mirror of
https://github.com/silverstripe/silverstripe-cms
synced 2024-10-22 08:05:56 +02:00
API Refactor inherited permissions (#1811)
This commit is contained in:
parent
fc2219dc72
commit
23e1aa8c45
@ -39,7 +39,7 @@ before_script:
|
|||||||
|
|
||||||
# Install composer dependencies
|
# Install composer dependencies
|
||||||
- composer install --prefer-dist
|
- composer install --prefer-dist
|
||||||
- composer require --update-with-dependencies silverstripe/framework:4.0.x-dev silverstripe/config:1.0.x-dev silverstripe/admin:1.0.x-dev silverstripe/assets:1.0.x-dev silverstripe/versioned:1.0.x-dev --prefer-dist
|
- composer require --update-with-dependencies silverstripe/framework:4.0.x-dev silverstripe/siteconfig:4.0.x-dev silverstripe/config:1.0.x-dev silverstripe/admin:1.0.x-dev silverstripe/assets:1.0.x-dev silverstripe/versioned:1.0.x-dev --prefer-dist
|
||||||
- if [[ $DB == PGSQL ]]; then composer require silverstripe/postgresql:2.0.x-dev --prefer-dist; fi
|
- if [[ $DB == PGSQL ]]; then composer require silverstripe/postgresql:2.0.x-dev --prefer-dist; fi
|
||||||
- if [[ $DB == SQLITE ]]; then composer require silverstripe/sqlite3:2.0.x-dev --prefer-dist; fi
|
- if [[ $DB == SQLITE ]]; then composer require silverstripe/sqlite3:2.0.x-dev --prefer-dist; fi
|
||||||
|
|
||||||
|
13
_config/permissions.yml
Normal file
13
_config/permissions.yml
Normal file
@ -0,0 +1,13 @@
|
|||||||
|
---
|
||||||
|
Name: sitetreepermissions
|
||||||
|
---
|
||||||
|
SilverStripe\Core\Injector\Injector:
|
||||||
|
SilverStripe\Security\PermissionChecker.sitetree:
|
||||||
|
class: SilverStripe\Security\InheritedPermissions
|
||||||
|
constructor:
|
||||||
|
BaseClass: SilverStripe\CMS\Model\SiteTree
|
||||||
|
properties:
|
||||||
|
DefaultPermissions: %$SilverStripe\SiteConfig\SiteConfigPagePermissions
|
||||||
|
GlobalEditPermissions:
|
||||||
|
- CMS_ACCESS_LeftAndMain
|
||||||
|
- CMS_ACCESS_CMSMain
|
@ -53,6 +53,7 @@ use SilverStripe\ORM\HiddenClass;
|
|||||||
use SilverStripe\ORM\Hierarchy\MarkedSet;
|
use SilverStripe\ORM\Hierarchy\MarkedSet;
|
||||||
use SilverStripe\ORM\SS_List;
|
use SilverStripe\ORM\SS_List;
|
||||||
use SilverStripe\ORM\ValidationResult;
|
use SilverStripe\ORM\ValidationResult;
|
||||||
|
use SilverStripe\Security\InheritedPermissions;
|
||||||
use SilverStripe\SiteConfig\SiteConfig;
|
use SilverStripe\SiteConfig\SiteConfig;
|
||||||
use SilverStripe\Versioned\Versioned;
|
use SilverStripe\Versioned\Versioned;
|
||||||
use SilverStripe\Security\Member;
|
use SilverStripe\Security\Member;
|
||||||
@ -466,11 +467,13 @@ class CMSMain extends LeftAndMain implements CurrentPageIdentifier, PermissionPr
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Pre-cache permissions
|
// Pre-cache permissions
|
||||||
SiteTree::prepopulate_permission_cache(
|
$checker = SiteTree::getPermissionChecker();
|
||||||
'CanEditType',
|
if ($checker instanceof InheritedPermissions) {
|
||||||
$markingSet->markedNodeIDs(),
|
$checker->prePopulatePermissionCache(
|
||||||
[ SiteTree::class, 'can_edit_multiple']
|
InheritedPermissions::EDIT,
|
||||||
);
|
$markingSet->markedNodeIDs()
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
// Render using full-subtree template
|
// Render using full-subtree template
|
||||||
return $markingSet->renderChildren(
|
return $markingSet->renderChildren(
|
||||||
|
@ -4,6 +4,7 @@ namespace SilverStripe\CMS\Model;
|
|||||||
|
|
||||||
use Page;
|
use Page;
|
||||||
use SilverStripe\CampaignAdmin\AddToCampaignHandler_FormAction;
|
use SilverStripe\CampaignAdmin\AddToCampaignHandler_FormAction;
|
||||||
|
use SilverStripe\Core\Injector\Injector;
|
||||||
use SilverStripe\ORM\CMSPreviewable;
|
use SilverStripe\ORM\CMSPreviewable;
|
||||||
use SilverStripe\CMS\Controllers\CMSPageEditController;
|
use SilverStripe\CMS\Controllers\CMSPageEditController;
|
||||||
use SilverStripe\CMS\Controllers\ContentController;
|
use SilverStripe\CMS\Controllers\ContentController;
|
||||||
@ -46,9 +47,11 @@ use SilverStripe\ORM\DataObject;
|
|||||||
use SilverStripe\ORM\DB;
|
use SilverStripe\ORM\DB;
|
||||||
use SilverStripe\ORM\HiddenClass;
|
use SilverStripe\ORM\HiddenClass;
|
||||||
use SilverStripe\ORM\Hierarchy\Hierarchy;
|
use SilverStripe\ORM\Hierarchy\Hierarchy;
|
||||||
use SilverStripe\ORM\Hierarchy\MarkedSet;
|
|
||||||
use SilverStripe\ORM\ManyManyList;
|
use SilverStripe\ORM\ManyManyList;
|
||||||
use SilverStripe\ORM\ValidationResult;
|
use SilverStripe\ORM\ValidationResult;
|
||||||
|
use SilverStripe\Security\InheritedPermissions;
|
||||||
|
use SilverStripe\Security\InheritedPermissionsExtension;
|
||||||
|
use SilverStripe\Security\PermissionChecker;
|
||||||
use SilverStripe\Versioned\Versioned;
|
use SilverStripe\Versioned\Versioned;
|
||||||
use SilverStripe\Security\Group;
|
use SilverStripe\Security\Group;
|
||||||
use SilverStripe\Security\Member;
|
use SilverStripe\Security\Member;
|
||||||
@ -83,8 +86,6 @@ use Subsite;
|
|||||||
* @property string ShowInSearch
|
* @property string ShowInSearch
|
||||||
* @property string Sort Integer value denoting the sort order.
|
* @property string Sort Integer value denoting the sort order.
|
||||||
* @property string ReportClass
|
* @property string ReportClass
|
||||||
* @property string CanViewType Type of restriction for viewing this object.
|
|
||||||
* @property string CanEditType Type of restriction for editing this object.
|
|
||||||
*
|
*
|
||||||
* @method ManyManyList ViewerGroups() List of groups that can view this object.
|
* @method ManyManyList ViewerGroups() List of groups that can view this object.
|
||||||
* @method ManyManyList EditorGroups() List of groups that can edit this object.
|
* @method ManyManyList EditorGroups() List of groups that can edit this object.
|
||||||
@ -93,6 +94,7 @@ use Subsite;
|
|||||||
* @mixin Hierarchy
|
* @mixin Hierarchy
|
||||||
* @mixin Versioned
|
* @mixin Versioned
|
||||||
* @mixin SiteTreeLinkTracking
|
* @mixin SiteTreeLinkTracking
|
||||||
|
* @mixin InheritedPermissionsExtension
|
||||||
*/
|
*/
|
||||||
class SiteTree extends DataObject implements PermissionProvider, i18nEntityProvider, CMSPreviewable, Resettable
|
class SiteTree extends DataObject implements PermissionProvider, i18nEntityProvider, CMSPreviewable, Resettable
|
||||||
{
|
{
|
||||||
@ -183,19 +185,12 @@ class SiteTree extends DataObject implements PermissionProvider, i18nEntityProvi
|
|||||||
"HasBrokenFile" => "Boolean",
|
"HasBrokenFile" => "Boolean",
|
||||||
"HasBrokenLink" => "Boolean",
|
"HasBrokenLink" => "Boolean",
|
||||||
"ReportClass" => "Varchar",
|
"ReportClass" => "Varchar",
|
||||||
"CanViewType" => "Enum('Anyone, LoggedInUsers, OnlyTheseUsers, Inherit', 'Inherit')",
|
|
||||||
"CanEditType" => "Enum('LoggedInUsers, OnlyTheseUsers, Inherit', 'Inherit')",
|
|
||||||
);
|
);
|
||||||
|
|
||||||
private static $indexes = array(
|
private static $indexes = array(
|
||||||
"URLSegment" => true,
|
"URLSegment" => true,
|
||||||
);
|
);
|
||||||
|
|
||||||
private static $many_many = array(
|
|
||||||
"ViewerGroups" => Group::class,
|
|
||||||
"EditorGroups" => Group::class,
|
|
||||||
);
|
|
||||||
|
|
||||||
private static $has_many = array(
|
private static $has_many = array(
|
||||||
"VirtualPages" => "SilverStripe\\CMS\\Model\\VirtualPage.CopyContentFrom"
|
"VirtualPages" => "SilverStripe\\CMS\\Model\\VirtualPage.CopyContentFrom"
|
||||||
);
|
);
|
||||||
@ -219,8 +214,6 @@ class SiteTree extends DataObject implements PermissionProvider, i18nEntityProvi
|
|||||||
private static $defaults = array(
|
private static $defaults = array(
|
||||||
"ShowInMenus" => 1,
|
"ShowInMenus" => 1,
|
||||||
"ShowInSearch" => 1,
|
"ShowInSearch" => 1,
|
||||||
"CanViewType" => "Inherit",
|
|
||||||
"CanEditType" => "Inherit"
|
|
||||||
);
|
);
|
||||||
|
|
||||||
private static $table_name = 'SiteTree';
|
private static $table_name = 'SiteTree';
|
||||||
@ -252,6 +245,7 @@ class SiteTree extends DataObject implements PermissionProvider, i18nEntityProvi
|
|||||||
Hierarchy::class,
|
Hierarchy::class,
|
||||||
Versioned::class,
|
Versioned::class,
|
||||||
SiteTreeLinkTracking::class,
|
SiteTreeLinkTracking::class,
|
||||||
|
InheritedPermissionsExtension::class,
|
||||||
];
|
];
|
||||||
|
|
||||||
private static $searchable_fields = array(
|
private static $searchable_fields = array(
|
||||||
@ -278,14 +272,6 @@ class SiteTree extends DataObject implements PermissionProvider, i18nEntityProvi
|
|||||||
*/
|
*/
|
||||||
private static $runCMSFieldsExtensions = true;
|
private static $runCMSFieldsExtensions = true;
|
||||||
|
|
||||||
/**
|
|
||||||
* Cache for canView/Edit/Publish/Delete permissions.
|
|
||||||
* Keyed by permission type (e.g. 'edit'), with an array
|
|
||||||
* of IDs mapped to their boolean permission ability (true=allow, false=deny).
|
|
||||||
* See {@link batch_permission_check()} for details.
|
|
||||||
*/
|
|
||||||
private static $cache_permissions = array();
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @config
|
* @config
|
||||||
* @var boolean
|
* @var boolean
|
||||||
@ -935,8 +921,8 @@ class SiteTree extends DataObject implements PermissionProvider, i18nEntityProvi
|
|||||||
*/
|
*/
|
||||||
public function can($perm, $member = null, $context = array())
|
public function can($perm, $member = null, $context = array())
|
||||||
{
|
{
|
||||||
if (!$member || !($member instanceof Member) || is_numeric($member)) {
|
if (!$member) {
|
||||||
$member = Member::currentUserID();
|
$member = Member::currentUser();
|
||||||
}
|
}
|
||||||
|
|
||||||
if ($member && Permission::checkMember($member, "ADMIN")) {
|
if ($member && Permission::checkMember($member, "ADMIN")) {
|
||||||
@ -981,8 +967,8 @@ class SiteTree extends DataObject implements PermissionProvider, i18nEntityProvi
|
|||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!$member || !($member instanceof Member) || is_numeric($member)) {
|
if (!$member) {
|
||||||
$member = Member::currentUserID();
|
$member = Member::currentUser();
|
||||||
}
|
}
|
||||||
|
|
||||||
// Standard mechanism for accepting permission changes from extensions
|
// Standard mechanism for accepting permission changes from extensions
|
||||||
@ -1012,13 +998,13 @@ class SiteTree extends DataObject implements PermissionProvider, i18nEntityProvi
|
|||||||
* @uses DataExtension->canView()
|
* @uses DataExtension->canView()
|
||||||
* @uses ViewerGroups()
|
* @uses ViewerGroups()
|
||||||
*
|
*
|
||||||
* @param Member|int $member
|
* @param Member $member
|
||||||
* @return bool True if the current user can view this page
|
* @return bool True if the current user can view this page
|
||||||
*/
|
*/
|
||||||
public function canView($member = null)
|
public function canView($member = null)
|
||||||
{
|
{
|
||||||
if (!$member || !($member instanceof Member) || is_numeric($member)) {
|
if (!$member) {
|
||||||
$member = Member::currentUserID();
|
$member = Member::currentUser();
|
||||||
}
|
}
|
||||||
|
|
||||||
// Standard mechanism for accepting permission changes from extensions
|
// Standard mechanism for accepting permission changes from extensions
|
||||||
@ -1037,13 +1023,16 @@ class SiteTree extends DataObject implements PermissionProvider, i18nEntityProvi
|
|||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Note: getInheritedPermissions() is disused in this instance
|
||||||
|
// to allow parent canView extensions to influence subpage canView()
|
||||||
|
|
||||||
// check for empty spec
|
// check for empty spec
|
||||||
if (!$this->CanViewType || $this->CanViewType == 'Anyone') {
|
if (!$this->CanViewType || $this->CanViewType === InheritedPermissions::ANYONE) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
// check for inherit
|
// check for inherit
|
||||||
if ($this->CanViewType == 'Inherit') {
|
if ($this->CanViewType === InheritedPermissions::INHERIT) {
|
||||||
if ($this->ParentID) {
|
if ($this->ParentID) {
|
||||||
return $this->Parent()->canView($member);
|
return $this->Parent()->canView($member);
|
||||||
} else {
|
} else {
|
||||||
@ -1052,15 +1041,12 @@ class SiteTree extends DataObject implements PermissionProvider, i18nEntityProvi
|
|||||||
}
|
}
|
||||||
|
|
||||||
// check for any logged-in users
|
// check for any logged-in users
|
||||||
if ($this->CanViewType == 'LoggedInUsers' && $member) {
|
if ($this->CanViewType === InheritedPermissions::LOGGED_IN_USERS && $member && $member->ID) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
// check for specific groups
|
// check for specific groups
|
||||||
if ($member && is_numeric($member)) {
|
if ($this->CanViewType === InheritedPermissions::ONLY_THESE_USERS
|
||||||
$member = DataObject::get_by_id(Member::class, $member);
|
|
||||||
}
|
|
||||||
if ($this->CanViewType == 'OnlyTheseUsers'
|
|
||||||
&& $member
|
&& $member
|
||||||
&& $member->inGroups($this->ViewerGroups())
|
&& $member->inGroups($this->ViewerGroups())
|
||||||
) {
|
) {
|
||||||
@ -1114,31 +1100,28 @@ class SiteTree extends DataObject implements PermissionProvider, i18nEntityProvi
|
|||||||
*/
|
*/
|
||||||
public function canDelete($member = null)
|
public function canDelete($member = null)
|
||||||
{
|
{
|
||||||
if ($member instanceof Member) {
|
if (!$member) {
|
||||||
$memberID = $member->ID;
|
$member = Member::currentUser();
|
||||||
} elseif (is_numeric($member)) {
|
|
||||||
$memberID = $member;
|
|
||||||
} else {
|
|
||||||
$memberID = Member::currentUserID();
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Standard mechanism for accepting permission changes from extensions
|
// Standard mechanism for accepting permission changes from extensions
|
||||||
$extended = $this->extendedCan('canDelete', $memberID);
|
$extended = $this->extendedCan('canDelete', $member);
|
||||||
if ($extended !== null) {
|
if ($extended !== null) {
|
||||||
return $extended;
|
return $extended;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (!$member) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
// Default permission check
|
// Default permission check
|
||||||
if ($memberID && Permission::checkMember($memberID, array("ADMIN", "SITETREE_EDIT_ALL"))) {
|
if (Permission::checkMember($member, array("ADMIN", "SITETREE_EDIT_ALL"))) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Regular canEdit logic is handled by can_edit_multiple
|
// Check inherited permissions
|
||||||
$results = self::can_delete_multiple(array($this->ID), $memberID);
|
return static::getPermissionChecker()
|
||||||
|
->canDelete($this->ID, $member);
|
||||||
// If this page no longer exists in stage/live results won't contain the page.
|
|
||||||
// Fail-over to false
|
|
||||||
return isset($results[$this->ID]) ? $results[$this->ID] : false;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -1161,8 +1144,8 @@ class SiteTree extends DataObject implements PermissionProvider, i18nEntityProvi
|
|||||||
*/
|
*/
|
||||||
public function canCreate($member = null, $context = array())
|
public function canCreate($member = null, $context = array())
|
||||||
{
|
{
|
||||||
if (!$member || !(is_a($member, Member::class)) || is_numeric($member)) {
|
if (!$member) {
|
||||||
$member = Member::currentUserID();
|
$member = Member::currentUser();
|
||||||
}
|
}
|
||||||
|
|
||||||
// Check parent (custom canCreate option for SiteTree)
|
// Check parent (custom canCreate option for SiteTree)
|
||||||
@ -1215,37 +1198,24 @@ class SiteTree extends DataObject implements PermissionProvider, i18nEntityProvi
|
|||||||
*/
|
*/
|
||||||
public function canEdit($member = null)
|
public function canEdit($member = null)
|
||||||
{
|
{
|
||||||
if ($member instanceof Member) {
|
if (!$member) {
|
||||||
$memberID = $member->ID;
|
$member = Member::currentUser();
|
||||||
} elseif (is_numeric($member)) {
|
|
||||||
$memberID = $member;
|
|
||||||
} else {
|
|
||||||
$memberID = Member::currentUserID();
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Standard mechanism for accepting permission changes from extensions
|
// Standard mechanism for accepting permission changes from extensions
|
||||||
$extended = $this->extendedCan('canEdit', $memberID);
|
$extended = $this->extendedCan('canEdit', $member);
|
||||||
if ($extended !== null) {
|
if ($extended !== null) {
|
||||||
return $extended;
|
return $extended;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Default permissions
|
// Default permissions
|
||||||
if ($memberID && Permission::checkMember($memberID, array("ADMIN", "SITETREE_EDIT_ALL"))) {
|
if (Permission::checkMember($member, "SITETREE_EDIT_ALL")) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
if ($this->ID) {
|
// Check inherited permissions
|
||||||
// Regular canEdit logic is handled by can_edit_multiple
|
return static::getPermissionChecker()
|
||||||
$results = self::can_edit_multiple(array($this->ID), $memberID);
|
->canEdit($this->ID, $member);
|
||||||
|
|
||||||
// If this page no longer exists in stage/live results won't contain the page.
|
|
||||||
// Fail-over to false
|
|
||||||
return isset($results[$this->ID]) ? $results[$this->ID] : false;
|
|
||||||
|
|
||||||
// Default for unsaved pages
|
|
||||||
} else {
|
|
||||||
return $this->getSiteConfig()->canEditPages($member);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -1264,265 +1234,11 @@ class SiteTree extends DataObject implements PermissionProvider, i18nEntityProvi
|
|||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Pre-populate the cache of canEdit, canView, canDelete, canPublish permissions. This method will use the static
|
* @return PermissionChecker
|
||||||
* can_(perm)_multiple method for efficiency.
|
|
||||||
*
|
|
||||||
* @param string $permission The permission: edit, view, publish, approve, etc.
|
|
||||||
* @param array $ids An array of page IDs
|
|
||||||
* @param callable|string $batchCallback The function/static method to call to calculate permissions. Defaults
|
|
||||||
* to 'SiteTree::can_(permission)_multiple'
|
|
||||||
*/
|
*/
|
||||||
public static function prepopulate_permission_cache($permission = 'CanEditType', $ids = [], $batchCallback = null)
|
public static function getPermissionChecker()
|
||||||
{
|
{
|
||||||
if (!$batchCallback) {
|
return Injector::inst()->get(PermissionChecker::class.'.sitetree');
|
||||||
$batchCallback = self::class . "::can_{$permission}_multiple";
|
|
||||||
}
|
|
||||||
|
|
||||||
if (is_callable($batchCallback)) {
|
|
||||||
call_user_func($batchCallback, $ids, Member::currentUserID(), false);
|
|
||||||
} else {
|
|
||||||
user_error("SiteTree::prepopulate_permission_cache can't calculate '$permission' "
|
|
||||||
. "with callback '$batchCallback'", E_USER_WARNING);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* This method is NOT a full replacement for the individual can*() methods, e.g. {@link canEdit()}. Rather than
|
|
||||||
* checking (potentially slow) PHP logic, it relies on the database group associations, e.g. the "CanEditType" field
|
|
||||||
* plus the "SiteTree_EditorGroups" many-many table. By batch checking multiple records, we can combine the queries
|
|
||||||
* efficiently.
|
|
||||||
*
|
|
||||||
* Caches based on $typeField data. To invalidate the cache, use {@link SiteTree::reset()} or set the $useCached
|
|
||||||
* property to FALSE.
|
|
||||||
*
|
|
||||||
* @param array $ids Of {@link SiteTree} IDs
|
|
||||||
* @param int $memberID Member ID
|
|
||||||
* @param string $typeField A property on the data record, e.g. "CanEditType".
|
|
||||||
* @param string $groupJoinTable A many-many table name on this record, e.g. "SiteTree_EditorGroups"
|
|
||||||
* @param string $siteConfigMethod Method to call on {@link SiteConfig} for toplevel items, e.g. "canEdit"
|
|
||||||
* @param string $globalPermission If the member doesn't have this permission code, don't bother iterating deeper
|
|
||||||
* @param bool $useCached
|
|
||||||
* @return array An map of {@link SiteTree} ID keys to boolean values
|
|
||||||
*/
|
|
||||||
public static function batch_permission_check(
|
|
||||||
$ids,
|
|
||||||
$memberID,
|
|
||||||
$typeField,
|
|
||||||
$groupJoinTable,
|
|
||||||
$siteConfigMethod,
|
|
||||||
$globalPermission = null,
|
|
||||||
$useCached = true
|
|
||||||
) {
|
|
||||||
if ($globalPermission === null) {
|
|
||||||
$globalPermission = array('CMS_ACCESS_LeftAndMain', 'CMS_ACCESS_CMSMain');
|
|
||||||
}
|
|
||||||
|
|
||||||
// Sanitise the IDs
|
|
||||||
$ids = array_filter($ids, 'is_numeric');
|
|
||||||
|
|
||||||
// This is the name used on the permission cache
|
|
||||||
// converts something like 'CanEditType' to 'edit'.
|
|
||||||
$cacheKey = strtolower(substr($typeField, 3, -4)) . "-$memberID";
|
|
||||||
|
|
||||||
// Default result: nothing editable
|
|
||||||
$result = array_fill_keys($ids, false);
|
|
||||||
if ($ids) {
|
|
||||||
// Look in the cache for values
|
|
||||||
if ($useCached && isset(self::$cache_permissions[$cacheKey])) {
|
|
||||||
$cachedValues = array_intersect_key(self::$cache_permissions[$cacheKey], $result);
|
|
||||||
|
|
||||||
// If we can't find everything in the cache, then look up the remainder separately
|
|
||||||
$uncachedValues = array_diff_key($result, self::$cache_permissions[$cacheKey]);
|
|
||||||
if ($uncachedValues) {
|
|
||||||
$cachedValues = self::batch_permission_check(array_keys($uncachedValues), $memberID, $typeField, $groupJoinTable, $siteConfigMethod, $globalPermission, false) + $cachedValues;
|
|
||||||
}
|
|
||||||
return $cachedValues;
|
|
||||||
}
|
|
||||||
|
|
||||||
// If a member doesn't have a certain permission then they can't edit anything
|
|
||||||
if (!$memberID || ($globalPermission && !Permission::checkMember($memberID, $globalPermission))) {
|
|
||||||
return $result;
|
|
||||||
}
|
|
||||||
|
|
||||||
// Placeholder for parameterised ID list
|
|
||||||
$idPlaceholders = DB::placeholders($ids);
|
|
||||||
|
|
||||||
// If page can't be viewed, don't grant edit permissions to do - implement can_view_multiple(), so this can
|
|
||||||
// be enabled
|
|
||||||
//$ids = array_keys(array_filter(self::can_view_multiple($ids, $memberID)));
|
|
||||||
|
|
||||||
// Get the groups that the given member belongs to
|
|
||||||
/** @var Member $member */
|
|
||||||
$member = DataObject::get_by_id(Member::class, $memberID);
|
|
||||||
$groupIDs = $member->Groups()->column("ID");
|
|
||||||
$SQL_groupList = implode(", ", $groupIDs);
|
|
||||||
if (!$SQL_groupList) {
|
|
||||||
$SQL_groupList = '0';
|
|
||||||
}
|
|
||||||
|
|
||||||
$combinedStageResult = array();
|
|
||||||
|
|
||||||
foreach (array(Versioned::DRAFT, Versioned::LIVE) as $stage) {
|
|
||||||
// Start by filling the array with the pages that actually exist
|
|
||||||
/** @skipUpgrade */
|
|
||||||
$table = ($stage=='Stage') ? "SiteTree" : "SiteTree_$stage";
|
|
||||||
|
|
||||||
if ($ids) {
|
|
||||||
$idQuery = "SELECT \"ID\" FROM \"$table\" WHERE \"ID\" IN ($idPlaceholders)";
|
|
||||||
$stageIds = DB::prepared_query($idQuery, $ids)->column();
|
|
||||||
} else {
|
|
||||||
$stageIds = array();
|
|
||||||
}
|
|
||||||
$result = array_fill_keys($stageIds, false);
|
|
||||||
|
|
||||||
// Get the uninherited permissions
|
|
||||||
$uninheritedPermissions = Versioned::get_by_stage("SilverStripe\\CMS\\Model\\SiteTree", $stage)
|
|
||||||
->where(array(
|
|
||||||
"(\"$typeField\" = 'LoggedInUsers' OR
|
|
||||||
(\"$typeField\" = 'OnlyTheseUsers' AND \"$groupJoinTable\".\"SiteTreeID\" IS NOT NULL))
|
|
||||||
AND \"SiteTree\".\"ID\" IN ($idPlaceholders)"
|
|
||||||
=> $ids
|
|
||||||
))
|
|
||||||
->leftJoin($groupJoinTable, "\"$groupJoinTable\".\"SiteTreeID\" = \"SiteTree\".\"ID\" AND \"$groupJoinTable\".\"GroupID\" IN ($SQL_groupList)");
|
|
||||||
|
|
||||||
if ($uninheritedPermissions) {
|
|
||||||
// Set all the relevant items in $result to true
|
|
||||||
$result = array_fill_keys($uninheritedPermissions->column('ID'), true) + $result;
|
|
||||||
}
|
|
||||||
|
|
||||||
// Get permissions that are inherited
|
|
||||||
$potentiallyInherited = Versioned::get_by_stage(
|
|
||||||
"SilverStripe\\CMS\\Model\\SiteTree",
|
|
||||||
$stage,
|
|
||||||
array("\"$typeField\" = 'Inherit' AND \"SiteTree\".\"ID\" IN ($idPlaceholders)" => $ids)
|
|
||||||
);
|
|
||||||
|
|
||||||
if ($potentiallyInherited) {
|
|
||||||
// Group $potentiallyInherited by ParentID; we'll look at the permission of all those parents and
|
|
||||||
// then see which ones the user has permission on
|
|
||||||
$groupedByParent = array();
|
|
||||||
foreach ($potentiallyInherited as $item) {
|
|
||||||
/** @var SiteTree $item */
|
|
||||||
if ($item->ParentID) {
|
|
||||||
if (!isset($groupedByParent[$item->ParentID])) {
|
|
||||||
$groupedByParent[$item->ParentID] = array();
|
|
||||||
}
|
|
||||||
$groupedByParent[$item->ParentID][] = $item->ID;
|
|
||||||
} else {
|
|
||||||
// Might return different site config based on record context, e.g. when subsites module
|
|
||||||
// is used
|
|
||||||
$siteConfig = $item->getSiteConfig();
|
|
||||||
$result[$item->ID] = $siteConfig->{$siteConfigMethod}($memberID);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if ($groupedByParent) {
|
|
||||||
$actuallyInherited = self::batch_permission_check(array_keys($groupedByParent), $memberID, $typeField, $groupJoinTable, $siteConfigMethod);
|
|
||||||
if ($actuallyInherited) {
|
|
||||||
$parentIDs = array_keys(array_filter($actuallyInherited));
|
|
||||||
foreach ($parentIDs as $parentID) {
|
|
||||||
// Set all the relevant items in $result to true
|
|
||||||
$result = array_fill_keys($groupedByParent[$parentID], true) + $result;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
$combinedStageResult = $combinedStageResult + $result;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if (isset($combinedStageResult)) {
|
|
||||||
// Cache the results
|
|
||||||
if (empty(self::$cache_permissions[$cacheKey])) {
|
|
||||||
self::$cache_permissions[$cacheKey] = array();
|
|
||||||
}
|
|
||||||
self::$cache_permissions[$cacheKey] = $combinedStageResult + self::$cache_permissions[$cacheKey];
|
|
||||||
return $combinedStageResult;
|
|
||||||
} else {
|
|
||||||
return array();
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Get the 'can edit' information for a number of SiteTree pages.
|
|
||||||
*
|
|
||||||
* @param array $ids An array of IDs of the SiteTree pages to look up
|
|
||||||
* @param int $memberID ID of member
|
|
||||||
* @param bool $useCached Return values from the permission cache if they exist
|
|
||||||
* @return array A map where the IDs are keys and the values are booleans stating whether the given page can be
|
|
||||||
* edited
|
|
||||||
*/
|
|
||||||
public static function can_edit_multiple($ids, $memberID, $useCached = true)
|
|
||||||
{
|
|
||||||
return self::batch_permission_check($ids, $memberID, 'CanEditType', 'SiteTree_EditorGroups', 'canEditPages', null, $useCached);
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Get the 'can edit' information for a number of SiteTree pages.
|
|
||||||
*
|
|
||||||
* @param array $ids An array of IDs of the SiteTree pages to look up
|
|
||||||
* @param int $memberID ID of member
|
|
||||||
* @param bool $useCached Return values from the permission cache if they exist
|
|
||||||
* @return array
|
|
||||||
*/
|
|
||||||
public static function can_delete_multiple($ids, $memberID, $useCached = true)
|
|
||||||
{
|
|
||||||
$deletable = array();
|
|
||||||
$result = array_fill_keys($ids, false);
|
|
||||||
$cacheKey = "delete-$memberID";
|
|
||||||
|
|
||||||
// Look in the cache for values
|
|
||||||
if ($useCached && isset(self::$cache_permissions[$cacheKey])) {
|
|
||||||
$cachedValues = array_intersect_key(self::$cache_permissions[$cacheKey], $result);
|
|
||||||
|
|
||||||
// If we can't find everything in the cache, then look up the remainder separately
|
|
||||||
$uncachedValues = array_diff_key($result, self::$cache_permissions[$cacheKey]);
|
|
||||||
if ($uncachedValues) {
|
|
||||||
$cachedValues = self::can_delete_multiple(array_keys($uncachedValues), $memberID, false)
|
|
||||||
+ $cachedValues;
|
|
||||||
}
|
|
||||||
return $cachedValues;
|
|
||||||
}
|
|
||||||
|
|
||||||
// You can only delete pages that you can edit
|
|
||||||
$editableIDs = array_keys(array_filter(self::can_edit_multiple($ids, $memberID)));
|
|
||||||
if ($editableIDs) {
|
|
||||||
// You can only delete pages whose children you can delete
|
|
||||||
$editablePlaceholders = DB::placeholders($editableIDs);
|
|
||||||
$childRecords = SiteTree::get()->where(array(
|
|
||||||
"\"SiteTree\".\"ParentID\" IN ($editablePlaceholders)" => $editableIDs
|
|
||||||
));
|
|
||||||
if ($childRecords) {
|
|
||||||
$children = $childRecords->map("ID", "ParentID");
|
|
||||||
|
|
||||||
// Find out the children that can be deleted
|
|
||||||
$deletableChildren = self::can_delete_multiple($children->keys(), $memberID);
|
|
||||||
|
|
||||||
// Get a list of all the parents that have no undeletable children
|
|
||||||
$deletableParents = array_fill_keys($editableIDs, true);
|
|
||||||
foreach ($deletableChildren as $id => $canDelete) {
|
|
||||||
if (!$canDelete) {
|
|
||||||
unset($deletableParents[$children[$id]]);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// Use that to filter the list of deletable parents that have children
|
|
||||||
$deletableParents = array_keys($deletableParents);
|
|
||||||
|
|
||||||
// Also get the $ids that don't have children
|
|
||||||
$parents = array_unique($children->values());
|
|
||||||
$deletableLeafNodes = array_diff($editableIDs, $parents);
|
|
||||||
|
|
||||||
// Combine the two
|
|
||||||
$deletable = array_merge($deletableParents, $deletableLeafNodes);
|
|
||||||
} else {
|
|
||||||
$deletable = $editableIDs;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// Convert the array of deletable IDs into a map of the original IDs with true/false as the value
|
|
||||||
return array_fill_keys($deletable, true) + array_fill_keys($ids, false);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -2283,29 +1999,32 @@ class SiteTree extends DataObject implements PermissionProvider, i18nEntityProvi
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
$viewersOptionsSource = array();
|
$viewersOptionsSource = [
|
||||||
$viewersOptionsSource["Inherit"] = _t(__CLASS__.'.INHERIT', "Inherit from parent page");
|
InheritedPermissions::INHERIT => _t(__CLASS__.'.INHERIT', "Inherit from parent page"),
|
||||||
$viewersOptionsSource["Anyone"] = _t(__CLASS__.'.ACCESSANYONE', "Anyone");
|
InheritedPermissions::ANYONE => _t(__CLASS__.'.ACCESSANYONE', "Anyone"),
|
||||||
$viewersOptionsSource["LoggedInUsers"] = _t(__CLASS__.'.ACCESSLOGGEDIN', "Logged-in users");
|
InheritedPermissions::LOGGED_IN_USERS => _t(__CLASS__.'.ACCESSLOGGEDIN', "Logged-in users"),
|
||||||
$viewersOptionsSource["OnlyTheseUsers"] = _t(__CLASS__.'.ACCESSONLYTHESE', "Only these people (choose from list)");
|
InheritedPermissions::ONLY_THESE_USERS => _t(
|
||||||
|
__CLASS__.'.ACCESSONLYTHESE',
|
||||||
|
"Only these people (choose from list)"
|
||||||
|
),
|
||||||
|
];
|
||||||
$viewersOptionsField->setSource($viewersOptionsSource);
|
$viewersOptionsField->setSource($viewersOptionsSource);
|
||||||
|
|
||||||
$editorsOptionsSource = array();
|
// Editors have same options, except no "Anyone"
|
||||||
$editorsOptionsSource["Inherit"] = _t(__CLASS__.'.INHERIT', "Inherit from parent page");
|
$editorsOptionsSource = $viewersOptionsSource;
|
||||||
$editorsOptionsSource["LoggedInUsers"] = _t(__CLASS__.'.EDITANYONE', "Anyone who can log-in to the CMS");
|
unset($editorsOptionsSource[InheritedPermissions::ANYONE]);
|
||||||
$editorsOptionsSource["OnlyTheseUsers"] = _t(__CLASS__.'.EDITONLYTHESE', "Only these people (choose from list)");
|
|
||||||
$editorsOptionsField->setSource($editorsOptionsSource);
|
$editorsOptionsField->setSource($editorsOptionsSource);
|
||||||
|
|
||||||
if (!Permission::check('SITETREE_GRANT_ACCESS')) {
|
if (!Permission::check('SITETREE_GRANT_ACCESS')) {
|
||||||
$fields->makeFieldReadonly($viewersOptionsField);
|
$fields->makeFieldReadonly($viewersOptionsField);
|
||||||
if ($this->CanViewType == 'OnlyTheseUsers') {
|
if ($this->CanEditType === InheritedPermissions::ONLY_THESE_USERS) {
|
||||||
$fields->makeFieldReadonly($viewerGroupsField);
|
$fields->makeFieldReadonly($viewerGroupsField);
|
||||||
} else {
|
} else {
|
||||||
$fields->removeByName('ViewerGroups');
|
$fields->removeByName('ViewerGroups');
|
||||||
}
|
}
|
||||||
|
|
||||||
$fields->makeFieldReadonly($editorsOptionsField);
|
$fields->makeFieldReadonly($editorsOptionsField);
|
||||||
if ($this->CanEditType == 'OnlyTheseUsers') {
|
if ($this->CanEditType === InheritedPermissions::ONLY_THESE_USERS) {
|
||||||
$fields->makeFieldReadonly($editorGroupsField);
|
$fields->makeFieldReadonly($editorGroupsField);
|
||||||
} else {
|
} else {
|
||||||
$fields->removeByName('EditorGroups');
|
$fields->removeByName('EditorGroups');
|
||||||
@ -3138,11 +2857,9 @@ class SiteTree extends DataObject implements PermissionProvider, i18nEntityProvi
|
|||||||
*/
|
*/
|
||||||
public static function reset()
|
public static function reset()
|
||||||
{
|
{
|
||||||
self::$cache_permissions = array();
|
$permissions = static::getPermissionChecker();
|
||||||
}
|
if ($permissions instanceof InheritedPermissions) {
|
||||||
|
$permissions->clearCache();
|
||||||
public static function on_db_reset()
|
}
|
||||||
{
|
|
||||||
self::$cache_permissions = array();
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -247,7 +247,7 @@ class VirtualPage extends Page
|
|||||||
);
|
);
|
||||||
}
|
}
|
||||||
if ($this->CopyContentFromID
|
if ($this->CopyContentFromID
|
||||||
&& !Versioned::get_versionnumber_by_stage('SilverStripe\\CMS\\Model\\SiteTree', 'Live', $this->CopyContentFromID)
|
&& !Versioned::get_versionnumber_by_stage(SiteTree::class, Versioned::LIVE, $this->CopyContentFromID)
|
||||||
) {
|
) {
|
||||||
$msgs[] = _t(
|
$msgs[] = _t(
|
||||||
'SilverStripe\\CMS\\Model\\SiteTree.VIRTUALPAGEDRAFTWARNING',
|
'SilverStripe\\CMS\\Model\\SiteTree.VIRTUALPAGEDRAFTWARNING',
|
||||||
|
@ -94,8 +94,8 @@ class SiteTreePermissionsTest extends FunctionalTest
|
|||||||
|
|
||||||
// Test can_edit_multiple
|
// Test can_edit_multiple
|
||||||
$this->assertEquals(
|
$this->assertEquals(
|
||||||
array($pageID => true),
|
[ $pageID => true ],
|
||||||
SiteTree::can_edit_multiple(array($pageID), $member->ID)
|
SiteTree::getPermissionChecker()->canEditMultiple([$pageID], $member)
|
||||||
);
|
);
|
||||||
|
|
||||||
// Test canEdit
|
// Test canEdit
|
||||||
@ -117,8 +117,8 @@ class SiteTreePermissionsTest extends FunctionalTest
|
|||||||
|
|
||||||
// Test can_edit_multiple
|
// Test can_edit_multiple
|
||||||
$this->assertEquals(
|
$this->assertEquals(
|
||||||
array($pageID => true),
|
[ $pageID => true ],
|
||||||
SiteTree::can_edit_multiple(array($pageID), $member->ID)
|
SiteTree::getPermissionChecker()->canEditMultiple([$pageID], $member)
|
||||||
);
|
);
|
||||||
|
|
||||||
// Test canEdit
|
// Test canEdit
|
||||||
|
@ -6,6 +6,7 @@ use SilverStripe\CMS\Model\VirtualPage;
|
|||||||
use SilverStripe\Control\ContentNegotiator;
|
use SilverStripe\Control\ContentNegotiator;
|
||||||
use SilverStripe\Control\Controller;
|
use SilverStripe\Control\Controller;
|
||||||
use SilverStripe\ORM\DB;
|
use SilverStripe\ORM\DB;
|
||||||
|
use SilverStripe\Security\InheritedPermissions;
|
||||||
use SilverStripe\Versioned\Versioned;
|
use SilverStripe\Versioned\Versioned;
|
||||||
use SilverStripe\ORM\DataObject;
|
use SilverStripe\ORM\DataObject;
|
||||||
use SilverStripe\ORM\ValidationException;
|
use SilverStripe\ORM\ValidationException;
|
||||||
@ -670,8 +671,11 @@ class SiteTreeTest extends SapphireTest
|
|||||||
$page->CanEditType = 'OnlyTheseUsers';
|
$page->CanEditType = 'OnlyTheseUsers';
|
||||||
$page->EditorGroups()->add($this->idFromFixture(Group::class, 'editors'));
|
$page->EditorGroups()->add($this->idFromFixture(Group::class, 'editors'));
|
||||||
$page->write();
|
$page->write();
|
||||||
|
|
||||||
// Clear permission cache
|
// Clear permission cache
|
||||||
SiteTree::on_db_reset();
|
/** @var InheritedPermissions $checker */
|
||||||
|
$checker = SiteTree::getPermissionChecker();
|
||||||
|
$checker->clearCache();
|
||||||
|
|
||||||
// Confirm that Member.editor can now edit the page
|
// Confirm that Member.editor can now edit the page
|
||||||
$this->objFromFixture(Member::class, 'editor')->logIn();
|
$this->objFromFixture(Member::class, 'editor')->logIn();
|
||||||
|
Loading…
Reference in New Issue
Block a user