2017-05-11 11:07:27 +02:00
|
|
|
<?php
|
|
|
|
|
|
|
|
namespace SilverStripe\Security;
|
|
|
|
|
|
|
|
use InvalidArgumentException;
|
|
|
|
use SilverStripe\Core\Injector\Injectable;
|
|
|
|
use SilverStripe\ORM\DataList;
|
|
|
|
use SilverStripe\ORM\DataObject;
|
|
|
|
use SilverStripe\ORM\Hierarchy\Hierarchy;
|
|
|
|
use SilverStripe\Versioned\Versioned;
|
2017-12-04 02:23:14 +01:00
|
|
|
use Psr\SimpleCache\CacheInterface;
|
2017-12-07 04:15:55 +01:00
|
|
|
use SilverStripe\Core\Cache\MemberCacheFlusher;
|
2017-12-11 05:49:23 +01:00
|
|
|
|
2017-05-11 11:07:27 +02:00
|
|
|
/**
|
|
|
|
* Calculates batch permissions for nested objects for:
|
|
|
|
* - canView: Supports 'Anyone' type
|
|
|
|
* - canEdit
|
|
|
|
* - canDelete: Includes special logic for ensuring parent objects can only be deleted if their children can
|
|
|
|
* be deleted also.
|
|
|
|
*/
|
2017-12-07 04:15:55 +01:00
|
|
|
class InheritedPermissions implements PermissionChecker, MemberCacheFlusher
|
2017-05-11 11:07:27 +02:00
|
|
|
{
|
|
|
|
use Injectable;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Delete permission
|
|
|
|
*/
|
|
|
|
const DELETE = 'delete';
|
|
|
|
|
|
|
|
/**
|
|
|
|
* View permission
|
|
|
|
*/
|
|
|
|
const VIEW = 'view';
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Edit permission
|
|
|
|
*/
|
|
|
|
const EDIT = 'edit';
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Anyone canView permission
|
|
|
|
*/
|
|
|
|
const ANYONE = 'Anyone';
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Restrict to logged in users
|
|
|
|
*/
|
|
|
|
const LOGGED_IN_USERS = 'LoggedInUsers';
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Restrict to specific groups
|
|
|
|
*/
|
|
|
|
const ONLY_THESE_USERS = 'OnlyTheseUsers';
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Inherit from parent
|
|
|
|
*/
|
|
|
|
const INHERIT = 'Inherit';
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Class name
|
|
|
|
*
|
|
|
|
* @var string
|
|
|
|
*/
|
|
|
|
protected $baseClass = null;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Object for evaluating top level permissions designed as "Inherit"
|
|
|
|
*
|
|
|
|
* @var DefaultPermissionChecker
|
|
|
|
*/
|
|
|
|
protected $defaultPermissions = null;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Global permissions required to edit.
|
|
|
|
* If empty no global permissions are required
|
|
|
|
*
|
|
|
|
* @var array
|
|
|
|
*/
|
|
|
|
protected $globalEditPermissions = [];
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Cache of permissions
|
|
|
|
*
|
|
|
|
* @var array
|
|
|
|
*/
|
|
|
|
protected $cachePermissions = [];
|
|
|
|
|
2017-12-04 02:23:14 +01:00
|
|
|
/**
|
|
|
|
* @var CacheInterface
|
|
|
|
*/
|
|
|
|
protected $cacheService;
|
|
|
|
|
2017-05-11 11:07:27 +02:00
|
|
|
/**
|
|
|
|
* Construct new permissions object
|
|
|
|
*
|
|
|
|
* @param string $baseClass Base class
|
2017-12-04 02:23:14 +01:00
|
|
|
* @param CacheInterface $cache
|
2017-05-11 11:07:27 +02:00
|
|
|
*/
|
2017-12-04 02:23:14 +01:00
|
|
|
public function __construct($baseClass, CacheInterface $cache = null)
|
2017-05-11 11:07:27 +02:00
|
|
|
{
|
|
|
|
if (!is_a($baseClass, DataObject::class, true)) {
|
|
|
|
throw new InvalidArgumentException('Invalid DataObject class: ' . $baseClass);
|
|
|
|
}
|
2017-12-04 02:23:14 +01:00
|
|
|
|
2017-05-11 11:07:27 +02:00
|
|
|
$this->baseClass = $baseClass;
|
2017-12-04 02:23:14 +01:00
|
|
|
$this->cacheService = $cache;
|
|
|
|
|
2017-05-11 11:07:27 +02:00
|
|
|
return $this;
|
|
|
|
}
|
|
|
|
|
2017-12-04 02:23:14 +01:00
|
|
|
/**
|
|
|
|
* Commits the cache
|
|
|
|
*/
|
|
|
|
public function __destruct()
|
|
|
|
{
|
|
|
|
// Ensure back-end cache is updated
|
|
|
|
if (!empty($this->cachePermissions) && $this->cacheService) {
|
|
|
|
foreach ($this->cachePermissions as $key => $permissions) {
|
|
|
|
$this->cacheService->set($key, $permissions);
|
|
|
|
}
|
|
|
|
// Prevent double-destruct
|
|
|
|
$this->cachePermissions = [];
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Clear the cache for this instance only
|
2017-12-11 05:49:23 +01:00
|
|
|
*
|
|
|
|
* @param array $memberIDs A list of member IDs
|
2017-12-04 02:23:14 +01:00
|
|
|
*/
|
2017-12-07 04:15:55 +01:00
|
|
|
public function flushMemberCache($memberIDs = null)
|
2017-12-04 02:23:14 +01:00
|
|
|
{
|
|
|
|
if (!$this->cacheService) {
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
// Hard flush, e.g. flush=1
|
2017-12-07 04:15:55 +01:00
|
|
|
if (!$memberIDs) {
|
2017-12-04 02:23:14 +01:00
|
|
|
$this->cacheService->clear();
|
|
|
|
}
|
|
|
|
|
2017-12-07 04:15:55 +01:00
|
|
|
if ($memberIDs && is_array($memberIDs)) {
|
2017-12-04 02:23:14 +01:00
|
|
|
foreach ([self::VIEW, self::EDIT, self::DELETE] as $type) {
|
2017-12-07 04:15:55 +01:00
|
|
|
foreach ($memberIDs as $memberID) {
|
2017-12-04 02:23:14 +01:00
|
|
|
$key = $this->generateCacheKey($type, $memberID);
|
|
|
|
$this->cacheService->delete($key);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2017-05-11 11:07:27 +02:00
|
|
|
/**
|
|
|
|
* @param DefaultPermissionChecker $callback
|
|
|
|
* @return $this
|
|
|
|
*/
|
|
|
|
public function setDefaultPermissions(DefaultPermissionChecker $callback)
|
|
|
|
{
|
|
|
|
$this->defaultPermissions = $callback;
|
|
|
|
return $this;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Global permissions required to edit
|
|
|
|
*
|
|
|
|
* @param array $permissions
|
|
|
|
* @return $this
|
|
|
|
*/
|
|
|
|
public function setGlobalEditPermissions($permissions)
|
|
|
|
{
|
|
|
|
$this->globalEditPermissions = $permissions;
|
|
|
|
return $this;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* @return array
|
|
|
|
*/
|
|
|
|
public function getGlobalEditPermissions()
|
|
|
|
{
|
|
|
|
return $this->globalEditPermissions;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Get root permissions handler, or null if no handler
|
|
|
|
*
|
|
|
|
* @return DefaultPermissionChecker|null
|
|
|
|
*/
|
|
|
|
public function getDefaultPermissions()
|
|
|
|
{
|
|
|
|
return $this->defaultPermissions;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Get base class
|
|
|
|
*
|
|
|
|
* @return string
|
|
|
|
*/
|
|
|
|
public function getBaseClass()
|
|
|
|
{
|
|
|
|
return $this->baseClass;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Force pre-calculation of a list of permissions for optimisation
|
|
|
|
*
|
|
|
|
* @param string $permission
|
|
|
|
* @param array $ids
|
|
|
|
*/
|
|
|
|
public function prePopulatePermissionCache($permission = 'edit', $ids = [])
|
|
|
|
{
|
|
|
|
switch ($permission) {
|
|
|
|
case self::EDIT:
|
2017-05-20 06:32:25 +02:00
|
|
|
$this->canEditMultiple($ids, Security::getCurrentUser(), false);
|
2017-05-11 11:07:27 +02:00
|
|
|
break;
|
|
|
|
case self::VIEW:
|
2017-05-20 06:32:25 +02:00
|
|
|
$this->canViewMultiple($ids, Security::getCurrentUser(), false);
|
2017-05-11 11:07:27 +02:00
|
|
|
break;
|
|
|
|
case self::DELETE:
|
2017-05-20 06:32:25 +02:00
|
|
|
$this->canDeleteMultiple($ids, Security::getCurrentUser(), false);
|
2017-05-11 11:07:27 +02:00
|
|
|
break;
|
|
|
|
default:
|
|
|
|
throw new InvalidArgumentException("Invalid permission type $permission");
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* This method is NOT a full replacement for the individual can*() methods, e.g. {@link canEdit()}. Rather than
|
|
|
|
* checking (potentially slow) PHP logic, it relies on the database group associations, e.g. the "CanEditType" field
|
|
|
|
* plus the "SiteTree_EditorGroups" many-many table. By batch checking multiple records, we can combine the queries
|
|
|
|
* efficiently.
|
|
|
|
*
|
|
|
|
* Caches based on $typeField data. To invalidate the cache, use {@link SiteTree::reset()} or set the $useCached
|
|
|
|
* property to FALSE.
|
|
|
|
*
|
|
|
|
* @param string $type Either edit, view, or create
|
|
|
|
* @param array $ids Array of IDs
|
|
|
|
* @param Member $member Member
|
|
|
|
* @param array $globalPermission If the member doesn't have this permission code, don't bother iterating deeper
|
|
|
|
* @param bool $useCached Enables use of cache. Cache will be populated even if this is false.
|
|
|
|
* @return array A map of permissions, keys are ID numbers, and values are boolean permission checks
|
|
|
|
* ID keys to boolean values
|
|
|
|
*/
|
|
|
|
protected function batchPermissionCheck(
|
|
|
|
$type,
|
|
|
|
$ids,
|
|
|
|
Member $member = null,
|
|
|
|
$globalPermission = [],
|
|
|
|
$useCached = true
|
|
|
|
) {
|
|
|
|
// Validate ids
|
2022-04-14 03:12:59 +02:00
|
|
|
$ids = array_filter($ids ?? [], 'is_numeric');
|
2017-05-11 11:07:27 +02:00
|
|
|
if (empty($ids)) {
|
|
|
|
return [];
|
|
|
|
}
|
|
|
|
|
|
|
|
// Default result: nothing editable
|
2022-04-14 03:12:59 +02:00
|
|
|
$result = array_fill_keys($ids ?? [], false);
|
2017-05-11 11:07:27 +02:00
|
|
|
|
|
|
|
// Validate member permission
|
|
|
|
// Only VIEW allows anonymous (Anyone) permissions
|
|
|
|
$memberID = $member ? (int)$member->ID : 0;
|
|
|
|
if (!$memberID && $type !== self::VIEW) {
|
|
|
|
return $result;
|
|
|
|
}
|
|
|
|
|
|
|
|
// Look in the cache for values
|
2017-12-04 02:23:14 +01:00
|
|
|
$cacheKey = $this->generateCacheKey($type, $memberID);
|
|
|
|
$cachePermissions = $this->getCachePermissions($cacheKey);
|
|
|
|
if ($useCached && $cachePermissions) {
|
2022-04-14 03:12:59 +02:00
|
|
|
$cachedValues = array_intersect_key($cachePermissions ?? [], $result);
|
2017-05-11 11:07:27 +02:00
|
|
|
|
|
|
|
// If we can't find everything in the cache, then look up the remainder separately
|
2022-04-14 03:12:59 +02:00
|
|
|
$uncachedIDs = array_keys(array_diff_key($result ?? [], $cachePermissions));
|
2017-05-11 11:07:27 +02:00
|
|
|
if ($uncachedIDs) {
|
|
|
|
$uncachedValues = $this->batchPermissionCheck($type, $uncachedIDs, $member, $globalPermission, false);
|
|
|
|
return $cachedValues + $uncachedValues;
|
|
|
|
}
|
|
|
|
return $cachedValues;
|
|
|
|
}
|
|
|
|
|
|
|
|
// If a member doesn't have a certain permission then they can't edit anything
|
|
|
|
if ($globalPermission && !Permission::checkMember($member, $globalPermission)) {
|
|
|
|
return $result;
|
|
|
|
}
|
|
|
|
|
|
|
|
// Get the groups that the given member belongs to
|
|
|
|
$groupIDsSQLList = '0';
|
|
|
|
if ($memberID) {
|
|
|
|
$groupIDs = $member->Groups()->column("ID");
|
|
|
|
$groupIDsSQLList = implode(", ", $groupIDs) ?: '0';
|
|
|
|
}
|
|
|
|
|
|
|
|
// Check if record is versioned
|
|
|
|
if ($this->isVersioned()) {
|
|
|
|
// Check all records for each stage and merge
|
|
|
|
$combinedStageResult = [];
|
2017-12-04 02:23:14 +01:00
|
|
|
foreach ([Versioned::DRAFT, Versioned::LIVE] as $stage) {
|
2017-05-11 11:07:27 +02:00
|
|
|
$stageRecords = Versioned::get_by_stage($this->getBaseClass(), $stage)
|
|
|
|
->byIDs($ids);
|
|
|
|
// Exclude previously calculated records from later stage calculations
|
|
|
|
if ($combinedStageResult) {
|
2022-04-14 03:12:59 +02:00
|
|
|
$stageRecords = $stageRecords->exclude('ID', array_keys($combinedStageResult ?? []));
|
2017-05-11 11:07:27 +02:00
|
|
|
}
|
|
|
|
$stageResult = $this->batchPermissionCheckForStage(
|
|
|
|
$type,
|
|
|
|
$globalPermission,
|
|
|
|
$stageRecords,
|
|
|
|
$groupIDsSQLList,
|
|
|
|
$member
|
|
|
|
);
|
|
|
|
// Note: Draft stage takes precedence over live, but only if draft exists
|
|
|
|
$combinedStageResult = $combinedStageResult + $stageResult;
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
// Unstaged result
|
|
|
|
$stageRecords = DataObject::get($this->getBaseClass())->byIDs($ids);
|
|
|
|
$combinedStageResult = $this->batchPermissionCheckForStage(
|
|
|
|
$type,
|
|
|
|
$globalPermission,
|
|
|
|
$stageRecords,
|
|
|
|
$groupIDsSQLList,
|
|
|
|
$member
|
|
|
|
);
|
|
|
|
}
|
|
|
|
|
|
|
|
// Cache the results
|
|
|
|
if (empty($this->cachePermissions[$cacheKey])) {
|
|
|
|
$this->cachePermissions[$cacheKey] = [];
|
|
|
|
}
|
|
|
|
if ($combinedStageResult) {
|
|
|
|
$this->cachePermissions[$cacheKey] = $combinedStageResult + $this->cachePermissions[$cacheKey];
|
|
|
|
}
|
2017-12-04 02:23:14 +01:00
|
|
|
|
2017-05-11 11:07:27 +02:00
|
|
|
return $combinedStageResult;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* @param string $type
|
|
|
|
* @param array $globalPermission List of global permissions
|
|
|
|
* @param DataList $stageRecords List of records to check for this stage
|
|
|
|
* @param string $groupIDsSQLList Group IDs this member belongs to
|
|
|
|
* @param Member $member
|
|
|
|
* @return array
|
|
|
|
*/
|
|
|
|
protected function batchPermissionCheckForStage(
|
|
|
|
$type,
|
|
|
|
$globalPermission,
|
|
|
|
DataList $stageRecords,
|
|
|
|
$groupIDsSQLList,
|
|
|
|
Member $member = null
|
|
|
|
) {
|
|
|
|
// Initialise all IDs to false
|
2022-04-14 03:12:59 +02:00
|
|
|
$result = array_fill_keys($stageRecords->column('ID') ?? [], false);
|
2017-05-11 11:07:27 +02:00
|
|
|
|
|
|
|
// Get the uninherited permissions
|
|
|
|
$typeField = $this->getPermissionField($type);
|
2018-10-18 07:18:24 +02:00
|
|
|
$baseTable = DataObject::getSchema()->baseDataTable($this->getBaseClass());
|
|
|
|
|
2017-05-11 11:07:27 +02:00
|
|
|
if ($member && $member->ID) {
|
2019-09-16 07:41:21 +02:00
|
|
|
if (!Permission::checkMember($member, 'ADMIN')) {
|
|
|
|
// Determine if this member matches any of the group or other rules
|
|
|
|
$groupJoinTable = $this->getJoinTable($type);
|
|
|
|
$uninheritedPermissions = $stageRecords
|
|
|
|
->where([
|
|
|
|
"(\"$typeField\" IN (?, ?) OR " . "(\"$typeField\" = ? AND \"$groupJoinTable\".\"{$baseTable}ID\" IS NOT NULL))"
|
|
|
|
=> [
|
|
|
|
self::ANYONE,
|
|
|
|
self::LOGGED_IN_USERS,
|
|
|
|
self::ONLY_THESE_USERS
|
|
|
|
]
|
|
|
|
])
|
|
|
|
->leftJoin(
|
|
|
|
$groupJoinTable,
|
|
|
|
"\"$groupJoinTable\".\"{$baseTable}ID\" = \"{$baseTable}\".\"ID\" AND " . "\"$groupJoinTable\".\"GroupID\" IN ($groupIDsSQLList)"
|
|
|
|
)->column('ID');
|
|
|
|
} else {
|
|
|
|
$uninheritedPermissions = $stageRecords->column('ID');
|
|
|
|
}
|
2017-05-11 11:07:27 +02:00
|
|
|
} else {
|
|
|
|
// Only view pages with ViewType = Anyone if not logged in
|
|
|
|
$uninheritedPermissions = $stageRecords
|
|
|
|
->filter($typeField, self::ANYONE)
|
|
|
|
->column('ID');
|
|
|
|
}
|
|
|
|
|
|
|
|
if ($uninheritedPermissions) {
|
|
|
|
// Set all the relevant items in $result to true
|
2022-04-14 03:12:59 +02:00
|
|
|
$result = array_fill_keys($uninheritedPermissions ?? [], true) + $result;
|
2017-05-11 11:07:27 +02:00
|
|
|
}
|
|
|
|
|
2018-10-18 07:18:24 +02:00
|
|
|
// This looks for any of our subjects who has their permission set to "inherited" in the CMS.
|
|
|
|
// We group these and run a batch permission check on all parents. This gives us the result
|
|
|
|
// of whether the user has permission to edit this object.
|
2017-05-11 11:07:27 +02:00
|
|
|
$groupedByParent = [];
|
2018-10-18 07:18:24 +02:00
|
|
|
$potentiallyInherited = $stageRecords->filter($typeField, self::INHERIT)
|
|
|
|
->sort("\"{$baseTable}\".\"ID\"")
|
|
|
|
->dataQuery()
|
|
|
|
->query()
|
|
|
|
->setSelect([
|
|
|
|
"\"{$baseTable}\".\"ID\"",
|
|
|
|
"\"{$baseTable}\".\"ParentID\""
|
|
|
|
])
|
|
|
|
->execute();
|
|
|
|
|
2017-05-11 11:07:27 +02:00
|
|
|
foreach ($potentiallyInherited as $item) {
|
|
|
|
/** @var DataObject|Hierarchy $item */
|
2018-10-18 07:18:24 +02:00
|
|
|
if ($item['ParentID']) {
|
|
|
|
if (!isset($groupedByParent[$item['ParentID']])) {
|
|
|
|
$groupedByParent[$item['ParentID']] = [];
|
2017-05-11 11:07:27 +02:00
|
|
|
}
|
2018-10-18 07:18:24 +02:00
|
|
|
$groupedByParent[$item['ParentID']][] = $item['ID'];
|
2017-05-11 11:07:27 +02:00
|
|
|
} else {
|
|
|
|
// Fail over to default permission check for Inherit and ParentID = 0
|
2018-10-18 07:18:24 +02:00
|
|
|
$result[$item['ID']] = $this->checkDefaultPermissions($type, $member);
|
2017-05-11 11:07:27 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// Copy permissions from parent to child
|
2018-10-18 07:18:24 +02:00
|
|
|
if (!empty($groupedByParent)) {
|
2017-05-11 11:07:27 +02:00
|
|
|
$actuallyInherited = $this->batchPermissionCheck(
|
|
|
|
$type,
|
2022-04-14 03:12:59 +02:00
|
|
|
array_keys($groupedByParent ?? []),
|
2017-05-11 11:07:27 +02:00
|
|
|
$member,
|
|
|
|
$globalPermission
|
|
|
|
);
|
|
|
|
if ($actuallyInherited) {
|
2022-04-14 03:12:59 +02:00
|
|
|
$parentIDs = array_keys(array_filter($actuallyInherited ?? []));
|
2017-05-11 11:07:27 +02:00
|
|
|
foreach ($parentIDs as $parentID) {
|
|
|
|
// Set all the relevant items in $result to true
|
2022-04-14 03:12:59 +02:00
|
|
|
$result = array_fill_keys($groupedByParent[$parentID] ?? [], true) + $result;
|
2017-05-11 11:07:27 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return $result;
|
|
|
|
}
|
|
|
|
|
2017-12-04 02:23:14 +01:00
|
|
|
/**
|
|
|
|
* @param array $ids
|
|
|
|
* @param Member|null $member
|
|
|
|
* @param bool $useCached
|
|
|
|
* @return array
|
|
|
|
*/
|
2017-05-11 11:07:27 +02:00
|
|
|
public function canEditMultiple($ids, Member $member = null, $useCached = true)
|
|
|
|
{
|
|
|
|
return $this->batchPermissionCheck(
|
|
|
|
self::EDIT,
|
|
|
|
$ids,
|
|
|
|
$member,
|
|
|
|
$this->getGlobalEditPermissions(),
|
|
|
|
$useCached
|
|
|
|
);
|
|
|
|
}
|
|
|
|
|
2017-12-04 02:23:14 +01:00
|
|
|
/**
|
|
|
|
* @param array $ids
|
|
|
|
* @param Member|null $member
|
|
|
|
* @param bool $useCached
|
|
|
|
* @return array
|
|
|
|
*/
|
2017-05-11 11:07:27 +02:00
|
|
|
public function canViewMultiple($ids, Member $member = null, $useCached = true)
|
|
|
|
{
|
|
|
|
return $this->batchPermissionCheck(self::VIEW, $ids, $member, [], $useCached);
|
|
|
|
}
|
|
|
|
|
2017-12-04 02:23:14 +01:00
|
|
|
/**
|
|
|
|
* @param array $ids
|
|
|
|
* @param Member|null $member
|
|
|
|
* @param bool $useCached
|
|
|
|
* @return array
|
|
|
|
*/
|
2017-05-11 11:07:27 +02:00
|
|
|
public function canDeleteMultiple($ids, Member $member = null, $useCached = true)
|
|
|
|
{
|
|
|
|
// Validate ids
|
2022-04-14 03:12:59 +02:00
|
|
|
$ids = array_filter($ids ?? [], 'is_numeric');
|
2017-05-11 11:07:27 +02:00
|
|
|
if (empty($ids)) {
|
|
|
|
return [];
|
|
|
|
}
|
2022-04-14 03:12:59 +02:00
|
|
|
$result = array_fill_keys($ids ?? [], false);
|
2017-05-11 11:07:27 +02:00
|
|
|
|
|
|
|
// Validate member permission
|
|
|
|
if (!$member || !$member->ID) {
|
|
|
|
return $result;
|
|
|
|
}
|
|
|
|
$deletable = [];
|
|
|
|
|
|
|
|
// Look in the cache for values
|
|
|
|
$cacheKey = "delete-{$member->ID}";
|
2017-12-04 02:23:14 +01:00
|
|
|
$cachePermissions = $this->getCachePermissions($cacheKey);
|
|
|
|
if ($useCached && $cachePermissions) {
|
2022-04-14 03:12:59 +02:00
|
|
|
$cachedValues = array_intersect_key($cachePermissions[$cacheKey] ?? [], $result);
|
2017-05-11 11:07:27 +02:00
|
|
|
|
|
|
|
// If we can't find everything in the cache, then look up the remainder separately
|
2022-04-14 03:12:59 +02:00
|
|
|
$uncachedIDs = array_keys(array_diff_key($result ?? [], $cachePermissions[$cacheKey]));
|
2017-05-11 11:07:27 +02:00
|
|
|
if ($uncachedIDs) {
|
|
|
|
$uncachedValues = $this->canDeleteMultiple($uncachedIDs, $member, false);
|
|
|
|
return $cachedValues + $uncachedValues;
|
|
|
|
}
|
|
|
|
return $cachedValues;
|
|
|
|
}
|
|
|
|
|
|
|
|
// You can only delete pages that you can edit
|
2022-04-14 03:12:59 +02:00
|
|
|
$editableIDs = array_keys(array_filter($this->canEditMultiple($ids, $member) ?? []));
|
2017-05-11 11:07:27 +02:00
|
|
|
if ($editableIDs) {
|
|
|
|
// You can only delete pages whose children you can delete
|
|
|
|
$childRecords = DataObject::get($this->baseClass)
|
|
|
|
->filter('ParentID', $editableIDs);
|
|
|
|
|
|
|
|
// Find out the children that can be deleted
|
|
|
|
$children = $childRecords->map("ID", "ParentID");
|
|
|
|
$childIDs = $children->keys();
|
|
|
|
if ($childIDs) {
|
|
|
|
$deletableChildren = $this->canDeleteMultiple($childIDs, $member);
|
|
|
|
|
|
|
|
// Get a list of all the parents that have no undeletable children
|
2022-04-14 03:12:59 +02:00
|
|
|
$deletableParents = array_fill_keys($editableIDs ?? [], true);
|
2017-05-11 11:07:27 +02:00
|
|
|
foreach ($deletableChildren as $id => $canDelete) {
|
|
|
|
if (!$canDelete) {
|
|
|
|
unset($deletableParents[$children[$id]]);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// Use that to filter the list of deletable parents that have children
|
2022-04-14 03:12:59 +02:00
|
|
|
$deletableParents = array_keys($deletableParents ?? []);
|
2017-05-11 11:07:27 +02:00
|
|
|
|
|
|
|
// Also get the $ids that don't have children
|
2022-04-14 03:12:59 +02:00
|
|
|
$parents = array_unique($children->values() ?? []);
|
|
|
|
$deletableLeafNodes = array_diff($editableIDs ?? [], $parents);
|
2017-05-11 11:07:27 +02:00
|
|
|
|
|
|
|
// Combine the two
|
|
|
|
$deletable = array_merge($deletableParents, $deletableLeafNodes);
|
|
|
|
} else {
|
|
|
|
$deletable = $editableIDs;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// Convert the array of deletable IDs into a map of the original IDs with true/false as the value
|
2022-04-14 03:12:59 +02:00
|
|
|
return array_fill_keys($deletable ?? [], true) + array_fill_keys($ids ?? [], false);
|
2017-05-11 11:07:27 +02:00
|
|
|
}
|
|
|
|
|
2017-12-04 02:23:14 +01:00
|
|
|
/**
|
|
|
|
* @param int $id
|
|
|
|
* @param Member|null $member
|
|
|
|
* @return bool|mixed
|
|
|
|
*/
|
2017-05-11 11:07:27 +02:00
|
|
|
public function canDelete($id, Member $member = null)
|
|
|
|
{
|
|
|
|
// No ID: Check default permission
|
|
|
|
if (!$id) {
|
|
|
|
return $this->checkDefaultPermissions(self::DELETE, $member);
|
|
|
|
}
|
|
|
|
|
|
|
|
// Regular canEdit logic is handled by canEditMultiple
|
|
|
|
$results = $this->canDeleteMultiple(
|
2017-12-04 02:23:14 +01:00
|
|
|
[$id],
|
2017-05-11 11:07:27 +02:00
|
|
|
$member
|
|
|
|
);
|
|
|
|
|
|
|
|
// Check if in result
|
|
|
|
return isset($results[$id]) ? $results[$id] : false;
|
|
|
|
}
|
|
|
|
|
2017-12-04 02:23:14 +01:00
|
|
|
/**
|
|
|
|
* @param int $id
|
|
|
|
* @param Member|null $member
|
|
|
|
* @return bool|mixed
|
|
|
|
*/
|
2017-05-11 11:07:27 +02:00
|
|
|
public function canEdit($id, Member $member = null)
|
|
|
|
{
|
|
|
|
// No ID: Check default permission
|
|
|
|
if (!$id) {
|
|
|
|
return $this->checkDefaultPermissions(self::EDIT, $member);
|
|
|
|
}
|
|
|
|
|
|
|
|
// Regular canEdit logic is handled by canEditMultiple
|
|
|
|
$results = $this->canEditMultiple(
|
2017-12-04 02:23:14 +01:00
|
|
|
[$id],
|
2017-05-11 11:07:27 +02:00
|
|
|
$member
|
|
|
|
);
|
|
|
|
|
|
|
|
// Check if in result
|
|
|
|
return isset($results[$id]) ? $results[$id] : false;
|
|
|
|
}
|
|
|
|
|
2017-12-04 02:23:14 +01:00
|
|
|
/**
|
|
|
|
* @param int $id
|
|
|
|
* @param Member|null $member
|
|
|
|
* @return bool|mixed
|
|
|
|
*/
|
2017-05-11 11:07:27 +02:00
|
|
|
public function canView($id, Member $member = null)
|
|
|
|
{
|
|
|
|
// No ID: Check default permission
|
|
|
|
if (!$id) {
|
|
|
|
return $this->checkDefaultPermissions(self::VIEW, $member);
|
|
|
|
}
|
|
|
|
|
|
|
|
// Regular canView logic is handled by canViewMultiple
|
|
|
|
$results = $this->canViewMultiple(
|
2017-12-04 02:23:14 +01:00
|
|
|
[$id],
|
2017-05-11 11:07:27 +02:00
|
|
|
$member
|
|
|
|
);
|
|
|
|
|
|
|
|
// Check if in result
|
|
|
|
return isset($results[$id]) ? $results[$id] : false;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Get field to check for permission type for the given check.
|
|
|
|
* Defaults to those provided by {@see InheritedPermissionsExtension)
|
|
|
|
*
|
|
|
|
* @param string $type
|
|
|
|
* @return string
|
|
|
|
*/
|
|
|
|
protected function getPermissionField($type)
|
|
|
|
{
|
|
|
|
switch ($type) {
|
|
|
|
case self::DELETE:
|
|
|
|
// Delete uses edit type - Drop through
|
|
|
|
case self::EDIT:
|
|
|
|
return 'CanEditType';
|
|
|
|
case self::VIEW:
|
|
|
|
return 'CanViewType';
|
|
|
|
default:
|
|
|
|
throw new InvalidArgumentException("Invalid argument type $type");
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Get join table for type
|
|
|
|
* Defaults to those provided by {@see InheritedPermissionsExtension)
|
|
|
|
*
|
|
|
|
* @param string $type
|
|
|
|
* @return string
|
|
|
|
*/
|
|
|
|
protected function getJoinTable($type)
|
|
|
|
{
|
|
|
|
switch ($type) {
|
|
|
|
case self::DELETE:
|
|
|
|
// Delete uses edit type - Drop through
|
|
|
|
case self::EDIT:
|
|
|
|
return $this->getEditorGroupsTable();
|
|
|
|
case self::VIEW:
|
|
|
|
return $this->getViewerGroupsTable();
|
|
|
|
default:
|
|
|
|
throw new InvalidArgumentException("Invalid argument type $type");
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Determine default permission for a givion check
|
|
|
|
*
|
|
|
|
* @param string $type Method to check
|
|
|
|
* @param Member $member
|
|
|
|
* @return bool
|
|
|
|
*/
|
|
|
|
protected function checkDefaultPermissions($type, Member $member = null)
|
|
|
|
{
|
|
|
|
$defaultPermissions = $this->getDefaultPermissions();
|
|
|
|
if (!$defaultPermissions) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
switch ($type) {
|
|
|
|
case self::VIEW:
|
|
|
|
return $defaultPermissions->canView($member);
|
|
|
|
case self::EDIT:
|
|
|
|
return $defaultPermissions->canEdit($member);
|
|
|
|
case self::DELETE:
|
|
|
|
return $defaultPermissions->canDelete($member);
|
|
|
|
default:
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Check if this model has versioning
|
|
|
|
*
|
|
|
|
* @return bool
|
|
|
|
*/
|
|
|
|
protected function isVersioned()
|
|
|
|
{
|
|
|
|
if (!class_exists(Versioned::class)) {
|
|
|
|
return false;
|
|
|
|
}
|
2018-02-19 23:37:27 +01:00
|
|
|
/** @var Versioned|DataObject $singleton */
|
2017-05-11 11:07:27 +02:00
|
|
|
$singleton = DataObject::singleton($this->getBaseClass());
|
2018-02-19 23:37:27 +01:00
|
|
|
return $singleton->hasExtension(Versioned::class) && $singleton->hasStages();
|
2017-05-11 11:07:27 +02:00
|
|
|
}
|
|
|
|
|
2017-12-04 02:23:14 +01:00
|
|
|
/**
|
|
|
|
* @return $this
|
|
|
|
*/
|
2017-05-11 11:07:27 +02:00
|
|
|
public function clearCache()
|
|
|
|
{
|
|
|
|
$this->cachePermissions = [];
|
|
|
|
return $this;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Get table to use for editor groups relation
|
|
|
|
*
|
|
|
|
* @return string
|
|
|
|
*/
|
|
|
|
protected function getEditorGroupsTable()
|
|
|
|
{
|
|
|
|
$table = DataObject::getSchema()->tableName($this->baseClass);
|
|
|
|
return "{$table}_EditorGroups";
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Get table to use for viewer groups relation
|
|
|
|
*
|
|
|
|
* @return string
|
|
|
|
*/
|
|
|
|
protected function getViewerGroupsTable()
|
|
|
|
{
|
|
|
|
$table = DataObject::getSchema()->tableName($this->baseClass);
|
|
|
|
return "{$table}_ViewerGroups";
|
|
|
|
}
|
2017-12-04 02:23:14 +01:00
|
|
|
|
|
|
|
/**
|
|
|
|
* Gets the permission from cache
|
|
|
|
*
|
2017-12-11 05:49:23 +01:00
|
|
|
* @param string $cacheKey
|
2017-12-04 02:23:14 +01:00
|
|
|
* @return mixed
|
|
|
|
*/
|
|
|
|
protected function getCachePermissions($cacheKey)
|
|
|
|
{
|
2017-12-11 05:49:23 +01:00
|
|
|
// Check local cache
|
2017-12-04 02:23:14 +01:00
|
|
|
if (isset($this->cachePermissions[$cacheKey])) {
|
|
|
|
return $this->cachePermissions[$cacheKey];
|
|
|
|
}
|
|
|
|
|
2017-12-11 05:49:23 +01:00
|
|
|
// Check persistent cache
|
2017-12-04 02:23:14 +01:00
|
|
|
if ($this->cacheService) {
|
2017-12-11 05:49:23 +01:00
|
|
|
$result = $this->cacheService->get($cacheKey);
|
|
|
|
|
|
|
|
// Warm local cache
|
|
|
|
if ($result) {
|
|
|
|
$this->cachePermissions[$cacheKey] = $result;
|
|
|
|
return $result;
|
|
|
|
}
|
2017-12-04 02:23:14 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
return null;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Creates a cache key for a member and type
|
2017-12-11 05:49:23 +01:00
|
|
|
*
|
|
|
|
* @param string $type
|
|
|
|
* @param int $memberID
|
2017-12-04 02:23:14 +01:00
|
|
|
* @return string
|
|
|
|
*/
|
|
|
|
protected function generateCacheKey($type, $memberID)
|
|
|
|
{
|
2022-04-14 03:12:59 +02:00
|
|
|
$classKey = str_replace('\\', '-', $this->baseClass ?? '');
|
2019-09-24 01:14:14 +02:00
|
|
|
return "{$type}-{$classKey}-{$memberID}";
|
2017-12-04 02:23:14 +01:00
|
|
|
}
|
2017-12-11 05:49:23 +01:00
|
|
|
}
|