diff --git a/backend/app/plugins/wiaas/includes/class-wiaas-authentication.php b/backend/app/plugins/wiaas/includes/class-wiaas-authentication.php index 45c2045..b8d5cbf 100644 --- a/backend/app/plugins/wiaas/includes/class-wiaas-authentication.php +++ b/backend/app/plugins/wiaas/includes/class-wiaas-authentication.php @@ -13,19 +13,16 @@ class Wiaas_Authentication { public static function init() { // authenticate current user - add_action('determine_current_user', array(__CLASS__, 'authenticate_current_user'), 999); + // add_action('determine_current_user', array(__CLASS__, 'authenticate_current_user'), 999); // authenticates user on login - add_filter( 'authenticate', array( __CLASS__, 'authenticate_user_on_login' ), 999, 3); + // add_filter( 'authenticate', array( __CLASS__, 'authenticate_user_on_login' ), 999, 3); // retrieve preferred user role for user - add_filter('get_user_metadata', array(__CLASS__, 'maybe_filter_user_roles'), 10, 3); + add_filter('get_user_metadata', array(__CLASS__, 'maybe_filter_user_roles'), 10, 3); // redirect to dashboard after login - add_filter( 'login_redirect', array( __CLASS__, 'login_redirect' ) ); - - // add role selector to login form - add_action('login_form', array(__CLASS__, 'pick_role_on_login')); + // add_filter( 'login_redirect', array( __CLASS__, 'login_redirect' ) ); } /** @@ -37,26 +34,18 @@ class Wiaas_Authentication { return admin_url('index.php') ; } - /** - * Add role selector to login form - */ - public static function pick_role_on_login() { - ?> -

-

- roles)) { + return new WP_Error('wiaas_authentication_error', 'No permissions!'); + } return $user_id; } @@ -84,36 +67,27 @@ class Wiaas_Authentication { /** * Authenticate wiaas user on login based on roles assigned to organization * + * User role will be determined in `maybe_filter_user_roles` based on his organization roles + * + * If this is REST API login request user will be only authenticated with customer role if his organization his + * customer role assigned to it. + * + * If this is backend login request user will be authenticated with previously selected or first available role + * from his organization roles. + * * @param WP_User $user * @return WP_User|WP_Error */ public static function authenticate_user_on_login($user) { - // check if rest request - $is_rest_api = strpos($_SERVER['REQUEST_URI'], rest_get_url_prefix()); // do nothing if there is an error already, - // user is super admin or - // this is rest request - if (is_wp_error($user) || $user->ID === 1 || $is_rest_api) { + // user is super admin + if (is_wp_error($user) || $user->ID === 1) { return $user; } - if (empty($_POST['role'])) { - return new WP_Error('error', 'You must selected role to login!'); - } - - // get selected role - $requested_role = sanitize_key($_POST['role']); - - // validate can user have requested role - $result = self::_can_user_have_role($user->ID, $requested_role, false); - - // if user organization has no requested role prevent access - if (is_wp_error($result)) { - return $result; - } - - // remember role for user and continue - update_user_meta($user->ID, '_wiaas_current_user_admin_role', $requested_role); + if (empty($user->roles)) { + return new WP_Error('wiaas_authentication_error', 'No permissions!'); + } return $user; } @@ -121,8 +95,12 @@ class Wiaas_Authentication { /** * - * Filters user roles retrieval so that selected user role is retrieved for admin panel - * and customer role is retrieved for JSON API request + * Override default user roles with only his organization roles. + * + * If this is REST API request retrieve customer role if organization has that role. + * + * If this is backend request retrieve previously selected role or first available organization role with + * backend access. * * @param $null * @param int $user_id @@ -135,66 +113,67 @@ class Wiaas_Authentication { if ($user_id !== 0 && $user_id !== self::SUPER_ADMIN_USER_ID && $meta_key === $wpdb->get_blog_prefix() . 'capabilities') { - $is_rest_api = strpos($_SERVER['REQUEST_URI'], rest_get_url_prefix()); + return array( array( 'customer' => true ) ); - $role = $is_rest_api ? - 'customer' : - get_user_meta($user_id, '_wiaas_current_user_admin_role', true); + // import organization functions (during user authentication it is not yet loaded) + require_once dirname( __FILE__ ) . '/user/wiaas-organization-functions.php'; + + // get user organization + $organization_id = wiaas_get_user_organization_id($user_id); + + // validate if user has organization + if ( empty( $organization_id) ) { + return array(); + } + + // get organization roles + $roles = wiaas_get_organization_roles($organization_id); + + // if organization has no roles assigned to it user will have no roles + if ( empty($roles) ) { + return array(); + } + + /** + * REST API access + */ + + // for REST API access allow only customer role for user + if ( $is_rest_api = strpos($_SERVER['REQUEST_URI'], rest_get_url_prefix()) ) { + return in_array('customer', $roles) ? array( array( 'customer' => true ) ) : array(); + } + + /** + * BACKEND ACCESS + */ + + // remove customer role + $roles = array_diff($roles, array( 'customer')); + + // not available backend roles for user + if ( empty($roles) ) { + return array(); + } + + // retrieve selected role for user + $role = get_user_meta($user_id, '_wiaas_current_user_admin_role', true); + + // if user has no selected role, selected role in invalid (deleted) or organization has no selected role + // assign first available role to user + if ( empty($role) || + ! wp_roles()->is_role($role) || + ! in_array($role, $roles) ) { + + // pick first role + $role = $roles[0]; + update_user_meta($user_id, '_wiaas_current_user_admin_role', $role); + } return array( array ( "$role" => true )); } return null; } - - - - // PRIVATE - - /** - * Determines if user can have requested role based on his organization roles - * - * @param int $user_id - * @param string $user_role - * @param bool $is_rest_api - * @return bool|WP_Error - */ - private static function _can_user_have_role($user_id, $user_role, $is_rest_api) { - // check if role valid for access - if (! wp_roles()->is_role($user_role)) { - return new WP_Error('error', 'Role is not valid!'); - } - - // only customer role can access API - if ($is_rest_api && $user_role !== 'customer') { - return new WP_Error('error', 'No access!'); - } - - // customer role cannot access admin backend - if (! $is_rest_api && $user_role === 'customer') { - return new WP_Error('error', 'No access!'); - } - - // import organization functions (during user authentication it is not yet loaded) - require_once dirname( __FILE__ ) . '/user/wiaas-organization-functions.php'; - - // get user organization - $organization_id = wiaas_get_user_organization_id($user_id); - - // validate if user has organization - if (empty( $organization_id)) { - return new WP_Error('error', 'Account not completed!'); - } - // get organization roles - $roles = wiaas_get_organization_roles($organization_id); - - // validate if user has organization roles - if (!in_array($user_role, $roles)) { - return new WP_Error( 'error', 'Your account is not authorized for requested role. Please contact us for help.' ); - } - - return true; - } } Wiaas_Authentication::init(); diff --git a/backend/app/plugins/wiaas/includes/document/class-wiaas-document.php b/backend/app/plugins/wiaas/includes/document/class-wiaas-document.php index d75f162..8d86efd 100644 --- a/backend/app/plugins/wiaas/includes/document/class-wiaas-document.php +++ b/backend/app/plugins/wiaas/includes/document/class-wiaas-document.php @@ -388,6 +388,7 @@ class Wiaas_Document { 'show_admin_column' => true, 'query_var' => true, 'rewrite' => array( 'slug' => 'wiaas_doc_type' ), + 'show_in_rest' => false, 'capabilities' => array( 'manage_terms' => 'manage_wiaas_doc_terms', 'edit_terms' => 'edit_wiaas_doc_terms', @@ -399,9 +400,11 @@ class Wiaas_Document { register_taxonomy( 'wiaas_doc_type', array( 'wiaas_doc' ), $args ); foreach (self::$available_doc_types as $key => $available_doc_type) { - wp_insert_term($available_doc_type['name'], 'wiaas_doc_type', array( - 'slug' => $key - )); + if (! has_term($available_doc_type['name'], 'wiaas_doc_type')) { + wp_insert_term($available_doc_type['name'], 'wiaas_doc_type', array( + 'slug' => $key + )); + } } } diff --git a/backend/app/plugins/wiaas/includes/user/class-wiaas-user-organization.php b/backend/app/plugins/wiaas/includes/user/class-wiaas-user-organization.php index 28253b8..8031883 100644 --- a/backend/app/plugins/wiaas/includes/user/class-wiaas-user-organization.php +++ b/backend/app/plugins/wiaas/includes/user/class-wiaas-user-organization.php @@ -15,8 +15,7 @@ class Wiaas_User_Organization extends WP_User_Taxonomy { 'plural' => __('Organizations', 'wiaas'), 'exclusive' => true, 'public' => true, - 'show_in_rest' => true, - 'rest_base' => 'organization' + 'show_in_rest' => false, ); $labels = array(); $caps = array();