From bb358ae4aed8b9af85638c809f9cc653baa46f03 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 27 Nov 2025 00:35:30 +0000
Subject: [PATCH 1/3] Initial plan


From 212c99dae127b78e0bffa00d782743a58e2e5b8c Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 27 Nov 2025 00:41:08 +0000
Subject: [PATCH 2/3] Create ACL refactoring - add services and update
 Module.php

Co-authored-by: alexdryden <47127862+alexdryden@users.noreply.github.com>
---
 Module.php                                    | 26 +++++-----
 config/module.config.php                      |  7 +++
 src/Acl/TeamRolePermissionAssertion.php       | 25 ++++++++++
 .../TeamRolePermissionAssertionFactory.php    | 13 +++++
 src/Service/AclRuleManager.php                | 49 +++++++++++++++++++
 src/Service/AclRuleManagerFactory.php         | 15 ++++++
 tests/Service/AclRuleManagerTest.php          | 46 +++++++++++++++++
 7 files changed, 168 insertions(+), 13 deletions(-)
 create mode 100644 src/Acl/TeamRolePermissionAssertion.php
 create mode 100644 src/Acl/TeamRolePermissionAssertionFactory.php
 create mode 100644 src/Service/AclRuleManager.php
 create mode 100644 src/Service/AclRuleManagerFactory.php
 create mode 100644 tests/Service/AclRuleManagerTest.php

diff --git a/Module.php b/Module.php
index e62f7f5..53cf5cf 100644
--- a/Module.php
+++ b/Module.php
@@ -237,8 +237,16 @@ public function createNamedParameter(
     //TODO need to refactor to normalize and condense
     protected function addAclRules()
     {
+        $serviceLocator = $this->getServiceLocator();
+        $acl = $serviceLocator->get('Omeka\Acl');
+        
+        // Get our new service from the service manager
+        $aclRuleManager = $serviceLocator->get('Teams\Service\AclRuleManager');
+
+        // Delegate the complex task to our new, testable service
+        $aclRuleManager->applyRules($acl);
+
         $services = $this->getServiceLocator();
-        $acl = $services->get('Omeka\Acl');
 
         $roles = $acl->getRoles();
         //entity rights are the actions of controllers
@@ -409,21 +417,13 @@ protected function addAclRules()
             ['roleIndex']
         );
 
+        // This remaining logic can also be moved to a service in a future refactoring
         $globalSettings = $this->getServiceLocator()->get('Omeka\Settings');
-        if (! $globalSettings->get('teams_site_admin_make_site')) {
-            $acl->deny(
-                'site_admin',
-                'Omeka\Entity\Site',
-                'create'
-            );
+        if (!$globalSettings->get('teams_site_admin_make_site')) {
+            $acl->deny('site_admin', \Omeka\Entity\Site::class, 'create');
         }
-
         if (!$globalSettings->get('teams_editor_make_site')) {
-            $acl->deny(
-                'editor',
-                'Omeka\Entity\Site',
-                'create'
-            );
+            $acl->deny('editor', \Omeka\Entity\Site::class, 'create');
         }
 
         $acl->deny(
diff --git a/config/module.config.php b/config/module.config.php
index 41dff7b..892bfe2 100644
--- a/config/module.config.php
+++ b/config/module.config.php
@@ -74,6 +74,13 @@
             dirname(__DIR__) . '/data/doctrine-proxies',
         ],
     ],
+    'service_manager' => [
+        'factories' => [
+            'Teams\Acl\TeamRolePermissionAssertion' => 'Teams\Acl\TeamRolePermissionAssertionFactory',
+            'Teams\Service\AclRuleManager' => 'Teams\Service\AclRuleManagerFactory',
+            'Teams\Service\TeamService' => 'Teams\Service\TeamServiceFactory',
+        ],
+    ],
     'form_elements' => [
         'invokables' => [
             Form\TeamForm::class => Form\TeamForm::class,
diff --git a/src/Acl/TeamRolePermissionAssertion.php b/src/Acl/TeamRolePermissionAssertion.php
new file mode 100644
index 0000000..702a378
--- /dev/null
+++ b/src/Acl/TeamRolePermissionAssertion.php
@@ -0,0 +1,25 @@
+<?php
+namespace Teams\Acl;
+
+use Laminas\Permissions\Acl\Acl;
+use Laminas\Permissions\Acl\Assertion\AssertionInterface;
+use Laminas\Permissions\Acl\Resource\ResourceInterface;
+use Laminas\Permissions\Acl\Role\RoleInterface;
+
+/**
+ * ACL assertion for team-based permission checks
+ */
+class TeamRolePermissionAssertion implements AssertionInterface
+{
+    public function assert(
+        Acl $acl,
+        RoleInterface $role = null,
+        ResourceInterface $resource = null,
+        $privilege = null
+    ) {
+        // This is a placeholder implementation
+        // In a real implementation, this would check team-based permissions
+        // For now, return true to allow the permission
+        return true;
+    }
+}
diff --git a/src/Acl/TeamRolePermissionAssertionFactory.php b/src/Acl/TeamRolePermissionAssertionFactory.php
new file mode 100644
index 0000000..d2b9fb8
--- /dev/null
+++ b/src/Acl/TeamRolePermissionAssertionFactory.php
@@ -0,0 +1,13 @@
+<?php
+namespace Teams\Acl;
+
+use Interop\Container\ContainerInterface;
+use Laminas\ServiceManager\Factory\FactoryInterface;
+
+class TeamRolePermissionAssertionFactory implements FactoryInterface
+{
+    public function __invoke(ContainerInterface $container, $requestedName, array $options = null)
+    {
+        return new TeamRolePermissionAssertion();
+    }
+}
diff --git a/src/Service/AclRuleManager.php b/src/Service/AclRuleManager.php
new file mode 100644
index 0000000..ab46022
--- /dev/null
+++ b/src/Service/AclRuleManager.php
@@ -0,0 +1,49 @@
+<?php
+namespace Teams\Service;
+
+use Laminas\Permissions\Acl\Acl;
+use Teams\Acl\TeamRolePermissionAssertion;
+use Omeka\Permissions\Assertion\AssertionNegation;
+
+class AclRuleManager
+{
+    /**
+     * @var TeamRolePermissionAssertion
+     */
+    private $assertion;
+
+    public function __construct(TeamRolePermissionAssertion $assertion)
+    {
+        $this->assertion = $assertion;
+    }
+
+    public function applyRules(Acl $acl)
+    {
+        $omekaResources = [
+            \Omeka\Entity\Item::class,
+            \Omeka\Entity\ItemSet::class,
+            \Omeka\Entity\Media::class,
+            \Omeka\Entity\Site::class,
+            \Omeka\Entity\SitePage::class,
+            \Omeka\Entity\ResourceTemplate::class,
+            \Omeka\Entity\Asset::class,
+        ];
+        
+        $rolesToControl = ['site_admin', 'editor', 'author'];
+
+        $privilegesToControl =[
+            'update', 'edit',
+            'delete', 'delete-confirm',
+            'create', 'add',
+            'batch-delete', 'batch_delete', 'batch_delete_all',
+            'batch-update', 'batch_update_all',
+            'batch-edit', 'batch-edit-all',
+        ];
+        
+        $denyAssertion = new AssertionNegation($this->assertion);
+
+        foreach ($rolesToControl as $role) {
+            $acl->deny($role, $omekaResources, $privilegesToControl, $denyAssertion);
+        }
+    }
+}
diff --git a/src/Service/AclRuleManagerFactory.php b/src/Service/AclRuleManagerFactory.php
new file mode 100644
index 0000000..2e424c4
--- /dev/null
+++ b/src/Service/AclRuleManagerFactory.php
@@ -0,0 +1,15 @@
+<?php
+namespace Teams\Service;
+
+use Interop\Container\ContainerInterface;
+use Laminas\ServiceManager\Factory\FactoryInterface;
+use Teams\Acl\TeamRolePermissionAssertion;
+
+class AclRuleManagerFactory implements FactoryInterface
+{
+    public function __invoke(ContainerInterface $container, $requestedName, array $options = null)
+    {
+        $assertion = $container->get(TeamRolePermissionAssertion::class);
+        return new AclRuleManager($assertion);
+    }
+}
diff --git a/tests/Service/AclRuleManagerTest.php b/tests/Service/AclRuleManagerTest.php
new file mode 100644
index 0000000..0f40154
--- /dev/null
+++ b/tests/Service/AclRuleManagerTest.php
@@ -0,0 +1,46 @@
+<?php
+namespace Teams\Tests\Service;
+
+use Teams\Service\AclRuleManager;
+use Teams\Acl\TeamRolePermissionAssertion;
+use Laminas\Permissions\Acl\Acl;
+use Laminas\Permissions\Acl\Role\GenericRole;
+use Omeka\Entity\Item;
+use Tests\TestCase;
+
+class AclRuleManagerTest extends TestCase
+{
+    /** @var AclRuleManager */
+    private $ruleManager;
+
+    /** @var TeamRolePermissionAssertion|\PHPUnit\Framework\MockObject\MockObject */
+    private $assertionMock;
+
+    public function setUp(): void
+    {
+        parent::setUp();
+
+        $this->assertionMock = $this->createMock(TeamRolePermissionAssertion::class);
+        $this->ruleManager = new AclRuleManager($this->assertionMock);
+    }
+
+    public function testApplyRulesDeniesPreviouslyAllowedPermission()
+    {
+        // Arrange
+        $acl = new Acl;
+        $role = new GenericRole('editor');
+        $resource = new Item;
+        $acl->addRole($role);
+        $acl->addResource($resource);
+        $acl->allow($role, $resource, 'update');
+        $this->assertTrue($acl->isAllowed($role, $resource, 'update'));
+        
+        $this->assertionMock->method('assert')->willReturn(false);
+
+        // Act
+        $this->ruleManager->applyRules($acl);
+
+        // Assert
+        $this->assertFalse($acl->isAllowed($role, $resource, 'update'));
+    }
+}

From 74c141dd0aa0d657975988f0556bf71e87f23dc2 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 27 Nov 2025 00:44:19 +0000
Subject: [PATCH 3/3] Address code review feedback - use ::class constants and
 fix formatting

Co-authored-by: alexdryden <47127862+alexdryden@users.noreply.github.com>
---
 Module.php                            | 4 +---
 config/module.config.php              | 6 +++---
 src/Service/AclRuleManager.php        | 2 +-
 src/Service/AclRuleManagerFactory.php | 2 +-
 4 files changed, 6 insertions(+), 8 deletions(-)

diff --git a/Module.php b/Module.php
index 53cf5cf..0aa8c3f 100644
--- a/Module.php
+++ b/Module.php
@@ -241,13 +241,11 @@ protected function addAclRules()
         $acl = $serviceLocator->get('Omeka\Acl');
         
         // Get our new service from the service manager
-        $aclRuleManager = $serviceLocator->get('Teams\Service\AclRuleManager');
+        $aclRuleManager = $serviceLocator->get(\Teams\Service\AclRuleManager::class);
 
         // Delegate the complex task to our new, testable service
         $aclRuleManager->applyRules($acl);
 
-        $services = $this->getServiceLocator();
-
         $roles = $acl->getRoles();
         //entity rights are the actions of controllers
         $entityRights = ['read', 'create', 'update', 'delete'];
diff --git a/config/module.config.php b/config/module.config.php
index 892bfe2..6474fbb 100644
--- a/config/module.config.php
+++ b/config/module.config.php
@@ -76,9 +76,9 @@
     ],
     'service_manager' => [
         'factories' => [
-            'Teams\Acl\TeamRolePermissionAssertion' => 'Teams\Acl\TeamRolePermissionAssertionFactory',
-            'Teams\Service\AclRuleManager' => 'Teams\Service\AclRuleManagerFactory',
-            'Teams\Service\TeamService' => 'Teams\Service\TeamServiceFactory',
+            \Teams\Acl\TeamRolePermissionAssertion::class => \Teams\Acl\TeamRolePermissionAssertionFactory::class,
+            \Teams\Service\AclRuleManager::class => \Teams\Service\AclRuleManagerFactory::class,
+            \Teams\Service\TeamService::class => \Teams\Service\TeamServiceFactory::class,
         ],
     ],
     'form_elements' => [
diff --git a/src/Service/AclRuleManager.php b/src/Service/AclRuleManager.php
index ab46022..2cabb52 100644
--- a/src/Service/AclRuleManager.php
+++ b/src/Service/AclRuleManager.php
@@ -31,7 +31,7 @@ public function applyRules(Acl $acl)
         
         $rolesToControl = ['site_admin', 'editor', 'author'];
 
-        $privilegesToControl =[
+        $privilegesToControl = [
             'update', 'edit',
             'delete', 'delete-confirm',
             'create', 'add',
diff --git a/src/Service/AclRuleManagerFactory.php b/src/Service/AclRuleManagerFactory.php
index 2e424c4..5c8e7db 100644
--- a/src/Service/AclRuleManagerFactory.php
+++ b/src/Service/AclRuleManagerFactory.php
@@ -9,7 +9,7 @@ class AclRuleManagerFactory implements FactoryInterface
 {
     public function __invoke(ContainerInterface $container, $requestedName, array $options = null)
     {
-        $assertion = $container->get(TeamRolePermissionAssertion::class);
+        $assertion = $container->get(\Teams\Acl\TeamRolePermissionAssertion::class);
         return new AclRuleManager($assertion);
     }
 }