2007-07-19 12:40:28 +02:00
|
|
|
<?php
|
2008-02-25 03:10:37 +01:00
|
|
|
/**
|
|
|
|
* Represents a permission assigned to a group.
|
2012-04-12 08:02:46 +02:00
|
|
|
* @package framework
|
2008-02-25 03:10:37 +01:00
|
|
|
* @subpackage security
|
2014-01-26 04:17:17 +01:00
|
|
|
*
|
|
|
|
* @property string Code
|
|
|
|
* @property int Arg
|
|
|
|
* @property int Type
|
|
|
|
*
|
|
|
|
* @property int GroupID
|
|
|
|
*
|
|
|
|
* @method Group Group()
|
2008-02-25 03:10:37 +01:00
|
|
|
*/
|
2012-02-11 03:08:39 +01:00
|
|
|
class Permission extends DataObject implements TemplateGlobalProvider {
|
2007-09-16 16:32:54 +02:00
|
|
|
|
2012-12-08 12:20:20 +01:00
|
|
|
// the (1) after Type specifies the DB default value which is needed for
|
2007-09-16 16:58:27 +02:00
|
|
|
// upgrades from older SilverStripe versions
|
2013-03-21 19:48:54 +01:00
|
|
|
private static $db = array(
|
2007-07-19 12:40:28 +02:00
|
|
|
"Code" => "Varchar",
|
2007-09-14 19:44:33 +02:00
|
|
|
"Arg" => "Int",
|
2007-09-16 16:58:27 +02:00
|
|
|
"Type" => "Int(1)"
|
2007-07-19 12:40:28 +02:00
|
|
|
);
|
2013-03-21 19:48:54 +01:00
|
|
|
private static $has_one = array(
|
2007-09-16 16:58:27 +02:00
|
|
|
"Group" => "Group"
|
2007-07-19 12:40:28 +02:00
|
|
|
);
|
2013-03-21 19:48:54 +01:00
|
|
|
private static $indexes = array(
|
2007-09-16 16:58:27 +02:00
|
|
|
"Code" => true
|
2007-07-19 12:40:28 +02:00
|
|
|
);
|
2013-03-21 19:48:54 +01:00
|
|
|
private static $defaults = array(
|
2007-09-16 16:58:27 +02:00
|
|
|
"Type" => 1
|
|
|
|
);
|
2013-03-21 19:48:54 +01:00
|
|
|
private static $has_many = array();
|
2009-02-02 00:49:53 +01:00
|
|
|
|
2013-03-21 19:48:54 +01:00
|
|
|
private static $many_many = array();
|
2009-02-02 00:49:53 +01:00
|
|
|
|
2013-03-21 19:48:54 +01:00
|
|
|
private static $belongs_many_many = array();
|
2007-09-16 16:58:27 +02:00
|
|
|
|
|
|
|
/**
|
|
|
|
* This is the value to use for the "Type" field if a permission should be
|
|
|
|
* granted.
|
|
|
|
*/
|
|
|
|
const GRANT_PERMISSION = 1;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* This is the value to use for the "Type" field if a permission should be
|
|
|
|
* denied.
|
|
|
|
*/
|
|
|
|
const DENY_PERMISSION = -1;
|
2007-09-14 19:44:33 +02:00
|
|
|
|
2007-09-16 04:15:16 +02:00
|
|
|
/**
|
2007-09-16 16:58:27 +02:00
|
|
|
* This is the value to use for the "Type" field if a permission should be
|
|
|
|
* inherited.
|
|
|
|
*/
|
|
|
|
const INHERIT_PERMISSION = 0;
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Method to globally disable "strict" checking, which means a permission
|
|
|
|
* will be granted if the key does not exist at all.
|
|
|
|
*
|
|
|
|
* @var bool
|
2007-09-16 04:15:16 +02:00
|
|
|
*/
|
2013-03-21 19:48:54 +01:00
|
|
|
private static $declared_permissions = null;
|
2007-09-16 16:32:54 +02:00
|
|
|
|
2012-12-08 12:20:20 +01:00
|
|
|
/**
|
2007-09-16 16:32:54 +02:00
|
|
|
* Linear list of declared permissions in the system.
|
|
|
|
*
|
|
|
|
* @var array
|
|
|
|
*/
|
2013-03-21 19:48:54 +01:00
|
|
|
private static $declared_permissions_list = null;
|
2007-09-16 16:32:54 +02:00
|
|
|
|
2007-07-19 12:40:28 +02:00
|
|
|
/**
|
2013-03-21 19:48:54 +01:00
|
|
|
* @config
|
2007-07-19 12:40:28 +02:00
|
|
|
* @var $strict_checking Boolean Method to globally disable "strict" checking,
|
|
|
|
* which means a permission will be granted if the key does not exist at all.
|
|
|
|
*/
|
2013-03-21 19:48:54 +01:00
|
|
|
private static $strict_checking = true;
|
2007-09-16 16:32:54 +02:00
|
|
|
|
2007-09-16 04:15:16 +02:00
|
|
|
/**
|
2007-09-16 16:32:54 +02:00
|
|
|
* Set to false to prevent the 'ADMIN' permission from implying all
|
|
|
|
* permissions in the system
|
|
|
|
*
|
2013-03-21 19:48:54 +01:00
|
|
|
* @config
|
2007-09-16 16:32:54 +02:00
|
|
|
* @var bool
|
2007-09-16 04:15:16 +02:00
|
|
|
*/
|
2013-03-21 19:48:54 +01:00
|
|
|
private static $admin_implies_all = true;
|
2009-11-21 02:44:52 +01:00
|
|
|
|
|
|
|
/**
|
|
|
|
* a list of permission codes which doesn't appear in the Permission list
|
|
|
|
* when make the {@link PermissionCheckboxSetField}
|
2013-03-21 19:48:54 +01:00
|
|
|
* @config
|
2009-11-21 02:44:52 +01:00
|
|
|
* @var array;
|
|
|
|
*/
|
2013-03-21 19:48:54 +01:00
|
|
|
private static $hidden_permissions = array();
|
2007-09-16 16:32:54 +02:00
|
|
|
|
2013-08-30 13:58:37 +02:00
|
|
|
/**
|
|
|
|
* @config These permissions can only be applied by ADMIN users, to prevent
|
|
|
|
* privilege escalation on group assignments and inheritance.
|
|
|
|
* @var array
|
|
|
|
*/
|
2013-09-27 18:56:38 +02:00
|
|
|
private static $privileged_permissions = array(
|
2013-08-30 13:58:37 +02:00
|
|
|
'ADMIN',
|
|
|
|
'APPLY_ROLES',
|
|
|
|
'EDIT_PERMISSIONS'
|
|
|
|
);
|
|
|
|
|
2007-07-19 12:40:28 +02:00
|
|
|
/**
|
2009-09-10 09:01:52 +02:00
|
|
|
* Check that the current member has the given permission.
|
2007-07-19 12:40:28 +02:00
|
|
|
*
|
2011-08-30 17:34:35 +02:00
|
|
|
* @param string|array $code Code of the permission to check (case-sensitive)
|
2009-09-10 09:01:52 +02:00
|
|
|
* @param string $arg Optional argument (e.g. a permissions for a specific page)
|
2008-09-22 18:04:22 +02:00
|
|
|
* @param int|Member $member Optional member instance or ID. If set to NULL, the permssion
|
2009-09-10 09:01:52 +02:00
|
|
|
* will be checked for the current user
|
2007-09-16 16:32:54 +02:00
|
|
|
* @param bool $strict Use "strict" checking (which means a permission
|
2009-09-10 09:01:52 +02:00
|
|
|
* will be granted if the key does not exist at all)?
|
2007-09-16 16:32:54 +02:00
|
|
|
* @return int|bool The ID of the permission record if the permission
|
2009-09-10 09:01:52 +02:00
|
|
|
* exists; FALSE otherwise. If "strict" checking is
|
|
|
|
* disabled, TRUE will be returned if the permission does not exist at all.
|
2007-07-19 12:40:28 +02:00
|
|
|
*/
|
2008-09-22 18:04:22 +02:00
|
|
|
public static function check($code, $arg = "any", $member = null, $strict = true) {
|
|
|
|
if(!$member) {
|
2009-07-31 07:36:50 +02:00
|
|
|
if(!Member::currentUserID()) {
|
2007-07-19 12:40:28 +02:00
|
|
|
return false;
|
|
|
|
}
|
2009-07-31 07:36:50 +02:00
|
|
|
$member = Member::currentUserID();
|
2007-07-19 12:40:28 +02:00
|
|
|
}
|
2007-09-14 19:44:33 +02:00
|
|
|
|
2008-09-22 18:04:22 +02:00
|
|
|
return self::checkMember($member, $code, $arg, $strict);
|
2007-07-19 12:40:28 +02:00
|
|
|
}
|
2007-09-14 19:44:33 +02:00
|
|
|
|
2009-07-31 07:36:50 +02:00
|
|
|
/**
|
|
|
|
* Permissions cache. The format is a map, where the keys are member IDs, and the values are
|
|
|
|
* arrays of permission codes.
|
|
|
|
*/
|
2009-02-02 00:49:53 +01:00
|
|
|
private static $cache_permissions = array();
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Flush the permission cache, for example if you have edited group membership or a permission record.
|
|
|
|
* @todo Call this whenever Group_Members is added to or removed from
|
|
|
|
*/
|
|
|
|
public static function flush_permission_cache() {
|
|
|
|
self::$cache_permissions = array();
|
|
|
|
}
|
|
|
|
|
2007-07-19 12:40:28 +02:00
|
|
|
/**
|
2009-09-10 09:01:52 +02:00
|
|
|
* Check that the given member has the given permission.
|
|
|
|
*
|
2008-08-09 08:53:26 +02:00
|
|
|
* @param int|Member memberID The ID of the member to check. Leave blank for the current member.
|
2009-09-10 09:01:52 +02:00
|
|
|
* Alternatively you can use a member object.
|
|
|
|
* @param string|array $code Code of the permission to check (case-sensitive)
|
|
|
|
* @param string $arg Optional argument (e.g. a permissions for a specific page)
|
2007-09-16 16:32:54 +02:00
|
|
|
* @param bool $strict Use "strict" checking (which means a permission
|
2009-09-10 09:01:52 +02:00
|
|
|
* will be granted if the key does not exist at all)?
|
2007-09-16 16:32:54 +02:00
|
|
|
* @return int|bool The ID of the permission record if the permission
|
2009-09-10 09:01:52 +02:00
|
|
|
* exists; FALSE otherwise. If "strict" checking is
|
|
|
|
* disabled, TRUE will be returned if the permission does not exist at all.
|
2007-07-19 12:40:28 +02:00
|
|
|
*/
|
2008-08-09 08:53:26 +02:00
|
|
|
public static function checkMember($member, $code, $arg = "any", $strict = true) {
|
2009-08-08 05:40:24 +02:00
|
|
|
if(!$member) {
|
|
|
|
$memberID = $member = Member::currentUserID();
|
|
|
|
} else {
|
|
|
|
$memberID = (is_object($member)) ? $member->ID : $member;
|
|
|
|
}
|
2015-08-20 20:53:09 +02:00
|
|
|
|
|
|
|
// If $admin_implies_all was false then this would be inefficient, but that's an edge
|
|
|
|
// case and this keeps the code simpler
|
|
|
|
if(!is_array($code)) $code = array($code);
|
|
|
|
|
2009-07-31 07:36:50 +02:00
|
|
|
if($arg == 'any') {
|
|
|
|
// Cache the permissions in memory
|
|
|
|
if(!isset(self::$cache_permissions[$memberID])) {
|
|
|
|
self::$cache_permissions[$memberID] = self::permissions_for_member($memberID);
|
|
|
|
}
|
2015-08-20 20:53:09 +02:00
|
|
|
foreach ($code as $permCode) {
|
|
|
|
if (substr($permCode, 0, 11) == 'CMS_ACCESS_') {
|
|
|
|
//cms_access_leftandmain means access to all CMS areas
|
|
|
|
$code[] = 'CMS_ACCESS_LeftAndMain';
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
2013-03-21 19:48:54 +01:00
|
|
|
if(Config::inst()->get('Permission', 'admin_implies_all')) $code[] = "ADMIN";
|
2009-09-10 09:01:52 +02:00
|
|
|
|
2009-07-31 07:36:50 +02:00
|
|
|
// Multiple $code values - return true if at least one matches, ie, intersection exists
|
|
|
|
return (bool)array_intersect($code, self::$cache_permissions[$memberID]);
|
2009-02-02 00:49:53 +01:00
|
|
|
}
|
|
|
|
|
2009-07-31 07:36:50 +02:00
|
|
|
// The following code should only be used if you're not using the "any" arg. This is kind
|
|
|
|
// of obselete functionality and could possibly be deprecated.
|
|
|
|
|
2007-07-19 12:40:28 +02:00
|
|
|
$groupList = self::groupList($memberID);
|
2008-12-04 23:38:32 +01:00
|
|
|
if(!$groupList) return false;
|
|
|
|
|
|
|
|
$groupCSV = implode(", ", $groupList);
|
2009-07-31 07:36:50 +02:00
|
|
|
|
2008-12-04 23:38:32 +01:00
|
|
|
// Arg component
|
|
|
|
switch($arg) {
|
|
|
|
case "any":
|
|
|
|
$argClause = "";
|
|
|
|
break;
|
|
|
|
case "all":
|
|
|
|
$argClause = " AND \"Arg\" = -1";
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
if(is_numeric($arg)) {
|
|
|
|
$argClause = "AND \"Arg\" IN (-1, $arg) ";
|
|
|
|
} else {
|
|
|
|
user_error("Permission::checkMember: bad arg '$arg'", E_USER_ERROR);
|
2007-09-16 16:40:43 +02:00
|
|
|
}
|
2008-12-04 23:38:32 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
if(is_array($code)) {
|
|
|
|
$SQL_codeList = "'" . implode("', '", Convert::raw2sql($code)) . "'";
|
|
|
|
} else {
|
|
|
|
$SQL_codeList = "'" . Convert::raw2sql($code) . "'";
|
|
|
|
}
|
|
|
|
|
|
|
|
$SQL_code = Convert::raw2sql($code);
|
|
|
|
|
2013-03-21 19:48:54 +01:00
|
|
|
$adminFilter = (Config::inst()->get('Permission', 'admin_implies_all')) ? ",'ADMIN'" : '';
|
2008-12-04 23:38:32 +01:00
|
|
|
|
|
|
|
// Raw SQL for efficiency
|
|
|
|
$permission = DB::query("
|
|
|
|
SELECT \"ID\"
|
|
|
|
FROM \"Permission\"
|
|
|
|
WHERE (
|
|
|
|
\"Code\" IN ($SQL_codeList $adminFilter)
|
|
|
|
AND \"Type\" = " . self::GRANT_PERMISSION . "
|
|
|
|
AND \"GroupID\" IN ($groupCSV)
|
|
|
|
$argClause
|
|
|
|
)
|
|
|
|
")->value();
|
2009-02-02 00:49:53 +01:00
|
|
|
|
2009-07-31 07:36:50 +02:00
|
|
|
if($permission) return $permission;
|
2008-12-04 23:38:32 +01:00
|
|
|
|
|
|
|
// Strict checking disabled?
|
2013-03-21 19:48:54 +01:00
|
|
|
if(!Config::inst()->get('Permission', 'strict_checking') || !$strict) {
|
2008-12-04 23:38:32 +01:00
|
|
|
$hasPermission = DB::query("
|
|
|
|
SELECT COUNT(*)
|
|
|
|
FROM \"Permission\"
|
|
|
|
WHERE (
|
|
|
|
(\"Code\" IN '$SQL_code')'
|
|
|
|
AND (\"Type\" = " . self::GRANT_PERMISSION . ")
|
|
|
|
)
|
|
|
|
")->value();
|
2009-02-02 00:49:53 +01:00
|
|
|
|
2009-07-31 07:36:50 +02:00
|
|
|
if(!$hasPermission) return;
|
2007-07-19 12:40:28 +02:00
|
|
|
}
|
2009-02-02 00:49:53 +01:00
|
|
|
|
2008-12-04 23:38:32 +01:00
|
|
|
return false;
|
2007-07-19 12:40:28 +02:00
|
|
|
}
|
2007-09-14 19:44:33 +02:00
|
|
|
|
2009-07-31 07:36:50 +02:00
|
|
|
/**
|
|
|
|
* Get all the 'any' permission codes available to the given member.
|
2012-07-01 07:55:20 +02:00
|
|
|
*
|
|
|
|
* @return array
|
2009-07-31 07:36:50 +02:00
|
|
|
*/
|
|
|
|
public static function permissions_for_member($memberID) {
|
|
|
|
$groupList = self::groupList($memberID);
|
2012-07-01 07:55:20 +02:00
|
|
|
|
2009-08-08 05:40:24 +02:00
|
|
|
if($groupList) {
|
|
|
|
$groupCSV = implode(", ", $groupList);
|
2009-07-31 07:36:50 +02:00
|
|
|
|
2012-07-01 07:55:20 +02:00
|
|
|
$allowed = array_unique(DB::query("
|
2009-08-08 05:40:24 +02:00
|
|
|
SELECT \"Code\"
|
|
|
|
FROM \"Permission\"
|
|
|
|
WHERE \"Type\" = " . self::GRANT_PERMISSION . " AND \"GroupID\" IN ($groupCSV)
|
2012-07-01 07:55:20 +02:00
|
|
|
|
2009-10-16 00:27:56 +02:00
|
|
|
UNION
|
2012-07-01 07:55:20 +02:00
|
|
|
|
2009-10-16 00:27:56 +02:00
|
|
|
SELECT \"Code\"
|
2010-10-19 02:51:53 +02:00
|
|
|
FROM \"PermissionRoleCode\" PRC
|
|
|
|
INNER JOIN \"PermissionRole\" PR ON PRC.\"RoleID\" = PR.\"ID\"
|
|
|
|
INNER JOIN \"Group_Roles\" GR ON GR.\"PermissionRoleID\" = PR.\"ID\"
|
2009-10-16 00:27:56 +02:00
|
|
|
WHERE \"GroupID\" IN ($groupCSV)
|
|
|
|
")->column());
|
|
|
|
|
2012-07-01 07:55:20 +02:00
|
|
|
$denied = array_unique(DB::query("
|
|
|
|
SELECT \"Code\"
|
|
|
|
FROM \"Permission\"
|
|
|
|
WHERE \"Type\" = " . self::DENY_PERMISSION . " AND \"GroupID\" IN ($groupCSV)
|
|
|
|
")->column());
|
|
|
|
|
|
|
|
return array_diff($allowed, $denied);
|
2009-08-08 05:40:24 +02:00
|
|
|
}
|
2012-07-01 07:55:20 +02:00
|
|
|
|
|
|
|
return array();
|
2009-07-31 07:36:50 +02:00
|
|
|
}
|
|
|
|
|
2007-09-14 19:44:33 +02:00
|
|
|
|
2007-07-19 12:40:28 +02:00
|
|
|
/**
|
|
|
|
* Get the list of groups that the given member belongs to.
|
2007-09-16 16:32:54 +02:00
|
|
|
*
|
|
|
|
* Call without an argument to get the groups that the current member
|
|
|
|
* belongs to. In this case, the results will be session-cached.
|
|
|
|
*
|
|
|
|
* @param int $memberID The ID of the member. Leave blank for the current
|
|
|
|
* member.
|
|
|
|
* @return array Returns a list of group IDs to which the member belongs
|
|
|
|
* to or NULL.
|
2007-07-19 12:40:28 +02:00
|
|
|
*/
|
2007-09-16 16:42:40 +02:00
|
|
|
public static function groupList($memberID = null) {
|
2007-07-19 12:40:28 +02:00
|
|
|
// Default to current member, with session-caching
|
|
|
|
if(!$memberID) {
|
|
|
|
$member = Member::currentUser();
|
2007-09-16 16:32:54 +02:00
|
|
|
if($member && isset($_SESSION['Permission_groupList'][$member->ID]))
|
|
|
|
return $_SESSION['Permission_groupList'][$member->ID];
|
2007-07-19 12:40:28 +02:00
|
|
|
} else {
|
|
|
|
$member = DataObject::get_by_id("Member", $memberID);
|
|
|
|
}
|
2007-09-14 19:44:33 +02:00
|
|
|
|
2007-07-19 12:40:28 +02:00
|
|
|
if($member) {
|
2007-09-16 16:32:54 +02:00
|
|
|
// Build a list of the IDs of the groups. Most of the heavy lifting
|
|
|
|
// is done by Member::Groups
|
|
|
|
// NOTE: This isn't effecient; but it's called once per session so
|
|
|
|
// it's a low priority to fix.
|
2007-07-19 12:40:28 +02:00
|
|
|
$groups = $member->Groups();
|
2007-09-15 01:12:22 +02:00
|
|
|
$groupList = array();
|
|
|
|
|
|
|
|
if($groups) {
|
|
|
|
foreach($groups as $group)
|
|
|
|
$groupList[] = $group->ID;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// Session caching
|
2007-07-19 12:40:28 +02:00
|
|
|
if(!$memberID) {
|
|
|
|
$_SESSION['Permission_groupList'][$member->ID] = $groupList;
|
|
|
|
}
|
|
|
|
|
|
|
|
return isset($groupList) ? $groupList : null;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2007-09-16 16:32:54 +02:00
|
|
|
|
2007-07-19 12:40:28 +02:00
|
|
|
/**
|
|
|
|
* Grant the given permission code/arg to the given group
|
2007-09-16 16:32:54 +02:00
|
|
|
*
|
|
|
|
* @param int $groupID The ID of the group
|
|
|
|
* @param string $code The permission code
|
|
|
|
* @param string Optional: The permission argument (e.g. a page ID).
|
|
|
|
* @returns Permission Returns the new permission object.
|
2007-07-19 12:40:28 +02:00
|
|
|
*/
|
2007-09-16 16:42:40 +02:00
|
|
|
public static function grant($groupID, $code, $arg = "any") {
|
2007-07-19 12:40:28 +02:00
|
|
|
$perm = new Permission();
|
|
|
|
$perm->GroupID = $groupID;
|
|
|
|
$perm->Code = $code;
|
2007-09-16 16:58:27 +02:00
|
|
|
$perm->Type = self::GRANT_PERMISSION;
|
|
|
|
|
|
|
|
// Arg component
|
|
|
|
switch($arg) {
|
|
|
|
case "any":
|
|
|
|
break;
|
|
|
|
case "all":
|
|
|
|
$perm->Arg = -1;
|
|
|
|
default:
|
|
|
|
if(is_numeric($arg)) {
|
|
|
|
$perm->Arg = $arg;
|
|
|
|
} else {
|
2009-03-25 23:30:29 +01:00
|
|
|
user_error("Permission::checkMember: bad arg '$arg'",
|
2007-09-16 16:58:27 +02:00
|
|
|
E_USER_ERROR);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
$perm->write();
|
|
|
|
return $perm;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Deny the given permission code/arg to the given group
|
|
|
|
*
|
|
|
|
* @param int $groupID The ID of the group
|
|
|
|
* @param string $code The permission code
|
|
|
|
* @param string Optional: The permission argument (e.g. a page ID).
|
|
|
|
* @returns Permission Returns the new permission object.
|
|
|
|
*/
|
|
|
|
public static function deny($groupID, $code, $arg = "any") {
|
|
|
|
$perm = new Permission();
|
|
|
|
$perm->GroupID = $groupID;
|
|
|
|
$perm->Code = $code;
|
|
|
|
$perm->Type = self::DENY_PERMISSION;
|
2007-07-19 12:40:28 +02:00
|
|
|
|
|
|
|
// Arg component
|
|
|
|
switch($arg) {
|
2007-09-16 16:32:54 +02:00
|
|
|
case "any":
|
|
|
|
break;
|
|
|
|
case "all":
|
|
|
|
$perm->Arg = -1;
|
|
|
|
default:
|
|
|
|
if(is_numeric($arg)) {
|
|
|
|
$perm->Arg = $arg;
|
|
|
|
} else {
|
2009-03-25 23:30:29 +01:00
|
|
|
user_error("Permission::checkMember: bad arg '$arg'",
|
2007-09-16 16:32:54 +02:00
|
|
|
E_USER_ERROR);
|
|
|
|
}
|
2007-07-19 12:40:28 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
$perm->write();
|
|
|
|
return $perm;
|
|
|
|
}
|
2007-09-14 19:44:33 +02:00
|
|
|
|
2007-07-19 12:40:28 +02:00
|
|
|
/**
|
|
|
|
* Returns all members for a specific permission.
|
|
|
|
*
|
2007-08-28 03:53:36 +02:00
|
|
|
* @param $code String|array Either a single permission code, or a list of permission codes
|
2011-10-26 08:09:04 +02:00
|
|
|
* @return SS_List Returns a set of member that have the specified
|
2007-09-16 16:32:54 +02:00
|
|
|
* permission.
|
2007-07-19 12:40:28 +02:00
|
|
|
*/
|
2007-09-16 16:42:40 +02:00
|
|
|
public static function get_members_by_permission($code) {
|
2010-04-12 03:45:52 +02:00
|
|
|
$toplevelGroups = self::get_groups_by_permission($code);
|
2011-05-05 12:40:24 +02:00
|
|
|
if (!$toplevelGroups) return new ArrayList();
|
2007-09-16 16:32:54 +02:00
|
|
|
|
2010-04-12 03:45:52 +02:00
|
|
|
$groupIDs = array();
|
2007-07-19 12:40:28 +02:00
|
|
|
foreach($toplevelGroups as $group) {
|
|
|
|
$familyIDs = $group->collateFamilyIDs();
|
|
|
|
if(is_array($familyIDs)) {
|
|
|
|
$groupIDs = array_merge($groupIDs, array_values($familyIDs));
|
|
|
|
}
|
|
|
|
}
|
2007-09-16 16:32:54 +02:00
|
|
|
|
2011-05-05 12:40:24 +02:00
|
|
|
if(!count($groupIDs)) return new ArrayList();
|
2010-04-12 03:45:52 +02:00
|
|
|
|
2011-10-29 06:11:27 +02:00
|
|
|
$members = DataObject::get('Member')->where("\"Group\".\"ID\" IN (" . implode(",",$groupIDs) . ")")
|
|
|
|
->leftJoin("Group_Members", "\"Member\".\"ID\" = \"Group_Members\".\"MemberID\"")
|
|
|
|
->leftJoin("Group", "\"Group_Members\".\"GroupID\" = \"Group\".\"ID\"");
|
2010-04-12 03:45:52 +02:00
|
|
|
|
2007-07-19 12:40:28 +02:00
|
|
|
return $members;
|
|
|
|
}
|
2007-09-04 05:55:02 +02:00
|
|
|
|
|
|
|
/**
|
|
|
|
* Return all of the groups that have one of the given permission codes
|
|
|
|
* @param $codes array|string Either a single permission code, or an array of permission codes
|
2011-10-26 08:09:04 +02:00
|
|
|
* @return SS_List The matching group objects
|
2007-09-04 05:55:02 +02:00
|
|
|
*/
|
2012-09-19 12:07:39 +02:00
|
|
|
public static function get_groups_by_permission($codes) {
|
2007-09-04 05:55:02 +02:00
|
|
|
if(!is_array($codes)) $codes = array($codes);
|
|
|
|
|
|
|
|
$SQLa_codes = Convert::raw2sql($codes);
|
|
|
|
$SQL_codes = join("','", $SQLa_codes);
|
|
|
|
|
2010-04-12 03:45:52 +02:00
|
|
|
// Via Roles are groups that have the permission via a role
|
2012-09-26 23:34:00 +02:00
|
|
|
return DataObject::get('Group')
|
|
|
|
->where("\"PermissionRoleCode\".\"Code\" IN ('$SQL_codes') OR \"Permission\".\"Code\" IN ('$SQL_codes')")
|
2011-10-29 06:11:27 +02:00
|
|
|
->leftJoin('Permission', "\"Permission\".\"GroupID\" = \"Group\".\"ID\"")
|
|
|
|
->leftJoin('Group_Roles', "\"Group_Roles\".\"GroupID\" = \"Group\".\"ID\"")
|
|
|
|
->leftJoin('PermissionRole', "\"Group_Roles\".\"PermissionRoleID\" = \"PermissionRole\".\"ID\"")
|
|
|
|
->leftJoin('PermissionRoleCode', "\"PermissionRoleCode\".\"RoleID\" = \"PermissionRole\".\"ID\"");
|
2007-09-04 05:55:02 +02:00
|
|
|
}
|
|
|
|
|
2007-09-16 16:32:54 +02:00
|
|
|
|
|
|
|
/**
|
2010-04-13 01:41:33 +02:00
|
|
|
* Get a list of all available permission codes, both defined through the
|
|
|
|
* {@link PermissionProvider} interface, and all not explicitly defined codes existing
|
|
|
|
* as a {@link Permission} database record. By default, the results are
|
|
|
|
* grouped as denoted by {@link Permission_Group}.
|
2007-09-16 16:32:54 +02:00
|
|
|
*
|
2010-04-13 01:41:33 +02:00
|
|
|
* @param bool $grouped Group results into an array of permission groups.
|
2007-09-16 16:32:54 +02:00
|
|
|
* @return array Returns an array of all available permission codes. The
|
2010-04-13 01:41:33 +02:00
|
|
|
* array indicies are the permission codes as used in
|
|
|
|
* {@link Permission::check()}. The value is a description
|
|
|
|
* suitable for using in an interface.
|
2007-09-16 16:32:54 +02:00
|
|
|
*/
|
2010-04-13 01:41:33 +02:00
|
|
|
public static function get_codes($grouped = true) {
|
2007-07-19 12:40:28 +02:00
|
|
|
$classes = ClassInfo::implementorsOf('PermissionProvider');
|
2007-09-15 23:41:54 +02:00
|
|
|
|
2007-07-19 12:40:28 +02:00
|
|
|
$allCodes = array();
|
2010-02-22 11:02:10 +01:00
|
|
|
$adminCategory = _t('Permission.AdminGroup', 'Administrator');
|
|
|
|
$allCodes[$adminCategory]['ADMIN'] = array(
|
2009-10-29 00:03:35 +01:00
|
|
|
'name' => _t('Permission.FULLADMINRIGHTS', 'Full administrative rights'),
|
2010-05-25 07:02:08 +02:00
|
|
|
'help' => _t(
|
|
|
|
'Permission.FULLADMINRIGHTS_HELP',
|
|
|
|
'Implies and overrules all other assigned permissions.'
|
|
|
|
),
|
2009-10-29 01:55:20 +01:00
|
|
|
'sort' => 100000
|
2009-10-29 00:03:35 +01:00
|
|
|
);
|
2010-04-12 03:47:48 +02:00
|
|
|
|
2008-02-25 03:10:37 +01:00
|
|
|
if($classes) foreach($classes as $class) {
|
2007-07-19 12:40:28 +02:00
|
|
|
$SNG = singleton($class);
|
2008-10-09 20:16:13 +02:00
|
|
|
if($SNG instanceof TestOnly) continue;
|
2009-10-29 00:03:35 +01:00
|
|
|
|
2007-07-19 12:40:28 +02:00
|
|
|
$someCodes = $SNG->providePermissions();
|
2009-10-29 00:03:35 +01:00
|
|
|
if($someCodes) {
|
|
|
|
foreach($someCodes as $k => $v) {
|
|
|
|
if (is_array($v)) {
|
|
|
|
// There must be a category and name key.
|
2012-09-26 23:34:00 +02:00
|
|
|
if (!isset($v['category'])) user_error("The permission $k must have a category key",
|
|
|
|
E_USER_WARNING);
|
|
|
|
if (!isset($v['name'])) user_error("The permission $k must have a name key",
|
|
|
|
E_USER_WARNING);
|
2009-10-29 00:03:35 +01:00
|
|
|
|
2009-10-31 01:58:16 +01:00
|
|
|
if (!isset($allCodes[$v['category']])) $allCodes[$v['category']] = array();
|
2009-10-29 00:03:35 +01:00
|
|
|
|
2009-10-31 01:58:16 +01:00
|
|
|
$allCodes[$v['category']][$k] = array(
|
2009-10-29 00:03:35 +01:00
|
|
|
'name' => $v['name'],
|
|
|
|
'help' => isset($v['help']) ? $v['help'] : null,
|
|
|
|
'sort' => isset($v['sort']) ? $v['sort'] : 0
|
|
|
|
);
|
|
|
|
|
|
|
|
} else {
|
|
|
|
$allCodes['Other'][$k] = array(
|
|
|
|
'name' => $v,
|
|
|
|
'help' => null,
|
|
|
|
'sort' => 0
|
|
|
|
);
|
|
|
|
}
|
|
|
|
}
|
2007-07-19 12:40:28 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2009-10-29 01:55:20 +01:00
|
|
|
$flatCodeArray = array();
|
|
|
|
foreach($allCodes as $category) foreach($category as $code => $permission) $flatCodeArray[] = $code;
|
2010-04-13 01:41:33 +02:00
|
|
|
$otherPerms = DB::query("SELECT DISTINCT \"Code\" From \"Permission\" WHERE \"Code\" != ''")->column();
|
2009-10-29 01:55:20 +01:00
|
|
|
|
2008-02-25 03:10:37 +01:00
|
|
|
if($otherPerms) foreach($otherPerms as $otherPerm) {
|
2009-10-29 01:55:20 +01:00
|
|
|
if(!in_array($otherPerm, $flatCodeArray))
|
|
|
|
$allCodes['Other'][$otherPerm] = array(
|
|
|
|
'name' => $otherPerm,
|
|
|
|
'help' => null,
|
|
|
|
'sort' => 0
|
|
|
|
);
|
2009-10-29 00:03:35 +01:00
|
|
|
}
|
2010-04-12 03:47:48 +02:00
|
|
|
|
|
|
|
// Don't let people hijack ADMIN rights
|
|
|
|
if(!Permission::check("ADMIN")) unset($allCodes['ADMIN']);
|
2009-10-29 00:03:35 +01:00
|
|
|
|
|
|
|
ksort($allCodes);
|
|
|
|
|
2010-04-13 01:41:33 +02:00
|
|
|
$returnCodes = array();
|
2009-10-29 00:03:35 +01:00
|
|
|
foreach($allCodes as $category => $permissions) {
|
2010-04-13 01:41:33 +02:00
|
|
|
if($grouped) {
|
|
|
|
uasort($permissions, array(__CLASS__, 'sort_permissions'));
|
|
|
|
$returnCodes[$category] = $permissions;
|
|
|
|
} else {
|
|
|
|
$returnCodes = array_merge($returnCodes, $permissions);
|
|
|
|
}
|
2007-07-19 12:40:28 +02:00
|
|
|
}
|
|
|
|
|
2010-04-13 01:41:33 +02:00
|
|
|
return $returnCodes;
|
2007-07-19 12:40:28 +02:00
|
|
|
}
|
2009-10-29 00:03:35 +01:00
|
|
|
|
|
|
|
/**
|
|
|
|
* Sort permissions based on their sort value, or name
|
|
|
|
*
|
|
|
|
*/
|
2012-09-19 12:07:39 +02:00
|
|
|
public static function sort_permissions($a, $b) {
|
2009-10-29 00:03:35 +01:00
|
|
|
if ($a['sort'] == $b['sort']) {
|
|
|
|
// Same sort value, do alpha instead
|
|
|
|
return strcmp($a['name'], $b['name']);
|
|
|
|
} else {
|
|
|
|
// Just numeric.
|
|
|
|
return $a['sort'] < $b['sort'] ? -1 : 1;
|
|
|
|
}
|
|
|
|
}
|
2009-11-21 02:44:52 +01:00
|
|
|
|
|
|
|
/**
|
|
|
|
* add a permission represented by the $code to the {@link slef::$hidden_permissions} list
|
|
|
|
*
|
2013-03-21 19:48:54 +01:00
|
|
|
* @deprecated 3.1 Use "Permission.hidden_permissions" config setting instead
|
2009-11-21 02:44:52 +01:00
|
|
|
* @param $code string - the permissions code
|
|
|
|
* @return void
|
|
|
|
*/
|
2012-09-19 12:07:39 +02:00
|
|
|
public static function add_to_hidden_permissions($code){
|
2013-03-21 19:48:54 +01:00
|
|
|
if(is_string($codes)) $codes = array($codes);
|
|
|
|
Deprecation::notice('3.2', 'Use "Permission.hidden_permissions" config setting instead');
|
|
|
|
Config::inst()->update('Permission', 'hidden_permissions', $codes);
|
2009-11-21 02:44:52 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* remove a permission represented by the $code from the {@link slef::$hidden_permissions} list
|
|
|
|
*
|
2013-03-21 19:48:54 +01:00
|
|
|
* @deprecated 3.1 Use "Permission.hidden_permissions" config setting instead
|
2009-11-21 02:44:52 +01:00
|
|
|
* @param $code string - the permissions code
|
|
|
|
* @return void
|
|
|
|
*/
|
2012-09-19 12:07:39 +02:00
|
|
|
public static function remove_from_hidden_permissions($code){
|
2013-03-21 19:48:54 +01:00
|
|
|
if(is_string($codes)) $codes = array($codes);
|
|
|
|
Deprecation::notice('3.2', 'Use "Permission.hidden_permissions" config setting instead');
|
|
|
|
Config::inst()->remove('Permission', 'hidden_permissions', $codes);
|
2009-11-21 02:44:52 +01:00
|
|
|
}
|
2007-09-16 16:32:54 +02:00
|
|
|
|
2007-09-16 04:15:16 +02:00
|
|
|
/**
|
2007-09-16 16:32:54 +02:00
|
|
|
* Declare an array of permissions for the system.
|
|
|
|
*
|
|
|
|
* Permissions can be grouped by nesting arrays. Scalar values are always
|
|
|
|
* treated as permissions.
|
|
|
|
*
|
2013-03-21 19:48:54 +01:00
|
|
|
* @deprecated 3.2 Use "Permission.declared_permissions" config setting instead
|
2007-09-16 16:32:54 +02:00
|
|
|
* @param array $permArray A (possibly nested) array of permissions to
|
|
|
|
* declare for the system.
|
2007-09-16 04:15:16 +02:00
|
|
|
*/
|
2012-09-19 12:07:39 +02:00
|
|
|
public static function declare_permissions($permArray) {
|
2013-03-21 19:48:54 +01:00
|
|
|
Deprecation::notice('3.2', 'Use "Permission.declared_permissions" config setting instead');
|
|
|
|
self::config()->declared_permissions = $permArray;
|
2007-09-16 04:15:16 +02:00
|
|
|
}
|
2007-09-16 16:32:54 +02:00
|
|
|
|
|
|
|
|
2007-09-16 04:15:16 +02:00
|
|
|
/**
|
|
|
|
* Get a linear list of the permissions in the system.
|
2007-09-16 16:32:54 +02:00
|
|
|
*
|
|
|
|
* @return array Linear list of declared permissions in the system.
|
2007-09-16 04:15:16 +02:00
|
|
|
*/
|
2007-09-16 16:42:40 +02:00
|
|
|
public static function get_declared_permissions_list() {
|
2007-09-16 16:32:54 +02:00
|
|
|
if(!self::$declared_permissions)
|
|
|
|
return null;
|
|
|
|
|
|
|
|
if(self::$declared_permissions_list)
|
|
|
|
return self::$declared_permissions_list;
|
|
|
|
|
2007-09-16 04:15:16 +02:00
|
|
|
self::$declared_permissions_list = array();
|
2007-09-16 16:32:54 +02:00
|
|
|
|
|
|
|
self::traverse_declared_permissions(self::$declared_permissions,
|
|
|
|
self::$declared_permissions_list);
|
|
|
|
|
2007-09-16 04:15:16 +02:00
|
|
|
return self::$declared_permissions_list;
|
|
|
|
}
|
2007-09-16 16:32:54 +02:00
|
|
|
|
2008-08-11 04:25:44 +02:00
|
|
|
/**
|
|
|
|
* Look up the human-readable title for the permission as defined by <code>Permission::declare_permissions</code>
|
|
|
|
*
|
|
|
|
* @param $perm Permission code
|
|
|
|
* @return Label for the given permission, or the permission itself if the label doesn't exist
|
|
|
|
*/
|
|
|
|
public static function get_label_for_permission($perm) {
|
|
|
|
$list = self::get_declared_permissions_list();
|
|
|
|
if(array_key_exists($perm, $list)) return $list[$perm];
|
|
|
|
return $perm;
|
|
|
|
}
|
2007-09-16 16:32:54 +02:00
|
|
|
|
2007-09-16 04:15:16 +02:00
|
|
|
/**
|
2007-09-16 16:32:54 +02:00
|
|
|
* Recursively traverse the nested list of declared permissions and create
|
|
|
|
* a linear list.
|
|
|
|
*
|
|
|
|
* @param aeeay $declared Nested structure of permissions.
|
|
|
|
* @param $list List of permissions in the structure. The result will be
|
|
|
|
* written to this array.
|
2007-09-16 04:15:16 +02:00
|
|
|
*/
|
2012-09-26 23:34:00 +02:00
|
|
|
protected static function traverse_declared_permissions($declared, &$list) {
|
2007-09-16 16:32:54 +02:00
|
|
|
if(!is_array($declared))
|
|
|
|
return;
|
|
|
|
|
2007-09-16 04:15:16 +02:00
|
|
|
foreach($declared as $perm => $value) {
|
|
|
|
if($value instanceof Permission_Group) {
|
|
|
|
$list[] = $value->getName();
|
2007-09-16 16:22:26 +02:00
|
|
|
self::traverse_declared_permissions($value->getPermissions(), $list);
|
2007-09-16 16:32:54 +02:00
|
|
|
} else {
|
|
|
|
$list[$perm] = $value;
|
|
|
|
}
|
2007-09-16 04:15:16 +02:00
|
|
|
}
|
|
|
|
}
|
2009-02-02 00:49:53 +01:00
|
|
|
|
|
|
|
public function onBeforeWrite() {
|
|
|
|
parent::onBeforeWrite();
|
|
|
|
|
|
|
|
// Just in case we've altered someone's permissions
|
|
|
|
Permission::flush_permission_cache();
|
|
|
|
}
|
2012-02-11 03:08:39 +01:00
|
|
|
|
2012-02-21 01:36:34 +01:00
|
|
|
public static function get_template_global_variables() {
|
2012-02-11 03:08:39 +01:00
|
|
|
return array(
|
|
|
|
'HasPerm' => 'check'
|
|
|
|
);
|
|
|
|
}
|
2007-07-19 12:40:28 +02:00
|
|
|
}
|
|
|
|
|
2007-09-16 16:32:54 +02:00
|
|
|
|
|
|
|
/**
|
|
|
|
* Permission_Group class
|
|
|
|
*
|
|
|
|
* This class is used to group permissions together for showing on an
|
|
|
|
* interface.
|
2012-04-12 08:02:46 +02:00
|
|
|
* @package framework
|
2008-02-25 03:10:37 +01:00
|
|
|
* @subpackage security
|
2007-09-16 16:32:54 +02:00
|
|
|
*/
|
2007-09-16 04:15:16 +02:00
|
|
|
class Permission_Group {
|
2007-09-16 16:32:54 +02:00
|
|
|
|
|
|
|
/**
|
|
|
|
* Name of the permission group (can be used as label in an interface)
|
|
|
|
* @var string
|
|
|
|
*/
|
2007-09-16 04:15:16 +02:00
|
|
|
protected $name;
|
2007-09-16 16:32:54 +02:00
|
|
|
|
|
|
|
/**
|
|
|
|
* Associative array of permissions in this permission group. The array
|
|
|
|
* indicies are the permission codes as used in
|
|
|
|
* {@link Permission::check()}. The value is suitable for using in an
|
|
|
|
* interface.
|
|
|
|
* @var string
|
|
|
|
*/
|
2007-09-16 04:15:16 +02:00
|
|
|
protected $permissions = array();
|
2007-09-16 16:32:54 +02:00
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Constructor
|
|
|
|
*
|
|
|
|
* @param string $name Text that could be used as label used in an
|
|
|
|
* interface
|
|
|
|
* @param array $permissions Associative array of permissions in this
|
|
|
|
* permission group. The array indicies are the
|
|
|
|
* permission codes as used in
|
|
|
|
* {@link Permission::check()}. The value is
|
|
|
|
* suitable for using in an interface.
|
|
|
|
*/
|
2007-09-16 16:42:40 +02:00
|
|
|
public function __construct($name, $permissions) {
|
2007-09-16 04:15:16 +02:00
|
|
|
$this->name = $name;
|
|
|
|
$this->permissions = $permissions;
|
|
|
|
}
|
2007-09-16 16:32:54 +02:00
|
|
|
|
|
|
|
/**
|
|
|
|
* Get the name of the permission group
|
|
|
|
*
|
|
|
|
* @return string Name (label) of the permission group
|
|
|
|
*/
|
2007-09-16 16:42:40 +02:00
|
|
|
public function getName() {
|
2007-09-16 04:15:16 +02:00
|
|
|
return $this->name;
|
|
|
|
}
|
2007-09-16 16:32:54 +02:00
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Get permissions
|
|
|
|
*
|
|
|
|
* @return array Associative array of permissions in this permission
|
|
|
|
* group. The array indicies are the permission codes as
|
|
|
|
* used in {@link Permission::check()}. The value is
|
|
|
|
* suitable for using in an interface.
|
|
|
|
*/
|
2007-09-16 16:42:40 +02:00
|
|
|
public function getPermissions() {
|
2007-09-16 04:15:16 +02:00
|
|
|
return $this->permissions;
|
|
|
|
}
|
|
|
|
}
|
2007-09-16 16:32:54 +02:00
|
|
|
|
2012-02-12 21:22:11 +01:00
|
|
|
|