silverstripe-framework/src/Security/PermissionRole.php

116 lines
3.3 KiB
PHP
Raw Normal View History

<?php
2016-06-23 01:37:22 +02:00
namespace SilverStripe\Security;
use SilverStripe\ORM\DataObject;
2016-06-23 01:37:22 +02:00
use SilverStripe\ORM\HasManyList;
use SilverStripe\ORM\ManyManyList;
/**
* A PermissionRole represents a collection of permission codes that can be applied to groups.
2014-08-15 08:53:05 +02:00
*
* Because permission codes are very granular, this lets website administrators create more
* business-oriented units of access control - Roles - and assign those to groups.
2014-08-15 08:53:05 +02:00
*
* If the <b>OnlyAdminCanApply</b> property is set to TRUE, the role can only be assigned
* to new groups by a user with ADMIN privileges. This is a simple way to prevent users
* with access to {@link SecurityAdmin} (but no ADMIN privileges) to get themselves ADMIN access
* (which might be implied by certain roles).
2014-08-15 08:53:05 +02:00
*
* @property string Title
* @property string OnlyAdminCanApply
*
* @method HasManyList Codes() List of PermissionRoleCode objects
* @method ManyManyList Groups() List of Group objects
*/
2016-11-29 00:31:16 +01:00
class PermissionRole extends DataObject
{
private static $db = [
2016-11-29 00:31:16 +01:00
"Title" => "Varchar",
"OnlyAdminCanApply" => "Boolean"
];
2016-11-29 00:31:16 +01:00
private static $has_many = [
2016-11-29 00:31:16 +01:00
"Codes" => "SilverStripe\\Security\\PermissionRoleCode",
];
2016-11-29 00:31:16 +01:00
private static $belongs_many_many = [
2016-11-29 00:31:16 +01:00
"Groups" => "SilverStripe\\Security\\Group",
];
2016-11-29 00:31:16 +01:00
private static $table_name = "PermissionRole";
private static $default_sort = '"Title"';
private static $singular_name = 'Role';
private static $plural_name = 'Roles';
public function getCMSFields()
{
$fields = parent::getCMSFields();
$fields->removeFieldFromTab('Root', 'Codes');
$fields->removeFieldFromTab('Root', 'Groups');
$fields->addFieldToTab(
'Root.Main',
$permissionField = new PermissionCheckboxSetField(
'Codes',
Permission::singleton()->i18n_plural_name(),
'SilverStripe\\Security\\PermissionRoleCode',
'RoleID'
)
);
$permissionField->setHiddenPermissions(
Permission::config()->hidden_permissions
);
return $fields;
}
public function onAfterDelete()
{
parent::onAfterDelete();
// Delete associated permission codes
$codes = $this->Codes();
foreach ($codes as $code) {
$code->delete();
}
}
public function fieldLabels($includerelations = true)
{
$labels = parent::fieldLabels($includerelations);
2017-04-20 03:15:24 +02:00
$labels['Title'] = _t('SilverStripe\\Security\\PermissionRole.Title', 'Title');
2016-11-29 00:31:16 +01:00
$labels['OnlyAdminCanApply'] = _t(
2017-04-20 03:15:24 +02:00
'SilverStripe\\Security\\PermissionRole.OnlyAdminCanApply',
2016-11-29 00:31:16 +01:00
'Only admin can apply',
'Checkbox to limit which user can apply this role'
);
return $labels;
}
public function canView($member = null)
{
return Permission::check('APPLY_ROLES', 'any', $member);
}
public function canCreate($member = null, $context = [])
2016-11-29 00:31:16 +01:00
{
return Permission::check('APPLY_ROLES', 'any', $member);
}
public function canEdit($member = null)
{
return Permission::check('APPLY_ROLES', 'any', $member);
}
public function canDelete($member = null)
{
return Permission::check('APPLY_ROLES', 'any', $member);
}
}