Programmatically add user to site permissions using event listener

Dear Omeka S community,

We have a use case where we want to have a site’s content available to (LDAP-)authenticated users only.
I found the RestrictedSites module that seems useful for this scenario.

With the RestrictedSites module, one should authorize users in the Site Settings - User permissions, giving them at least Viewer permission.

What I would like to achieve is that an LDAP-authenticated user is automatically authorized for the site.
In other words, I would like to make use of the ‘ldap.user.create.pre’ event and attach a listener that assigns the respective user the site’s Viewer role.

This is my current code in Module.php:

public function attachListeners(SharedEventManagerInterface $sharedEventManager)
{
    $sharedEventManager->attach(
        // The class identifier that triggers the event:
        'Ldap\Authentication\Adapter\LdapAdapter',

        // The named event identifier to listen to:
        'ldap.user.create.pre',

        // Any callback for the event (= action to take when the event occurs)
        function () {
            $logger = $this->getServiceLocator()->get('Omeka\Logger');
            $logger->info("Successfully attached to the event 'ldap.user.create.pre'");

            // TODO: Give the current user Viewer role on the site permissions
        }
    );
}

At this stage I am not sure how to proceed. Is there already a class-method that I can use at this place? Should I create my own function?
Any help is appreciated.

Thank you very much.
Best regards,
Maarten Coonen, Maastricht University Library

Modifying site permissions happens, like many things in Omeka S, using the API. So you’d get the API manager object and issue a request to update the site you want to grant permissions to, using the o:site_permission key to define the permission you want to grant.

Though, you could also do it directly against the database using Doctrine: get the Site entity and add a new SitePermission entity to its sitePermissions array.

I was thinking I’d suggest just changing the ACL instead so all the roles that require login have access, but it looks like RestrictedSites doesn’t really use the ACL for this, it just checks for the site permission/role directly.
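
An added example of the API approach described in the answer above (not code from the thread, Omeka S, or the RestrictedSites module): it reads the site's current permissions and writes them back with one extra `viewer` entry, so no existing role is dropped or changed. The helper names, `$siteId` and `$userId` are hypothetical; it assumes the user is already saved and has an id, that the caller is allowed to update the site, and that the submitted `o:site_permission` list replaces the stored one.

```php
<?php
// Added example: hypothetical helpers, not part of Omeka S or any module.
use Omeka\Api\Manager as ApiManager;

/**
 * Build the o:site_permission payload that adds $userId as 'viewer'.
 * Existing entries are copied unchanged, so an editor or admin is never
 * downgraded and nobody else loses access when the list is written back.
 */
function withViewer(array $current, int $userId): array
{
    $payload = [];
    $found = false;
    foreach ($current as $entry) {
        $id = (int) $entry['o:user']['o:id'];
        $payload[] = ['o:user' => ['o:id' => $id], 'o:role' => $entry['o:role']];
        $found = $found || $id === $userId;
    }
    if (!$found) {
        // Least privilege: new users only ever get the lowest site role.
        $payload[] = ['o:user' => ['o:id' => $userId], 'o:role' => 'viewer'];
    }
    return $payload;
}

/** Grant viewer access on one site through the API manager. */
function grantSiteViewer(ApiManager $api, int $siteId, int $userId): void
{
    $site = $api->read('sites', $siteId)->getContent();

    // Flatten the current permission representations into plain arrays.
    $current = [];
    foreach ($site->sitePermissions() as $permission) {
        $current[] = [
            'o:user' => ['o:id' => $permission->user()->id()],
            'o:role' => $permission->role(),
        ];
    }

    $payload = withViewer($current, $userId);
    if (count($payload) === count($current)) {
        return; // The user already holds a role on this site.
    }

    // isPartial: only the keys present in the data are updated on the site.
    $api->update('sites', $siteId, ['o:site_permission' => $payload], [], ['isPartial' => true]);
}
```

Inside a module, the API manager is available from the service locator as `Omeka\ApiManager`.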

Thank you John!
We will try out the API approach and will report back here.

Best,
Maarten