IndAss: add permissions (create/publish records)

klees · Feb 3, 2025 · 4e09522 · 4e09522
1 parent 7f23537
commit 4e09522
Show file tree

Hide file tree

Showing 5 changed files with 84 additions and 35 deletions.
diff --git a/.../IndividualAssessment/classes/AccessControl/class.ilIndividualAssessmentAccessHandler.php b/.../IndividualAssessment/classes/AccessControl/class.ilIndividualAssessmentAccessHandler.php
@@ -25,6 +25,11 @@ class ilIndividualAssessmentAccessHandler implements IndividualAssessmentAccessH
 {
     public const DEFAULT_ROLE = 'il_iass_member';
 
+    public const RBAC_OP_CREATE_RECORDS = 'create_records';
+    public const ORGU_OP_CREATE_RECORDS = 'ou_create_records';
+    public const RBAC_OP_PUBLISH_RECORDS = 'publish_records';
+    public const ORGU_OP_PUBLISH_RECORDS = 'ou_publish_records';
+
     protected ilObjIndividualAssessment $iass;
     protected ilAccessHandler $handler;
     protected ilRbacAdmin $admin;
@@ -50,7 +55,7 @@ public function __construct(
      */
     public function checkRBACAccessToObj(string $operation): bool
     {
-        if($this->simulateMember()) {
+        if ($this->simulateMember()) {
             return $this->checkMemberRoleForPermission($operation);
         } else {
             return $this->isSystemAdmin() ||
@@ -72,6 +77,7 @@ public function checkRBACOrPositionAccessToObj(string $operation)
             );
         }
 
+        /*
         if ($operation == "write_learning_progress") {
             return $this->handler->checkRbacOrPositionPermissionAccess(
                 // This feels super odd, but this is actually ok because we do not have
@@ -82,6 +88,7 @@ public function checkRBACOrPositionAccessToObj(string $operation)
                 $this->iass->getRefId()
             );
         }
+        */
 
         throw new \LogicException("Unknown rbac/position-operation: $operation");
     }
@@ -100,13 +107,13 @@ protected function checkMemberRoleForPermission(string $operation): bool
             $this->review->getParentRoleIds($ref_id),
             static fn(array $role): bool => str_starts_with($role['title'], 'il_crs_member_')
         );
-        if($roles === []) {
+        if ($roles === []) {
             return false;
         }
         $role = array_shift($roles);
         $active_ops = $this->review->getActiveOperationsOfRole($ref_id, $role['rol_id']);
-        foreach($active_ops as $op) {
-            if($this->review->getOperation($op)['operation'] === $operation) {
+        foreach ($active_ops as $op) {
+            if ($this->review->getOperation($op)['operation'] === $operation) {
                 return true;
             }
         }
@@ -189,19 +196,22 @@ public function mayViewAllUsers(): bool
 
     public function mayGradeAnyUser(): bool
     {
-        return $this->checkRBACOrPositionAccessToObj('write_learning_progress');
+        //return $this->checkRBACOrPositionAccessToObj('write_learning_progress');
+        return $this->handler->checkRbacOrPositionPermissionAccess(
+            self::RBAC_OP_CREATE_RECORDS,
+            self::ORGU_OP_CREATE_RECORDS,
+            $this->iass->getRefId()
+        );
+
     }
 
     public function mayGradeUser(int $user_id): bool
     {
         return
             (count(
                 $this->handler->filterUserIdsByRbacOrPositionOfCurrentUser(
-                    // This feels super odd, but this is actually ok because we do not have
-                    // a dedicated RBAC permission to write_learning_progress.
-                    // See: https://mantis.ilias.de/view.php?id=36056#c89865
-                    "read_learning_progress",
-                    "write_learning_progress",
+                    self::RBAC_OP_CREATE_RECORDS,
+                    self::ORGU_OP_CREATE_RECORDS,
                     $this->iass->getRefId(),
                     [$user_id]
                 )

diff --git a/Modules/IndividualAssessment/classes/Setup/class.ilIndividualAssessmentSetupAgent.php b/Modules/IndividualAssessment/classes/Setup/class.ilIndividualAssessmentSetupAgent.php
@@ -54,9 +54,16 @@ public function getInstallObjective(Setup\Config $config = null): Setup\Objectiv
      */
     public function getUpdateObjective(Setup\Config $config = null): Setup\Objective
     {
-        return new ilDatabaseUpdateStepsExecutedObjective(
-            new ilIndividualAssessmentRectifyMembersTableDBUpdateSteps()
+        return new Setup\ObjectiveCollection(
+            'Indivial Asessment',
+            true,
+            new ilDatabaseUpdateStepsExecutedObjective(
+                new ilIndividualAssessmentRectifyMembersTableDBUpdateSteps(),
+            ),
+            ...$this->getPermissionObjectives()
         );
+
+
     }
 
     /**
@@ -82,4 +89,36 @@ public function getMigrations(): array
     {
         return [];
     }
+
+
+    protected function getPermissionObjectives(): array
+    {
+        return [
+            new ilAccessCustomRBACOperationAddedObjective(
+                ilIndividualAssessmentAccessHandler::RBAC_OP_CREATE_RECORDS,
+                "Create Records for Users",
+                "object",
+                9010,
+                ["iass"]
+            ),
+            new \ilOrgUnitOperationRegisteredObjective(
+                ilIndividualAssessmentAccessHandler::ORGU_OP_CREATE_RECORDS,
+                'Create Records for Users',
+                ilOrgUnitOperationContext::CONTEXT_IASS
+            ),
+            new ilAccessCustomRBACOperationAddedObjective(
+                ilIndividualAssessmentAccessHandler::RBAC_OP_PUBLISH_RECORDS,
+                "Publish Records",
+                "object",
+                9020,
+                ["iass"]
+            ),
+            new \ilOrgUnitOperationRegisteredObjective(
+                ilIndividualAssessmentAccessHandler::ORGU_OP_PUBLISH_RECORDS,
+                'Publish Records',
+                ilOrgUnitOperationContext::CONTEXT_IASS
+            )
+        ];
+    }
+
 }
diff --git a/Modules/IndividualAssessment/classes/class.ilIndividualAssessmentMemberGUI.php b/Modules/IndividualAssessment/classes/class.ilIndividualAssessmentMemberGUI.php
@@ -177,7 +177,7 @@ protected function downloadFile(): void
     {
         $identifier = $this->getMember()->getGrading()->getFile();
         $resource_id = $this->irss->manage()->find($identifier);
-        if($resource_id) {
+        if ($resource_id) {
             $this->irss->consume()->download($resource_id)->run();
         }
     }
@@ -353,7 +353,7 @@ protected function getUploadResult(): HandlerResult
     protected function getRemoveResult(string $identifier): HandlerResult
     {
         $resource_id = $this->irss->manage()->find($identifier);
-        if($resource_id) {
+        if ($resource_id) {
             $this->irss->manage()->remove($resource_id, $this->stakeholder);
             $status = HandlerResult::STATUS_OK;
             $message = $this->lng->txt('iass_file_deleted');
@@ -368,7 +368,7 @@ protected function getRemoveResult(string $identifier): HandlerResult
     public function getInfoResult(string $identifier): ?FileInfoResult
     {
         $resource_id = $this->irss->manage()->find($identifier);
-        if(! $resource_id) {
+        if (! $resource_id) {
             return null;
         }
         $resource = $this->irss->manage()->getResource($resource_id);
@@ -388,7 +388,7 @@ public function getInfoForExistingFiles(array $file_ids): array
         $file_ids = array_filter($file_ids, fn($id) => $id !== "");
         return array_map(function ($id) {
             $resource_id = $this->irss->manage()->find($identifier);
-            if(! $resource_id) {
+            if (! $resource_id) {
                 return null;
             }
             $resource = $this->irss->manage()->getResource($resource_id);
@@ -510,7 +510,7 @@ protected function userMayGrade(): bool
     {
         return
             $this->getAccessHandler()->isSystemAdmin() ||
-            (!$this->targetWasEditedByOtherUser($this->getMember()) && $this->getAccessHandler()->mayGradeUser($this->getMember()->id()))
+            ($this->getAccessHandler()->mayGradeUser($this->getMember()->id()))
         ;
     }
 
@@ -524,14 +524,6 @@ protected function userMayAmend(): bool
         return $this->getAccessHandler()->mayAmendAllUsers();
     }
 
-    protected function targetWasEditedByOtherUser(ilIndividualAssessmentMember $member): bool
-    {
-        return
-            (int) $member->examinerId() !== $this->user->getId() &&
-            0 !== (int) $member->examinerId()
-        ;
-    }
-
     protected function isFinalized(): bool
     {
         return $this->getMember()->finalized();

diff --git a/lang/ilias_de.lang b/lang/ilias_de.lang
@@ -10407,7 +10407,7 @@ iass#:#iass_amend_saved#:#Geänderte Prüfungsdaten wurden gespeichert.
 iass#:#iass_assessment_not_completed#:#Noch nicht abgeschlossen
 iass#:#iass_cancel#:#Abbrechen
 iass#:#iass_changed_by#:#Nachträglich geändert
-iass#:#iass_confirm_finalize#:#Abschließen
+iass#:#iass_confirm_finalize#:#Abschließen und veröffentlichen
 iass#:#iass_consultation_hours#:#Sprechstunden
 iass#:#iass_contact#:#Name
 iass#:#iass_contact_info#:#Kontaktinformationen
@@ -10431,7 +10431,7 @@ iass#:#iass_filter_failed#:#Nur nicht bestanden
 iass#:#iass_filter_finalized#:#Nur bestandene
 iass#:#iass_filter_not_finalized#:#Nur nicht abgeschlossene
 iass#:#iass_filter_not_started#:#Nur nicht bewertete
-iass#:#iass_finalize#:#Abschließen
+iass#:#iass_finalize#:#Abschließen und veröffentlichen
 iass#:#iass_finalize_info#:#Die Individuelle Bewertung wird abgeschlossen.
 iass#:#iass_finalize_user_qst#:#Soll die Bewertung des Teilnehmers wirklich final abgeschlossen werden? Änderungen an der Bewertung sind hinterher nicht mehr möglich.
 iass#:#iass_further_field_headline#:#Detaillierte Informationen
@@ -10442,8 +10442,8 @@ iass#:#iass_internal_note_info#:#Dieser Text ist nur für Personen sichtbar, die
 iass#:#iass_location#:#Ort
 iass#:#iass_mails#:#E-Mail
 iass#:#iass_may_not_finalize#:#Prüfung kann noch nicht abschließend bewertet werden. Bitte geben Sie eine Bewertung ab.
-iass#:#iass_membership_finalized#:#Bewertung abgeschlossen.
-iass#:#iass_membership_saved#:#Bewertung wurde gespeichert aber noch nicht final abgeschlossen.
+iass#:#iass_membership_finalized#:#Bewertung veröffentlicht.
+iass#:#iass_membership_saved#:#Bewertung wurde gespeichert aber noch nicht veröffentlicht.
 iass#:#iass_mess_notification_completed#:#Sie haben die Prüfung „%s“ bestanden. Beachten Sie bitte auch die folgende Notiz zur Prüfung.
 iass#:#iass_mess_notification_failed#:#Sie haben die Prüfung „%s“ leider nicht bestanden. Beachten Sie bitte auch die folgende Notiz zur Prüfung.
 iass#:#iass_notify#:#Ergebnis dem Teilnehmer zugänglich machen
@@ -12938,6 +12938,8 @@ orgu#:#org_op_edit_individual_plan#:#Individuellen Plan bearbeiten
 orgu#:#org_op_edit_submissions_grades#:#Abgaben von anderen Benutzern bearbeiten
 orgu#:#org_op_manage_members#:#Mitglieder bearbeiten
 orgu#:#org_op_manage_participants#:#Teilnehmer verwalten
+orgu#:#org_op_ou_create_records#:#Bewertungen vornehmen
+orgu#:#org_op_ou_publish_records#:#Bewertungen veröffentlichen und abschließen
 orgu#:#org_op_read_employee_talk#:#Auf Gespräche lesend zugreifen
 orgu#:#org_op_read_learning_progress#:#Lernfortschritt von anderen Benutzern einsehen
 orgu#:#org_op_score_participants#:#Teilnehmer bewerten
@@ -14194,6 +14196,7 @@ rbac#:#nwss_edit_permission#:#Rechteeinstellungen in der News- und Webfeeds-Admi
 rbac#:#nwss_read#:#Lesezugriff auf News- und Webfeeds-Administration
 rbac#:#nwss_visible#:#News- und Webfeeds-Administration ist sichtbar
 rbac#:#nwss_write#:#Einstellungen in der News- und Webfeeds-Administration bearbeiten
+rbac#:#obj_records#:#Bewertungen vornehmen
 rbac#:#obj_skee#:#Kompetenzbaum
 rbac#:#org_op_access_results#:#Zugriff auf Ergebnisse untergeordneter Benutzer
 rbac#:#org_op_edit_submissions_grades#:#Abgaben von anderen Benutzern bearbeiten
@@ -14278,6 +14281,7 @@ rbac#:#ps_export_member_data#:#Export von Mitgliederdaten in Gruppen und Kursen
 rbac#:#ps_read#:#Lesezugriff auf Datenschutz- und Sicherheitseinstellungen
 rbac#:#ps_visible#:#Datenschutz- und Sicherheitseinstellungen sind sichtbar
 rbac#:#ps_write#:#Bearbeiten der Datenschutz- und Sicherheitseinstellungen erlauben
+rbac#:#publish_records#:#Bewertungen veröffentlichen und abschließen
 rbac#:#push_desktop_items#:#Inhalte empfehlen
 rbac#:#qpl_copy#:#Fragenpool kopieren
 rbac#:#qpl_delete#:#Fragenpool löschen oder verschieben

diff --git a/lang/ilias_en.lang b/lang/ilias_en.lang
@@ -10407,7 +10407,7 @@ iass#:#iass_amend_saved#:#Amended record has been saved.
 iass#:#iass_assessment_not_completed#:#Not completed yet
 iass#:#iass_cancel#:#Cancel
 iass#:#iass_changed_by#:#Changed after finalization
-iass#:#iass_confirm_finalize#:#Finalize
+iass#:#iass_confirm_finalize#:#Publish and freeze
 iass#:#iass_consultation_hours#:#Consultation hours
 iass#:#iass_contact#:#Name
 iass#:#iass_contact_info#:#Contact information
@@ -10431,9 +10431,9 @@ iass#:#iass_filter_failed#:#Failed only
 iass#:#iass_filter_finalized#:#Completed only
 iass#:#iass_filter_not_finalized#:#Drafts only
 iass#:#iass_filter_not_started#:#Not started only
-iass#:#iass_finalize#:#Finalize
-iass#:#iass_finalize_info#:#Individual Assessment will be finalized.
-iass#:#iass_finalize_user_qst#:#Should the participant's status really be finalised? No changes possible thereafter.
+iass#:#iass_finalize#:#Publish and freeze
+iass#:#iass_finalize_info#:#Individual Assessment will be published and frozen.
+iass#:#iass_finalize_user_qst#:#Should the participant's status really be published? No changes possible thereafter.
 iass#:#iass_further_field_headline#:#Detailed Information
 iass#:#iass_graded_by#:#Graded by
 iass#:#iass_info_emails_expl#:#You may provide several addresses separated by comma.
@@ -10442,8 +10442,8 @@ iass#:#iass_internal_note_info#:#Internal notes are only visible for tutors but
 iass#:#iass_location#:#Location
 iass#:#iass_mails#:#E-Mail
 iass#:#iass_may_not_finalize#:#Examinee may not be finalised. Please grade the user first.
-iass#:#iass_membership_finalized#:#Record finalised
-iass#:#iass_membership_saved#:#Record saved, not yet finalised
+iass#:#iass_membership_finalized#:#Record published and frozen
+iass#:#iass_membership_saved#:#Record saved, not yet published
 iass#:#iass_mess_notification_completed#:#You passed the assessment <i>%s</i>. Please check the following grading record for details:
 iass#:#iass_mess_notification_failed#:#You failed the assessment <i>%s</i>. Please check the following grading record for details:
 iass#:#iass_notify#:#Make Result available to Participant
@@ -12938,6 +12938,8 @@ orgu#:#org_op_edit_individual_plan#:#Edit Individual Plan
 orgu#:#org_op_edit_submissions_grades#:#Edit submissions of other users
 orgu#:#org_op_manage_members#:#Manage Members
 orgu#:#org_op_manage_participants#:#Manage Participants
+orgu#:#org_op_ou_create_records#:#Create Records for Users
+orgu#:#org_op_ou_publish_records#:#Publish and freeze Records
 orgu#:#org_op_read_employee_talk#:#Read access talk appointments
 orgu#:#org_op_read_learning_progress#:#View learning progress of other users
 orgu#:#org_op_score_participants#:#Score Participants
@@ -14194,6 +14196,7 @@ rbac#:#nwss_edit_permission#:#User can change permission settings in News and We
 rbac#:#nwss_read#:#User has read access to ews and Web Feeds administration
 rbac#:#nwss_visible#:#News and Web Feeds administration is visible
 rbac#:#nwss_write#:#User can edit settings in News and Web Feeds administration
+rbac#:#obj_records#:#Create Records for Users
 rbac#:#obj_skee#:#Competence Tree
 rbac#:#org_op_access_results#:#Access Results of Subordinated Users
 rbac#:#org_op_edit_submissions_grades#:#Edit submissions of other users
@@ -14278,6 +14281,7 @@ rbac#:#ps_export_member_data#:#User can export member data in courses and groups
 rbac#:#ps_read#:#User has read access to Privacy/Security administration
 rbac#:#ps_visible#:#Privacy/Security administration is visible
 rbac#:#ps_write#:#User can edit settings in Privacy/Security administration
+rbac#:#publish_records#:#Publish and freeze Records
 rbac#:#push_desktop_items#:#Recommend Content
 rbac#:#qpl_copy#:#User can copy question pool for tests
 rbac#:#qpl_delete#:#User can move or delete question pool