Added permissions to control access to info providers and oauth tokens

config/permissions.yaml

@@ -139,6 +139,13 @@ perms: # Here comes a list with all Permission names (they have a perm_[name] co
       ic_logos:
         label: "perm.tools.ic_logos"
 
+  info_providers:
+    label: "perm.part.info_providers"
+    operations:
+      create_parts:
+        label: "perm.part.info_providers.create_parts"
+        alsoSet: ['parts.create']
+
   groups:
     label: "perm.groups"
     group: "system"
@@ -242,6 +249,8 @@ perms: # Here comes a list with all Permission names (they have a perm_[name] co
         alsoSet: 'show_logs'
       server_infos:
         label: "perm.server_infos"
+      manage_oauth_tokens:
+        label: "Manage OAuth tokens"
 
   attachments:
     label: "perm.part.attachments"

src/Controller/InfoProviderController.php

@@ -51,6 +51,8 @@ class InfoProviderController extends  AbstractController
     #[Route('/providers', name: 'info_providers_list')]
     public function listProviders(): Response
     {
+        $this->denyAccessUnlessGranted('@info_providers.create_parts');
+
         return $this->render('info_providers/providers_list/providers_list.html.twig', [
             'active_providers' => $this->providerRegistry->getActiveProviders(),
             'disabled_providers' => $this->providerRegistry->getDisabledProviders(),
@@ -60,6 +62,8 @@ class InfoProviderController extends  AbstractController
     #[Route('/search', name: 'info_providers_search')]
     public function search(Request $request): Response
     {
+        $this->denyAccessUnlessGranted('@info_providers.create_parts');
+
         $form = $this->createForm(PartSearchType::class);
         $form->handleRequest($request);
 
@@ -82,6 +86,7 @@ class InfoProviderController extends  AbstractController
     public function createPart(Request $request, EntityManagerInterface $em, TranslatorInterface $translator,
         AttachmentSubmitHandler $attachmentSubmitHandler, string $providerKey, string $providerId): Response
     {
+        $this->denyAccessUnlessGranted('@info_providers.create_parts');
 
         $new_part = $this->infoRetriever->createPart($providerKey, $providerId);
 

src/Controller/OAuthClientController.php

@@ -43,6 +43,8 @@ class OAuthClientController extends AbstractController
     #[Route('/{name}/connect', name: 'oauth_client_connect')]
     public function connect(string $name): Response
     {
+        $this->denyAccessUnlessGranted('@system.manage_oauth_tokens');
+
         return $this->clientRegistry
             ->getClient($name) // key used in config/packages/knpu_oauth2_client.yaml
             ->redirect();
@@ -51,6 +53,8 @@ class OAuthClientController extends AbstractController
     #[Route('/{name}/check', name: 'oauth_client_check')]
     public function check(string $name, Request $request): Response
     {
+        $this->denyAccessUnlessGranted('@system.manage_oauth_tokens');
+
         $client = $this->clientRegistry->getClient($name);
 
         $access_token = $client->getAccessToken();

src/Entity/UserSystem/PermissionData.php

@@ -43,7 +43,7 @@ final class PermissionData implements \JsonSerializable
     /**
      * The current schema version of the permission data
      */
-    public const CURRENT_SCHEMA_VERSION = 2;
+    public const CURRENT_SCHEMA_VERSION = 3;
 
     /**
      * Creates a new Permission Data Instance using the given data.

src/Services/Trees/ToolsTreeBuilder.php

@@ -133,6 +133,13 @@ class ToolsTreeBuilder
             ))->setIcon('fa-treeview fa-fw fa-solid fa-file-import');
         }
 
+        if ($this->security->isGranted('@info_providers.create_parts')) {
+            $nodes[] = (new TreeViewNode(
+                $this->translator->trans('info_providers.search.title'),
+                $this->urlGenerator->generate('info_providers_search')
+            ))->setIcon('fa-treeview fa-fw fa-solid fa-cloud-arrow-down');
+        }
+
         return $nodes;
     }
 

src/Services/UserSystem/PermissionPresetsHelper.php

@@ -105,6 +105,9 @@ class PermissionPresetsHelper
         $this->permissionResolver->setAllOperationsOfPermission($perm_holder, 'suppliers', PermissionData::ALLOW);
         $this->permissionResolver->setAllOperationsOfPermission($perm_holder, 'projects', PermissionData::ALLOW);
 
+        //Allow to manage Oauth tokens
+        $this->permissionResolver->setPermission($perm_holder, 'system', 'manage_oauth_tokens', PermissionData::ALLOW);
+
     }
 
     private function editor(HasPermissionsInterface $permHolder): HasPermissionsInterface
@@ -139,6 +142,9 @@ class PermissionPresetsHelper
         //Various other permissions
         $this->permissionResolver->setPermission($permHolder, 'tools', 'lastActivity', PermissionData::ALLOW);
 
+        //Allow to create parts from information providers
+        $this->permissionResolver->setPermission($permHolder, 'info_providers', 'create_parts', PermissionData::ALLOW);
+
 
         return $permHolder;
     }

src/Services/UserSystem/PermissionSchemaUpdater.php

@@ -138,4 +138,13 @@ class PermissionSchemaUpdater
             $holder->getPermissions()->removePermission('devices');
         }
     }
+
+    private function upgradeSchemaToVersion3(HasPermissionsInterface $holder): void //@phpstan-ignore-line This is called via reflection
+    {
+        //If the info_providers permissions are not defined yet, set it if the user can create parts
+        if (!$holder->getPermissions()->isAnyOperationOfPermissionSet('info_providers')) {
+            $user_can_create_parts = $holder->getPermissions()->getPermissionValue('parts', 'create');
+            $holder->getPermissions()->setPermissionValue('info_providers', 'create_parts', $user_can_create_parts);
+        }
+    }
 }

tests/Services/UserSystem/PermissionSchemaUpdaterTest.php

@@ -110,4 +110,17 @@ class PermissionSchemaUpdaterTest extends WebTestCase
         self::assertEquals(PermissionData::INHERIT, $user->getPermissions()->getPermissionValue('projects', 'edit'));
         self::assertEquals(PermissionData::DISALLOW, $user->getPermissions()->getPermissionValue('projects', 'delete'));
     }
+
+    public function testUpgradeSchemaToVersion3(): void
+    {
+        $perm_data = new PermissionData();
+        $perm_data->setSchemaVersion(2);
+        $perm_data->setPermissionValue('parts', 'create', PermissionData::ALLOW);
+        $user = new TestPermissionHolder($perm_data);
+
+        //After the upgrade the user should be allowed to create parts from info providers
+        self::assertTrue($this->service->upgradeSchema($user, 3));
+
+        self::assertEquals(PermissionData::ALLOW, $user->getPermissions()->getPermissionValue('info_providers', 'create_parts'));
+    }
 }

translations/messages.en.xlf

@@ -11543,5 +11543,23 @@ Please note, that you can not impersonate a disabled user. If you try you will g
         <target>Create parts from info provider</target>
       </segment>
     </unit>
+    <unit id="8w3P1gW" name="oauth_client.flash.connection_successful">
+      <segment>
+        <source>oauth_client.flash.connection_successful</source>
+        <target>Connected to OAuth application successfully!</target>
+      </segment>
+    </unit>
+    <unit id="9ULD.eH" name="perm.part.info_providers">
+      <segment>
+        <source>perm.part.info_providers</source>
+        <target>Info providers</target>
+      </segment>
+    </unit>
+    <unit id="En713bs" name="perm.part.info_providers.create_parts">
+      <segment>
+        <source>perm.part.info_providers.create_parts</source>
+        <target>Create parts from info provider</target>
+      </segment>
+    </unit>
   </file>
 </xliff>