:42:24 +1100
Subject: [PATCH 07/11] used array for permissions
---
 tide_core.install | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/tide_core.install b/tide_core.install
index dbe6d8465..b29ffe4dc 100644
--- a/tide_core.install
+++ b/tide_core.install
@@ -107,8 +107,14 @@ function tide_core_update_10003() {
 */
 function tide_core_update_10004() {
 $approver = Role::load('approver');
+ $permissions = [
+ 'create terms in department',
+ 'edit terms in department'
+ ];
 if ($approver) {
- $approver->grantPermission('create terms in department', 'edit terms in department');
+ foreach ($permissions as $permission) {
+ $approver->grantPermission($permission);
+ }
 $approver->save();
 }
 }
From 24a0e2aabf5c6e54a677ffde06aaae6d9c1450d8 Mon Sep 17 00:00:00 2001
From: Yeni Atencio
Date: Wed, 29 Nov 2023 17:01:43 +1100
Subject: [PATCH 08/11] fixed lint
---
 tide_core.install | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tide_core.install b/tide_core.install
index b29ffe4dc..0cb9755e7 100644
--- a/tide_core.install
+++ b/tide_core.install
@@ -109,7 +109,7 @@ function tide_core_update_10004() {
 $approver = Role::load('approver');
 $permissions = [
 'create terms in department',
- 'edit terms in department'
+ 'edit terms in department',
 ];
 if ($approver) {
 foreach ($permissions as $permission) {
From 58103cc64425bd19533f2afd87e902eae572beb9 Mon Sep 17 00:00:00 2001
From: Yeni Atencio <47239456+yeniatencio@users.noreply.github.com>
Date: Wed, 6 Dec 2023 12:05:13 +1100
Subject: [PATCH 09/11] Update tide_core.install
---
 tide_core.install | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/tide_core.install b/tide_core.install
index 0cb9755e7..b9fc1747c 100644
--- a/tide_core.install
+++ b/tide_core.install
@@ -98,8 +98,14 @@ function tide_core_update_10002() {
 */
 function tide_core_update_10003() {
 $role = 'approver';
- $permissions = ['administer taxonomy'];
- user_role_revoke_permissions($role, $permissions);
+ $permissions = [
+ 'administer taxonomy',
+ 'edit terms in topic',
+ 'delete terms in topic',
+ ];
+ if ($role) {
+ user_role_revoke_permissions($role, $permissions);
+ }
 }
 
 /**
From c1d4dad957504496ac318a3262d77960bc8ab6b4 Mon Sep 17 00:00:00 2001
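Review bot: In tide_core_update_10003 (PATCH 09/11) the new guard `if ($role)` tests the string literal `'approver'` assigned two lines above it, so it is always true and does not protect against a missing role. If the intent is to skip the revoke when the role does not exist, check the loaded entity instead, e.g. `if (Role::load($role)) {`. The docblock above the function still mentions only administer taxonomy although the hook now also revokes `'edit terms in topic'` and `'delete terms in topic'`. Because this edits an existing update number, a site that has already run 10003 will not pick up the two added revocations; if that hook has shipped, they would need a new update function. The function's docblock starts outside this hunk.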
From: Yeni Atencio
Date: Mon, 15 Jan 2024 16:58:19 +1100
Subject: [PATCH 10/11] remove permission
---
 config/install/user.role.approver.yml | 3 ---
 tide_core.install | 17 -----------------
 2 files changed, 20 deletions(-)
diff --git a/config/install/user.role.approver.yml b/config/install/user.role.approver.yml
index b56d988a9..02d1f24b9 100644
--- a/config/install/user.role.approver.yml
+++ b/config/install/user.role.approver.yml
@@ -18,7 +18,6 @@ dependencies:
 - system
 - tide_core
 - toolbar
- - taxonomy
 id: approver
 label: Approver
 weight: 3
@@ -35,12 +34,10 @@ permissions:
 - 'administer url aliases'
 - 'break content lock'
 - 'create media'
- - 'create terms in department'
 - 'create url aliases'
 - 'delete all revisions'
 - 'delete any media'
 - 'delete media'
- - 'edit terms in department'
 - 'import tablefield'
 - 'rebuild tablefield'
 - 'revert all revisions'
diff --git a/tide_core.install b/tide_core.install
index b9fc1747c..28750c842 100644
--- a/tide_core.install
+++ b/tide_core.install
@@ -107,20 +107,3 @@ function tide_core_update_10003() {
 user_role_revoke_permissions($role, $permissions);
 }
 }
-
-/**
- * Approver should have permission to create/edit terms in department.
- */
-function tide_core_update_10004() {
- $approver = Role::load('approver');
- $permissions = [
- 'create terms in department',
- 'edit terms in department',
- ];
- if ($approver) {
- foreach ($permissions as $permission) {
- $approver->grantPermission($permission);
- }
- $approver->save();
- }
-}
From e54d8654817e08c16a6903948bfbb7fd13fd04a6 Mon Sep 17 00:00:00 2001
From: Yeni Atencio <47239456+yeniatencio@users.noreply.github.com>
Date: Wed, 14 Feb 2024 09:20:36 +1100
Subject: [PATCH 11/11] Fixed lint
---
 tide_core.install | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tide_core.install b/tide_core.install
index 63a64709b..8444e2355 100644
--- a/tide_core.install
+++ b/tide_core.install
@@ -124,6 +124,7 @@ function tide_core_update_10003() {
 $config->save();
 }
 }
+
 /**
 * Approver should not have access to administer taxonomy.
 */