Client Permissions

Added routes for managing client permissions.
Only ilias system administrators are allowed to change permissions.

Customizing/global/plugins/Services/UIComponent/UserInterfaceHook/REST/RESTController/core/clients/models/Clients.php

@@ -95,15 +95,15 @@ public function addPermission($api_key, $route_pattern, $verb)
      * @param $perm_id
      * @return mixed
      */
-    public function removePermission($perm_id)
+    public function deletePermission($perm_id)
     {
         $sql = Libs\RESTLib::safeSQL('DELETE FROM ui_uihk_rest_perm WHERE id = %d', $perm_id);
         $numAffRows = self::$sqlDB->manipulate($sql);
         return $numAffRows;
     }
 
     /**
-     * Returns a permission (route-pattern + verb) given a unique permission id.
+     * Returns a permission statement (i.e. route-pattern + verb) given a unique permission id.
      * @param $perm_id
      * @return array
      */
@@ -118,6 +118,24 @@ public function getPermissionByPermId($perm_id)
         return array();
     }
 
+    /**
+     * Returns all permissions for a rest client specified by its api-key.
+     * @param $api_key
+     * @return array
+     * @throws Exceptions\MissingApiKey
+     */
+    public function getPermissionsForApiKey($api_key)
+    {
+        $api_key_id = $this->getApiIdFromKey($api_key);
+        $sql = Libs\RESTLib::safeSQL("SELECT * FROM ui_uihk_rest_perm WHERE api_id = %d", $api_key_id);
+        $query = self::$sqlDB->query($sql);
+        $aPermissions = array();
+        while($row = self::$sqlDB->fetchAssoc($query)) {
+            $aPermissions[] = $row;
+        }
+        return $aPermissions;
+    }
+
     /**
      * Given a api_key ID and an array of user id numbers, this function writes the mapping to the table 'ui_uihk_rest_keymap'.
      * Note: Old entries will be deleted.
@@ -198,8 +216,9 @@ public function getClients()
             // fetch allowd users for api-key
             $sqlCSV = Libs\RESTLib::safeSQL('SELECT user_id FROM ui_uihk_rest_keymap WHERE api_id = %d', $id);
             $queryCSV = self::$sqlDB->query($sqlCSV);
-            while($rowCSV = self::$sqlDB->fetchAssoc($queryCSV))
+            while($rowCSV = self::$sqlDB->fetchAssoc($queryCSV)) {
                 $csv[] = $rowCSV['user_id'];
+            }
             $rowKeys['access_user_csv'] = $csv;
 
             // Add entry to result

Customizing/global/plugins/Services/UIComponent/UserInterfaceHook/REST/RESTController/core/clients/routes/ClientPermissions.php

@@ -0,0 +1,160 @@
+<?php
+/**
+ * ILIAS REST Plugin for the ILIAS LMS
+ *
+ * Authors: D.Schaefer, T.Hufschmidt <(schaefer|hufschmidt)@hrz.uni-marburg.de>
+ * Since 2014
+ */
+namespace RESTController\core\clients;
+
+// This allows us to use shortcuts instead of full quantifier
+use \RESTController\libs as Libs;
+use \RESTController\libs\Exceptions as LibExceptions;
+use \RESTController\core\clients\Exceptions as ClientExceptions;
+use \RESTController\core\auth as Auth;
+// Requires <$app = \RESTController\RESTController::getInstance()>
+
+/**
+ * Route clientpermissions
+ * Description:
+ *  Creates a new client permission with the route and verb parameter pair.
+ *  Also returns the new permission id (perm-id).
+ * Method: POST
+ * Auth: authenticateTokenOnly
+ * Parameters:
+ *  {
+ *    api_key: "<API-Key for new client>",
+ *
+ *  }
+ * Response:
+ *  {
+ *    [id: <Internal id (perm-id)>, route, verb],
+ *    status: "<Success or Failure>"
+ *  }
+ */
+ $app->get('/clientpermissions', '\RESTController\libs\OAuth2Middleware::TokenAuth', function () use ($app) {
+    // Fetch authorized user
+    $auth = new Auth\Util();
+    $user = $auth->getAccessToken()->getUserName();
+
+    // Check if user has admin role
+    if (!Libs\RESTLib::isAdminByUserName($user)) {
+        $app->halt(401, Libs\RESTLib::MSG_NO_ADMIN, Libs\RESTLib::ID_NO_ADMIN);
+    }
+
+     $request = $app->request;
+     // Try/Catch all required inputs
+     try {
+         $api_key = $request->params('api_key', null, true);
+     } catch(LibExceptions\MissingParameter $e) {
+         $app->halt(422, $e->getFormatedMessage(), $e::ID);
+     }
+
+    // Use the model class to fetch data
+    $model = new Clients();
+    $data = $model->getPermissionsForApiKey($api_key);
+
+    // Prepare data
+    $result = array();
+    $result['permissions'] = $data;
+
+    // Send data
+    $app->success($result);
+});
+
+
+/**
+ * Route: /clientpermissions
+ * Description:
+ *  Creates a new permission statement.
+ *  Also returns the new permission id (perm-id).
+ * Method: POST
+ * Auth: authenticateTokenOnly
+ * Parameters:
+ *  {
+ *    api_key: "<API-Key of a client>",
+ *    pattern: "Name of the route",
+ *    verb: "Action, e.g. GET, PUT,..."
+ *
+ *  }
+ * Response:
+ *  {
+ *    id: <Internal id (perm-id) of new permission statement>,
+ *    status: "<Success or Failure>"
+ *  }
+ */
+$app->post('/clientpermissions/', '\RESTController\libs\OAuth2Middleware::TokenAuth', function () use ($app) {
+    // Fetch authorized user
+    $auth = new Auth\Util();
+    $user = $auth->getAccessToken()->getUserName();
+
+    // Check if authorized user has admin role
+    if (!Libs\RESTLib::isAdminByUserName($user)) {
+        $app->halt(401, Libs\RESTLib::MSG_NO_ADMIN, Libs\RESTLib::ID_NO_ADMIN);
+    }
+
+
+    // Shortcut for request object
+    $request = $app->request();
+
+    $app->log->debug('in post clientpermissions');
+    $app->log->debug(print_r($request->getBody(),true));
+
+    // Try/Catch all required inputs
+    try {
+        $api_key = $request->params('api_key', null, true);
+    } catch(LibExceptions\MissingParameter $e) {
+        $app->halt(422, $e->getFormatedMessage(), $e::ID);
+    }
+
+    // Get optional inputs
+    $pattern = $request->params('pattern', '');
+    $verb = $request->params('verb', '');
+
+
+    // Supply data to model which processes it further
+    $model = new Clients();
+    $new_id = $model->addPermission($api_key, $pattern, $verb);
+
+    // Send affirmation status
+    $result = array();
+    $result['id'] = $new_id;
+    $app->success($result);
+});
+
+
+/**
+ * Route: /clientpermissions/:id
+ *  :id - Internal permission id (perm-id) the should be removed
+ * Description:
+ *  Deletes a permission statement given by :id (perm-id).
+ * Method: DELETE
+ * Auth: authenticateTokenOnly
+ * Parameters:
+ * Response:
+ *  {
+ *    status: "<Success or Failure>"
+ *  }
+ */
+$app->delete('/clientpermissions/:id', '\RESTController\libs\OAuth2Middleware::TokenAuth',  function ($id) use ($app) {
+    // Fetch authorized user
+    $auth = new Auth\Util();
+    $user = $auth->getAccessToken()->getUserName();
+
+    // Check if authorized user has admin role
+    if (!Libs\RESTLib::isAdminByUserName($user)) {
+        $app->halt(401, Libs\RESTLib::MSG_NO_ADMIN, Libs\RESTLib::ID_NO_ADMIN);
+    }
+
+    try {
+        // Use the model class to update databse
+        $model = new Clients();
+        $aff_rows = $model->deletePermission($id);
+
+        // Send affirmation status
+        $result = array('NumItemsDeleted'=>$aff_rows);
+        $app->success($result);
+    } catch(ClientExceptions\DeleteFailed $e) {
+        $app->halt(500, $e->getMessage(), $e::ID);
+    }
+});

Customizing/global/plugins/Services/UIComponent/UserInterfaceHook/REST/sql/dbupdate.php

@@ -353,6 +353,21 @@ function gen_uuid() {
         "pattern" => array("text", '/routes'),
         "verb" => array("text", 'GET')
     ));
+    $ilDB->insert("ui_uihk_rest_perm", array(
+        "api_id" => array("integer", 1),
+        "pattern" => array("text", '/clientpermissions'),
+        "verb" => array("text", 'GET')
+    ));
+    $ilDB->insert("ui_uihk_rest_perm", array(
+        "api_id" => array("integer", 1),
+        "pattern" => array("text", '/clientpermissions/:id'),
+        "verb" => array("text", 'DELETE')
+    ));
+    $ilDB->insert("ui_uihk_rest_perm", array(
+        "api_id" => array("integer", 1),
+        "pattern" => array("text", '/clientpermissions/'),
+        "verb" => array("text", 'POST')
+    ));
 
     $ilLog->write('Plugin REST -> Database updated to #9');
 ?>