bookstack/app/Permissions/JointPermissionBuilder.php

<?php

namespace BookStack\Permissions;

use BookStack\Entities\Models\Book;
use BookStack\Entities\Models\BookChild;
use BookStack\Entities\Models\Chapter;
use BookStack\Entities\Models\Entity;
use BookStack\Entities\Models\Page;
use BookStack\Entities\Queries\EntityQueries;
use BookStack\Permissions\Models\JointPermission;
use BookStack\Users\Models\Role;
use Illuminate\Database\Eloquent\Builder;
use Illuminate\Database\Eloquent\Collection as EloquentCollection;
use Illuminate\Support\Facades\DB;

/**
 * Joint permissions provide a pre-query "cached" table of view permissions for all core entity
 * types for all roles in the system. This class generates out that table for different scenarios.
 */
class JointPermissionBuilder
{
    public function __construct(
        protected EntityQueries $queries,
    ) {
    }


    /**
     * Re-generate all entity permission from scratch.
     */
    public function rebuildForAll()
    {
        JointPermission::query()->truncate();

        // Get all roles (Should be the most limited dimension)
        $roles = Role::query()->with('permissions')->get()->all();

        // Chunk through all books
        $this->bookFetchQuery()->chunk(5, function (EloquentCollection $books) use ($roles) {
            $this->buildJointPermissionsForBooks($books, $roles);
        });

        // Chunk through all bookshelves
        $this->queries->shelves->start()->withTrashed()->select(['id', 'owned_by'])
            ->chunk(50, function (EloquentCollection $shelves) use ($roles) {
                $this->createManyJointPermissions($shelves->all(), $roles);
            });
    }

    /**
     * Rebuild the entity jointPermissions for a particular entity.
     */
    public function rebuildForEntity(Entity $entity)
    {
        $entities = [$entity];
        if ($entity instanceof Book) {
            $books = $this->bookFetchQuery()->where('id', '=', $entity->id)->get();
            $this->buildJointPermissionsForBooks($books, Role::query()->with('permissions')->get()->all(), true);

            return;
        }

        /** @var BookChild $entity */
        if ($entity->book) {
            $entities[] = $entity->book;
        }

        if ($entity instanceof Page && $entity->chapter_id) {
            $entities[] = $entity->chapter;
        }

        if ($entity instanceof Chapter) {
            foreach ($entity->pages as $page) {
                $entities[] = $page;
            }
        }

        $this->buildJointPermissionsForEntities($entities);
    }

    /**
     * Build the entity jointPermissions for a particular role.
     */
    public function rebuildForRole(Role $role)
    {
        $roles = [$role];
        $role->jointPermissions()->delete();
        $role->load('permissions');

        // Chunk through all books
        $this->bookFetchQuery()->chunk(10, function ($books) use ($roles) {
            $this->buildJointPermissionsForBooks($books, $roles);
        });

        // Chunk through all bookshelves
        $this->queries->shelves->start()->select(['id', 'owned_by'])
            ->chunk(100, function ($shelves) use ($roles) {
                $this->createManyJointPermissions($shelves->all(), $roles);
            });
    }

    /**
     * Get a query for fetching a book with its children.
     */
    protected function bookFetchQuery(): Builder
    {
        return $this->queries->books->start()->withTrashed()
            ->select(['id', 'owned_by'])->with([
                'chapters' => function ($query) {
                    $query->withTrashed()->select(['id', 'owned_by', 'book_id']);
                },
                'pages' => function ($query) {
                    $query->withTrashed()->select(['id', 'owned_by', 'book_id', 'chapter_id']);
                },
            ]);
    }

    /**
     * Build joint permissions for the given book and role combinations.
     */
    protected function buildJointPermissionsForBooks(EloquentCollection $books, array $roles, bool $deleteOld = false)
    {
        $entities = clone $books;

        /** @var Book $book */
        foreach ($books->all() as $book) {
            foreach ($book->getRelation('chapters') as $chapter) {
                $entities->push($chapter);
            }
            foreach ($book->getRelation('pages') as $page) {
                $entities->push($page);
            }
        }

        if ($deleteOld) {
            $this->deleteManyJointPermissionsForEntities($entities->all());
        }

        $this->createManyJointPermissions($entities->all(), $roles);
    }

    /**
     * Rebuild the entity jointPermissions for a collection of entities.
     */
    protected function buildJointPermissionsForEntities(array $entities)
    {
        $roles = Role::query()->get()->values()->all();
        $this->deleteManyJointPermissionsForEntities($entities);
        $this->createManyJointPermissions($entities, $roles);
    }

    /**
     * Delete all the entity jointPermissions for a list of entities.
     *
     * @param Entity[] $entities
     */
    protected function deleteManyJointPermissionsForEntities(array $entities)
    {
        $simpleEntities = $this->entitiesToSimpleEntities($entities);
        $idsByType = $this->entitiesToTypeIdMap($simpleEntities);

        DB::transaction(function () use ($idsByType) {
            foreach ($idsByType as $type => $ids) {
                foreach (array_chunk($ids, 1000) as $idChunk) {
                    DB::table('joint_permissions')
                        ->where('entity_type', '=', $type)
                        ->whereIn('entity_id', $idChunk)
                        ->delete();
                }
            }
        });
    }

    /**
     * @param Entity[] $entities
     *
     * @return SimpleEntityData[]
     */
    protected function entitiesToSimpleEntities(array $entities): array
    {
        $simpleEntities = [];

        foreach ($entities as $entity) {
            $simple = SimpleEntityData::fromEntity($entity);
            $simpleEntities[] = $simple;
        }

        return $simpleEntities;
    }

    /**
     * Create & Save entity jointPermissions for many entities and roles.
     *
     * @param Entity[] $originalEntities
     * @param Role[]   $roles
     */
    protected function createManyJointPermissions(array $originalEntities, array $roles)
    {
        $entities = $this->entitiesToSimpleEntities($originalEntities);
        $jointPermissions = [];

        // Fetch related entity permissions
        $permissions = new MassEntityPermissionEvaluator($entities, 'view');

        // Create a mapping of role permissions
        $rolePermissionMap = [];
        foreach ($roles as $role) {
            foreach ($role->permissions as $permission) {
                $rolePermissionMap[$role->getRawAttribute('id') . ':' . $permission->getRawAttribute('name')] = true;
            }
        }

        // Create Joint Permission Data
        foreach ($entities as $entity) {
            foreach ($roles as $role) {
                $jp = $this->createJointPermissionData(
                    $entity,
                    $role->getRawAttribute('id'),
                    $permissions,
                    $rolePermissionMap,
                    $role->system_name === 'admin'
                );
                $jointPermissions[] = $jp;
            }
        }

        DB::transaction(function () use ($jointPermissions) {
            foreach (array_chunk($jointPermissions, 1000) as $jointPermissionChunk) {
                DB::table('joint_permissions')->insert($jointPermissionChunk);
            }
        });
    }

    /**
     * From the given entity list, provide back a mapping of entity types to
     * the ids of that given type. The type used is the DB morph class.
     *
     * @param SimpleEntityData[] $entities
     *
     * @return array<string, int[]>
     */
    protected function entitiesToTypeIdMap(array $entities): array
    {
        $idsByType = [];

        foreach ($entities as $entity) {
            if (!isset($idsByType[$entity->type])) {
                $idsByType[$entity->type] = [];
            }

            $idsByType[$entity->type][] = $entity->id;
        }

        return $idsByType;
    }

    /**
     * Create entity permission data for an entity and role
     * for a particular action.
     */
    protected function createJointPermissionData(SimpleEntityData $entity, int $roleId, MassEntityPermissionEvaluator $permissionMap, array $rolePermissionMap, bool $isAdminRole): array
    {
        // Ensure system admin role retains permissions
        if ($isAdminRole) {
            return $this->createJointPermissionDataArray($entity, $roleId, PermissionStatus::EXPLICIT_ALLOW, true);
        }

        // Return evaluated entity permission status if it has an affect.
        $entityPermissionStatus = $permissionMap->evaluateEntityForRole($entity, $roleId);
        if ($entityPermissionStatus !== null) {
            return $this->createJointPermissionDataArray($entity, $roleId, $entityPermissionStatus, false);
        }

        // Otherwise default to the role-level permissions
        $permissionPrefix = $entity->type . '-view';
        $roleHasPermission = isset($rolePermissionMap[$roleId . ':' . $permissionPrefix . '-all']);
        $roleHasPermissionOwn = isset($rolePermissionMap[$roleId . ':' . $permissionPrefix . '-own']);
        $status = $roleHasPermission ? PermissionStatus::IMPLICIT_ALLOW : PermissionStatus::IMPLICIT_DENY;
        return $this->createJointPermissionDataArray($entity, $roleId, $status, $roleHasPermissionOwn);
    }

    /**
     * Create an array of data with the information of an entity jointPermissions.
     * Used to build data for bulk insertion.
     */
    protected function createJointPermissionDataArray(SimpleEntityData $entity, int $roleId, int $permissionStatus, bool $hasPermissionOwn): array
    {
        $ownPermissionActive = ($hasPermissionOwn && $permissionStatus !== PermissionStatus::EXPLICIT_DENY && $entity->owned_by);

        return [
            'entity_id'   => $entity->id,
            'entity_type' => $entity->type,
            'role_id'     => $roleId,
            'status'      => $permissionStatus,
            'owner_id'    => $ownPermissionActive ? $entity->owned_by : null,
        ];
    }
}
Extracted permission building out of permission service 2022-07-13 02:38:11 +08:00			`<?php`

Played around with a new app structure 2023-05-18 00:56:55 +08:00			`namespace BookStack\Permissions;`
Extracted permission building out of permission service 2022-07-13 02:38:11 +08:00
			`use BookStack\Entities\Models\Book;`
			`use BookStack\Entities\Models\BookChild;`
			`use BookStack\Entities\Models\Chapter;`
			`use BookStack\Entities\Models\Entity;`
			`use BookStack\Entities\Models\Page;`
Queries: Updated all app book static query uses 2024-02-08 00:37:36 +08:00			`use BookStack\Entities\Queries\EntityQueries;`
Played around with a new app structure 2023-05-18 00:56:55 +08:00			`use BookStack\Permissions\Models\JointPermission;`
			`use BookStack\Users\Models\Role;`
Extracted permission building out of permission service 2022-07-13 02:38:11 +08:00			`use Illuminate\Database\Eloquent\Builder;`
			`use Illuminate\Database\Eloquent\Collection as EloquentCollection;`
			`use Illuminate\Support\Facades\DB;`

Dropped use of non-view joint permissions 2022-07-17 04:50:42 +08:00			`/**`
			`* Joint permissions provide a pre-query "cached" table of view permissions for all core entity`
			`* types for all roles in the system. This class generates out that table for different scenarios.`
			`*/`
Extracted permission building out of permission service 2022-07-13 02:38:11 +08:00			`class JointPermissionBuilder`
			`{`
Queries: Updated all app book static query uses 2024-02-08 00:37:36 +08:00			`public function __construct(`
			`protected EntityQueries $queries,`
			`) {`
			`}`


Renamed and cleaned up existing permission service classes use 2022-07-13 03:15:41 +08:00			`/**`
			`* Re-generate all entity permission from scratch.`
			`*/`
			`public function rebuildForAll()`
			`{`
			`JointPermission::query()->truncate();`

			`// Get all roles (Should be the most limited dimension)`
			`$roles = Role::query()->with('permissions')->get()->all();`

			`// Chunk through all books`
			`$this->bookFetchQuery()->chunk(5, function (EloquentCollection $books) use ($roles) {`
			`$this->buildJointPermissionsForBooks($books, $roles);`
			`});`

			`// Chunk through all bookshelves`
Queries: Updated all app book static query uses 2024-02-08 00:37:36 +08:00			`$this->queries->shelves->start()->withTrashed()->select(['id', 'owned_by'])`
Renamed and cleaned up existing permission service classes use 2022-07-13 03:15:41 +08:00			`->chunk(50, function (EloquentCollection $shelves) use ($roles) {`
			`$this->createManyJointPermissions($shelves->all(), $roles);`
			`});`
			`}`

			`/**`
			`* Rebuild the entity jointPermissions for a particular entity.`
			`*/`
			`public function rebuildForEntity(Entity $entity)`
			`{`
			`$entities = [$entity];`
			`if ($entity instanceof Book) {`
			`$books = $this->bookFetchQuery()->where('id', '=', $entity->id)->get();`
			`$this->buildJointPermissionsForBooks($books, Role::query()->with('permissions')->get()->all(), true);`

			`return;`
			`}`

			`/** @var BookChild $entity */`
			`if ($entity->book) {`
			`$entities[] = $entity->book;`
			`}`

			`if ($entity instanceof Page && $entity->chapter_id) {`
			`$entities[] = $entity->chapter;`
			`}`

			`if ($entity instanceof Chapter) {`
			`foreach ($entity->pages as $page) {`
			`$entities[] = $page;`
			`}`
			`}`

			`$this->buildJointPermissionsForEntities($entities);`
			`}`

			`/**`
			`* Build the entity jointPermissions for a particular role.`
			`*/`
			`public function rebuildForRole(Role $role)`
			`{`
			`$roles = [$role];`
			`$role->jointPermissions()->delete();`
Dropped use of non-view joint permissions 2022-07-17 04:50:42 +08:00			`$role->load('permissions');`
Renamed and cleaned up existing permission service classes use 2022-07-13 03:15:41 +08:00
			`// Chunk through all books`
Permissions: Updated generation querying to be more efficient Query of existing entity permissions during view permission generation could cause timeouts or SQL placeholder limits due to massive whereOr query generation, where an "or where" clause would be created for each entity type/id combo involved, which could be all within 20 books. This updates the query handling to use a query per type involved, with no "or where"s, and to be chunked at large entity counts. Also tweaked role-specific permission regen to chunk books at half-previous rate to prevent such a large scope being involved on each chunk. For #4695 2023-12-23 21:35:57 +08:00			`$this->bookFetchQuery()->chunk(10, function ($books) use ($roles) {`
Renamed and cleaned up existing permission service classes use 2022-07-13 03:15:41 +08:00			`$this->buildJointPermissionsForBooks($books, $roles);`
			`});`

			`// Chunk through all bookshelves`
Queries: Updated all app book static query uses 2024-02-08 00:37:36 +08:00			`$this->queries->shelves->start()->select(['id', 'owned_by'])`
Permissions: Updated generation querying to be more efficient Query of existing entity permissions during view permission generation could cause timeouts or SQL placeholder limits due to massive whereOr query generation, where an "or where" clause would be created for each entity type/id combo involved, which could be all within 20 books. This updates the query handling to use a query per type involved, with no "or where"s, and to be chunked at large entity counts. Also tweaked role-specific permission regen to chunk books at half-previous rate to prevent such a large scope being involved on each chunk. For #4695 2023-12-23 21:35:57 +08:00			`->chunk(100, function ($shelves) use ($roles) {`
Renamed and cleaned up existing permission service classes use 2022-07-13 03:15:41 +08:00			`$this->createManyJointPermissions($shelves->all(), $roles);`
			`});`
			`}`

Extracted permission building out of permission service 2022-07-13 02:38:11 +08:00			`/**`
Added simple data model for faster permission generation 2022-07-13 04:13:02 +08:00			`* Get a query for fetching a book with its children.`
Extracted permission building out of permission service 2022-07-13 02:38:11 +08:00			`*/`
			`protected function bookFetchQuery(): Builder`
			`{`
Queries: Updated all app book static query uses 2024-02-08 00:37:36 +08:00			`return $this->queries->books->start()->withTrashed()`
Updated joint perms. gen. to use new entity permission format 2022-10-08 21:28:44 +08:00			`->select(['id', 'owned_by'])->with([`
Extracted permission building out of permission service 2022-07-13 02:38:11 +08:00			`'chapters' => function ($query) {`
Fixed chapter fetching during joint permission building Somehow I accidentally deleted previous line 143 in this commit: 3839bf6bf11ac6b4d19c2ae8f62a314a2c164251 which would then break permission generation for content related to, or containing, chapters in the recycle bin. Found via user report (subz) & debugging in discord. 2022-10-22 04:49:29 +08:00			`$query->withTrashed()->select(['id', 'owned_by', 'book_id']);`
Extracted permission building out of permission service 2022-07-13 02:38:11 +08:00			`},`
			`'pages' => function ($query) {`
Updated joint perms. gen. to use new entity permission format 2022-10-08 21:28:44 +08:00			`$query->withTrashed()->select(['id', 'owned_by', 'book_id', 'chapter_id']);`
Extracted permission building out of permission service 2022-07-13 02:38:11 +08:00			`},`
			`]);`
			`}`

			`/**`
			`* Build joint permissions for the given book and role combinations.`
			`*/`
			`protected function buildJointPermissionsForBooks(EloquentCollection $books, array $roles, bool $deleteOld = false)`
			`{`
			`$entities = clone $books;`

			`/** @var Book $book */`
			`foreach ($books->all() as $book) {`
			`foreach ($book->getRelation('chapters') as $chapter) {`
			`$entities->push($chapter);`
			`}`
			`foreach ($book->getRelation('pages') as $page) {`
			`$entities->push($page);`
			`}`
			`}`

			`if ($deleteOld) {`
			`$this->deleteManyJointPermissionsForEntities($entities->all());`
			`}`

			`$this->createManyJointPermissions($entities->all(), $roles);`
			`}`

			`/**`
			`* Rebuild the entity jointPermissions for a collection of entities.`
			`*/`
			`protected function buildJointPermissionsForEntities(array $entities)`
			`{`
			`$roles = Role::query()->get()->values()->all();`
			`$this->deleteManyJointPermissionsForEntities($entities);`
			`$this->createManyJointPermissions($entities, $roles);`
			`}`

			`/**`
			`* Delete all the entity jointPermissions for a list of entities.`
			`*`
			`* @param Entity[] $entities`
			`*/`
			`protected function deleteManyJointPermissionsForEntities(array $entities)`
			`{`
Added simple data model for faster permission generation 2022-07-13 04:13:02 +08:00			`$simpleEntities = $this->entitiesToSimpleEntities($entities);`
			`$idsByType = $this->entitiesToTypeIdMap($simpleEntities);`
Extracted permission building out of permission service 2022-07-13 02:38:11 +08:00
			`DB::transaction(function () use ($idsByType) {`
			`foreach ($idsByType as $type => $ids) {`
			`foreach (array_chunk($ids, 1000) as $idChunk) {`
			`DB::table('joint_permissions')`
			`->where('entity_type', '=', $type)`
			`->whereIn('entity_id', $idChunk)`
			`->delete();`
			`}`
			`}`
			`});`
			`}`

Added simple data model for faster permission generation 2022-07-13 04:13:02 +08:00			`/**`
			`* @param Entity[] $entities`
Applied StyleCI changes 2022-07-17 17:32:16 +08:00			`*`
Added simple data model for faster permission generation 2022-07-13 04:13:02 +08:00			`* @return SimpleEntityData[]`
			`*/`
			`protected function entitiesToSimpleEntities(array $entities): array`
			`{`
			`$simpleEntities = [];`

			`foreach ($entities as $entity) {`
Shared entity permission logic across both query methods The runtime userCan() and the JointPermissionBuilder now share much of the same logic for handling entity permission resolution. 2023-01-23 23:09:03 +08:00			`$simple = SimpleEntityData::fromEntity($entity);`
Added simple data model for faster permission generation 2022-07-13 04:13:02 +08:00			`$simpleEntities[] = $simple;`
			`}`

			`return $simpleEntities;`
			`}`

Extracted permission building out of permission service 2022-07-13 02:38:11 +08:00			`/**`
			`* Create & Save entity jointPermissions for many entities and roles.`
			`*`
Worked towards phpstan level 2, 13 errors remain 2022-10-24 19:12:48 +08:00			`* @param Entity[] $originalEntities`
Extracted permission building out of permission service 2022-07-13 02:38:11 +08:00			`* @param Role[] $roles`
			`*/`
Added simple data model for faster permission generation 2022-07-13 04:13:02 +08:00			`protected function createManyJointPermissions(array $originalEntities, array $roles)`
Extracted permission building out of permission service 2022-07-13 02:38:11 +08:00			`{`
Added simple data model for faster permission generation 2022-07-13 04:13:02 +08:00			`$entities = $this->entitiesToSimpleEntities($originalEntities);`
Extracted permission building out of permission service 2022-07-13 02:38:11 +08:00			`$jointPermissions = [];`

			`// Fetch related entity permissions`
Shared entity permission logic across both query methods The runtime userCan() and the JointPermissionBuilder now share much of the same logic for handling entity permission resolution. 2023-01-23 23:09:03 +08:00			`$permissions = new MassEntityPermissionEvaluator($entities, 'view');`
Extracted permission building out of permission service 2022-07-13 02:38:11 +08:00
			`// Create a mapping of role permissions`
			`$rolePermissionMap = [];`
			`foreach ($roles as $role) {`
			`foreach ($role->permissions as $permission) {`
			`$rolePermissionMap[$role->getRawAttribute('id') . ':' . $permission->getRawAttribute('name')] = true;`
			`}`
			`}`

			`// Create Joint Permission Data`
			`foreach ($entities as $entity) {`
			`foreach ($roles as $role) {`
Shared entity permission logic across both query methods The runtime userCan() and the JointPermissionBuilder now share much of the same logic for handling entity permission resolution. 2023-01-23 23:09:03 +08:00			`$jp = $this->createJointPermissionData(`
Dropped use of non-view joint permissions 2022-07-17 04:50:42 +08:00			`$entity,`
			`$role->getRawAttribute('id'),`
Shared entity permission logic across both query methods The runtime userCan() and the JointPermissionBuilder now share much of the same logic for handling entity permission resolution. 2023-01-23 23:09:03 +08:00			`$permissions,`
Dropped use of non-view joint permissions 2022-07-17 04:50:42 +08:00			`$rolePermissionMap,`
			`$role->system_name === 'admin'`
			`);`
Shared entity permission logic across both query methods The runtime userCan() and the JointPermissionBuilder now share much of the same logic for handling entity permission resolution. 2023-01-23 23:09:03 +08:00			`$jointPermissions[] = $jp;`
Extracted permission building out of permission service 2022-07-13 02:38:11 +08:00			`}`
			`}`

			`DB::transaction(function () use ($jointPermissions) {`
			`foreach (array_chunk($jointPermissions, 1000) as $jointPermissionChunk) {`
			`DB::table('joint_permissions')->insert($jointPermissionChunk);`
			`}`
			`});`
			`}`

			`/**`
			`* From the given entity list, provide back a mapping of entity types to`
			`* the ids of that given type. The type used is the DB morph class.`
Applied StyleCI changes 2022-07-17 17:32:16 +08:00			`*`
Added simple data model for faster permission generation 2022-07-13 04:13:02 +08:00			`* @param SimpleEntityData[] $entities`
Applied StyleCI changes 2022-07-17 17:32:16 +08:00			`*`
Extracted permission building out of permission service 2022-07-13 02:38:11 +08:00			`* @return array<string, int[]>`
			`*/`
			`protected function entitiesToTypeIdMap(array $entities): array`
			`{`
			`$idsByType = [];`

			`foreach ($entities as $entity) {`
Added simple data model for faster permission generation 2022-07-13 04:13:02 +08:00			`if (!isset($idsByType[$entity->type])) {`
			`$idsByType[$entity->type] = [];`
Extracted permission building out of permission service 2022-07-13 02:38:11 +08:00			`}`

Added simple data model for faster permission generation 2022-07-13 04:13:02 +08:00			`$idsByType[$entity->type][] = $entity->id;`
Extracted permission building out of permission service 2022-07-13 02:38:11 +08:00			`}`

			`return $idsByType;`
			`}`

			`/**`
			`* Create entity permission data for an entity and role`
			`* for a particular action.`
			`*/`
Shared entity permission logic across both query methods The runtime userCan() and the JointPermissionBuilder now share much of the same logic for handling entity permission resolution. 2023-01-23 23:09:03 +08:00			`protected function createJointPermissionData(SimpleEntityData $entity, int $roleId, MassEntityPermissionEvaluator $permissionMap, array $rolePermissionMap, bool $isAdminRole): array`
Extracted permission building out of permission service 2022-07-13 02:38:11 +08:00			`{`
Shared entity permission logic across both query methods The runtime userCan() and the JointPermissionBuilder now share much of the same logic for handling entity permission resolution. 2023-01-23 23:09:03 +08:00			`// Ensure system admin role retains permissions`
Added simple data model for faster permission generation 2022-07-13 04:13:02 +08:00			`if ($isAdminRole) {`
Implemented alternate approach to current joint_permissions Is a tweak upon the existing approach, mainly to store and query role permission access in a way that allows muli-level states that may override eachother. These states are represented in the new PermissionStatus class. This also simplifies how own permissions are stored and queried, to be part of a single column. 2023-01-24 22:55:34 +08:00			`return $this->createJointPermissionDataArray($entity, $roleId, PermissionStatus::EXPLICIT_ALLOW, true);`
Extracted permission building out of permission service 2022-07-13 02:38:11 +08:00			`}`

Shared entity permission logic across both query methods The runtime userCan() and the JointPermissionBuilder now share much of the same logic for handling entity permission resolution. 2023-01-23 23:09:03 +08:00			`// Return evaluated entity permission status if it has an affect.`
			`$entityPermissionStatus = $permissionMap->evaluateEntityForRole($entity, $roleId);`
			`if ($entityPermissionStatus !== null) {`
Addressed fallback override cases found during testing Had misalignment between query and usercan, The nuance between fallback and entity-role permissions was not taken into account by the query system. Now added with new test cases to cover. 2023-01-25 04:42:20 +08:00			`return $this->createJointPermissionDataArray($entity, $roleId, $entityPermissionStatus, false);`
Extracted permission building out of permission service 2022-07-13 02:38:11 +08:00			`}`

Shared entity permission logic across both query methods The runtime userCan() and the JointPermissionBuilder now share much of the same logic for handling entity permission resolution. 2023-01-23 23:09:03 +08:00			`// Otherwise default to the role-level permissions`
			`$permissionPrefix = $entity->type . '-view';`
			`$roleHasPermission = isset($rolePermissionMap[$roleId . ':' . $permissionPrefix . '-all']);`
			`$roleHasPermissionOwn = isset($rolePermissionMap[$roleId . ':' . $permissionPrefix . '-own']);`
Implemented alternate approach to current joint_permissions Is a tweak upon the existing approach, mainly to store and query role permission access in a way that allows muli-level states that may override eachother. These states are represented in the new PermissionStatus class. This also simplifies how own permissions are stored and queried, to be part of a single column. 2023-01-24 22:55:34 +08:00			`$status = $roleHasPermission ? PermissionStatus::IMPLICIT_ALLOW : PermissionStatus::IMPLICIT_DENY;`
			`return $this->createJointPermissionDataArray($entity, $roleId, $status, $roleHasPermissionOwn);`
Extracted permission building out of permission service 2022-07-13 02:38:11 +08:00			`}`

			`/**`
			`* Create an array of data with the information of an entity jointPermissions.`
			`* Used to build data for bulk insertion.`
			`*/`
Implemented alternate approach to current joint_permissions Is a tweak upon the existing approach, mainly to store and query role permission access in a way that allows muli-level states that may override eachother. These states are represented in the new PermissionStatus class. This also simplifies how own permissions are stored and queried, to be part of a single column. 2023-01-24 22:55:34 +08:00			`protected function createJointPermissionDataArray(SimpleEntityData $entity, int $roleId, int $permissionStatus, bool $hasPermissionOwn): array`
Extracted permission building out of permission service 2022-07-13 02:38:11 +08:00			`{`
Implemented alternate approach to current joint_permissions Is a tweak upon the existing approach, mainly to store and query role permission access in a way that allows muli-level states that may override eachother. These states are represented in the new PermissionStatus class. This also simplifies how own permissions are stored and queried, to be part of a single column. 2023-01-24 22:55:34 +08:00			`$ownPermissionActive = ($hasPermissionOwn && $permissionStatus !== PermissionStatus::EXPLICIT_DENY && $entity->owned_by);`

Extracted permission building out of permission service 2022-07-13 02:38:11 +08:00			`return [`
Implemented alternate approach to current joint_permissions Is a tweak upon the existing approach, mainly to store and query role permission access in a way that allows muli-level states that may override eachother. These states are represented in the new PermissionStatus class. This also simplifies how own permissions are stored and queried, to be part of a single column. 2023-01-24 22:55:34 +08:00			`'entity_id' => $entity->id,`
			`'entity_type' => $entity->type,`
			`'role_id' => $roleId,`
			`'status' => $permissionStatus,`
			`'owner_id' => $ownPermissionActive ? $entity->owned_by : null,`
Extracted permission building out of permission service 2022-07-13 02:38:11 +08:00			`];`
			`}`
Applied StyleCI changes 2022-07-17 17:32:16 +08:00			`}`