Redo roles and permissions (#95)

Peter Staab:
This pull request does a number of things with roles and permissions: 
- all roles and permissions are defined in `permissions.dist.yml`
- admins can copy this file over and change permissions/add roles, etc. 
- there is a role called `course_admin`, which can have additional permissions that instructors don't have. 
- there are both server-side permissions and ui permissions.
- there is a script `bin/update_perms.pl` which loads both the roles and permissions in the `permissions.yml` file into the database.
- on the server side, the permissions are checked by querying the database. 
- on the UI side, after login, the permissions are loaded in the store to be able to be queried whenever. 
- every route is now checked that the user has permission to visit that route.

Glenn Rice:
Make a Boolean InflateColumn package that works for the boolean data type.

K. Andrew Parker:
Track authentication expiry in session store.

Co-authored-by: K. Andrew Parker <[email protected]>
Co-authored-by: Glenn Rice <[email protected]>

Author: 3 people

README.md

@@ -46,7 +46,7 @@ are assuming terminal/shell commands.
 
 1. Clone the webwork3 code with `git clone https://github.com/openwebwork/webwork3.git`
 2. Change directory to the webwork3 directory: `cd webwork3`
-3. Copy conf/webwork3.yml.dist to conf/webwork3.yml and modify it appropriately if needed.
+3. Copy `conf/webwork3.dist.yml` to `conf/webwork3.yml` and modify it appropriately if needed.
 
 ### Download Quasar
 
@@ -163,7 +163,7 @@ sudo systemctl start webwork3
 10. Set up permissions for the renderer with the following commands executed from the renderer directory.
 
 ```sh
-sudo chown -R youruser:www-data logs 
+sudo chown -R youruser:www-data logs
 sudo chmod g+rw logs/standalone_results.log
 sudo chmod -R g+rw lib/WeBWorK/tmp/* lib/WeBWorK/htdocs/tmp/*
 ```

bin/import_ww2_db.pl

@@ -100,7 +100,12 @@ BEGIN
 
 my $dbh = DBI->connect($db_dsn, $db_user, $db_pass, { RaiseError => 1, AutoCommit => 0 });
 
-my $schema = DB::Schema->connect($config->{database_dsn}, $config->{database_user}, $config->{database_password});
+my $schema = DB::Schema->connect(
+	$config->{database_dsn},
+	$config->{database_user},
+	$config->{database_password},
+	{ quote_names => 1 }
+);
 
 my $course_rs       = $schema->resultset('Course');
 my $user_rs         = $schema->resultset('User');

bin/update_perms.pl

@@ -0,0 +1,57 @@
+#!/usr/bin/env perl
+
+=head1 NAME
+
+update_perms.pl - Load the roles and permissions in conf/permissions.yml into the database
+
+=head1 SYNOPSIS
+
+update_perms.p [options]
+
+ Options:
+   -h|--help    Show full help
+
+=head1 DESCRIPTION
+
+All of the roles and permissions for webwork3 are defined in conf/permissions.yml (or it's
+default file permissions.dist.yml).  This script checks for consistancy of that file and
+then loads the roles and permissions into the database.
+
+=cut
+
+use warnings;
+use strict;
+
+require Exporter;
+use base qw(Exporter);
+our @EXPORT_OK = qw/updatePermissions/;
+
+BEGIN {
+	use File::Basename qw/dirname/;
+	use Cwd qw/abs_path/;
+	$main::webwork3_dir = dirname(dirname(abs_path(__FILE__)));
+}
+
+use lib "$main::webwork3_dir/lib";
+
+use Getopt::Long qw(:config bundling);
+use Pod::Usage;
+use DB::Schema;
+
+use DB::Utils qw/updatePermissions/;
+
+my $showHelp;
+GetOptions('h|help' => \$showHelp);
+pod2usage({ -verbose => 2, -exitval => 0 }) if $showHelp;
+
+# Load the configuration to obtain the database settings.
+my $ww3_conf = "$main::webwork3_dir/conf/webwork3.yml";
+$ww3_conf = "$main::webwork3_dir/conf/webwork3.dist.yml" unless -r $ww3_conf;
+
+my $role_perm_file = "$main::webwork3_dir/conf/permissions.yml";
+# if it doesn't exist, load the default one:
+$role_perm_file = "$main::webwork3_dir/conf/permissions.dist.yml" unless -r $role_perm_file;
+
+updatePermissions($ww3_conf, $role_perm_file);
+
+1;

conf/permissions.dist.yml

@@ -0,0 +1,185 @@
+---
+# This file defines the default roles and permissions for webwork 3. If you wish to add or
+# change any roles, copy this file to conf/permissions.yml and make changes.
+# Whether or not you have made changes, run /bin/update_role_db.pl to load all roles
+# in the database.
+
+roles:
+  - course_admin
+  - instructor
+  - ta
+  - student
+
+# This defines the permisions for each role for the backend/database.
+#
+# This hash has each of the Controllers (Logger, Permission, Course, ...) as a field
+# and each action as a subfield.  For each Controller/action, there are three possibilities
+#
+# - authenticated: true      this route can be accessed by any user who has been authenticated.
+# - admin_required: true     this route can only be accessed by a user with admin flag (no course role)
+# - allow_self_access: true  this route can be accessed by a user matching the user_id
+# - allowed_roles: Array     this route can be accessed by a user with a role in the given array.
+#                            and '*' can be used for all roles.
+
+db_permissions:
+  Logger:
+    clientLog:
+      authenticated: true
+  Permission:
+    getRoles:
+      authenticated: true
+    getUIRoutePermissions:
+      authenticated: true
+    checkPermission:
+      authenticated: true
+
+  Course:
+    getCourses:
+      allowed_roles: ['*']
+    getCourse:
+      allowed_roles: ['*']
+    updateCourse:
+      admin_required: true
+    addCourse:
+      admin_required: true
+    deleteCourse:
+      admin_required: true
+  User:
+    getGlobalUsers:
+      admin_required: true
+    getGlobalUser:
+      admin_required: true
+    checkGlobalUser:
+      allowed_roles: ['course_admin', 'instructor']
+    updateGlobalUser:
+      admin_required: true
+    addGlobalUser:
+      admin_required: true
+    deleteGlobalUser:
+      admin_required: true
+    # The following actions are needed for instructors to handle global users
+    getGlobalUsersFromCourse:
+      allowed_roles: ['course_admin', 'instructor']
+    getGlobalUserFromCourse:
+      allowed_roles: ['course_admin', 'instructor']
+    getUserCoursesFromCourse:
+      allowed_roles: ['course_admin', 'instructor']
+    updateGlobalUserFromCourse:
+      allowed_roles: ['course_admin', 'instructor']
+    addGlobalUserFromCourse:
+      allowed_roles: ['course_admin', 'instructor']
+    deleteGlobalUserFromCourse:
+      allowed_roles: ['course_admin', 'instructor']
+    getCourseUsers:
+      allowed_roles: ['course_admin', 'instructor']
+    getUserCourses:
+      allow_self_access: true
+      allowed_roles: ['course_admin', 'instructor']
+    getGlobalCourseUsers:
+      allowed_roles: ['course_admin', 'instructor']
+    getCourseUser:
+      allowed_roles: ['course_admin', 'instructor']
+    addCourseUser:
+      allowed_roles: ['course_admin', 'instructor']
+    updateCourseUser:
+      allowed_roles: ['course_admin', 'instructor']
+    deleteCourseUser:
+      allowed_roles: ['course_admin', 'instructor']
+  ProblemSet:
+    getProblemSets:
+      allowed_roles: ['course_admin', 'instructor', 'student']
+    getProblemSet:
+      allowed_roles: ['course_admin', 'instructor']
+    addProblemSet:
+      allowed_roles: ['course_admin', 'instructor']
+    updateProblemSet:
+      allowed_roles: ['course_admin', 'instructor']
+    deleteProblemSet:
+      allowed_roles: ['course_admin', 'instructor']
+    getAllUserSets:
+      allowed_roles: ['course_admin', 'instructor']
+    getUserSets:
+      allowed_roles: ['course_admin', 'instructor']
+    addUserSet:
+      allowed_roles: ['course_admin', 'instructor']
+    updateUserSet:
+      allowed_roles: ['course_admin', 'instructor']
+    deleteUserSet:
+      allowed_roles: ['course_admin', 'instructor']
+  Problem:
+    getAllProblems:
+      allowed_roles: ['course_admin', 'instructor', 'student']
+    getProblem:
+      allowed_roles: ['course_admin', 'instructor', 'student']
+    addProblem:
+      allowed_roles: ['course_admin', 'instructor']
+    updateProblem:
+      allowed_roles: ['course_admin', 'instructor']
+    deleteProblem:
+      allowed_roles: ['course_admin', 'instructor']
+
+    # UserProblem Routes
+
+    getUserProblemsForSet:
+      allowed_roles: ['course_admin', 'instructor']
+    getUserProblemsForUser:
+      allowed_roles: ['course_admin', 'instructor']
+      allow_self_access: true
+    getUserProblem:
+      allowed_roles: ['course_admin', 'instructor']
+      allow_self_access: true
+    addUserProblem:
+      allowed_roles: ['course_admin', 'instructor']
+    updateUserProblem:
+      allowed_roles: ['course_admin', 'instructor']
+      allow_self_access: true
+    deleteUserProblem:
+      allowed_roles: ['course_admin', 'instructor']
+
+    # ProblemPool routes
+    getProblemPools:
+      allowed_roles: ['course_admin', 'instructor']
+    getProblemPool:
+      allowed_roles: ['course_admin', 'instructor']
+    addProblemPool:
+      allowed_roles: ['course_admin', 'instructor']
+    updateProblemPool:
+      allowed_roles: ['course_admin', 'instructor']
+    deleteProblemPool:
+      allowed_roles: ['course_admin', 'instructor']
+
+    # PoolProblem routes
+    getPoolProblems:
+      allowed_roles: ['course_admin', 'instructor']
+    getPoolProblem:
+      allowed_roles: ['course_admin', 'instructor']
+    addProblemToPool:
+      allowed_roles: ['course_admin', 'instructor']
+    updatePoolProblem:
+      allowed_roles: ['course_admin', 'instructor']
+    removePoolProblem:
+      allowed_roles: ['course_admin', 'instructor']
+  Settings:
+    getDefaultCourseSettings:
+      allowed_roles: ['*']
+    getCourseSettings:
+      allowed_roles: ['*']
+    updateCourseSettings:
+      allowed_roles: ['course_admin', 'instructor']
+
+# This defines the permisions for each role for the frontend/UI layer.
+
+# This object is a list of routes, followed by an array of roles allowed.
+
+ui_permissions:
+  /login:
+    allowed_roles: ['*']
+  /users/*/courses:
+    allowed_roles: ['instructor', 'course_admin']
+    allow_self_access: true
+  /courses/*/instructor:
+    allowed_roles: ['instructor', 'course_admin']
+  /courses/*/student:
+    allowed_roles: ['student', 'instructor', 'course_admin']
+  /admin:
+    admin_required: true

conf/permissions.yaml

@@ -13,11 +13,18 @@ webwork3_home: .
 # For the sqlite database
 database_dsn: dbi:SQLite:./t/db/sample_db.sqlite
 # For mysql or mariadb
-#database_dsn: dbi:mysql:dbname=webwork3_test
+# database_dsn: dbi:mysql:dbname=webwork3_test
 # For postgres
 #database_dsn: dbi:Pg:dbname=webwork3_test;host=localhost
 
 # Database credentials for mysql, mariadb, or postgres.
 # These are ignored if the 'sqlite' database is used.
 database_user: webworkWrite
 database_password: password
+
+# Cookie control settings
+# cookie_samesite: None
+# disable this for testing.
+cookie_secure: 0
+cookie_lifetime: 3600
+

conf/webwork3-test.dist.yml

@@ -3,6 +3,9 @@ use warnings;
 use strict;
 
 use Exception::Class (
+	'DB::Exception::RouteWithoutPermission' => {
+		fields => [ 'route', 'message' ]
+	},
 	'DB::Exception::UndefinedCourseField' => {
 		fields      => ['message'],
 		description => 'There is an undefined course setting field'
@@ -100,6 +103,10 @@ use Exception::Class (
 	'DB::Exception::UserProblemNotFound' => {
 		fields      => [ 'course_name', 'problem_number', 'problem_version', 'username', 'set_name' ],
 		description => 'The requested user problem is not found.'
+	},
+	'DB::Exception::UserRoleUndefined' => {
+		fields      => ['role_name'],
+		description => 'The role name is not defined.'
 	}
 );
 
@@ -108,7 +115,7 @@ DB::Exception::UndefinedCourseField->Trace(1);
 DB::Exception::InvalidCourseField->Trace(1);
 DB::Exception::UserSetNotInCourse->Trace(1);
 DB::Exception::SetNotInCourse->Trace(1);
-# DB::Exception::UserNotInCourse->Trace(1);
+DB::Exception::UserNotInCourse->Trace(1);
 DB::Exception::UserNotFound->Trace(1);
 DB::Exception::CourseAlreadyExists->Trace(1);
 DB::Exception::InvalidParameter->Trace(1);
@@ -120,4 +127,5 @@ DB::Exception::UserSetExists->Trace(1);
 DB::Exception::ImproperDateOrder->Trace(1);
 DB::Exception::SetAlreadyExists->Trace(1);
 DB::Exception::UserProblemNotFound->Trace(1);
+DB::Exception::UserRoleUndefined->Trace(1);
 1;

lib/DB/Exception.pm

@@ -40,7 +40,7 @@ our $REQUIRED_PARAMS = { _ALL_   => ['visible'] };
 
 __PACKAGE__->table('course');
 
-__PACKAGE__->load_components('InflateColumn::Serializer', 'Core');
+__PACKAGE__->load_components(qw/InflateColumn::Serializer InflateColumn::Boolean Core/);
 
 __PACKAGE__->add_columns(
 	course_id => {
@@ -68,14 +68,6 @@ __PACKAGE__->add_columns(
 	}
 );
 
-__PACKAGE__->inflate_column(
-	'visible',
-	{
-		inflate => sub { return shift ? true : false; },
-		deflate => sub { return shift; }
-	}
-);
-
 __PACKAGE__->set_primary_key('course_id');
 
 # set up the many-to-many relationship to users