permission = $permission; $this->role = $role; $this->permissionService = $permissionService; } /** * Get all the user roles from the system. */ public function getAllRoles(): Collection { return $this->role->all(); } /** * Get all the roles except for the provided one. */ public function getAllRolesExcept(Role $role): Collection { return $this->role->where('id', '!=', $role->id)->get(); } /** * Get a role via its ID. */ public function getRoleById($id): Role { return $this->role->newQuery()->findOrFail($id); } /** * Save a new role into the system. */ public function saveNewRole(array $roleData): Role { $role = $this->role->newInstance($roleData); $role->mfa_enforced = ($roleData['mfa_enforced'] ?? 'false') === 'true'; $role->save(); $permissions = isset($roleData['permissions']) ? array_keys($roleData['permissions']) : []; $this->assignRolePermissions($role, $permissions); $this->permissionService->buildJointPermissionForRole($role); Activity::add(ActivityType::ROLE_CREATE, $role); return $role; } /** * Updates an existing role. * Ensure Admin role always have core permissions. */ public function updateRole($roleId, array $roleData) { /** @var Role $role */ $role = $this->role->newQuery()->findOrFail($roleId); $permissions = isset($roleData['permissions']) ? array_keys($roleData['permissions']) : []; if ($role->system_name === 'admin') { $permissions = array_merge($permissions, [ 'users-manage', 'user-roles-manage', 'restrictions-manage-all', 'restrictions-manage-own', 'settings-manage', ]); } $this->assignRolePermissions($role, $permissions); $role->fill($roleData); $role->mfa_enforced = ($roleData['mfa_enforced'] ?? 'false') === 'true'; $role->save(); $this->permissionService->buildJointPermissionForRole($role); Activity::add(ActivityType::ROLE_UPDATE, $role); } /** * Assign an list of permission names to an role. */ protected function assignRolePermissions(Role $role, array $permissionNameArray = []) { $permissions = []; $permissionNameArray = array_values($permissionNameArray); if ($permissionNameArray) { $permissions = $this->permission->newQuery() ->whereIn('name', $permissionNameArray) ->pluck('id') ->toArray(); } $role->permissions()->sync($permissions); } /** * Delete a role from the system. * Check it's not an admin role or set as default before deleting. * If an migration Role ID is specified the users assign to the current role * will be added to the role of the specified id. * * @throws PermissionsException * @throws Exception */ public function deleteRole($roleId, $migrateRoleId) { /** @var Role $role */ $role = $this->role->newQuery()->findOrFail($roleId); // Prevent deleting admin role or default registration role. if ($role->system_name && in_array($role->system_name, $this->systemRoles)) { throw new PermissionsException(trans('errors.role_system_cannot_be_deleted')); } elseif ($role->id === intval(setting('registration-role'))) { throw new PermissionsException(trans('errors.role_registration_default_cannot_delete')); } if ($migrateRoleId) { $newRole = $this->role->newQuery()->find($migrateRoleId); if ($newRole) { $users = $role->users()->pluck('id')->toArray(); $newRole->users()->sync($users); } } $this->permissionService->deleteJointPermissionsForRole($role); Activity::add(ActivityType::ROLE_DELETE, $role); $role->delete(); } }