|
1
|
|
|
<?php |
|
2
|
|
|
|
|
3
|
|
|
namespace SilverStripe\Security; |
|
4
|
|
|
|
|
5
|
|
|
|
|
6
|
|
|
use SilverStripe\ORM\ArrayList; |
|
7
|
|
|
use SilverStripe\ORM\DataObject; |
|
8
|
|
|
use SilverStripe\ORM\HasManyList; |
|
9
|
|
|
use SilverStripe\ORM\ManyManyList; |
|
10
|
|
|
use SilverStripe\ORM\UnsavedRelationList; |
|
11
|
|
|
use Requirements; |
|
12
|
|
|
use FieldList; |
|
13
|
|
|
use TabSet; |
|
14
|
|
|
use Tab; |
|
15
|
|
|
use TextField; |
|
16
|
|
|
use DropdownField; |
|
17
|
|
|
use TextareaField; |
|
18
|
|
|
use Config; |
|
19
|
|
|
use GridFieldConfig_RelationEditor; |
|
20
|
|
|
use GridFieldButtonRow; |
|
21
|
|
|
use GridFieldExportButton; |
|
22
|
|
|
use GridFieldPrintButton; |
|
23
|
|
|
use GridField; |
|
24
|
|
|
use HTMLEditorConfig; |
|
25
|
|
|
use LiteralField; |
|
26
|
|
|
use ListboxField; |
|
27
|
|
|
use HiddenField; |
|
28
|
|
|
use InvalidArgumentException; |
|
29
|
|
|
use Convert; |
|
30
|
|
|
|
|
31
|
|
|
/** |
|
32
|
|
|
* A security group. |
|
33
|
|
|
* |
|
34
|
|
|
* @package framework |
|
35
|
|
|
* @subpackage security |
|
36
|
|
|
* |
|
37
|
|
|
* @property string Title Name of the group |
|
38
|
|
|
* @property string Description Description of the group |
|
39
|
|
|
* @property string Code Group code |
|
40
|
|
|
* @property string Locked Boolean indicating whether group is locked in security panel |
|
41
|
|
|
* @property int Sort |
|
42
|
|
|
* @property string HtmlEditorConfig |
|
43
|
|
|
* |
|
44
|
|
|
* @property int ParentID ID of parent group |
|
45
|
|
|
* |
|
46
|
|
|
* @method Group Parent() Return parent group |
|
47
|
|
|
* @method HasManyList Permissions() List of group permissions |
|
48
|
|
|
* @method HasManyList Groups() List of child groups |
|
49
|
|
|
* @method ManyManyList Roles() List of PermissionRoles |
|
50
|
|
|
*/ |
|
51
|
|
|
class Group extends DataObject { |
|
52
|
|
|
|
|
53
|
|
|
private static $db = array( |
|
54
|
|
|
"Title" => "Varchar(255)", |
|
55
|
|
|
"Description" => "Text", |
|
56
|
|
|
"Code" => "Varchar(255)", |
|
57
|
|
|
"Locked" => "Boolean", |
|
58
|
|
|
"Sort" => "Int", |
|
59
|
|
|
"HtmlEditorConfig" => "Text" |
|
60
|
|
|
); |
|
61
|
|
|
|
|
62
|
|
|
private static $has_one = array( |
|
63
|
|
|
"Parent" => "SilverStripe\\Security\\Group", |
|
64
|
|
|
); |
|
65
|
|
|
|
|
66
|
|
|
private static $has_many = array( |
|
67
|
|
|
"Permissions" => "SilverStripe\\Security\\Permission", |
|
68
|
|
|
"Groups" => "SilverStripe\\Security\\Group" |
|
69
|
|
|
); |
|
70
|
|
|
|
|
71
|
|
|
private static $many_many = array( |
|
72
|
|
|
"Members" => "SilverStripe\\Security\\Member", |
|
73
|
|
|
"Roles" => "SilverStripe\\Security\\PermissionRole", |
|
74
|
|
|
); |
|
75
|
|
|
|
|
76
|
|
|
private static $extensions = array( |
|
77
|
|
|
"SilverStripe\\ORM\\Hierarchy\\Hierarchy", |
|
78
|
|
|
); |
|
79
|
|
|
|
|
80
|
|
|
private static $table_name = "Group"; |
|
81
|
|
|
|
|
82
|
|
|
public function populateDefaults() { |
|
83
|
|
|
parent::populateDefaults(); |
|
84
|
|
|
|
|
85
|
|
|
if(!$this->Title) $this->Title = _t('SecurityAdmin.NEWGROUP',"New Group"); |
|
86
|
|
|
} |
|
87
|
|
|
|
|
88
|
|
|
public function getAllChildren() { |
|
89
|
|
|
$doSet = new ArrayList(); |
|
90
|
|
|
|
|
91
|
|
|
$children = Group::get()->filter("ParentID", $this->ID); |
|
|
|
|
|
|
92
|
|
|
foreach($children as $child) { |
|
93
|
|
|
$doSet->push($child); |
|
94
|
|
|
$doSet->merge($child->getAllChildren()); |
|
95
|
|
|
} |
|
96
|
|
|
|
|
97
|
|
|
return $doSet; |
|
98
|
|
|
} |
|
99
|
|
|
|
|
100
|
|
|
/** |
|
101
|
|
|
* Caution: Only call on instances, not through a singleton. |
|
102
|
|
|
* The "root group" fields will be created through {@link SecurityAdmin->EditForm()}. |
|
103
|
|
|
* |
|
104
|
|
|
* @return FieldList |
|
105
|
|
|
*/ |
|
106
|
|
|
public function getCMSFields() { |
|
107
|
|
|
Requirements::javascript(FRAMEWORK_DIR . '/client/dist/js/PermissionCheckboxSetField.js'); |
|
108
|
|
|
|
|
109
|
|
|
$fields = new FieldList( |
|
110
|
|
|
new TabSet("Root", |
|
111
|
|
|
new Tab('Members', _t('SecurityAdmin.MEMBERS', 'Members'), |
|
112
|
|
|
new TextField("Title", $this->fieldLabel('Title')), |
|
113
|
|
|
$parentidfield = DropdownField::create( 'ParentID', |
|
114
|
|
|
$this->fieldLabel('Parent'), |
|
115
|
|
|
Group::get()->exclude('ID', $this->ID)->map('ID', 'Breadcrumbs') |
|
|
|
|
|
|
116
|
|
|
)->setEmptyString(' '), |
|
117
|
|
|
new TextareaField('Description', $this->fieldLabel('Description')) |
|
118
|
|
|
), |
|
119
|
|
|
|
|
120
|
|
|
$permissionsTab = new Tab('Permissions', _t('SecurityAdmin.PERMISSIONS', 'Permissions'), |
|
121
|
|
|
$permissionsField = new PermissionCheckboxSetField( |
|
122
|
|
|
'Permissions', |
|
123
|
|
|
false, |
|
124
|
|
|
'SilverStripe\\Security\\Permission', |
|
125
|
|
|
'GroupID', |
|
126
|
|
|
$this |
|
127
|
|
|
) |
|
128
|
|
|
) |
|
129
|
|
|
) |
|
130
|
|
|
); |
|
131
|
|
|
|
|
132
|
|
|
$parentidfield->setDescription( |
|
133
|
|
|
_t('Group.GroupReminder', 'If you choose a parent group, this group will take all it\'s roles') |
|
134
|
|
|
); |
|
135
|
|
|
|
|
136
|
|
|
// Filter permissions |
|
137
|
|
|
// TODO SecurityAdmin coupling, not easy to get to the form fields through GridFieldDetailForm |
|
138
|
|
|
$permissionsField->setHiddenPermissions((array)Config::inst()->get('SecurityAdmin', 'hidden_permissions')); |
|
139
|
|
|
|
|
140
|
|
|
if($this->ID) { |
|
141
|
|
|
$group = $this; |
|
142
|
|
|
$config = GridFieldConfig_RelationEditor::create(); |
|
143
|
|
|
$config->addComponent(new GridFieldButtonRow('after')); |
|
144
|
|
|
$config->addComponents(new GridFieldExportButton('buttons-after-left')); |
|
145
|
|
|
$config->addComponents(new GridFieldPrintButton('buttons-after-left')); |
|
146
|
|
|
$config->getComponentByType('GridFieldAddExistingAutocompleter') |
|
|
|
|
|
|
147
|
|
|
->setResultsFormat('$Title ($Email)')->setSearchFields(array('FirstName', 'Surname', 'Email')); |
|
148
|
|
|
$config->getComponentByType('GridFieldDetailForm') |
|
|
|
|
|
|
149
|
|
|
->setValidator(Member_Validator::create()) |
|
150
|
|
|
->setItemEditFormCallback(function($form, $component) use($group) { |
|
|
|
|
|
|
151
|
|
|
$record = $form->getRecord(); |
|
152
|
|
|
$groupsField = $form->Fields()->dataFieldByName('DirectGroups'); |
|
153
|
|
|
if($groupsField) { |
|
154
|
|
|
// If new records are created in a group context, |
|
155
|
|
|
// set this group by default. |
|
156
|
|
|
if($record && !$record->ID) { |
|
157
|
|
|
$groupsField->setValue($group->ID); |
|
158
|
|
|
} elseif($record && $record->ID) { |
|
159
|
|
|
// TODO Mark disabled once chosen.js supports it |
|
160
|
|
|
// $groupsField->setDisabledItems(array($group->ID)); |
|
|
|
|
|
|
161
|
|
|
$form->Fields()->replaceField('DirectGroups', |
|
162
|
|
|
$groupsField->performReadonlyTransformation()); |
|
163
|
|
|
} |
|
164
|
|
|
} |
|
165
|
|
|
}); |
|
166
|
|
|
$memberList = GridField::create('Members',false, $this->DirectMembers(), $config) |
|
167
|
|
|
->addExtraClass('members_grid'); |
|
168
|
|
|
// @todo Implement permission checking on GridField |
|
169
|
|
|
//$memberList->setPermissions(array('edit', 'delete', 'export', 'add', 'inlineadd')); |
|
|
|
|
|
|
170
|
|
|
$fields->addFieldToTab('Root.Members', $memberList); |
|
171
|
|
|
} |
|
172
|
|
|
|
|
173
|
|
|
// Only add a dropdown for HTML editor configurations if more than one is available. |
|
174
|
|
|
// Otherwise Member->getHtmlEditorConfigForCMS() will default to the 'cms' configuration. |
|
175
|
|
|
$editorConfigMap = HTMLEditorConfig::get_available_configs_map(); |
|
176
|
|
|
if(count($editorConfigMap) > 1) { |
|
177
|
|
|
$fields->addFieldToTab('Root.Permissions', |
|
178
|
|
|
new DropdownField( |
|
179
|
|
|
'HtmlEditorConfig', |
|
180
|
|
|
'HTML Editor Configuration', |
|
181
|
|
|
$editorConfigMap |
|
182
|
|
|
), |
|
183
|
|
|
'Permissions' |
|
184
|
|
|
); |
|
185
|
|
|
} |
|
186
|
|
|
|
|
187
|
|
|
if(!Permission::check('EDIT_PERMISSIONS')) { |
|
188
|
|
|
$fields->removeFieldFromTab('Root', 'Permissions'); |
|
189
|
|
|
} |
|
190
|
|
|
|
|
191
|
|
|
// Only show the "Roles" tab if permissions are granted to edit them, |
|
192
|
|
|
// and at least one role exists |
|
193
|
|
|
if(Permission::check('APPLY_ROLES') && DataObject::get('SilverStripe\\Security\\PermissionRole')) { |
|
194
|
|
|
$fields->findOrMakeTab('Root.Roles', _t('SecurityAdmin.ROLES', 'Roles')); |
|
195
|
|
|
$fields->addFieldToTab('Root.Roles', |
|
196
|
|
|
new LiteralField( |
|
197
|
|
|
"", |
|
198
|
|
|
"<p>" . |
|
199
|
|
|
_t( |
|
200
|
|
|
'SecurityAdmin.ROLESDESCRIPTION', |
|
201
|
|
|
"Roles are predefined sets of permissions, and can be assigned to groups.<br />" |
|
202
|
|
|
. "They are inherited from parent groups if required." |
|
203
|
|
|
) . '<br />' . |
|
204
|
|
|
sprintf( |
|
205
|
|
|
'<a href="%s" class="add-role">%s</a>', |
|
206
|
|
|
singleton('SecurityAdmin')->Link('show/root#Root_Roles'), |
|
207
|
|
|
// TODO This should include #Root_Roles to switch directly to the tab, |
|
208
|
|
|
// but tabstrip.js doesn't display tabs when directly adressed through a URL pragma |
|
209
|
|
|
_t('Group.RolesAddEditLink', 'Manage roles') |
|
210
|
|
|
) . |
|
211
|
|
|
"</p>" |
|
212
|
|
|
) |
|
213
|
|
|
); |
|
214
|
|
|
|
|
215
|
|
|
// Add roles (and disable all checkboxes for inherited roles) |
|
216
|
|
|
$allRoles = PermissionRole::get(); |
|
217
|
|
|
if(!Permission::check('ADMIN')) { |
|
218
|
|
|
$allRoles = $allRoles->filter("OnlyAdminCanApply", 0); |
|
219
|
|
|
} |
|
220
|
|
|
if($this->ID) { |
|
221
|
|
|
$groupRoles = $this->Roles(); |
|
222
|
|
|
$inheritedRoles = new ArrayList(); |
|
223
|
|
|
$ancestors = $this->getAncestors(); |
|
224
|
|
|
foreach($ancestors as $ancestor) { |
|
225
|
|
|
$ancestorRoles = $ancestor->Roles(); |
|
226
|
|
|
if($ancestorRoles) $inheritedRoles->merge($ancestorRoles); |
|
227
|
|
|
} |
|
228
|
|
|
$groupRoleIDs = $groupRoles->column('ID') + $inheritedRoles->column('ID'); |
|
229
|
|
|
$inheritedRoleIDs = $inheritedRoles->column('ID'); |
|
230
|
|
|
} else { |
|
231
|
|
|
$groupRoleIDs = array(); |
|
232
|
|
|
$inheritedRoleIDs = array(); |
|
233
|
|
|
} |
|
234
|
|
|
|
|
235
|
|
|
$rolesField = ListboxField::create('Roles', false, $allRoles->map()->toArray()) |
|
236
|
|
|
->setDefaultItems($groupRoleIDs) |
|
237
|
|
|
->setAttribute('data-placeholder', _t('Group.AddRole', 'Add a role for this group')) |
|
238
|
|
|
->setDisabledItems($inheritedRoleIDs); |
|
239
|
|
|
if(!$allRoles->Count()) { |
|
240
|
|
|
$rolesField->setAttribute('data-placeholder', _t('Group.NoRoles', 'No roles found')); |
|
241
|
|
|
} |
|
242
|
|
|
$fields->addFieldToTab('Root.Roles', $rolesField); |
|
243
|
|
|
} |
|
244
|
|
|
|
|
245
|
|
|
$fields->push($idField = new HiddenField("ID")); |
|
246
|
|
|
|
|
247
|
|
|
$this->extend('updateCMSFields', $fields); |
|
248
|
|
|
|
|
249
|
|
|
return $fields; |
|
250
|
|
|
} |
|
251
|
|
|
|
|
252
|
|
|
/** |
|
253
|
|
|
* @param bool $includerelations Indicate if the labels returned include relation fields |
|
254
|
|
|
* @return array |
|
255
|
|
|
*/ |
|
256
|
|
|
public function fieldLabels($includerelations = true) { |
|
257
|
|
|
$labels = parent::fieldLabels($includerelations); |
|
258
|
|
|
$labels['Title'] = _t('SecurityAdmin.GROUPNAME', 'Group name'); |
|
259
|
|
|
$labels['Description'] = _t('Group.Description', 'Description'); |
|
260
|
|
|
$labels['Code'] = _t('Group.Code', 'Group Code', 'Programmatical code identifying a group'); |
|
261
|
|
|
$labels['Locked'] = _t('Group.Locked', 'Locked?', 'Group is locked in the security administration area'); |
|
262
|
|
|
$labels['Sort'] = _t('Group.Sort', 'Sort Order'); |
|
263
|
|
|
if($includerelations){ |
|
264
|
|
|
$labels['Parent'] = _t('Group.Parent', 'Parent Group', 'One group has one parent group'); |
|
265
|
|
|
$labels['Permissions'] = _t('Group.has_many_Permissions', 'Permissions', 'One group has many permissions'); |
|
266
|
|
|
$labels['Members'] = _t('Group.many_many_Members', 'Members', 'One group has many members'); |
|
267
|
|
|
} |
|
268
|
|
|
|
|
269
|
|
|
return $labels; |
|
270
|
|
|
} |
|
271
|
|
|
|
|
272
|
|
|
/** |
|
273
|
|
|
* Get many-many relation to {@link Member}, |
|
274
|
|
|
* including all members which are "inherited" from children groups of this record. |
|
275
|
|
|
* See {@link DirectMembers()} for retrieving members without any inheritance. |
|
276
|
|
|
* |
|
277
|
|
|
* @param String $filter |
|
278
|
|
|
* @return ManyManyList |
|
279
|
|
|
*/ |
|
280
|
|
|
public function Members($filter = '') { |
|
281
|
|
|
// First get direct members as a base result |
|
282
|
|
|
$result = $this->DirectMembers(); |
|
283
|
|
|
|
|
284
|
|
|
// Unsaved group cannot have child groups because its ID is still 0. |
|
285
|
|
|
if(!$this->exists()) return $result; |
|
286
|
|
|
|
|
287
|
|
|
// Remove the default foreign key filter in prep for re-applying a filter containing all children groups. |
|
288
|
|
|
// Filters are conjunctive in DataQuery by default, so this filter would otherwise overrule any less specific |
|
289
|
|
|
// ones. |
|
290
|
|
|
if(!($result instanceof UnsavedRelationList)) { |
|
291
|
|
|
$result = $result->alterDataQuery(function($query){ |
|
292
|
|
|
$query->removeFilterOn('Group_Members'); |
|
293
|
|
|
}); |
|
294
|
|
|
} |
|
295
|
|
|
// Now set all children groups as a new foreign key |
|
296
|
|
|
$groups = Group::get()->byIDs($this->collateFamilyIDs()); |
|
|
|
|
|
|
297
|
|
|
$result = $result->forForeignID($groups->column('ID'))->where($filter); |
|
298
|
|
|
|
|
299
|
|
|
return $result; |
|
300
|
|
|
} |
|
301
|
|
|
|
|
302
|
|
|
/** |
|
303
|
|
|
* Return only the members directly added to this group |
|
304
|
|
|
*/ |
|
305
|
|
|
public function DirectMembers() { |
|
306
|
|
|
return $this->getManyManyComponents('Members'); |
|
307
|
|
|
} |
|
308
|
|
|
|
|
309
|
|
|
/** |
|
310
|
|
|
* Return a set of this record's "family" of IDs - the IDs of |
|
311
|
|
|
* this record and all its descendants. |
|
312
|
|
|
* |
|
313
|
|
|
* @return array |
|
314
|
|
|
*/ |
|
315
|
|
|
public function collateFamilyIDs() { |
|
316
|
|
|
if (!$this->exists()) { |
|
317
|
|
|
throw new \InvalidArgumentException("Cannot call collateFamilyIDs on unsaved Group."); |
|
318
|
|
|
} |
|
319
|
|
|
|
|
320
|
|
|
$familyIDs = array(); |
|
321
|
|
|
$chunkToAdd = array($this->ID); |
|
322
|
|
|
|
|
323
|
|
|
while($chunkToAdd) { |
|
|
|
|
|
|
324
|
|
|
$familyIDs = array_merge($familyIDs,$chunkToAdd); |
|
325
|
|
|
|
|
326
|
|
|
// Get the children of *all* the groups identified in the previous chunk. |
|
327
|
|
|
// This minimises the number of SQL queries necessary |
|
328
|
|
|
$chunkToAdd = Group::get()->filter("ParentID", $chunkToAdd)->column('ID'); |
|
|
|
|
|
|
329
|
|
|
} |
|
330
|
|
|
|
|
331
|
|
|
return $familyIDs; |
|
332
|
|
|
} |
|
333
|
|
|
|
|
334
|
|
|
/** |
|
335
|
|
|
* Returns an array of the IDs of this group and all its parents |
|
336
|
|
|
*/ |
|
337
|
|
|
public function collateAncestorIDs() { |
|
338
|
|
|
$parent = $this; |
|
339
|
|
|
while(isset($parent) && $parent instanceof Group) { |
|
340
|
|
|
$items[] = $parent->ID; |
|
|
|
|
|
|
341
|
|
|
$parent = $parent->Parent; |
|
|
|
|
|
|
342
|
|
|
} |
|
343
|
|
|
return $items; |
|
|
|
|
|
|
344
|
|
|
} |
|
345
|
|
|
|
|
346
|
|
|
/** |
|
347
|
|
|
* This isn't a decendant of SiteTree, but needs this in case |
|
348
|
|
|
* the group is "reorganised"; |
|
349
|
|
|
*/ |
|
350
|
|
|
public function cmsCleanup_parentChanged() { |
|
351
|
|
|
} |
|
352
|
|
|
|
|
353
|
|
|
/** |
|
354
|
|
|
* Override this so groups are ordered in the CMS |
|
355
|
|
|
*/ |
|
356
|
|
|
public function stageChildren() { |
|
357
|
|
|
return Group::get() |
|
|
|
|
|
|
358
|
|
|
->filter("ParentID", $this->ID) |
|
359
|
|
|
->exclude("ID", $this->ID) |
|
360
|
|
|
->sort('"Sort"'); |
|
361
|
|
|
} |
|
362
|
|
|
|
|
363
|
|
|
public function getTreeTitle() { |
|
364
|
|
|
if($this->hasMethod('alternateTreeTitle')) return $this->alternateTreeTitle(); |
|
365
|
|
|
else return htmlspecialchars($this->Title, ENT_QUOTES); |
|
366
|
|
|
} |
|
367
|
|
|
|
|
368
|
|
|
/** |
|
369
|
|
|
* Overloaded to ensure the code is always descent. |
|
370
|
|
|
* |
|
371
|
|
|
* @param string |
|
372
|
|
|
*/ |
|
373
|
|
|
public function setCode($val){ |
|
374
|
|
|
$this->setField("Code", Convert::raw2url($val)); |
|
375
|
|
|
} |
|
376
|
|
|
|
|
377
|
|
|
public function validate() { |
|
378
|
|
|
$result = parent::validate(); |
|
379
|
|
|
|
|
380
|
|
|
// Check if the new group hierarchy would add certain "privileged permissions", |
|
381
|
|
|
// and require an admin to perform this change in case it does. |
|
382
|
|
|
// This prevents "sub-admin" users with group editing permissions to increase their privileges. |
|
383
|
|
|
if($this->Parent()->exists() && !Permission::check('ADMIN')) { |
|
384
|
|
|
$inheritedCodes = Permission::get() |
|
385
|
|
|
->filter('GroupID', $this->Parent()->collateAncestorIDs()) |
|
386
|
|
|
->column('Code'); |
|
387
|
|
|
$privilegedCodes = Config::inst()->get('SilverStripe\\Security\\Permission', 'privileged_permissions'); |
|
388
|
|
|
if(array_intersect($inheritedCodes, $privilegedCodes)) { |
|
389
|
|
|
$result->error(sprintf( |
|
390
|
|
|
_t( |
|
391
|
|
|
'Group.HierarchyPermsError', |
|
392
|
|
|
'Can\'t assign parent group "%s" with privileged permissions (requires ADMIN access)' |
|
393
|
|
|
), |
|
394
|
|
|
$this->Parent()->Title |
|
395
|
|
|
)); |
|
396
|
|
|
} |
|
397
|
|
|
} |
|
398
|
|
|
|
|
399
|
|
|
return $result; |
|
400
|
|
|
} |
|
401
|
|
|
|
|
402
|
|
|
public function onBeforeWrite() { |
|
403
|
|
|
parent::onBeforeWrite(); |
|
404
|
|
|
|
|
405
|
|
|
// Only set code property when the group has a custom title, and no code exists. |
|
406
|
|
|
// The "Code" attribute is usually treated as a more permanent identifier than database IDs |
|
407
|
|
|
// in custom application logic, so can't be changed after its first set. |
|
408
|
|
|
if(!$this->Code && $this->Title != _t('SecurityAdmin.NEWGROUP',"New Group")) { |
|
409
|
|
|
if(!$this->Code) $this->setCode($this->Title); |
|
410
|
|
|
} |
|
411
|
|
|
} |
|
412
|
|
|
|
|
413
|
|
|
public function onBeforeDelete() { |
|
414
|
|
|
parent::onBeforeDelete(); |
|
415
|
|
|
|
|
416
|
|
|
// if deleting this group, delete it's children as well |
|
417
|
|
|
foreach($this->Groups() as $group) { |
|
418
|
|
|
$group->delete(); |
|
419
|
|
|
} |
|
420
|
|
|
|
|
421
|
|
|
// Delete associated permissions |
|
422
|
|
|
foreach($this->Permissions() as $permission) { |
|
423
|
|
|
$permission->delete(); |
|
424
|
|
|
} |
|
425
|
|
|
} |
|
426
|
|
|
|
|
427
|
|
|
/** |
|
428
|
|
|
* Checks for permission-code CMS_ACCESS_SecurityAdmin. |
|
429
|
|
|
* If the group has ADMIN permissions, it requires the user to have ADMIN permissions as well. |
|
430
|
|
|
* |
|
431
|
|
|
* @param $member Member |
|
432
|
|
|
* @return boolean |
|
433
|
|
|
*/ |
|
434
|
|
|
public function canEdit($member = null) { |
|
435
|
|
|
if(!$member || !(is_a($member, 'SilverStripe\\Security\\Member')) || is_numeric($member)) $member = Member::currentUser(); |
|
436
|
|
|
|
|
437
|
|
|
// extended access checks |
|
438
|
|
|
$results = $this->extend('canEdit', $member); |
|
439
|
|
|
if($results && is_array($results)) if(!min($results)) return false; |
|
|
|
|
|
|
440
|
|
|
|
|
441
|
|
|
if( |
|
442
|
|
|
// either we have an ADMIN |
|
443
|
|
|
(bool)Permission::checkMember($member, "ADMIN") |
|
444
|
|
|
|| ( |
|
445
|
|
|
// or a privileged CMS user and a group without ADMIN permissions. |
|
446
|
|
|
// without this check, a user would be able to add himself to an administrators group |
|
447
|
|
|
// with just access to the "Security" admin interface |
|
448
|
|
|
Permission::checkMember($member, "CMS_ACCESS_SecurityAdmin") && |
|
449
|
|
|
!Permission::get()->filter(array('GroupID' => $this->ID, 'Code' => 'ADMIN'))->exists() |
|
450
|
|
|
) |
|
451
|
|
|
) { |
|
452
|
|
|
return true; |
|
453
|
|
|
} |
|
454
|
|
|
|
|
455
|
|
|
return false; |
|
456
|
|
|
} |
|
457
|
|
|
|
|
458
|
|
|
/** |
|
459
|
|
|
* Checks for permission-code CMS_ACCESS_SecurityAdmin. |
|
460
|
|
|
* |
|
461
|
|
|
* @param $member Member |
|
462
|
|
|
* @return boolean |
|
463
|
|
|
*/ |
|
464
|
|
|
public function canView($member = null) { |
|
465
|
|
|
if(!$member || !(is_a($member, 'SilverStripe\\Security\\Member')) || is_numeric($member)) $member = Member::currentUser(); |
|
466
|
|
|
|
|
467
|
|
|
// extended access checks |
|
468
|
|
|
$results = $this->extend('canView', $member); |
|
469
|
|
|
if($results && is_array($results)) if(!min($results)) return false; |
|
|
|
|
|
|
470
|
|
|
|
|
471
|
|
|
// user needs access to CMS_ACCESS_SecurityAdmin |
|
472
|
|
|
if(Permission::checkMember($member, "CMS_ACCESS_SecurityAdmin")) return true; |
|
473
|
|
|
|
|
474
|
|
|
return false; |
|
475
|
|
|
} |
|
476
|
|
|
|
|
477
|
|
|
public function canDelete($member = null) { |
|
478
|
|
|
if(!$member || !(is_a($member, 'SilverStripe\\Security\\Member')) || is_numeric($member)) $member = Member::currentUser(); |
|
479
|
|
|
|
|
480
|
|
|
// extended access checks |
|
481
|
|
|
$results = $this->extend('canDelete', $member); |
|
482
|
|
|
if($results && is_array($results)) if(!min($results)) return false; |
|
|
|
|
|
|
483
|
|
|
|
|
484
|
|
|
return $this->canEdit($member); |
|
485
|
|
|
} |
|
486
|
|
|
|
|
487
|
|
|
/** |
|
488
|
|
|
* Returns all of the children for the CMS Tree. |
|
489
|
|
|
* Filters to only those groups that the current user can edit |
|
490
|
|
|
*/ |
|
491
|
|
|
public function AllChildrenIncludingDeleted() { |
|
492
|
|
|
$extInstance = $this->getExtensionInstance('SilverStripe\\ORM\\Hierarchy\\Hierarchy'); |
|
493
|
|
|
$extInstance->setOwner($this); |
|
494
|
|
|
$children = $extInstance->AllChildrenIncludingDeleted(); |
|
495
|
|
|
$extInstance->clearOwner(); |
|
496
|
|
|
|
|
497
|
|
|
$filteredChildren = new ArrayList(); |
|
498
|
|
|
|
|
499
|
|
|
if($children) foreach($children as $child) { |
|
500
|
|
|
if($child->canView()) $filteredChildren->push($child); |
|
501
|
|
|
} |
|
502
|
|
|
|
|
503
|
|
|
return $filteredChildren; |
|
504
|
|
|
} |
|
505
|
|
|
|
|
506
|
|
|
/** |
|
507
|
|
|
* Add default records to database. |
|
508
|
|
|
* |
|
509
|
|
|
* This function is called whenever the database is built, after the |
|
510
|
|
|
* database tables have all been created. |
|
511
|
|
|
*/ |
|
512
|
|
|
public function requireDefaultRecords() { |
|
513
|
|
|
parent::requireDefaultRecords(); |
|
514
|
|
|
|
|
515
|
|
|
// Add default author group if no other group exists |
|
516
|
|
|
$allGroups = DataObject::get('SilverStripe\\Security\\Group'); |
|
517
|
|
|
if(!$allGroups->count()) { |
|
518
|
|
|
$authorGroup = new Group(); |
|
519
|
|
|
$authorGroup->Code = 'content-authors'; |
|
520
|
|
|
$authorGroup->Title = _t('Group.DefaultGroupTitleContentAuthors', 'Content Authors'); |
|
521
|
|
|
$authorGroup->Sort = 1; |
|
522
|
|
|
$authorGroup->write(); |
|
523
|
|
|
Permission::grant($authorGroup->ID, 'CMS_ACCESS_CMSMain'); |
|
524
|
|
|
Permission::grant($authorGroup->ID, 'CMS_ACCESS_AssetAdmin'); |
|
525
|
|
|
Permission::grant($authorGroup->ID, 'CMS_ACCESS_ReportAdmin'); |
|
526
|
|
|
Permission::grant($authorGroup->ID, 'SITETREE_REORGANISE'); |
|
527
|
|
|
} |
|
528
|
|
|
|
|
529
|
|
|
// Add default admin group if none with permission code ADMIN exists |
|
530
|
|
|
$adminGroups = Permission::get_groups_by_permission('ADMIN'); |
|
531
|
|
|
if(!$adminGroups->count()) { |
|
532
|
|
|
$adminGroup = new Group(); |
|
533
|
|
|
$adminGroup->Code = 'administrators'; |
|
534
|
|
|
$adminGroup->Title = _t('Group.DefaultGroupTitleAdministrators', 'Administrators'); |
|
535
|
|
|
$adminGroup->Sort = 0; |
|
536
|
|
|
$adminGroup->write(); |
|
537
|
|
|
Permission::grant($adminGroup->ID, 'ADMIN'); |
|
538
|
|
|
} |
|
539
|
|
|
|
|
540
|
|
|
// Members are populated through Member->requireDefaultRecords() |
|
541
|
|
|
} |
|
542
|
|
|
|
|
543
|
|
|
} |
|
544
|
|
|
|
silverstripe /
silverstripe-framework
Loading history...
This check looks for accesses to local static members using the fully qualified name instead of
self::.While this is perfectly valid, the fully qualified name of
Certificate::TRIPLEDES_CBCcould just as well be replaced byself::TRIPLEDES_CBC. Referencing local members withself::assured the access will still work when the class is renamed, makes it perfectly clear that the member is in fact local and will usually be shorter.