From: machristie@apache.org To: commits@airavata.apache.org Date: Wed, 15 Feb 2017 14:38:40 -0000 Message-Id: <6692ca8d365d43819fbe8ea1202d2819@git.apache.org> In-Reply-To: References: X-Mailer: ASF-Git Admin Mailer Subject: [06/12] airavata-php-gateway git commit: AIRAVATA-2312 Adds 'initial-role-name' to pga_config.php archived-at: Wed, 15 Feb 2017 14:38:38 -0000 AIRAVATA-2312 Adds 'initial-role-name' to pga_config.php 'initial-role-name' defaults to 'user-pending' but can be customized to automatically assign new users to the given role. The main use case for this is to set 'initial-role-name' to 'gateway-user' to provide new users access to the gateway without needing admin intervention. Project: http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/repo Commit: http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/commit/9765c1e2 Tree: http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/tree/9765c1e2 Diff: http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/diff/9765c1e2 Branch: refs/heads/dreg-gateway Commit: 9765c1e250992c9ee870243081795e6aa2312948 Parents: 773e542 Author: Marcus Christie Authored: Thu Feb 9 11:17:49 2017 -0500 Committer: Marcus Christie Committed: Thu Feb 9 11:17:49 2017 -0500 ---------------------------------------------------------------------- app/config/pga_config.php.template | 8 ++++++ app/controllers/AccountController.php | 9 +++--- app/controllers/AdminController.php | 44 ++++++++++++++++++++++-------- app/libraries/CommonUtilities.php | 4 +++ 4 files changed, 50 insertions(+), 15 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/blob/9765c1e2/app/config/pga_config.php.template ---------------------------------------------------------------------- diff --git a/app/config/pga_config.php.template b/app/config/pga_config.php.template index ac378f6..8370364 100644 --- a/app/config/pga_config.php.template 
+++ b/app/config/pga_config.php.template @@ -24,6 +24,14 @@ return array( 'user-role-name' => 'Internal/everyone', /** + * Initial user role. This is the initial user role assigned to a new + * user. Set this to one of the three roles above to automatically + * grant new users that role, or set to some other role ('user-pending') + * to require admin approval before users have access. + */ + 'initial-role-name' => 'user-pending', + + /** * Tenant Domain */ 'tenant-domain' => 'master.airavata', http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/blob/9765c1e2/app/controllers/AccountController.php ---------------------------------------------------------------------- diff --git a/app/controllers/AccountController.php b/app/controllers/AccountController.php index 1490ee1..a9ac6b4 100644 --- a/app/controllers/AccountController.php +++ b/app/controllers/AccountController.php @@ -56,14 +56,15 @@ class AccountController extends BaseController WSIS::registerUserAccount($username, $password, $email, $first_name, $last_name, $organization, $address, $country, $telephone, $mobile, $im, $url, Config::get('pga_config.wsis')['tenant-domain']); - /*add user to role - user-pending */ + /*add user to the initial role */ + $initialRoleName = CommonUtilities::getInitialRoleName(); $allRoles = WSIS::getAllRoles(); - if(! in_array( "user-pending", $allRoles)){ - WSIS::addRole( "user-pending"); + if(! in_array( $initialRoleName, $allRoles)){ + WSIS::addRole( $initialRoleName); } - $userRoles["new"] = "user-pending"; + $userRoles["new"] = $initialRoleName; if( Config::get('pga_config.portal')['super-admin-portal'] == true ){ http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/blob/9765c1e2/app/controllers/AdminController.php ---------------------------------------------------------------------- diff --git a/app/controllers/AdminController.php b/app/controllers/AdminController.php index 1ecce03..6dd27bd 100644 --- a/app/controllers/AdminController.php 
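Review bot: The new comment above `'initial-role-name'` tells operators to pick any "one of the three roles above", and that set includes the admin and read-only admin roles, so one config value can make every self-registered account an administrator. Nothing visible in this commit rejects that: the registration code in AccountController.php assigns whatever `CommonUtilities::getInitialRoleName()` returns. I would narrow the wording to something like `Set this to the 'user-role-name' value to give new users gateway access without approval; do not set it to an admin role.` The same accessor could also refuse the values of `admin-role-name` and `read-only-admin-role-name` and fall back to `'user-pending'`.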
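Review bot: `WSIS::addRole( $initialRoleName)` now creates whatever role name the config holds when it is missing from `WSIS::getAllRoles()`, and it does so on the account-registration path. With the old literal this could only ever create `user-pending`. With a configurable value, a typo in `initial-role-name` silently adds a new role to the identity store and assigns new users to it instead of surfacing the misconfiguration. Consider auto-creating only the default name and logging an error otherwise, and make the membership test strict: `if (!in_array($initialRoleName, $allRoles, true)) {`. The enclosing method starts and ends outside the hunk.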
+++ b/app/controllers/AdminController.php 
@@ -236,22 +236,44 @@ class AdminController extends BaseController { $recipients = array($userProfile["email"]); $this->sendAccessGrantedEmailToTheUser(Input::get("username"), $recipients); - // remove the pending role when access is granted, unless - // the admin is trying to add the user to the pending role - if(in_array("user-pending", $newCurrentRoles) && !in_array("user-pending", $roles["new"])) { - $userRoles["new"] = array(); - $userRoles["deleted"] = "user-pending"; - WSIS::updateUserRoles( $username, $userRoles); - } else if(in_array("user-pending", $newCurrentRoles) && in_array("user-pending", $roles["new"])) { - // When user-pending role added remove all roles except for user-pending and Internal/everyone - $userRoles["new"] = array(); - $userRoles["deleted"] = array_diff($newCurrentRoles, array("user-pending", "Internal/everyone")); - WSIS::updateUserRoles( $username, $userRoles); + // remove the initial role when the initial role isn't a privileged + // role and the admin has now assigned the user to a privileged + // role, unless the admin is trying to add the user back to the + // initial role + if (!$this->isInitialRoleOneOfPrivilegedRoles()) { + + $initialRoleName = CommonUtilities::getInitialRoleName(); + if(in_array($initialRoleName, $newCurrentRoles) && !in_array($initialRoleName, $roles["new"])) { + $userRoles["new"] = array(); + $userRoles["deleted"] = $initialRoleName; + WSIS::updateUserRoles( $username, $userRoles); + } else if(in_array($initialRoleName, $newCurrentRoles) && in_array($initialRoleName, $roles["new"])) { + // When initial role added remove all roles except for initial role and Internal/everyone + $userRoles["new"] = array(); + $userRoles["deleted"] = array_diff($newCurrentRoles, array($initialRoleName, "Internal/everyone")); + WSIS::updateUserRoles( $username, $userRoles); + } } } return Redirect::to("admin/dashboard/roles")->with( "message", "Roles has been added."); } + /* + * Return true if the initial-role-name is one of 
the three privileged + * roles. This is used to figure out whether the initial-role-name is a + * 'user-pending' kind of role (returns false), or whether the initial role + * is a privileged role (returns true) and no admin intervention is + * necessary. + */ + private function isInitialRoleOneOfPrivilegedRoles() { + + $initialRoleName = CommonUtilities::getInitialRoleName(); + $adminRoleName = Config::get("pga_config.wsis")["admin-role-name"]; + $adminReadOnlyRoleName = Config::get("pga_config.wsis")["read-only-admin-role-name"]; + $userRoleName = Config::get("pga_config.wsis")["user-role-name"]; + return in_array($initialRoleName, array($adminRoleName, $adminReadOnlyRoleName, $userRoleName)); + } + public function removeRoleFromUser(){ $roles["deleted"] = array(Input::all()["roleName"]); $roles["new"] = array(); http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/blob/9765c1e2/app/libraries/CommonUtilities.php ---------------------------------------------------------------------- diff --git a/app/libraries/CommonUtilities.php b/app/libraries/CommonUtilities.php index 585016f..53f790e 100644 --- a/app/libraries/CommonUtilities.php +++ b/app/libraries/CommonUtilities.php @@ -438,5 +438,9 @@ class CommonUtilities return false; } } + + public static function getInitialRoleName() { + return Config::get('pga_config.wsis.initial-role-name', 'user-pending'); + } }
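Review bot: The pending-role cleanup is now keyed entirely on the current value of `initial-role-name`, so roles handed out under an earlier value are never removed. If a deployment switches from `'user-pending'` to a privileged role, `isInitialRoleOneOfPrivilegedRoles()` returns true and the whole block is skipped, so accounts that registered before the switch keep `user-pending` even after an admin grants them access. Whether that matters depends on how the rest of the gateway treats that role, which is not visible here. At minimum I would record it next to the check, e.g. `// NOTE: roles assigned under an earlier 'initial-role-name' value are not cleaned up here`. In the new helper, `in_array($initialRoleName, array(...), true)` would also stop an empty configured name from loosely matching a role key that is missing from the config; the enclosing method begins outside the hunk.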
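Review bot: `getInitialRoleName()` returns the configured value unchecked, and the `'user-pending'` default does not cover an empty string, so a blank `initial-role-name` would flow straight into `WSIS::addRole()` and the role assignment in AccountController. As the single accessor for this setting it is the natural place to validate, for example `$role = Config::get('pga_config.wsis.initial-role-name', 'user-pending');` followed by `return (is_string($role) && $role !== '') ? $role : 'user-pending';`. A short docblock stating that the returned role is assigned to every newly registered user would also help, since the method name alone does not say that it controls default access.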