silverstripe-framework/security/PermissionRoleCode.php

<?php
/**
 * A PermissionRoleCode represents a single permission code assigned to a {@link PermissionRole}.
 *
 * @package framework
 * @subpackage security
 *
 * @property string Code
 *
 * @property int RoleID
 *
 * @method PermissionRole Role()
 */
class PermissionRoleCode extends DataObject {
	private static $db = array(
		"Code" => "Varchar",
	);

	private static $has_one = array(
		"Role" => "PermissionRole",
	);

	public function validate() {
		$result = parent::validate();

		// Check that new code doesn't increase privileges, unless an admin is editing.
		$privilegedCodes = Config::inst()->get('Permission', 'privileged_permissions');
		if(
			$this->Code
			&& in_array($this->Code, $privilegedCodes)
			&& !Permission::check('ADMIN')
		) {
			$result->error(sprintf(
				_t(
					'PermissionRoleCode.PermsError',
					'Can\'t assign code "%s" with privileged permissions (requires ADMIN access)'
				),
				$this->Code
			));
		}

		return $result;
	}

	public function canCreate($member = null) {
		return Permission::check('APPLY_ROLES', 'any', $member);
	}

	public function canEdit($member = null) {
		return Permission::check('APPLY_ROLES', 'any', $member);
	}

	public function canDelete($member = null) {
		return Permission::check('APPLY_ROLES', 'any', $member);
	}
}
API CHANGE: Added PermissionRole and PermissionRoleCode, along with relevant tests for the permission system. (from r85173) git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@89187 467b73ca-7a2a-4603-9d3b-597d59a354a9 2009-10-16 00:27:56 +02:00			`<?php`
			`/**`
			`* A PermissionRoleCode represents a single permission code assigned to a {@link PermissionRole}.`
Remove all redundant whitespace 2014-08-15 08:53:05 +02:00			`*`
MINOR Update @package values to match renaming sapphire 2012-04-12 08:02:46 +02:00			`* @package framework`
MINOR Fixed phpdoc documentation git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@103390 467b73ca-7a2a-4603-9d3b-597d59a354a9 2010-04-23 03:04:16 +02:00			`* @subpackage security`
Documented magic properties of DataObject 2014-01-26 04:17:17 +01:00			`*`
			`* @property string Code`
			`*`
			`* @property int RoleID`
			`*`
			`* @method PermissionRole Role()`
API CHANGE: Added PermissionRole and PermissionRoleCode, along with relevant tests for the permission system. (from r85173) git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@89187 467b73ca-7a2a-4603-9d3b-597d59a354a9 2009-10-16 00:27:56 +02:00			`*/`
			`class PermissionRoleCode extends DataObject {`
API Marked statics private, use Config API instead (#8317) See "Static configuration properties are now immutable, you must use Config API." in the 3.1 change log for details. 2013-03-21 19:48:54 +01:00			`private static $db = array(`
API CHANGE: Added PermissionRole and PermissionRoleCode, along with relevant tests for the permission system. (from r85173) git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@89187 467b73ca-7a2a-4603-9d3b-597d59a354a9 2009-10-16 00:27:56 +02:00			`"Code" => "Varchar",`
			`);`
Remove all redundant whitespace 2014-08-15 08:53:05 +02:00
API Marked statics private, use Config API instead (#8317) See "Static configuration properties are now immutable, you must use Config API." in the 3.1 change log for details. 2013-03-21 19:48:54 +01:00			`private static $has_one = array(`
API CHANGE: Added PermissionRole and PermissionRoleCode, along with relevant tests for the permission system. (from r85173) git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@89187 467b73ca-7a2a-4603-9d3b-597d59a354a9 2009-10-16 00:27:56 +02:00			`"Role" => "PermissionRole",`
			`);`
FIX Privilege escalation through APPLY_ROLES assignment (SS-2013-005) See http://www.silverstripe.org/ss-2013-005-privilege-escalation-through-apply-roles-assignment/ 2013-08-30 13:59:38 +02:00
API DataObject::validate() visibility changed to public (issue #1659) DataObject::validate() is currently set to protected, but this means you can't call validate() from outside the context of itself unless you overload the method to use a public visibility and then call parent::validate() As it would turn out, most classes that overload this method already set the visibility to public, so it would make sense the parent matches that as well. 2013-12-19 04:27:54 +01:00			`public function validate() {`
FIX Privilege escalation through APPLY_ROLES assignment (SS-2013-005) See http://www.silverstripe.org/ss-2013-005-privilege-escalation-through-apply-roles-assignment/ 2013-08-30 13:59:38 +02:00			`$result = parent::validate();`

			`// Check that new code doesn't increase privileges, unless an admin is editing.`
			`$privilegedCodes = Config::inst()->get('Permission', 'privileged_permissions');`
			`if(`
			`$this->Code`
			`&& in_array($this->Code, $privilegedCodes)`
			`&& !Permission::check('ADMIN')`
			`) {`
			`$result->error(sprintf(`
			`_t(`
			`'PermissionRoleCode.PermsError',`
			`'Can\'t assign code "%s" with privileged permissions (requires ADMIN access)'`
			`),`
			`$this->Code`
			`));`
			`}`

			`return $result;`
			`}`

			`public function canCreate($member = null) {`
			`return Permission::check('APPLY_ROLES', 'any', $member);`
			`}`

			`public function canEdit($member = null) {`
			`return Permission::check('APPLY_ROLES', 'any', $member);`
			`}`

			`public function canDelete($member = null) {`
			`return Permission::check('APPLY_ROLES', 'any', $member);`
			`}`
MINOR Add newline to end of files without one 2012-03-24 04:04:52 +01:00			`}`