diff --git a/config/permissions.yaml b/config/permissions.yaml
index 6cb798f5..d00e1e77 100644
--- a/config/permissions.yaml
+++ b/config/permissions.yaml
@@ -139,6 +139,13 @@ perms: # Here comes a list with all Permission names (they have a perm_[name] co
ic_logos:
label: "perm.tools.ic_logos"
+ info_providers:
+ label: "perm.part.info_providers"
+ operations:
+ create_parts:
+ label: "perm.part.info_providers.create_parts"
+ alsoSet: ['parts.create']
+
groups:
label: "perm.groups"
group: "system"
@@ -242,6 +249,8 @@ perms: # Here comes a list with all Permission names (they have a perm_[name] co
alsoSet: 'show_logs'
server_infos:
label: "perm.server_infos"
+ manage_oauth_tokens:
+ label: "Manage OAuth tokens"
attachments:
label: "perm.part.attachments"
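Review bot: The label on the added `manage_oauth_tokens` entry is the literal text "Manage OAuth tokens", while every neighbouring entry (`perm.server_infos`, `perm.part.attachments`) and the new `info_providers` entries in the first hunk carry a translation key, and the translations hunk in this diff adds keys only for the info_providers permissions. Unless raw labels are accepted here, a key in the same form — `label: "perm.system.manage_oauth_tokens"` — together with a matching unit in messages.en.xlf keeps this permission translatable in the permission editor like the others. The group this entry lands in is not visible in the hunk; the controllers query it as `@system.manage_oauth_tokens`, so it presumably sits under `system`, which is worth confirming against the lines above.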
diff --git a/src/Controller/InfoProviderController.php b/src/Controller/InfoProviderController.php
index dbcd6a2a..3828a74e 100644
--- a/src/Controller/InfoProviderController.php
+++ b/src/Controller/InfoProviderController.php
@@ -51,6 +51,8 @@ class InfoProviderController extends AbstractController
#[Route('/providers', name: 'info_providers_list')]
public function listProviders(): Response
{
+ $this->denyAccessUnlessGranted('@info_providers.create_parts');
+
return $this->render('info_providers/providers_list/providers_list.html.twig', [
'active_providers' => $this->providerRegistry->getActiveProviders(),
'disabled_providers' => $this->providerRegistry->getDisabledProviders(),
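Review bot: The guard `$this->denyAccessUnlessGranted('@info_providers.create_parts');` is now repeated verbatim at the top of listProviders, search (next hunk) and createPart (third hunk), and OAuthClientController::connect and check do the same with `@system.manage_oauth_tokens`; if the project's Symfony version provides the `#[IsGranted]` attribute, one attribute per action (or one on the class) states the requirement in the signature and cannot be bypassed by code later inserted above the call. If the explicit call is kept, each action's docblock should carry the contract, e.g. `@throws AccessDeniedException when the user lacks @info_providers.create_parts`. Gating the read-only listProviders and search actions on an operation named create_parts is a deliberate coupling (searching providers only makes sense if the result can be turned into a part) and deserves a one-line comment so it is not later "fixed" into a weaker check.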
@@ -60,6 +62,8 @@ class InfoProviderController extends AbstractController
#[Route('/search', name: 'info_providers_search')]
public function search(Request $request): Response
{
+ $this->denyAccessUnlessGranted('@info_providers.create_parts');
+
$form = $this->createForm(PartSearchType::class);
$form->handleRequest($request);
@@ -82,6 +86,7 @@ class InfoProviderController extends AbstractController
public function createPart(Request $request, EntityManagerInterface $em, TranslatorInterface $translator,
AttachmentSubmitHandler $attachmentSubmitHandler, string $providerKey, string $providerId): Response
{
+ $this->denyAccessUnlessGranted('@info_providers.create_parts');
$new_part = $this->infoRetriever->createPart($providerKey, $providerId);
diff --git a/src/Controller/OAuthClientController.php b/src/Controller/OAuthClientController.php
index 0b80a324..71d8ec1d 100644
--- a/src/Controller/OAuthClientController.php
+++ b/src/Controller/OAuthClientController.php
@@ -43,6 +43,8 @@ class OAuthClientController extends AbstractController
#[Route('/{name}/connect', name: 'oauth_client_connect')]
public function connect(string $name): Response
{
+ $this->denyAccessUnlessGranted('@system.manage_oauth_tokens');
+
return $this->clientRegistry
->getClient($name) // key used in config/packages/knpu_oauth2_client.yaml
->redirect();
@@ -51,6 +53,8 @@ class OAuthClientController extends AbstractController
#[Route('/{name}/check', name: 'oauth_client_check')]
public function check(string $name, Request $request): Response
{
+ $this->denyAccessUnlessGranted('@system.manage_oauth_tokens');
+
$client = $this->clientRegistry->getClient($name);
$access_token = $client->getAccessToken();
diff --git a/src/Entity/UserSystem/PermissionData.php b/src/Entity/UserSystem/PermissionData.php
index 01bb2416..38f4b774 100644
--- a/src/Entity/UserSystem/PermissionData.php
+++ b/src/Entity/UserSystem/PermissionData.php
@@ -43,7 +43,7 @@ final class PermissionData implements \JsonSerializable
/**
* The current schema version of the permission data
*/
- public const CURRENT_SCHEMA_VERSION = 2;
+ public const CURRENT_SCHEMA_VERSION = 3;
/**
* Creates a new Permission Data Instance using the given data.
diff --git a/src/Services/Trees/ToolsTreeBuilder.php b/src/Services/Trees/ToolsTreeBuilder.php
index d1c01063..b0fafb4f 100644
--- a/src/Services/Trees/ToolsTreeBuilder.php
+++ b/src/Services/Trees/ToolsTreeBuilder.php
@@ -133,6 +133,13 @@ class ToolsTreeBuilder
))->setIcon('fa-treeview fa-fw fa-solid fa-file-import');
}
+ if ($this->security->isGranted('@info_providers.create_parts')) {
+ $nodes[] = (new TreeViewNode(
+ $this->translator->trans('info_providers.search.title'),
+ $this->urlGenerator->generate('info_providers_search')
+ ))->setIcon('fa-treeview fa-fw fa-solid fa-cloud-arrow-down');
+ }
+
return $nodes;
}
diff --git a/src/Services/UserSystem/PermissionPresetsHelper.php b/src/Services/UserSystem/PermissionPresetsHelper.php
index 15a29b13..ea2391f7 100644
--- a/src/Services/UserSystem/PermissionPresetsHelper.php
+++ b/src/Services/UserSystem/PermissionPresetsHelper.php
@@ -105,6 +105,9 @@ class PermissionPresetsHelper
$this->permissionResolver->setAllOperationsOfPermission($perm_holder, 'suppliers', PermissionData::ALLOW);
$this->permissionResolver->setAllOperationsOfPermission($perm_holder, 'projects', PermissionData::ALLOW);
+ //Allow to manage Oauth tokens
+ $this->permissionResolver->setPermission($perm_holder, 'system', 'manage_oauth_tokens', PermissionData::ALLOW);
+
}
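Review bot: The preset in this hunk, whose function begins outside the hunk, now receives `system.manage_oauth_tokens`, but no `info_providers.create_parts` grant is visible for it, while the editor preset in the next hunk gets create_parts and not manage_oauth_tokens. If this preset is assembled operation by operation rather than through a blanket allow, its users would be able to manage OAuth tokens yet not use the provider flow those tokens enable; worth confirming against the lines above the hunk. The blank line added directly before the closing brace is a layout nit the rest of the file does not seem to follow.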
private function editor(HasPermissionsInterface $permHolder): HasPermissionsInterface
@@ -139,6 +142,9 @@ class PermissionPresetsHelper
//Various other permissions
$this->permissionResolver->setPermission($permHolder, 'tools', 'lastActivity', PermissionData::ALLOW);
+ //Allow to create parts from information providers
+ $this->permissionResolver->setPermission($permHolder, 'info_providers', 'create_parts', PermissionData::ALLOW);
+
return $permHolder;
}
diff --git a/src/Services/UserSystem/PermissionSchemaUpdater.php b/src/Services/UserSystem/PermissionSchemaUpdater.php
index 5fb08182..e716bcc9 100644
--- a/src/Services/UserSystem/PermissionSchemaUpdater.php
+++ b/src/Services/UserSystem/PermissionSchemaUpdater.php
@@ -138,4 +138,13 @@ class PermissionSchemaUpdater
$holder->getPermissions()->removePermission('devices');
}
}
+
+ private function upgradeSchemaToVersion3(HasPermissionsInterface $holder): void //@phpstan-ignore-line This is called via reflection
+ {
+ //If the info_providers permissions are not defined yet, set it if the user can create parts
+ if (!$holder->getPermissions()->isAnyOperationOfPermissionSet('info_providers')) {
+ $user_can_create_parts = $holder->getPermissions()->getPermissionValue('parts', 'create');
+ $holder->getPermissions()->setPermissionValue('info_providers', 'create_parts', $user_can_create_parts);
+ }
+ }
}
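Review bot: upgradeSchemaToVersion3 seeds only `info_providers.create_parts`; the other permission this diff introduces, `system.manage_oauth_tokens`, gets no default, so after the version bump every existing user and group is left with whatever the resolver yields for an unset operation until the right is granted by hand or a preset is re-applied. If that is intended — a new privileged right starting unset is the conservative choice — say so in the method's docblock so the next maintainer does not read it as an omission. The method copies the raw value of `parts.create` without inspecting it; the guard only checks that no info_providers operation is set, so confirm that setPermissionValue accepts an INHERIT/unset source value as well as ALLOW and DISALLOW. A short docblock such as `Version 3 introduces the info_providers permission; copy parts.create into create_parts so holders who could already create parts keep that ability through the provider flow.` would replace the inline comment and name the intent.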
diff --git a/tests/Services/UserSystem/PermissionSchemaUpdaterTest.php b/tests/Services/UserSystem/PermissionSchemaUpdaterTest.php
index 1acadd14..b1a0e150 100644
--- a/tests/Services/UserSystem/PermissionSchemaUpdaterTest.php
+++ b/tests/Services/UserSystem/PermissionSchemaUpdaterTest.php
@@ -110,4 +110,17 @@ class PermissionSchemaUpdaterTest extends WebTestCase
self::assertEquals(PermissionData::INHERIT, $user->getPermissions()->getPermissionValue('projects', 'edit'));
self::assertEquals(PermissionData::DISALLOW, $user->getPermissions()->getPermissionValue('projects', 'delete'));
}
+
+ public function testUpgradeSchemaToVersion3(): void
+ {
+ $perm_data = new PermissionData();
+ $perm_data->setSchemaVersion(2);
+ $perm_data->setPermissionValue('parts', 'create', PermissionData::ALLOW);
+ $user = new TestPermissionHolder($perm_data);
+
+ //After the upgrade the user should be allowed to create parts from info providers
+ self::assertTrue($this->service->upgradeSchema($user, 3));
+
+ self::assertEquals(PermissionData::ALLOW, $user->getPermissions()->getPermissionValue('info_providers', 'create_parts'));
+ }
}
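Review bot: testUpgradeSchemaToVersion3 pins only the ALLOW path; the early-out in upgradeSchemaToVersion3 (skip when any info_providers operation is already set) and the carry-over of a DISALLOW value are not exercised. Two further cases would cover both branches: one with `parts.create` set to DISALLOW asserting DISALLOW on `info_providers.create_parts`, and one that pre-sets `info_providers.create_parts` to DISALLOW before calling upgradeSchema and asserts it is not overwritten by the ALLOW from `parts.create`. The `self::assertTrue($this->service->upgradeSchema($user, 3));` line presumably also needs the schema version to end at 3; asserting that explicitly, as the earlier tests in this class appear to do for their versions, would make the upgrade path visible in the failure message.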
diff --git a/translations/messages.en.xlf b/translations/messages.en.xlf
index e252abf8..7415c546 100644
--- a/translations/messages.en.xlf
+++ b/translations/messages.en.xlf
@@ -11543,5 +11543,23 @@ Please note, that you can not impersonate a disabled user. If you try you will g
Create parts from info provider
+
+
+ oauth_client.flash.connection_successful
+ Connected to OAuth application successfully!
+
+
+
+
+ perm.part.info_providers
+ Info providers
+
+
+
+
+ perm.part.info_providers.create_parts
+ Create parts from info provider
+
+