Create institutional manager role

[SteelWagstaff]

Currently, the network manager is a 'restricted' super admin. We want to create a sub-class of network manager -- an 'institutional manager' who resembles a network manager, but only for books/users associated with a given institution. The primary way that an institutional manager differs from a network manager in our database is that an institutional manager is associated with one (and only one) institution.

We need to find a consistent way of specifying which institution an institutional manager is associated with. We also need to determine a consistent way of checking institutional values for the institutional manager and the book/user the institutional manager wants to take action on when performing admin actions (edit/activate/deactivate/delete book or edit/delete user).

See https://github.com/pressbooks/pressbooks-multi-institution/issues/2 for details of requirements.

[arzola]

I've been working on menus handler to hide specific options when this kind of users are logged in

Current TODO

• Dashboard page for institutional managers (WIP)
• Hook into wp menus to append institution ID if required
• Filtering books/users by institution on stats
• Modify Stats with proper institution filters applied

[SteelWagstaff]

@arzola I'm a little concerned about the direction this task is taking this sprint. From my point of view, the goal is to create a functional new role and to ensure that users are assigned and unassigned from this role whenever they are assigned as institutional managers by the create/manage institution form. The action should make them a super admin and apply some restriction that indicates that they are an 'institutional manager' rather than an unrestricted super admin or a (restricted) network manager. This user needs to be restricted to only being able to edit and delete books/users when they're assigned to their institution.

Figuring out how to display various pages (custom dashboard, book/user lists, institutional stats page) to this role can come in a later sprint, IMO.

[arzola]

As we discussed yesterday I have the following

• [x] Grant super admin privileges to new institution managers and add them to the restricted users list when they are added on the institutions form
• [x] Remove institutional managers from the restricted users list and revoke their super admin privileges when they are removed on the instutions form
• [x] Created get_institution_by_manager function that would check if the current user is a restricted super admin and return their institution id, it would return 0 if is not restricted or is they are not manager on an institution
• [x] Hide unwanted menu options for institutional manager "role"
• [x] Mapping/modify files that would require to review the conditions for is_restricted
• [x] Cap book management to manage books that belongs to their institution only (pre_get_sites,sites_clauses hooks)
• [ ] Tests

  Files to be reviewed / modified (is_restricted)

• [ ] inc/admin/network/class-sharingandprivacyoptions.php
• [x] inc/admin/class-network-managers-list-table.php
• [ ] inc/admin/laf/namespace.php
• [x] inc/admin/menus/class-sidebar.php
• [x] inc/admin/menus/class-topbar.php
• [ ] inc/admin/networkmanagers/namespace.php
• [ ] tests/test-admin-networkmanagers.php
• [ ] web/app/plugins/pressbooks-lti-provider-1p3/inc/class-admin.php
• [x] web/app/plugins/pressbooks-network-analytics/inc/admin/class-books.php
• [x] web/app/plugins/pressbooks-network-analytics/inc/admin/class-menus.php
• [x] web/app/plugins/pressbooks-plugins-config/inc/class-plugins-config.php

I uploaded a POC in https://oscardev.pressbooks.network

TODO:

• [ ] Block all actions and allow them using an allowlist
• [ ] Tests
• [ ] Move filters to appropriate objects instead of Bootstrap file

Probably for next iteration

• [ ] Deep analysis of how network analytics tables works in order to cap functionality or understand if we are gonna build those tables from scratch using our new eloquent tables approach
• [ ] Institutional manager dashboard

[arzola]

Approach to follow next iteration.

1. Block all pages by default and having an allowlist for pages the institution manager could see
2. Map and append filters in every action on network analytics plugin to handle permissions (Edit users, edit books, delete actions, etc): #45
3. Create new dashboard page: https://github.com/pressbooks/pressbooks-multi-institution/issues/39
4. Set of tests
5. Discuss if data collector tables should hold the institution ID on the book record (and maybe users too) #43

[SteelWagstaff]

@arzola see https://github.com/pressbooks/pressbooks-multi-institution/issues/45 for initial description of capabilities institutional managers need to have. How does this look to you?

[SteelWagstaff]

Closing in favour of #45