Merge branch 'master' of github.com:chamilo/chamilo-lms

Author: ywarnier

src/CoreBundle/Controller/Api/DownloadSelectedDocumentsAction.php

@@ -7,11 +7,18 @@
 namespace Chamilo\CoreBundle\Controller\Api;
 
 use Chamilo\CoreBundle\Entity\ResourceNode;
+use Chamilo\CoreBundle\Exception\NotAllowedException;
+use Chamilo\CoreBundle\Helpers\CidReqHelper;
 use Chamilo\CoreBundle\Helpers\ResourceFileHelper;
 use Chamilo\CoreBundle\Repository\ResourceNodeRepository;
+use Chamilo\CoreBundle\Security\Authorization\Voter\CourseVoter;
+use Chamilo\CoreBundle\Security\Authorization\Voter\GroupVoter;
+use Chamilo\CoreBundle\Security\Authorization\Voter\ResourceFileVoter;
+use Chamilo\CoreBundle\Security\Authorization\Voter\SessionVoter;
 use Chamilo\CoreBundle\Traits\ControllerTrait;
 use Chamilo\CourseBundle\Repository\CDocumentRepository;
 use Exception;
+use Symfony\Bundle\SecurityBundle\Security;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\HttpFoundation\ResponseHeaderBag;
@@ -31,6 +38,8 @@ public function __construct(
         private readonly ResourceNodeRepository $resourceNodeRepository,
         private readonly CDocumentRepository $documentRepo,
         private readonly ResourceFileHelper $resourceFileHelper,
+        private readonly Security $security,
+        private readonly CidReqHelper $cidReqHelper,
     ) {}
 
     /**
@@ -48,7 +57,32 @@ public function __invoke(Request $request): Response
             return new Response('No items selected.', Response::HTTP_BAD_REQUEST);
         }
 
-        $documents = $this->documentRepo->findBy(['iid' => $documentIds]);
+        if ($this->security->isGranted('ROLE_ADMIN')) {
+            $documents = $this->documentRepo->findBy(['iid' => $documentIds]);
+        } else {
+            $course = $this->cidReqHelper->getCourseEntity();
+            $session = $this->cidReqHelper->getSessionEntity();
+            $group = $this->cidReqHelper->getGroupEntity();
+
+            if (!$course || !$this->security->isGranted(CourseVoter::VIEW, $course)) {
+                throw new NotAllowedException("You're not allowed in this course");
+            }
+
+            if ($session && !$this->security->isGranted(SessionVoter::VIEW, $session)) {
+                throw new NotAllowedException("You're not allowed in this session");
+            }
+
+            if ($group && !$this->security->isGranted(GroupVoter::VIEW, $group)) {
+                throw new NotAllowedException("You're not allowed in this group");
+            }
+
+            $qb = $this->documentRepo->getResourcesByCourse($course, $session, $group);
+            $qb->andWhere(
+                $qb->expr()->in('resource.iid', $documentIds)
+            );
+
+            $documents = $qb->getQuery()->getResult();
+        }
 
         if (empty($documents)) {
             return new Response('No documents found.', Response::HTTP_NOT_FOUND);
@@ -120,6 +154,10 @@ private function addNodeToZip(ZipStream $zip, ResourceNode $node, string $curren
         $resourceFile = $this->resourceFileHelper->resolveResourceFileByAccessUrl($node);
 
         if ($resourceFile) {
+            if (!$this->security->isGranted(ResourceFileVoter::DOWNLOAD, $resourceFile)) {
+                return;
+            }
+
             $fileName = $currentPath.$resourceFile->getOriginalName();
             $stream = $this->resourceNodeRepository->getResourceNodeFileStream($node, $resourceFile);
 

src/CoreBundle/EventListener/CidReqListener.php

@@ -171,6 +171,7 @@ public function onKernelRequest(RequestEvent $event): void
                     throw new AccessDeniedException($this->translator->trans("You're not allowed in this group"));
                 }
 
+                $sessionHandler->set('group', $group);
                 $sessionHandler->set('gid', $groupId);
                 // @todo check if course has group
                 /*if ($course->hasGroup($group)) {

src/CoreBundle/Helpers/CidReqHelper.php

@@ -9,6 +9,7 @@
 use Chamilo\CoreBundle\Entity\Course;
 use Chamilo\CoreBundle\Entity\Session;
 use Chamilo\CoreBundle\EventListener\CidReqListener;
+use Chamilo\CourseBundle\Entity\CGroup;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\RequestStack;
@@ -71,6 +72,11 @@ public function getGroupId(): ?int
         return $session?->get('gid');
     }
 
+    public function getGroupEntity(): ?CGroup
+    {
+        return $this->getSessionHandler()->get('group');
+    }
+
     public function getDoctrineCourseEntity(): ?Course
     {
         $courseId = $this->getCourseId();

src/CoreBundle/Helpers/ResourceAclHelper.php

@@ -7,6 +7,9 @@
 namespace Chamilo\CoreBundle\Helpers;
 
 use Chamilo\CoreBundle\Entity\ResourceLink;
+use Chamilo\CoreBundle\Entity\ResourceRight;
+use Chamilo\CoreBundle\Entity\User;
+use Chamilo\CoreBundle\Security\Authorization\Voter\ResourceFileVoter;
 use Chamilo\CoreBundle\Security\Authorization\Voter\ResourceNodeVoter;
 use Laminas\Permissions\Acl\Acl;
 use Laminas\Permissions\Acl\Resource\GenericResource;
@@ -22,12 +25,13 @@ public function __construct(
         private Security $security,
     ) { }
 
-    public function isAllowed(
-        string $attribute,
+    /**
+     * @param iterable<int, ResourceRight> $rights
+     */
+    private function init(
         ResourceLink $resourceLink,
         iterable $rights,
-        bool $allowAnonsToView,
-    ): bool {
+    ): Acl {
         // Creating roles
         $anon = new GenericRole('IS_AUTHENTICATED_ANONYMOUSLY');
         $userRole = new GenericRole('ROLE_USER');
@@ -71,16 +75,20 @@ public function isAllowed(
             $acl->allow($right->getRole(), null, (string) $right->getMask());
         }
 
-        // Anons can see.
-        if ($allowAnonsToView) {
-            $acl->allow($anon, null, (string) ResourceNodeVoter::getReaderMask());
-        }
+        return $acl;
+    }
 
-        // Asked mask
-        $mask = new MaskBuilder();
-        $mask->add($attribute);
+    /**
+     * @param iterable<int, ResourceRight> $rights
+     */
+    public function isAllowed(
+        string $attribute,
+        ResourceLink $resourceLink,
+        iterable $rights,
+    ): bool {
+        $acl = $this->init($resourceLink, $rights);
 
-        $askedMask = (string) $mask->get();
+        $askedMask = (string) self::getPermissionMask([$attribute]);
 
         if ($this->security->getToken() instanceof NullToken) {
             return (bool) $acl->isAllowed('IS_AUTHENTICATED_ANONYMOUSLY', $resourceLink->getId(), $askedMask);
@@ -98,4 +106,15 @@ public function isAllowed(
 
         return false;
     }
+
+    public static function getPermissionMask(array $attributes): int
+    {
+        $builder = new MaskBuilder();
+
+        foreach ($attributes as $attribute) {
+            $builder->add($attribute);
+        }
+
+        return $builder->get();
+    }
 }

src/CoreBundle/Repository/ResourceRepository.php

@@ -18,12 +18,14 @@
 use Chamilo\CoreBundle\Entity\Session;
 use Chamilo\CoreBundle\Entity\User;
 use Chamilo\CoreBundle\Helpers\CreateUploadedFileHelper;
+use Chamilo\CoreBundle\Helpers\ResourceAclHelper;
 use Chamilo\CoreBundle\Security\Authorization\Voter\ResourceNodeVoter;
 use Chamilo\CoreBundle\Traits\NonResourceRepository;
 use Chamilo\CoreBundle\Traits\Repository\RepositoryQueryBuilderTrait;
 use Chamilo\CourseBundle\Entity\CGroup;
 use DateTime;
 use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
+use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepositoryProxy;
 use Doctrine\Common\Collections\ArrayCollection;
 use Doctrine\DBAL\Types\Types;
 use Doctrine\ORM\QueryBuilder;
@@ -37,6 +39,9 @@
 
 /**
  * Extends Resource EntityRepository.
+ *
+ * @template T of object
+ * @template-extends ServiceEntityRepositoryProxy<T>
  */
 abstract class ResourceRepository extends ServiceEntityRepository
 {

src/CoreBundle/Security/Authorization/Voter/ResourceFileVoter.php

@@ -0,0 +1,56 @@
+<?php
+
+/* For licensing terms, see /license.txt */
+
+declare(strict_types=1);
+
+namespace Chamilo\CoreBundle\Security\Authorization\Voter;
+
+use Chamilo\CoreBundle\Entity\ResourceFile;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
+use Symfony\Component\Security\Core\Authorization\Voter\Voter;
+
+/**
+ * @extends Voter<'DOWNLOAD', ResourceFile>
+ */
+final class ResourceFileVoter extends Voter
+{
+    public const DOWNLOAD = 'VIEW';
+
+    public function __construct(
+        private readonly AccessDecisionManagerInterface $accessDecisionManager,
+    ) {}
+
+    protected function supports(string $attribute, mixed $subject): bool
+    {
+        $options = [
+            self::DOWNLOAD,
+        ];
+
+        if (!\in_array($attribute, $options, true)) {
+            return false;
+        }
+
+        return $subject instanceof ResourceFile;
+    }
+
+    protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token): bool
+    {
+        $resourceFile = $subject;
+        $resourceNode = $resourceFile->getResourceNode();
+
+        if ($this->accessDecisionManager->decide($token, ['ROLE_ADMIN'])) {
+            return true;
+        }
+
+        return match ($attribute) {
+            self::DOWNLOAD => $this->accessDecisionManager->decide(
+                $token,
+                [ResourceNodeVoter::VIEW],
+                $resourceNode
+            ),
+            default => false,
+        };
+    }
+}

src/CoreBundle/Security/Authorization/Voter/ResourceNodeVoter.php

@@ -60,21 +60,12 @@ public function __construct(
 
     public static function getReaderMask(): int
     {
-        $builder = (new MaskBuilder())
-            ->add(self::VIEW)
-        ;
-
-        return $builder->get();
+        return ResourceAclHelper::getPermissionMask([self::VIEW]);
     }
 
     public static function getEditorMask(): int
     {
-        $builder = (new MaskBuilder())
-            ->add(self::VIEW)
-            ->add(self::EDIT)
-        ;
-
-        return $builder->get();
+        return ResourceAclHelper::getPermissionMask([self::VIEW, self::EDIT]);
     }
 
     protected function supports(string $attribute, $subject): bool
@@ -357,7 +348,6 @@ protected function voteOnAttribute(string $attribute, $subject, TokenInterface $
 
         // Getting rights from the link
         $rightsFromResourceLink = $link->getResourceRights();
-        $allowAnonsToView = false;
 
         $rights = [];
         if ($rightsFromResourceLink->count() > 0) {
@@ -400,7 +390,6 @@ protected function voteOnAttribute(string $attribute, $subject, TokenInterface $
             if (ResourceLink::VISIBILITY_PUBLISHED === $link->getVisibility()
                 && $link->getCourse()->isPublic()
             ) {
-                $allowAnonsToView = true;
                 $resourceRight = (new ResourceRight())
                     ->setMask($readerMask)
                     ->setRole('IS_AUTHENTICATED_ANONYMOUSLY')
@@ -454,7 +443,7 @@ protected function voteOnAttribute(string $attribute, $subject, TokenInterface $
             $rights[] = $resourceRight;
         }
 
-        return $this->resourceAclHelper->isAllowed($attribute, $link, $rights, $allowAnonsToView);
+        return $this->resourceAclHelper->isAllowed($attribute, $link, $rights);
     }
 
     /**

src/CourseBundle/Entity/CDocument.php

@@ -16,6 +16,7 @@
 use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Post;
 use ApiPlatform\Metadata\Put;
+use ApiPlatform\Metadata\QueryParameter;
 use ApiPlatform\OpenApi\Model\Operation;
 use ApiPlatform\OpenApi\Model\Parameter;
 use ApiPlatform\OpenApi\Model\RequestBody;
@@ -162,6 +163,20 @@
         new Post(
             uriTemplate: '/documents/download-selected',
             controller: DownloadSelectedDocumentsAction::class,
+            parameters: [
+                'cid' => new QueryParameter(
+                    schema: ['type' => 'integer'],
+                    description: 'Course identifier',
+                ),
+                'sid' => new QueryParameter(
+                    schema: ['type' => 'integer'],
+                    description: 'Session identifier',
+                ),
+                'gid' => new QueryParameter(
+                    schema: ['type' => 'integer'],
+                    description: 'Course grou identifier',
+                ),
+            ],
             openapi: new Operation(
                 summary: 'Download selected documents as a ZIP file.',
                 description: 'Streams a ZIP archive generated on-the-fly. The ZIP file includes folders and files selected.',

src/CourseBundle/Repository/CDocumentRepository.php

@@ -25,6 +25,9 @@
 use Symfony\Component\HttpFoundation\File\UploadedFile;
 use Throwable;
 
+/**
+ * @extends ResourceRepository<CDocument>
+ */
 final class CDocumentRepository extends ResourceRepository
 {
     public function __construct(ManagerRegistry $registry)

tests/behat/README.md

@@ -14,11 +14,10 @@ java -jar /my-dir/selenium-server-standalone-3.1.0.jar
 
 - Download the Chrome driver, unzip and copy into /usr/bin
 
-Check the latest version at https://sites.google.com/a/chromium.org/chromedriver/downloads,
-then adapt the following command to the latest version. Use a version that matches your version of the Chrome browser.
+Check the latest `chromedriver` version at [https://googlechromelabs.github.io/chrome-for-testing/](https://googlechromelabs.github.io/chrome-for-testing/) that matches your configuration (linux64 for Ubuntu), then adapt the following command to the latest version. Use a version that matches your version of the Chrome browser.
 
 ```
-cd /tmp && wget https://chromedriver.storage.googleapis.com/2.35/chromedriver_linux64.zip && unzip chromedriver_linux64.zip && sudo mv chromedriver /usr/local/bin
+cd /tmp && wget https://storage.googleapis.com/chrome-for-testing-public/143.0.7499.40/linux64/chromedriver-linux64.zip && unzip chromedriver_linux64.zip && sudo mv chromedriver /usr/local/bin
 ```
 
 ### Chamilo configuration