[WWcvs] webwork2: modifications to support changes to global.conf.dist adding

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Log Message:
-----------
modifications to support changes to global.conf.dist adding %userRoles 
hash and changing the meaning of values in %permissionLevels.

Authz will now look up the role obtained from %permissionLevels in the
%userRoles hash, and compare the resulting number with the user's
permission level.

Modified Files:
--------------
    webwork2/conf:
        global.conf.dist
    webwork2/lib/WeBWorK:
        Authz.pm

Revision Data
-------------
Index: global.conf.dist
===================================================================
RCS file: /webwork/cvs/system/webwork2/conf/global.conf.dist,v
retrieving revision 1.142
retrieving revision 1.143
diff -Lconf/global.conf.dist -Lconf/global.conf.dist -u -r1.142 -r1.143

--- conf/global.conf.dist
+++ conf/global.conf.dist
@@ -476,81 +476,89 @@
 # Authorization system
 ################################################################################
 
-# This lets you specify a minimum permission level needed to perform certain
-# actions. For each pair in the hash below, in order to perform the action
-# described by the key, the user must have a permission level greater than or
-# equal to the value.
-
-my $guest     = -5;
-my $student   = 0;
-my $proctor   = 2;
-my $ta        = 5;
-my $professor = 10;
-my $nobody    = undef;
+# this section lets you define which groups of users can perform which actions.
 
+# this hash maps a numeric permission level to the name of a role. the number
+# assigned to a role is significant -- roles with higher numbers are considered
+# "more privileged", and are included when that role is listed for a privilege
+# below.
+# 
+%userRoles = (
+	guest => -5,
+	student => 0,
+	proctor => 2,
+	ta => 5,
+	professor => 10,
+);
+
+# this hash maps operations to the roles that are allowed to perform those
+# operations. the role listed and any role with a higher permission level (in
+# the %userRoles hash) will be allowed to perform the operation. If the role
+# is undefined, no users will be allowed to perform the operation.
+# 
 %permissionLevels = (
-	login                          => $guest,
-	report_bugs                    => $student,
-	submit_feedback                => $student,
-	change_password                => $student,
-	change_email_address           => $student,
+	login                          => "guest",
+	report_bugs                    => "student",
+	submit_feedback                => "student",
+	change_password                => "student",
+	change_email_address           => "student",
 
-	proctor_quiz                   => $proctor,
+	proctor_quiz                   => "proctor",
 	
-	view_multiple_sets             => $ta,
-	view_unopened_sets             => $ta,
-	view_unpublished_sets          => $ta,
-	view_answers                   => $ta,
+	view_multiple_sets             => "ta",
+	view_unopened_sets             => "ta",
+	view_unpublished_sets          => "ta",
+	view_answers                   => "ta",
 	
-	become_student                 => $professor,
-	access_instructor_tools        => $ta,
-	score_sets                     => $professor,
-	send_mail                      => $professor,
-	receive_feedback               => $ta,
+	become_student                 => "professor",
+	access_instructor_tools        => "ta",
+	score_sets                     => "professor",
+	send_mail                      => "professor",
+	receive_feedback               => "ta",
 	
-	create_and_delete_problem_sets => $professor,
-	assign_problem_sets            => $professor,
-	modify_problem_sets            => $professor,
-	modify_student_data            => $professor,
-	modify_classlist_files         => $professor,
-	modify_set_def_files           => $professor,
-	modify_scoring_files           => $professor,
-	modify_problem_template_files  => $professor,
+	create_and_delete_problem_sets => "professor",
+	assign_problem_sets            => "professor",
+	modify_problem_sets            => "professor",
+	modify_student_data            => "professor",
+	modify_classlist_files         => "professor",
+	modify_set_def_files           => "professor",
+	modify_scoring_files           => "professor",
+	modify_problem_template_files  => "professor",
 	
-	create_and_delete_courses      => $professor,
-	fix_course_databases           => $professor,
+	create_and_delete_courses      => "professor",
+	fix_course_databases           => "professor",
 	
 	##### Behavior of the interactive problem processor #####
 	
-	show_correct_answers_before_answer_date         => $ta,
-	show_solutions_before_answer_date               => $ta,
-	avoid_recording_answers                         => $ta,
+	show_correct_answers_before_answer_date         => "ta",
+	show_solutions_before_answer_date               => "ta",
+	avoid_recording_answers                         => "ta",
 	# Below this level, old answers are never initially shown
-	can_show_old_answers_by_default                 => $student,
+	can_show_old_answers_by_default                 => "student",
 	# at this level, we look at showOldAnswers for default value
 	# even after the due date
-	can_always_use_show_old_answers_default         => $professor,
-	check_answers_before_open_date                  => $ta,
-	check_answers_after_open_date_with_attempts     => $ta,
-	check_answers_after_open_date_without_attempts  => $guest,
-	check_answers_after_due_date                    => $guest,
-	check_answers_after_answer_date                 => $guest,
-	record_answers_when_acting_as_student           => $nobody,
+	can_always_use_show_old_answers_default         => "professor",
+	check_answers_before_open_date                  => "ta",
+	check_answers_after_open_date_with_attempts     => "ta",
+	check_answers_after_open_date_without_attempts  => "guest",
+	check_answers_after_due_date                    => "guest",
+	check_answers_after_answer_date                 => "guest",
+	record_answers_when_acting_as_student           => undef,
 	# "record_answers_when_acting_as_student" takes precedence
 	# over the following for professors acting as students:
-	record_answers_before_open_date                 => $nobody,
-	record_answers_after_open_date_with_attempts    => $student,
-	record_answers_after_open_date_without_attempts => $nobody,
-	record_answers_after_due_date                   => $nobody,
-	record_answers_after_answer_date                => $nobody,
-	dont_log_past_answers                           => $professor,
+	record_answers_before_open_date                 => undef,
+	record_answers_after_open_date_with_attempts    => "student",
+	record_answers_after_open_date_without_attempts => undef,
+	record_answers_after_due_date                   => undef,
+	record_answers_after_answer_date                => undef,
+	dont_log_past_answers                           => "professor",
 	
 	##### Behavior of the Hardcopy Processor #####
 	
-	download_hardcopy_multiuser  => $ta,
-	download_hardcopy_multiset   => $ta,
-	download_hardcopy_format_pdf => $guest,
-	download_hardcopy_format_tex => $ta,
+	download_hardcopy_multiuser  => "ta",
+	download_hardcopy_multiset   => "ta",
+	download_hardcopy_format_pdf => "guest",
+	download_hardcopy_format_tex => "ta",
 );
 
 ################################################################################
Index: Authz.pm
===================================================================
RCS file: /webwork/cvs/system/webwork2/lib/WeBWorK/Authz.pm,v
retrieving revision 1.22
retrieving revision 1.23
diff -Llib/WeBWorK/Authz.pm -Llib/WeBWorK/Authz.pm -u -r1.22 -r1.23
--- lib/WeBWorK/Authz.pm
+++ lib/WeBWorK/Authz.pm
@@ -59,6 +59,7 @@
 
 use strict;
 use warnings;
+use Carp qw/croak/;
 
 ################################################################################
 
@@ -146,7 +147,7 @@
 	if (@_ != 3) {
 		shift @_; # get rid of self
 		my $nargs = @_;
-		die "hasPermissions called with $nargs arguments instead of the expected 2: '@_'"
+		croak "hasPermissions called with $nargs arguments instead of the expected 2: '@_'"
 	}
 	
 	my ($self, $userID, $activity) = @_;
@@ -162,7 +163,7 @@
 		$PermissionLevel = $self->{PermissionLevel};
 	} else {
 		# a different user, or no user was defined before
-		my $prettyCachedUserID = defined $cachedUserID ? "'$cachedUserID'" : "undefined";
+		#my $prettyCachedUserID = defined $cachedUserID ? "'$cachedUserID'" : "undefined";
 		#warn "hasPermissions called with user '$userID', but cached user is $prettyCachedUserID. Accessing database.\n";
 		$PermissionLevel = $db->getPermissionLevel($userID); # checked
 	}
@@ -182,15 +183,29 @@
 		return 0;
 	}
 	
+	my $userRoles = $ce->{userRoles};
 	my $permissionLevels = $ce->{permissionLevels};
+	
 	if (exists $permissionLevels->{$activity}) {
-		if (defined $permissionLevels->{$activity}) {
-			return $permission_level >= $permissionLevels->{$activity};
+		my $activity_role = $permissionLevels->{$activity};
+		if (defined $activity_role) {
+			if (exists $userRoles->{$activity_role}) {
+				my $role_permlevel = $userRoles->{$activity_role};
+				if (defined $role_permlevel) {
+					return $permission_level >= $role_permlevel;
+				} else {
+					warn "Role '$activity_role' has undefined permisison level -- assuming no permission.\n";
+					return 0;
+				}
+			} else {
+				warn "Role '$activity_role' for activity '$activity' not found in \%userRoles -- assuming no permission.\n";
+				return 0;
+			}
 		} else {
-			return 0; # nobody has permission to do this
+			return 0; # undefiend $activity_role, no one has permission to perform $activity
 		}
 	} else {
-		warn "Activity '$activity' not found in %permissionLevels -- assuming no permission.\n";
+		warn "Activity '$activity' not found in \%permissionLevels -- assuming no permission.\n";
 		return 0;
 	}
 }


