diff --git a/code/DevCheckController.php b/code/DevCheckController.php index 6c9884b..caadb15 100644 --- a/code/DevCheckController.php +++ b/code/DevCheckController.php @@ -2,9 +2,8 @@ class DevCheckController extends Controller { function index() { - if(!Permission::check("ADMIN")) return Security::permissionFailure(); - $e = new EnvironmentChecker('check', 'Environment status'); + $e->init(); return $e; } } diff --git a/code/DevHealthController.php b/code/DevHealthController.php index 273d107..157e4ea 100644 --- a/code/DevHealthController.php +++ b/code/DevHealthController.php @@ -3,6 +3,7 @@ class DevHealthController extends Controller { function index() { $e = new EnvironmentChecker('health', 'Site health'); + $e->init(); $e->setErrorCode(404); return $e; } diff --git a/code/EnvironmentChecker.php b/code/EnvironmentChecker.php index c251722..d844fc8 100644 --- a/code/EnvironmentChecker.php +++ b/code/EnvironmentChecker.php @@ -31,14 +31,32 @@ class EnvironmentChecker extends RequestHandler { function init() { parent::init(); + if(!$this->canAccess()) return Security::permissionFailure($this); + } + + function canAccess($member = null) { + if(!$member) $member = Member::currentUser(); + // We allow access to this controller regardless of live-status or ADMIN permission only // if on CLI. Access to this controller is always allowed in "dev-mode", or of the user is ADMIN. - $canAccess = (Director::isDev() + if( + Director::isDev() || Director::is_cli() - // Its important that we don't run this check if dev/build was requested - || Permission::check("ADMIN") - ); - if(!$canAccess) return Security::permissionFailure($this); + || Permission::checkMember($member, "ADMIN") + ) { + return true; + } + + // Extended access checks. + // "Veto" style, return NULL to abstain vote. + $canExtended = null; + $results = $this->extend('canAccess', $member); + if($results && is_array($results)) { + if(!min($results)) return false; + else return true; + } + + return false; } function index() {