assign role roles
This commit is contained in:
@@ -7,6 +7,7 @@ use MintyPHP\Repository\Org\UserDepartmentRepositoryInterface;
|
||||
use MintyPHP\Repository\Support\DatabaseSessionRepository;
|
||||
use MintyPHP\Repository\Tenant\UserTenantRepositoryInterface;
|
||||
use MintyPHP\Repository\User\UserWriteRepositoryInterface;
|
||||
use MintyPHP\Service\Access\AssignableRoleService;
|
||||
use MintyPHP\Service\Access\PermissionService;
|
||||
|
||||
class UserAssignmentService
|
||||
@@ -18,7 +19,8 @@ class UserAssignmentService
|
||||
private readonly UserDepartmentRepositoryInterface $userDepartmentRepository,
|
||||
private readonly UserDirectoryGateway $directoryGateway,
|
||||
private readonly PermissionService $permissionService,
|
||||
private readonly DatabaseSessionRepository $databaseSessionRepository
|
||||
private readonly DatabaseSessionRepository $databaseSessionRepository,
|
||||
private readonly AssignableRoleService $assignableRoleService
|
||||
) {
|
||||
}
|
||||
|
||||
@@ -172,7 +174,7 @@ class UserAssignmentService
|
||||
return $result;
|
||||
}
|
||||
|
||||
public function syncRoles(int $userId, array $roleIds, bool $bumpAuthz = true): bool
|
||||
public function syncRoles(int $userId, array $roleIds, bool $bumpAuthz = true, int $actorUserId = 0): bool
|
||||
{
|
||||
$ids = array_values(array_unique(array_map('intval', $roleIds)));
|
||||
$ids = array_values(array_filter($ids, static fn ($id) => $id > 0));
|
||||
@@ -181,6 +183,14 @@ class UserAssignmentService
|
||||
$validMap = array_fill_keys($validIds, true);
|
||||
$ids = array_values(array_filter($ids, static fn ($id) => isset($validMap[$id])));
|
||||
}
|
||||
|
||||
// Enforce assignable-roles: the actor can only touch roles within their assignable set.
|
||||
// Roles outside the set are "frozen" and remain as-is on the target user.
|
||||
if ($actorUserId > 0) {
|
||||
$currentRoleIds = $this->userRoleRepository->listRoleIdsByUserId($userId);
|
||||
$ids = $this->assignableRoleService->computeEffectiveRoleIds($actorUserId, $ids, $currentRoleIds);
|
||||
}
|
||||
|
||||
$result = $this->userRoleRepository->replaceForUser($userId, $ids);
|
||||
$this->permissionService->clearUserCache($userId);
|
||||
if ($result && $bumpAuthz) {
|
||||
@@ -228,7 +238,7 @@ class UserAssignmentService
|
||||
$this->userWriteRepository->bumpAuthzVersion($userId);
|
||||
}
|
||||
|
||||
public function syncAllAssignments(int $userId, array $tenantIds, array $roleIds, array $departmentIds): bool
|
||||
public function syncAllAssignments(int $userId, array $tenantIds, array $roleIds, array $departmentIds, int $actorUserId = 0): bool
|
||||
{
|
||||
if ($userId <= 0) {
|
||||
return false;
|
||||
@@ -241,7 +251,7 @@ class UserAssignmentService
|
||||
|
||||
// bumpAuthz=false on each sync — bump once at the end to avoid redundant DB writes.
|
||||
$ok = $this->syncTenants($userId, $tenantIds, false)
|
||||
&& $this->syncRoles($userId, $roleIds, false)
|
||||
&& $this->syncRoles($userId, $roleIds, false, $actorUserId)
|
||||
&& $this->syncDepartments($userId, $departmentIds, false);
|
||||
if (!$ok) {
|
||||
$this->rollbackQuietly();
|
||||
|
||||
Reference in New Issue
Block a user