tonyair/silverstripe-framework
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-framework synced 2024-10-22 12:05:37 +00:00
Code Issues Projects Releases Wiki Activity

BUGFIX Restored old permission code model, broken due to new controller structure. Introduced LeftAndMain::$required_permission_codes as a way to control permissions independently of subclasses, and "cluster" multiple classes under a single code.

Browse Source
This commit is contained in:
Ingo Schommer 2012-03-05 16:07:20 +01:00
parent bfd7adc666
commit 2abb021efb
5 changed files with 65 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
admin/code/CMSProfileController.php
View File

@ -2,6 +2,7 @@
class CMSProfileController extends LeftAndMain { class CMSProfileController extends LeftAndMain {
static $url_segment = 'myprofile'; static $url_segment = 'myprofile';
static $required_permission_codes = false;
public function index($request) { public function index($request) {
$form = $this->Member_ProfileForm(); $form = $this->Member_ProfileForm();

63
admin/code/LeftAndMain.php
View File

@ -9,7 +9,7 @@
* @package cms * @package cms
* @subpackage core * @subpackage core
*/ */
class LeftAndMain extends Controller { class LeftAndMain extends Controller implements PermissionProvider {
/** /**
* The 'base' url for CMS administration areas. * The 'base' url for CMS administration areas.
@ -83,6 +83,15 @@ class LeftAndMain extends Controller {
'BatchActionsForm', 'BatchActionsForm',
'Member_ProfileForm', 'Member_ProfileForm',
); );
/**
* @var Array Codes which are required from the current user to view this controller.
* If multiple codes are provided, all of them are required.
* All CMS controllers require "CMS_ACCESS_LeftAndMain" as a baseline check,
* and fall back to "CMS_ACCESS_<class>" if no permissions are defined here.
* See {@link canView()} for more details on permission checks.
*/
static $required_permission_codes;
/** /**
* Register additional requirements through the {@link Requirements} class. * Register additional requirements through the {@link Requirements} class.
@ -99,13 +108,10 @@ class LeftAndMain extends Controller {
/** /**
* @param Member $member * @param Member $member
*
* @return boolean * @return boolean
*/ */
function canView($member = null) { function canView($member = null) {
if(!$member && $member !== FALSE) { if(!$member && $member !== FALSE) $member = Member::currentUser();
$member = Member::currentUser();
}
// cms menus only for logged-in members // cms menus only for logged-in members
if(!$member) return false; if(!$member) return false;
@ -115,12 +121,18 @@ class LeftAndMain extends Controller {
$alternateAllowed = $this->alternateAccessCheck(); $alternateAllowed = $this->alternateAccessCheck();
if($alternateAllowed === FALSE) return false; if($alternateAllowed === FALSE) return false;
} }
// Default security check for LeftAndMain sub-class permissions // Check for "CMS admin" permission
if(!Permission::checkMember($member, "CMS_ACCESS_$this->class") && if(Permission::checkMember($member, "CMS_ACCESS_LeftAndMain")) return true;
!Permission::checkMember($member, "CMS_ACCESS_LeftAndMain")) {
return false; // Check for LeftAndMain sub-class permissions
$codes = array();
$extraCodes = $this->stat('required_permission_codes');
if($extraCodes !== false) { // allow explicit FALSE to disable subclass check
if($extraCodes) $codes = array_merge($codes, (array)$extraCodes);
else $codes[] = "CMS_ACCESS_$this->class";
} }
foreach($codes as $code) if(!Permission::checkMember($member, $code)) return false;
return true; return true;
} }
@ -1313,6 +1325,37 @@ class LeftAndMain extends Controller {
function Locale() { function Locale() {
return DBField::create('DBLocale', $this->i18nLocale()); return DBField::create('DBLocale', $this->i18nLocale());
} }
function providePermissions() {
$perms = array(
"CMS_ACCESS_LeftAndMain" => array(
'name' => _t('CMSMain.ACCESSALLINTERFACES', 'Access to all CMS sections'),
'category' => _t('Permission.CMS_ACCESS_CATEGORY', 'CMS Access'),
'help' => _t('CMSMain.ACCESSALLINTERFACESHELP', 'Overrules more specific access settings.'),
'sort' => -100
)
);
// Add any custom ModelAdmin subclasses. Can't put this on ModelAdmin itself
// since its marked abstract, and needs to be singleton instanciated.
foreach(ClassInfo::subclassesFor('ModelAdmin') as $i => $class) {
if($class == 'ModelAdmin') continue;
if(ClassInfo::classImplements($class, 'TestOnly')) continue;
$title = _t("{$class}.MENUTITLE", LeftAndMain::menu_title_for_class($class));
$perms["CMS_ACCESS_" . $class] = array(
'name' => sprintf(_t(
'CMSMain.ACCESS',
"Access to '%s' section",
PR_MEDIUM,
"Item in permission selection identifying the admin section. Example: Access to 'Files & Images'"
), $title, null),
'category' => _t('Permission.CMS_ACCESS_CATEGORY', 'CMS Access')
);
}
return $perms;
}
/** /**
* Register the given javascript file as required in the CMS. * Register the given javascript file as required in the CMS.

11
admin/code/SecurityAdmin.php
View File

@ -277,7 +277,16 @@ class SecurityAdmin extends LeftAndMain implements PermissionProvider {
} }
function providePermissions() { function providePermissions() {
$title = _t("SecurityAdmin.MENUTITLE", LeftAndMain::menu_title_for_class($this->class));
return array( return array(
"CMS_ACCESS_SecurityAdmin" => array(
'name' => sprintf(_t('CMSMain.ACCESS', "Access to '%s' section"), $title),
'category' => _t('Permission.CMS_ACCESS_CATEGORY', 'CMS Access'),
'help' => _t(
'SecurityAdmin.ACCESS_HELP',
'Allow viewing, adding and editing users, as well as assigning permissions and roles to them.'
)
),
'EDIT_PERMISSIONS' => array( 'EDIT_PERMISSIONS' => array(
'name' => _t('SecurityAdmin.EDITPERMISSIONS', 'Manage permissions for groups'), 'name' => _t('SecurityAdmin.EDITPERMISSIONS', 'Manage permissions for groups'),
'category' => _t('Permissions.PERMISSIONS_CATEGORY', 'Roles and access permissions'), 'category' => _t('Permissions.PERMISSIONS_CATEGORY', 'Roles and access permissions'),
@ -287,7 +296,7 @@ class SecurityAdmin extends LeftAndMain implements PermissionProvider {
'APPLY_ROLES' => array( 'APPLY_ROLES' => array(
'name' => _t('SecurityAdmin.APPLY_ROLES', 'Apply roles to groups'), 'name' => _t('SecurityAdmin.APPLY_ROLES', 'Apply roles to groups'),
'category' => _t('Permissions.PERMISSIONS_CATEGORY', 'Roles and access permissions'), 'category' => _t('Permissions.PERMISSIONS_CATEGORY', 'Roles and access permissions'),
'help' => _t('SecurityAdmin.APPLY_ROLES_HELP', 'Ability to edit the roles assigned to a group. Requires the "Access to \'Security\' section" permission.'), 'help' => _t('SecurityAdmin.APPLY_ROLES_HELP', 'Ability to edit the roles assigned to a group. Requires the "Access to \'Users\' section" permission.'),
'sort' => 0 'sort' => 0
) )
); );

2
lang/en_US.php
View File

@ -716,7 +716,7 @@ $lang['en_US']['Security']['PASSWORDSENTHEADER'] = 'Password reset link sent to
$lang['en_US']['Security']['PASSWORDSENTTEXT'] = 'Thank you! A reset link has been sent to \'%s\', provided an account exists for this email address.'; $lang['en_US']['Security']['PASSWORDSENTTEXT'] = 'Thank you! A reset link has been sent to \'%s\', provided an account exists for this email address.';
$lang['en_US']['SecurityAdmin']['ADDMEMBER'] = 'Add Member'; $lang['en_US']['SecurityAdmin']['ADDMEMBER'] = 'Add Member';
$lang['en_US']['SecurityAdmin']['APPLY_ROLES'] = 'Apply roles to groups'; $lang['en_US']['SecurityAdmin']['APPLY_ROLES'] = 'Apply roles to groups';
$lang['en_US']['SecurityAdmin']['APPLY_ROLES_HELP'] = 'Ability to edit the roles assigned to a group. Requires the "Access to \'Security\' section" permission.'; $lang['en_US']['SecurityAdmin']['APPLY_ROLES_HELP'] = 'Ability to edit the roles assigned to a group. Requires the "Access to \'Users\' section" permission.';
$lang['en_US']['SecurityAdmin']['EDITPERMISSIONS'] = 'Manage permissions for groups'; $lang['en_US']['SecurityAdmin']['EDITPERMISSIONS'] = 'Manage permissions for groups';
$lang['en_US']['SecurityAdmin']['EDITPERMISSIONS_HELP'] = 'Ability to edit Permissions and IP Addresses for a group. Requires the "Access to \'Security\' section" permission.'; $lang['en_US']['SecurityAdmin']['EDITPERMISSIONS_HELP'] = 'Ability to edit Permissions and IP Addresses for a group. Requires the "Access to \'Security\' section" permission.';
$lang['en_US']['SecurityAdmin']['GROUPNAME'] = 'Group name'; $lang['en_US']['SecurityAdmin']['GROUPNAME'] = 'Group name';

1
security/Group.php
View File

@ -431,7 +431,6 @@ class Group extends DataObject {
$authorGroup->write(); $authorGroup->write();
Permission::grant($authorGroup->ID, 'CMS_ACCESS_CMSMain'); Permission::grant($authorGroup->ID, 'CMS_ACCESS_CMSMain');
Permission::grant($authorGroup->ID, 'CMS_ACCESS_AssetAdmin'); Permission::grant($authorGroup->ID, 'CMS_ACCESS_AssetAdmin');
Permission::grant($authorGroup->ID, 'CMS_ACCESS_CommentAdmin');
Permission::grant($authorGroup->ID, 'CMS_ACCESS_ReportAdmin'); Permission::grant($authorGroup->ID, 'CMS_ACCESS_ReportAdmin');
Permission::grant($authorGroup->ID, 'SITETREE_REORGANISE'); Permission::grant($authorGroup->ID, 'SITETREE_REORGANISE');
} }