silverstripe-framework/security/PermissionRole.php

<?php
/**
 * A PermissionRole represents a collection of permission codes that can be applied to groups.
 *
 * Because permission codes are very granular, this lets website administrators create more
 * business-oriented units of access control - Roles - and assign those to groups.
 *
 * If the <b>OnlyAdminCanApply</b> property is set to TRUE, the role can only be assigned
 * to new groups by a user with ADMIN privileges. This is a simple way to prevent users
 * with access to {@link SecurityAdmin} (but no ADMIN privileges) to get themselves ADMIN access
 * (which might be implied by certain roles).
 *
 * @package framework
 * @subpackage security
 *
 * @property string Title
 * @property string OnlyAdminCanApply
 *
 * @method HasManyList Codes() List of PermissionRoleCode objects
 * @method ManyManyList Groups() List of Group objects
 */
class PermissionRole extends DataObject {
	private static $db = array(
		"Title" => "Varchar",
		"OnlyAdminCanApply" => "Boolean"
	);

	private static $has_many = array(
		"Codes" => "PermissionRoleCode",
	);

	private static $belongs_many_many = array(
		"Groups" => "Group",
	);

	private static $default_sort = '"Title"';

	private static $singular_name = 'Role';

	private static $plural_name = 'Roles';

	public function getCMSFields() {
		$fields = parent::getCMSFields();

		$fields->removeFieldFromTab('Root', 'Codes');
		$fields->removeFieldFromTab('Root', 'Groups');

		$fields->addFieldToTab(
			'Root.Main',
			$permissionField = new PermissionCheckboxSetField(
				'Codes',
				singleton('Permission')->i18n_plural_name(),
				'PermissionRoleCode',
				'RoleID'
			)
		);
		$permissionField->setHiddenPermissions(
			Config::inst()->get('Permission', 'hidden_permissions')
		);

		return $fields;
	}

	public function onAfterDelete() {
		parent::onAfterDelete();

		// Delete associated permission codes
		$codes = $this->Codes();
		foreach ( $codes as $code ) {
			$code->delete();
		}
	}

	public function fieldLabels($includerelations = true) {
		$labels = parent::fieldLabels($includerelations);
		$labels['Title'] = _t('PermissionRole.Title', 'Title');
		$labels['OnlyAdminCanApply'] = _t(
			'PermissionRole.OnlyAdminCanApply',
			'Only admin can apply',
			'Checkbox to limit which user can apply this role'
		);

		return $labels;
	}

	public function canView($member = null) {
		return Permission::check('APPLY_ROLES', 'any', $member);
	}

	public function canCreate($member = null) {
		return Permission::check('APPLY_ROLES', 'any', $member);
	}

	public function canEdit($member = null) {
		return Permission::check('APPLY_ROLES', 'any', $member);
	}

	public function canDelete($member = null) {
		return Permission::check('APPLY_ROLES', 'any', $member);
	}
}
API CHANGE: Added PermissionRole and PermissionRoleCode, along with relevant tests for the permission system. (from r85173) git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@89187 467b73ca-7a2a-4603-9d3b-597d59a354a9 2009-10-16 00:27:56 +02:00			`<?php`
			`/**`
			`* A PermissionRole represents a collection of permission codes that can be applied to groups.`
Remove all redundant whitespace 2014-08-15 08:53:05 +02:00			`*`
API CHANGE: Added PermissionRole and PermissionRoleCode, along with relevant tests for the permission system. (from r85173) git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@89187 467b73ca-7a2a-4603-9d3b-597d59a354a9 2009-10-16 00:27:56 +02:00			`* Because permission codes are very granular, this lets website administrators create more`
			`* business-oriented units of access control - Roles - and assign those to groups.`
Remove all redundant whitespace 2014-08-15 08:53:05 +02:00			`*`
MINOR Documentation git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@104610 467b73ca-7a2a-4603-9d3b-597d59a354a9 2010-05-11 23:20:13 +02:00			`* If the <b>OnlyAdminCanApply</b> property is set to TRUE, the role can only be assigned`
			`* to new groups by a user with ADMIN privileges. This is a simple way to prevent users`
			`* with access to {@link SecurityAdmin} (but no ADMIN privileges) to get themselves ADMIN access`
			`* (which might be implied by certain roles).`
Remove all redundant whitespace 2014-08-15 08:53:05 +02:00			`*`
MINOR Update @package values to match renaming sapphire 2012-04-12 08:02:46 +02:00			`* @package framework`
MINOR Fixed phpdoc documentation (from r103385) git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@103388 467b73ca-7a2a-4603-9d3b-597d59a354a9 2010-04-23 02:25:47 +02:00			`* @subpackage security`
Documented magic properties of DataObject 2014-01-26 04:17:17 +01:00			`*`
			`* @property string Title`
			`* @property string OnlyAdminCanApply`
			`*`
			`* @method HasManyList Codes() List of PermissionRoleCode objects`
			`* @method ManyManyList Groups() List of Group objects`
API CHANGE: Added PermissionRole and PermissionRoleCode, along with relevant tests for the permission system. (from r85173) git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@89187 467b73ca-7a2a-4603-9d3b-597d59a354a9 2009-10-16 00:27:56 +02:00			`*/`
			`class PermissionRole extends DataObject {`
API Marked statics private, use Config API instead (#8317) See "Static configuration properties are now immutable, you must use Config API." in the 3.1 change log for details. 2013-03-21 19:48:54 +01:00			`private static $db = array(`
API CHANGE: Added PermissionRole and PermissionRoleCode, along with relevant tests for the permission system. (from r85173) git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@89187 467b73ca-7a2a-4603-9d3b-597d59a354a9 2009-10-16 00:27:56 +02:00			`"Title" => "Varchar",`
MINOR implement OnlyAdminCanApply git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@90457 467b73ca-7a2a-4603-9d3b-597d59a354a9 2009-10-29 23:07:44 +01:00			`"OnlyAdminCanApply" => "Boolean"`
API CHANGE: Added PermissionRole and PermissionRoleCode, along with relevant tests for the permission system. (from r85173) git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@89187 467b73ca-7a2a-4603-9d3b-597d59a354a9 2009-10-16 00:27:56 +02:00			`);`
Remove all redundant whitespace 2014-08-15 08:53:05 +02:00
API Marked statics private, use Config API instead (#8317) See "Static configuration properties are now immutable, you must use Config API." in the 3.1 change log for details. 2013-03-21 19:48:54 +01:00			`private static $has_many = array(`
API CHANGE: Added PermissionRole and PermissionRoleCode, along with relevant tests for the permission system. (from r85173) git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@89187 467b73ca-7a2a-4603-9d3b-597d59a354a9 2009-10-16 00:27:56 +02:00			`"Codes" => "PermissionRoleCode",`
			`);`
Remove all redundant whitespace 2014-08-15 08:53:05 +02:00
API Marked statics private, use Config API instead (#8317) See "Static configuration properties are now immutable, you must use Config API." in the 3.1 change log for details. 2013-03-21 19:48:54 +01:00			`private static $belongs_many_many = array(`
API CHANGE: Added PermissionRole and PermissionRoleCode, along with relevant tests for the permission system. (from r85173) git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@89187 467b73ca-7a2a-4603-9d3b-597d59a354a9 2009-10-16 00:27:56 +02:00			`"Groups" => "Group",`
			`);`
Remove all redundant whitespace 2014-08-15 08:53:05 +02:00
API Marked statics private, use Config API instead (#8317) See "Static configuration properties are now immutable, you must use Config API." in the 3.1 change log for details. 2013-03-21 19:48:54 +01:00			`private static $default_sort = '"Title"';`
Remove all redundant whitespace 2014-08-15 08:53:05 +02:00
API Marked statics private, use Config API instead (#8317) See "Static configuration properties are now immutable, you must use Config API." in the 3.1 change log for details. 2013-03-21 19:48:54 +01:00			`private static $singular_name = 'Role';`
ENHANCEMENT Respecting SecurityAdmin::$hidden_permissions in PermissionRole->getCMSFields() MINOR Setting PermissionRole $singular_name and $plural_name git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@100771 467b73ca-7a2a-4603-9d3b-597d59a354a9 2010-03-10 03:23:41 +01:00
API Marked statics private, use Config API instead (#8317) See "Static configuration properties are now immutable, you must use Config API." in the 3.1 change log for details. 2013-03-21 19:48:54 +01:00			`private static $plural_name = 'Roles';`
Remove all redundant whitespace 2014-08-15 08:53:05 +02:00
Method visibility according to coding conventions 2012-09-19 12:07:39 +02:00			`public function getCMSFields() {`
API CHANGE Removed $params argument to DataObject->getCMSFields(), please use FormScaffolder directly (fixes #7135) 2012-04-13 15:46:47 +02:00			`$fields = parent::getCMSFields();`
Remove all redundant whitespace 2014-08-15 08:53:05 +02:00
FEATURE: Add a simple interface for administrating permission roles. (from r85297) git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@89189 467b73ca-7a2a-4603-9d3b-597d59a354a9 2009-10-16 00:28:11 +02:00			`$fields->removeFieldFromTab('Root', 'Codes');`
			`$fields->removeFieldFromTab('Root', 'Groups');`
Remove all redundant whitespace 2014-08-15 08:53:05 +02:00
ENHANCEMENT Respecting SecurityAdmin::$hidden_permissions in PermissionRole->getCMSFields() MINOR Setting PermissionRole $singular_name and $plural_name git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@100771 467b73ca-7a2a-4603-9d3b-597d59a354a9 2010-03-10 03:23:41 +01:00			`$fields->addFieldToTab(`
Remove all redundant whitespace 2014-08-15 08:53:05 +02:00			`'Root.Main',`
ENHANCEMENT Respecting SecurityAdmin::$hidden_permissions in PermissionRole->getCMSFields() MINOR Setting PermissionRole $singular_name and $plural_name git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@100771 467b73ca-7a2a-4603-9d3b-597d59a354a9 2010-03-10 03:23:41 +01:00			`$permissionField = new PermissionCheckboxSetField(`
			`'Codes',`
			`singleton('Permission')->i18n_plural_name(),`
			`'PermissionRoleCode',`
			`'RoleID'`
			`)`
			`);`
API Marked statics private, use Config API instead (#8317) See "Static configuration properties are now immutable, you must use Config API." in the 3.1 change log for details. 2013-03-21 19:48:54 +01:00			`$permissionField->setHiddenPermissions(`
			`Config::inst()->get('Permission', 'hidden_permissions')`
			`);`
Remove all redundant whitespace 2014-08-15 08:53:05 +02:00
FEATURE: Add a simple interface for administrating permission roles. (from r85297) git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@89189 467b73ca-7a2a-4603-9d3b-597d59a354a9 2009-10-16 00:28:11 +02:00			`return $fields;`
			`}`
Remove all redundant whitespace 2014-08-15 08:53:05 +02:00
Method visibility according to coding conventions 2012-09-19 12:07:39 +02:00			`public function onAfterDelete() {`
BUGFIX: adding onAfterDelete hooks to remove the no longer necessary permissions git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@94859 467b73ca-7a2a-4603-9d3b-597d59a354a9 2009-12-10 04:44:35 +01:00			`parent::onAfterDelete();`
Remove all redundant whitespace 2014-08-15 08:53:05 +02:00
BUGFIX: adding onAfterDelete hooks to remove the no longer necessary permissions git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@94859 467b73ca-7a2a-4603-9d3b-597d59a354a9 2009-12-10 04:44:35 +01:00			`// Delete associated permission codes`
			`$codes = $this->Codes();`
			`foreach ( $codes as $code ) {`
			`$code->delete();`
			`}`
			`}`
Fixed PermissionRole field localization 2012-09-11 13:53:09 +02:00
Method visibility according to coding conventions 2012-09-19 12:07:39 +02:00			`public function fieldLabels($includerelations = true) {`
Fixed PermissionRole field localization 2012-09-11 13:53:09 +02:00			`$labels = parent::fieldLabels($includerelations);`
			`$labels['Title'] = _t('PermissionRole.Title', 'Title');`
			`$labels['OnlyAdminCanApply'] = _t(`
Remove all redundant whitespace 2014-08-15 08:53:05 +02:00			`'PermissionRole.OnlyAdminCanApply',`
Fixed PermissionRole field localization 2012-09-11 13:53:09 +02:00			`'Only admin can apply',`
			`'Checkbox to limit which user can apply this role'`
			`);`
Remove all redundant whitespace 2014-08-15 08:53:05 +02:00
Fixed PermissionRole field localization 2012-09-11 13:53:09 +02:00			`return $labels;`
			`}`
FIX Privilege escalation through APPLY_ROLES assignment (SS-2013-005) See http://www.silverstripe.org/ss-2013-005-privilege-escalation-through-apply-roles-assignment/ 2013-08-30 13:59:38 +02:00
			`public function canView($member = null) {`
			`return Permission::check('APPLY_ROLES', 'any', $member);`
			`}`

			`public function canCreate($member = null) {`
			`return Permission::check('APPLY_ROLES', 'any', $member);`
			`}`

			`public function canEdit($member = null) {`
			`return Permission::check('APPLY_ROLES', 'any', $member);`
			`}`

			`public function canDelete($member = null) {`
			`return Permission::check('APPLY_ROLES', 'any', $member);`
			`}`
FEATURE: Add a simple interface for administrating permission roles. (from r85297) git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@89189 467b73ca-7a2a-4603-9d3b-597d59a354a9 2009-10-16 00:28:11 +02:00			`}`