silverstripe-framework/Security/PermissionRoleCode.php

<?php

namespace SilverStripe\Security;

use SilverStripe\ORM\DataObject;

/**
 * A PermissionRoleCode represents a single permission code assigned to a {@link PermissionRole}.
 *
 * @property string Code
 * @property int RoleID
 * @method PermissionRole Role()
 */
class PermissionRoleCode extends DataObject {
	private static $db = array(
		"Code" => "Varchar",
	);

	private static $has_one = array(
		"Role" => "SilverStripe\\Security\\PermissionRole",
	);

	private static $table_name = "PermissionRoleCode";

	public function validate() {
		$result = parent::validate();

		// Check that new code doesn't increase privileges, unless an admin is editing.
		$privilegedCodes = Permission::config()->privileged_permissions;
		if(
			$this->Code
			&& in_array($this->Code, $privilegedCodes)
			&& !Permission::check('ADMIN')
		) {
			$result->error(sprintf(
				_t(
					'PermissionRoleCode.PermsError',
					'Can\'t assign code "%s" with privileged permissions (requires ADMIN access)'
				),
				$this->Code
			));
		}

		return $result;
	}

	public function canCreate($member = null, $context = array()) {
		return Permission::check('APPLY_ROLES', 'any', $member);
	}

	public function canEdit($member = null) {
		return Permission::check('APPLY_ROLES', 'any', $member);
	}

	public function canDelete($member = null) {
		return Permission::check('APPLY_ROLES', 'any', $member);
	}
}
API CHANGE: Added PermissionRole and PermissionRoleCode, along with relevant tests for the permission system. (from r85173) git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@89187 467b73ca-7a2a-4603-9d3b-597d59a354a9 2009-10-16 00:27:56 +02:00			`<?php`
API Apply Framework\ORM Namespace to model 2016-06-15 06:03:16 +02:00
API Apply Framework\Security namespace 2016-06-23 01:37:22 +02:00			`namespace SilverStripe\Security;`

API Apply Framework\ORM Namespace to model 2016-06-15 06:03:16 +02:00			`use SilverStripe\ORM\DataObject;`
API Apply Framework\Security namespace 2016-06-23 01:37:22 +02:00
API CHANGE: Added PermissionRole and PermissionRoleCode, along with relevant tests for the permission system. (from r85173) git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@89187 467b73ca-7a2a-4603-9d3b-597d59a354a9 2009-10-16 00:27:56 +02:00			`/**`
			`* A PermissionRoleCode represents a single permission code assigned to a {@link PermissionRole}.`
Remove all redundant whitespace 2014-08-15 08:53:05 +02:00			`*`
Documented magic properties of DataObject 2014-01-26 04:17:17 +01:00			`* @property string Code`
			`* @property int RoleID`
			`* @method PermissionRole Role()`
API CHANGE: Added PermissionRole and PermissionRoleCode, along with relevant tests for the permission system. (from r85173) git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@89187 467b73ca-7a2a-4603-9d3b-597d59a354a9 2009-10-16 00:27:56 +02:00			`*/`
			`class PermissionRoleCode extends DataObject {`
API Marked statics private, use Config API instead (#8317) See "Static configuration properties are now immutable, you must use Config API." in the 3.1 change log for details. 2013-03-21 19:48:54 +01:00			`private static $db = array(`
API CHANGE: Added PermissionRole and PermissionRoleCode, along with relevant tests for the permission system. (from r85173) git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@89187 467b73ca-7a2a-4603-9d3b-597d59a354a9 2009-10-16 00:27:56 +02:00			`"Code" => "Varchar",`
			`);`
Remove all redundant whitespace 2014-08-15 08:53:05 +02:00
API Marked statics private, use Config API instead (#8317) See "Static configuration properties are now immutable, you must use Config API." in the 3.1 change log for details. 2013-03-21 19:48:54 +01:00			`private static $has_one = array(`
API Apply Framework\Security namespace 2016-06-23 01:37:22 +02:00			`"Role" => "SilverStripe\\Security\\PermissionRole",`
API CHANGE: Added PermissionRole and PermissionRoleCode, along with relevant tests for the permission system. (from r85173) git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@89187 467b73ca-7a2a-4603-9d3b-597d59a354a9 2009-10-16 00:27:56 +02:00			`);`
FIX Privilege escalation through APPLY_ROLES assignment (SS-2013-005) See http://www.silverstripe.org/ss-2013-005-privilege-escalation-through-apply-roles-assignment/ 2013-08-30 13:59:38 +02:00
API Apply Framework\Security namespace 2016-06-23 01:37:22 +02:00			`private static $table_name = "PermissionRoleCode";`

API make DataObject::validate public 2015-06-17 05:51:30 +02:00			`public function validate() {`
FIX Privilege escalation through APPLY_ROLES assignment (SS-2013-005) See http://www.silverstripe.org/ss-2013-005-privilege-escalation-through-apply-roles-assignment/ 2013-08-30 13:59:38 +02:00			`$result = parent::validate();`

			`// Check that new code doesn't increase privileges, unless an admin is editing.`
API Apply Framework\Security namespace 2016-06-23 01:37:22 +02:00			`$privilegedCodes = Permission::config()->privileged_permissions;`
FIX Privilege escalation through APPLY_ROLES assignment (SS-2013-005) See http://www.silverstripe.org/ss-2013-005-privilege-escalation-through-apply-roles-assignment/ 2013-08-30 13:59:38 +02:00			`if(`
			`$this->Code`
			`&& in_array($this->Code, $privilegedCodes)`
			`&& !Permission::check('ADMIN')`
			`) {`
			`$result->error(sprintf(`
			`_t(`
			`'PermissionRoleCode.PermsError',`
			`'Can\'t assign code "%s" with privileged permissions (requires ADMIN access)'`
			`),`
			`$this->Code`
			`));`
			`}`

			`return $result;`
			`}`

API Formalise new additional arguments to DataObject::canCreate, DataExtension::augmentSQL, and DataObject::extendedCan 2015-06-09 01:31:07 +02:00			`public function canCreate($member = null, $context = array()) {`
FIX Privilege escalation through APPLY_ROLES assignment (SS-2013-005) See http://www.silverstripe.org/ss-2013-005-privilege-escalation-through-apply-roles-assignment/ 2013-08-30 13:59:38 +02:00			`return Permission::check('APPLY_ROLES', 'any', $member);`
			`}`

			`public function canEdit($member = null) {`
			`return Permission::check('APPLY_ROLES', 'any', $member);`
			`}`

			`public function canDelete($member = null) {`
			`return Permission::check('APPLY_ROLES', 'any', $member);`
			`}`
MINOR Add newline to end of files without one 2012-03-24 04:04:52 +01:00			`}`