GroupSubsites::providePermissions() - Code Metrics - silverstripe/silverstripe-subsites - Measure and Improve Code Quality continuously with Scrutinizer

GroupSubsites::providePermissions() A
last analyzed 2019-11-27 14:30 UTC

↳ Parent: GroupSubsites

Complexity

Conditions	1
Paths	1

Size

Total Lines	14
Code Lines	10

Duplication

Lines	0
Ratio	0 %

Importance

Changes

Metric	Value
cc	1
eloc	10
nc	1
nop	0
dl	0
loc	14
rs	9.9332
c	0
b	0
f	0

<?php

namespace SilverStripe\Subsites\Extensions;

use SilverStripe\Control\Cookie;
use SilverStripe\Core\Convert;
use SilverStripe\Forms\CheckboxSetField;
use SilverStripe\Forms\FieldList;
use SilverStripe\Forms\OptionsetField;
use SilverStripe\Forms\ReadonlyField;
use SilverStripe\ORM\DataExtension;
use SilverStripe\ORM\DataObject;
use SilverStripe\ORM\DataQuery;
use SilverStripe\ORM\DB;
use SilverStripe\ORM\Queries\SQLSelect;
use SilverStripe\Security\Group;
use SilverStripe\Security\PermissionProvider;
use SilverStripe\Subsites\Model\Subsite;
use SilverStripe\Subsites\State\SubsiteState;

/**
 * Extension for the Group object to add subsites support
 *
 * @package subsites
 */
class GroupSubsites extends DataExtension implements PermissionProvider
{
    private static $db = [

        'AccessAllSubsites' => 'Boolean'
    ];

    private static $many_many = [

        'Subsites' => Subsite::class
    ];

    private static $defaults = [

        'AccessAllSubsites' => true
    ];

    /**
     * Migrations for GroupSubsites data.
     */
    public function requireDefaultRecords()
    {
        if (!$this->owner) {
            return;
        }
        // Migration for Group.SubsiteID data from when Groups only had a single subsite
        $schema = DataObject::getSchema();
        $groupTable = Convert::raw2sql($schema->tableName(Group::class));
        $groupFields = DB::field_list($groupTable);

        // Detection of SubsiteID field is the trigger for old-style-subsiteID migration
        if (isset($groupFields['SubsiteID'])) {
            // Migrate subsite-specific data
            DB::query('INSERT INTO "Group_Subsites" ("GroupID", "SubsiteID")
				SELECT "ID", "SubsiteID" FROM "' . $groupTable . '" WHERE "SubsiteID" > 0');

            // Migrate global-access data
            DB::query('UPDATE "' . $groupTable . '" SET "AccessAllSubsites" = 1 WHERE "SubsiteID" = 0');

            // Move the field out of the way so that this migration doesn't get executed again
            DB::get_schema()->renameField($groupTable, 'SubsiteID', '_obsolete_SubsiteID');

            // No subsite access on anything means that we've just installed the subsites module.
            // Make all previous groups global-access groups
        } else {
            if (!DB::query('SELECT "Group"."ID" FROM "' . $groupTable . '"
			LEFT JOIN "Group_Subsites" ON "Group_Subsites"."GroupID" = "Group"."ID" AND "Group_Subsites"."SubsiteID" > 0
			WHERE "AccessAllSubsites" = 1
			OR "Group_Subsites"."GroupID" IS NOT NULL ')->value()
            ) {
                DB::query('UPDATE "' . $groupTable . '" SET "AccessAllSubsites" = 1');
            }
        }
    }

    public function updateCMSFields(FieldList $fields)
    {
        if ($this->owner->canEdit()) {
            // i18n tab
            $fields->findOrMakeTab('Root.Subsites', _t(__CLASS__ . '.SECURITYTABTITLE', 'Subsites'));

            $subsites = Subsite::accessible_sites(['ADMIN', 'SECURITY_SUBSITE_GROUP'], true);
            $subsiteMap = $subsites->map();

            // Prevent XSS injection
            $subsiteMap = Convert::raw2xml($subsiteMap->toArray());

            // Interface is different if you have the rights to modify subsite group values on
            // all subsites
            if (isset($subsiteMap[0])) {
                $fields->addFieldToTab('Root.Subsites', new OptionsetField(
                    'AccessAllSubsites',
                    _t(__CLASS__ . '.ACCESSRADIOTITLE', 'Give this group access to'),
                    [
                        1 => _t(__CLASS__ . '.ACCESSALL', 'All subsites'),
                        0 => _t(__CLASS__ . '.ACCESSONLY', 'Only these subsites'),
                    ]
                ));

                unset($subsiteMap[0]);
                $fields->addFieldToTab('Root.Subsites', new CheckboxSetField(
                    'Subsites',
                    '',
                    $subsiteMap
                ));
            } else {
                if (sizeof($subsiteMap) <= 1) {
                    $fields->addFieldToTab('Root.Subsites', new ReadonlyField(
                        'SubsitesHuman',
                        _t(__CLASS__ . '.ACCESSRADIOTITLE', 'Give this group access to'),
                        reset($subsiteMap)
                    ));
                } else {
                    $fields->addFieldToTab('Root.Subsites', new CheckboxSetField(
                        'Subsites',
                        _t(__CLASS__ . '.ACCESSRADIOTITLE', 'Give this group access to'),
                        $subsiteMap
                    ));
                }
            }
        }
    }

    /**
     * If this group belongs to a subsite, append the subsites title to the group title to make it easy to
     * distinguish in the tree-view of the security admin interface.
     *
     * @param string $title
     */
    public function updateTreeTitle(&$title)
    {
        if ($this->owner->AccessAllSubsites) {
            $title = _t(__CLASS__ . '.GlobalGroup', 'global group');
            $title = htmlspecialchars($this->owner->Title, ENT_QUOTES) . ' <i>(' . $title . ')</i>';
        } else {
            $subsites = Convert::raw2xml(implode(', ', $this->owner->Subsites()->column('Title')));
            $title = htmlspecialchars($this->owner->Title) . " <i>($subsites)</i>";
        }
    }

    /**
     * Update any requests to limit the results to the current site
     * @param SQLSelect $query
     * @param DataQuery|null $dataQuery
     */
    public function augmentSQL(SQLSelect $query, DataQuery $dataQuery = null)
    {
        if (Subsite::$disable_subsite_filter) {
            return;
        }
        if (Cookie::get('noSubsiteFilter') == 'true') {
            return;
        }
        if ($dataQuery && $dataQuery->getQueryParam('Subsite.filter') === false) {

            return;
        }

        // If you're querying by ID, ignore the sub-site - this is a bit ugly...
        if (!$query->filtersOnID()) {
            $subsiteID = SubsiteState::singleton()->getSubsiteId();
            if ($subsiteID === null) {
                return;
            }

            // Don't filter by Group_Subsites if we've already done that
            $hasGroupSubsites = false;
            foreach ($query->getFrom() as $item) {
                if ((is_array($item) && strpos(
                    $item['table'],
                    'Group_Subsites'
                ) !== false) || (!is_array($item) && strpos(
                    $item,
                    'Group_Subsites'
                ) !== false)
                ) {
                    $hasGroupSubsites = true;
                    break;
                }
            }

            if (!$hasGroupSubsites) {
                if ($subsiteID) {
                    $query->addLeftJoin('Group_Subsites', "\"Group_Subsites\".\"GroupID\"
                        = \"Group\".\"ID\" AND \"Group_Subsites\".\"SubsiteID\" = $subsiteID");
                    $query->addWhere('("Group_Subsites"."SubsiteID" IS NOT NULL OR
                        "Group"."AccessAllSubsites" = 1)');
                } else {
                    $query->addWhere('"Group"."AccessAllSubsites" = 1');
                }
            }

            // WORKAROUND for databases that complain about an ORDER BY when the column wasn't selected
            // (e.g. SQL Server)
            $select = $query->getSelect();
            if (isset($select[0]) && !$select[0] == 'COUNT(*)') {
                $query->addOrderBy('AccessAllSubsites', 'DESC');
            }
        }
    }

    public function onBeforeWrite()
    {
        // New record test approximated by checking whether the ID has changed.
        // Note also that the after write test is only used when we're *not* on a subsite
        if ($this->owner->isChanged('ID') && !SubsiteState::singleton()->getSubsiteId()) {
            $this->owner->AccessAllSubsites = 1;
        }
    }

    public function onAfterWrite()
    {
        // New record test approximated by checking whether the ID has changed.
        // Note also that the after write test is only used when we're on a subsite
        if ($this->owner->isChanged('ID') && $currentSubsiteID = SubsiteState::singleton()->getSubsiteId()) {
            $subsites = $this->owner->Subsites();
            $subsites->add($currentSubsiteID);
        }
    }

    public function alternateCanEdit()
    {
        // Find the sites that this group belongs to and the sites where we have appropriate perm.
        $accessibleSites = Subsite::accessible_sites('CMS_ACCESS_SecurityAdmin')->column('ID');
        $linkedSites = $this->owner->Subsites()->column('ID');

        // We are allowed to access this site if at we have CMS_ACCESS_SecurityAdmin permission on
        // at least one of the sites
        return (bool)array_intersect($accessibleSites, $linkedSites);
    }

    public function providePermissions()
    {
        return [
            'SECURITY_SUBSITE_GROUP' => [
                'name' => _t(__CLASS__ . '.MANAGE_SUBSITES', 'Manage subsites for groups'),
                'category' => _t(
                    'SilverStripe\\Security\\Permission.PERMISSIONS_CATEGORY',
                    'Roles and access permissions'
                ),
                'help' => _t(
                    __CLASS__ . '.MANAGE_SUBSITES_HELP',
                    'Ability to limit the permissions for a group to one or more subsites.'
                ),
                'sort' => 200
            ]
        ];
    }
}


1			<?php
2
3			namespace SilverStripe\Subsites\Extensions;
4
5			use SilverStripe\Control\Cookie;
6			use SilverStripe\Core\Convert;
7			use SilverStripe\Forms\CheckboxSetField;
8			use SilverStripe\Forms\FieldList;
9			use SilverStripe\Forms\OptionsetField;
10			use SilverStripe\Forms\ReadonlyField;
11			use SilverStripe\ORM\DataExtension;
12			use SilverStripe\ORM\DataObject;
13			use SilverStripe\ORM\DataQuery;
14			use SilverStripe\ORM\DB;
15			use SilverStripe\ORM\Queries\SQLSelect;
16			use SilverStripe\Security\Group;
17			use SilverStripe\Security\PermissionProvider;
18			use SilverStripe\Subsites\Model\Subsite;
19			use SilverStripe\Subsites\State\SubsiteState;
20
21			/**
22			* Extension for the Group object to add subsites support
23			*
24			* @package subsites
25			*/
26			class GroupSubsites extends DataExtension implements PermissionProvider
27			{
28			private static $db = [
			0 ignored issues – show introduced 2017-12-04 02:38 UTC by Report Bug Copy Issue Report The private property `$db` is not used, and could be removed. Loading history...
29			'AccessAllSubsites' => 'Boolean'
30			];
31
32			private static $many_many = [
			0 ignored issues – show introduced 2017-12-04 02:38 UTC by Report Bug Copy Issue Report The private property `$many_many` is not used, and could be removed. Loading history...
33			'Subsites' => Subsite::class
34			];
35
36			private static $defaults = [
			0 ignored issues – show introduced 2017-12-04 02:38 UTC by Report Bug Copy Issue Report The private property `$defaults` is not used, and could be removed. Loading history...
37			'AccessAllSubsites' => true
38			];
39
40			/**
41			* Migrations for GroupSubsites data.
42			*/
43			public function requireDefaultRecords()
44			{
45			if (!$this->owner) {
46			return;
47			}
48			// Migration for Group.SubsiteID data from when Groups only had a single subsite
49			$schema = DataObject::getSchema();
50			$groupTable = Convert::raw2sql($schema->tableName(Group::class));
51			$groupFields = DB::field_list($groupTable);
52
53			// Detection of SubsiteID field is the trigger for old-style-subsiteID migration
54			if (isset($groupFields['SubsiteID'])) {
55			// Migrate subsite-specific data
56			DB::query('INSERT INTO "Group_Subsites" ("GroupID", "SubsiteID")
57			SELECT "ID", "SubsiteID" FROM "' . $groupTable . '" WHERE "SubsiteID" > 0');
58
59			// Migrate global-access data
60			DB::query('UPDATE "' . $groupTable . '" SET "AccessAllSubsites" = 1 WHERE "SubsiteID" = 0');
61
62			// Move the field out of the way so that this migration doesn't get executed again
63			DB::get_schema()->renameField($groupTable, 'SubsiteID', '_obsolete_SubsiteID');
64
65			// No subsite access on anything means that we've just installed the subsites module.
66			// Make all previous groups global-access groups
67			} else {
68			if (!DB::query('SELECT "Group"."ID" FROM "' . $groupTable . '"
69			LEFT JOIN "Group_Subsites" ON "Group_Subsites"."GroupID" = "Group"."ID" AND "Group_Subsites"."SubsiteID" > 0
70			WHERE "AccessAllSubsites" = 1
71			OR "Group_Subsites"."GroupID" IS NOT NULL ')->value()
72			) {
73			DB::query('UPDATE "' . $groupTable . '" SET "AccessAllSubsites" = 1');
74			}
75			}
76			}
77
78			public function updateCMSFields(FieldList $fields)
79			{
80			if ($this->owner->canEdit()) {
81			// i18n tab
82			$fields->findOrMakeTab('Root.Subsites', _t(__CLASS__ . '.SECURITYTABTITLE', 'Subsites'));
83
84			$subsites = Subsite::accessible_sites(['ADMIN', 'SECURITY_SUBSITE_GROUP'], true);
85			$subsiteMap = $subsites->map();
86
87			// Prevent XSS injection
88			$subsiteMap = Convert::raw2xml($subsiteMap->toArray());
89
90			// Interface is different if you have the rights to modify subsite group values on
91			// all subsites
92			if (isset($subsiteMap[0])) {
93			$fields->addFieldToTab('Root.Subsites', new OptionsetField(
94			'AccessAllSubsites',
95			_t(__CLASS__ . '.ACCESSRADIOTITLE', 'Give this group access to'),
96			[
97			1 => _t(__CLASS__ . '.ACCESSALL', 'All subsites'),
98			0 => _t(__CLASS__ . '.ACCESSONLY', 'Only these subsites'),
99			]
100			));
101
102			unset($subsiteMap[0]);
103			$fields->addFieldToTab('Root.Subsites', new CheckboxSetField(
104			'Subsites',
105			'',
106			$subsiteMap
107			));
108			} else {
109			if (sizeof($subsiteMap) <= 1) {
110			$fields->addFieldToTab('Root.Subsites', new ReadonlyField(
111			'SubsitesHuman',
112			_t(__CLASS__ . '.ACCESSRADIOTITLE', 'Give this group access to'),
113			reset($subsiteMap)
114			));
115			} else {
116			$fields->addFieldToTab('Root.Subsites', new CheckboxSetField(
117			'Subsites',
118			_t(__CLASS__ . '.ACCESSRADIOTITLE', 'Give this group access to'),
119			$subsiteMap
120			));
121			}
122			}
123			}
124			}
125
126			/**
127			* If this group belongs to a subsite, append the subsites title to the group title to make it easy to
128			* distinguish in the tree-view of the security admin interface.
129			*
130			* @param string $title
131			*/
132			public function updateTreeTitle(&$title)
133			{
134			if ($this->owner->AccessAllSubsites) {
135			$title = _t(__CLASS__ . '.GlobalGroup', 'global group');
136			$title = htmlspecialchars($this->owner->Title, ENT_QUOTES) . ' <i>(' . $title . ')</i>';
137			} else {
138			$subsites = Convert::raw2xml(implode(', ', $this->owner->Subsites()->column('Title')));
139			$title = htmlspecialchars($this->owner->Title) . " <i>($subsites)</i>";
140			}
141			}
142
143			/**
144			* Update any requests to limit the results to the current site
145			* @param SQLSelect $query
146			* @param DataQuery\|null $dataQuery
147			*/
148			public function augmentSQL(SQLSelect $query, DataQuery $dataQuery = null)
149			{
150			if (Subsite::$disable_subsite_filter) {
151			return;
152			}
153			if (Cookie::get('noSubsiteFilter') == 'true') {
154			return;
155			}
156			if ($dataQuery && $dataQuery->getQueryParam('Subsite.filter') === false) {
			0 ignored issues – show introduced 2018-10-19 14:33 UTC by Report Bug Copy Issue Report The condition `$dataQuery->getQueryPara...site.filter') === false` is always `false`. Loading history...
157			return;
158			}
159
160			// If you're querying by ID, ignore the sub-site - this is a bit ugly...
161			if (!$query->filtersOnID()) {
162			$subsiteID = SubsiteState::singleton()->getSubsiteId();
163			if ($subsiteID === null) {
164			return;
165			}
166
167			// Don't filter by Group_Subsites if we've already done that
168			$hasGroupSubsites = false;
169			foreach ($query->getFrom() as $item) {
170			if ((is_array($item) && strpos(
171			$item['table'],
172			'Group_Subsites'
173			) !== false) \|\| (!is_array($item) && strpos(
174			$item,
175			'Group_Subsites'
176			) !== false)
177			) {
178			$hasGroupSubsites = true;
179			break;
180			}
181			}
182
183			if (!$hasGroupSubsites) {
184			if ($subsiteID) {
185			$query->addLeftJoin('Group_Subsites', "\"Group_Subsites\".\"GroupID\"
186			= \"Group\".\"ID\" AND \"Group_Subsites\".\"SubsiteID\" = $subsiteID");
187			$query->addWhere('("Group_Subsites"."SubsiteID" IS NOT NULL OR
188			"Group"."AccessAllSubsites" = 1)');
189			} else {
190			$query->addWhere('"Group"."AccessAllSubsites" = 1');
191			}
192			}
193
194			// WORKAROUND for databases that complain about an ORDER BY when the column wasn't selected
195			// (e.g. SQL Server)
196			$select = $query->getSelect();
197			if (isset($select[0]) && !$select[0] == 'COUNT(*)') {
198			$query->addOrderBy('AccessAllSubsites', 'DESC');
199			}
200			}
201			}
202
203			public function onBeforeWrite()
204			{
205			// New record test approximated by checking whether the ID has changed.
206			// Note also that the after write test is only used when we're not on a subsite
207			if ($this->owner->isChanged('ID') && !SubsiteState::singleton()->getSubsiteId()) {
208			$this->owner->AccessAllSubsites = 1;
209			}
210			}
211
212			public function onAfterWrite()
213			{
214			// New record test approximated by checking whether the ID has changed.
215			// Note also that the after write test is only used when we're on a subsite
216			if ($this->owner->isChanged('ID') && $currentSubsiteID = SubsiteState::singleton()->getSubsiteId()) {
217			$subsites = $this->owner->Subsites();
218			$subsites->add($currentSubsiteID);
219			}
220			}
221
222			public function alternateCanEdit()
223			{
224			// Find the sites that this group belongs to and the sites where we have appropriate perm.
225			$accessibleSites = Subsite::accessible_sites('CMS_ACCESS_SecurityAdmin')->column('ID');
226			$linkedSites = $this->owner->Subsites()->column('ID');
227
228			// We are allowed to access this site if at we have CMS_ACCESS_SecurityAdmin permission on
229			// at least one of the sites
230			return (bool)array_intersect($accessibleSites, $linkedSites);
231			}
232
233			public function providePermissions()
234			{
235			return [
236			'SECURITY_SUBSITE_GROUP' => [
237			'name' => _t(__CLASS__ . '.MANAGE_SUBSITES', 'Manage subsites for groups'),
238			'category' => _t(
239			'SilverStripe\\Security\\Permission.PERMISSIONS_CATEGORY',
240			'Roles and access permissions'
241			),
242			'help' => _t(
243			__CLASS__ . '.MANAGE_SUBSITES_HELP',
244			'Ability to limit the permissions for a group to one or more subsites.'
245			),
246			'sort' => 200
247			]
248			];
249			}
250			}
251

silverstripe / silverstripe-subsites

GroupSubsites::providePermissions() A last analyzed 2019-11-27 14:30 UTC

Complexity

Size

Duplication

Importance

Duplication Side-by-Side

Filter issues like

GroupSubsites::providePermissions() A
last analyzed 2019-11-27 14:30 UTC