tonyair/silverstripe-framework
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-framework synced 2024-10-22 14:05:37 +02:00
Code Issues Projects Releases Wiki Activity

NEW add OnlyTheseMembers Inherited Permission type

Browse Source
This commit is contained in:
Andrew Paxley 2023-06-14 13:48:46 +12:00
parent 66f2df2571
commit 34019426dd
4 changed files with 139 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

89
src/Security/InheritedPermissions.php
View File

@ -25,37 +25,43 @@ class InheritedPermissions implements PermissionChecker, MemberCacheFlusher
/** /**
* Delete permission * Delete permission
*/ */
const DELETE = 'delete'; public const DELETE = 'delete';
/** /**
* View permission * View permission
*/ */
const VIEW = 'view'; public const VIEW = 'view';
/** /**
* Edit permission * Edit permission
*/ */
const EDIT = 'edit'; public const EDIT = 'edit';
/** /**
* Anyone canView permission * Anyone canView permission
*/ */
const ANYONE = 'Anyone'; public const ANYONE = 'Anyone';
/** /**
* Restrict to logged in users * Restrict to logged in users
*/ */
const LOGGED_IN_USERS = 'LoggedInUsers'; public const LOGGED_IN_USERS = 'LoggedInUsers';
/** /**
* @TODO - rename this to ONLY_THESE_GROUPS
* Restrict to specific groups * Restrict to specific groups
*/ */
const ONLY_THESE_USERS = 'OnlyTheseUsers'; public const ONLY_THESE_USERS = 'OnlyTheseUsers';
/**
* Restrict to specific members
*/
public const ONLY_THESE_MEMBERS = 'OnlyTheseMembers';
/** /**
* Inherit from parent * Inherit from parent
*/ */
const INHERIT = 'Inherit'; public const INHERIT = 'Inherit';
/** /**
* Class name * Class name
@ -359,19 +365,27 @@ class InheritedPermissions implements PermissionChecker, MemberCacheFlusher
if ($member && $member->ID) { if ($member && $member->ID) {
if (!Permission::checkMember($member, 'ADMIN')) { if (!Permission::checkMember($member, 'ADMIN')) {
// Determine if this member matches any of the group or other rules // Determine if this member matches any of the group or other rules
$groupJoinTable = $this->getJoinTable($type); $groupJoinTable = $this->getGroupJoinTable($type);
$memberJoinTable = $this->getMemberJoinTable($type);
$uninheritedPermissions = $stageRecords $uninheritedPermissions = $stageRecords
->where([ ->where([
"(\"$typeField\" IN (?, ?) OR " . "(\"$typeField\" = ? AND \"$groupJoinTable\".\"{$baseTable}ID\" IS NOT NULL))" "(\"$typeField\" IN (?, ?)"
. " OR (\"$typeField\" = ? AND \"$groupJoinTable\".\"{$baseTable}ID\" IS NOT NULL)"
. " OR (\"$typeField\" = ? AND \"$memberJoinTable\".\"{$baseTable}ID\" IS NOT NULL)"
. ")"
=> [ => [
self::ANYONE, self::ANYONE,
self::LOGGED_IN_USERS, self::LOGGED_IN_USERS,
self::ONLY_THESE_USERS self::ONLY_THESE_USERS,
self::ONLY_THESE_MEMBERS,
] ]
]) ])
->leftJoin( ->leftJoin(
$groupJoinTable, $groupJoinTable,
"\"$groupJoinTable\".\"{$baseTable}ID\" = \"{$baseTable}\".\"ID\" AND " . "\"$groupJoinTable\".\"GroupID\" IN ($groupIDsSQLList)" "\"$groupJoinTable\".\"{$baseTable}ID\" = \"{$baseTable}\".\"ID\" AND " . "\"$groupJoinTable\".\"GroupID\" IN ($groupIDsSQLList)"
)->leftJoin(
$memberJoinTable,
"\"$memberJoinTable\".\"{$baseTable}ID\" = \"{$baseTable}\".\"ID\" AND " . "\"$memberJoinTable\".\"MemberID\" = {$member->ID}"
)->column('ID'); )->column('ID');
} else { } else {
$uninheritedPermissions = $stageRecords->column('ID'); $uninheritedPermissions = $stageRecords->column('ID');
@ -632,6 +646,18 @@ class InheritedPermissions implements PermissionChecker, MemberCacheFlusher
* @return string * @return string
*/ */
protected function getJoinTable($type) protected function getJoinTable($type)
{
return $this->getGroupJoinTable($type);
}
/**
* Get group join table for type
* Defaults to those provided by {@see InheritedPermissionsExtension)
*
* @param string $type
* @return string
*/
protected function getGroupJoinTable($type)
{ {
switch ($type) { switch ($type) {
case self::DELETE: case self::DELETE:
@ -645,6 +671,27 @@ class InheritedPermissions implements PermissionChecker, MemberCacheFlusher
} }
} }
/**
* Get member join table for type
* Defaults to those provided by {@see InheritedPermissionsExtension)
*
* @param string $type
* @return string
*/
protected function getMemberJoinTable($type)
{
switch ($type) {
case self::DELETE:
// Delete uses edit type - Drop through
case self::EDIT:
return $this->getEditorMembersTable();
case self::VIEW:
return $this->getViewerMembersTable();
default:
throw new InvalidArgumentException("Invalid argument type $type");
}
}
/** /**
* Determine default permission for a givion check * Determine default permission for a givion check
* *
@ -716,6 +763,28 @@ class InheritedPermissions implements PermissionChecker, MemberCacheFlusher
return "{$table}_ViewerGroups"; return "{$table}_ViewerGroups";
} }
/**
* Get table to use for editor members relation
*
* @return string
*/
protected function getEditorMembersTable()
{
$table = DataObject::getSchema()->tableName($this->baseClass);
return "{$table}_EditorMembers";
}
/**
* Get table to use for viewer members relation
*
* @return string
*/
protected function getViewerMembersTable()
{
$table = DataObject::getSchema()->tableName($this->baseClass);
return "{$table}_ViewerMembers";
}
/** /**
* Gets the permission from cache * Gets the permission from cache
* *

10
src/Security/InheritedPermissionsExtension.php
View File

@ -12,17 +12,21 @@ use SilverStripe\ORM\ManyManyList;
* @property string $CanEditType * @property string $CanEditType
* @method ManyManyList ViewerGroups() * @method ManyManyList ViewerGroups()
* @method ManyManyList EditorGroups() * @method ManyManyList EditorGroups()
* @method ManyManyList ViewerMembers()
* @method ManyManyList EditorMembers()
*/ */
class InheritedPermissionsExtension extends DataExtension class InheritedPermissionsExtension extends DataExtension
{ {
private static array $db = [ private static array $db = [
'CanViewType' => "Enum('Anyone, LoggedInUsers, OnlyTheseUsers, Inherit', 'Inherit')", 'CanViewType' => "Enum('Anyone, LoggedInUsers, OnlyTheseUsers, OnlyTheseMembers, Inherit', 'Inherit')",
'CanEditType' => "Enum('LoggedInUsers, OnlyTheseUsers, Inherit', 'Inherit')", 'CanEditType' => "Enum('LoggedInUsers, OnlyTheseUsers, OnlyTheseMembers, Inherit', 'Inherit')",
]; ];
private static array $many_many = [ private static array $many_many = [
'ViewerGroups' => Group::class, 'ViewerGroups' => Group::class,
'EditorGroups' => Group::class, 'EditorGroups' => Group::class,
'ViewerMembers' => Member::class,
'EditorMembers' => Member::class,
]; ];
private static array $defaults = [ private static array $defaults = [
@ -33,5 +37,7 @@ class InheritedPermissionsExtension extends DataExtension
private static array $cascade_duplicates = [ private static array $cascade_duplicates = [
'ViewerGroups', 'ViewerGroups',
'EditorGroups', 'EditorGroups',
'ViewerMembers',
'EditorMembers',
]; ];
} }

41
tests/php/Security/InheritedPermissionsTest.php
View File

@ -68,6 +68,7 @@ class InheritedPermissionsTest extends SapphireTest
public function testEditPermissions() public function testEditPermissions()
{ {
$editor = $this->objFromFixture(Member::class, 'editor'); $editor = $this->objFromFixture(Member::class, 'editor');
$freddie = $this->objFromFixture(Member::class, 'oneFileFreddie');
$about = $this->objFromFixture(TestPermissionNode::class, 'about'); $about = $this->objFromFixture(TestPermissionNode::class, 'about');
$aboutStaff = $this->objFromFixture(TestPermissionNode::class, 'about-staff'); $aboutStaff = $this->objFromFixture(TestPermissionNode::class, 'about-staff');
@ -75,10 +76,12 @@ class InheritedPermissionsTest extends SapphireTest
$products = $this->objFromFixture(TestPermissionNode::class, 'products'); $products = $this->objFromFixture(TestPermissionNode::class, 'products');
$product1 = $this->objFromFixture(TestPermissionNode::class, 'products-product1'); $product1 = $this->objFromFixture(TestPermissionNode::class, 'products-product1');
$product4 = $this->objFromFixture(TestPermissionNode::class, 'products-product4'); $product4 = $this->objFromFixture(TestPermissionNode::class, 'products-product4');
$freddiesFile = $this->objFromFixture(TestPermissionNode::class, 'freddies-file');
// Test logged out users cannot edit // Test logged out users cannot edit
Member::actAs(null, function () use ($aboutStaff) { Member::actAs(null, function () use ($aboutStaff, $freddiesFile) {
$this->assertFalse($aboutStaff->canEdit()); $this->assertFalse($aboutStaff->canEdit());
$this->assertFalse($freddiesFile->canEdit());
}); });
// Can't edit a page that is locked to admins // Can't edit a page that is locked to admins
@ -96,6 +99,10 @@ class InheritedPermissionsTest extends SapphireTest
// Test that root node respects root permissions // Test that root node respects root permissions
$this->assertTrue($history->canEdit($editor)); $this->assertTrue($history->canEdit($editor));
// Test that only Freddie can edit Freddie's file
$this->assertFalse($freddiesFile->canEdit($editor));
$this->assertTrue($freddiesFile->canEdit($freddie));
TestPermissionNode::getInheritedPermissions()->clearCache(); TestPermissionNode::getInheritedPermissions()->clearCache();
$this->rootPermissions->setCanEdit(false); $this->rootPermissions->setCanEdit(false);
@ -106,6 +113,7 @@ class InheritedPermissionsTest extends SapphireTest
public function testDeletePermissions() public function testDeletePermissions()
{ {
$editor = $this->objFromFixture(Member::class, 'editor'); $editor = $this->objFromFixture(Member::class, 'editor');
$freddie = $this->objFromFixture(Member::class, 'oneFileFreddie');
$about = $this->objFromFixture(TestPermissionNode::class, 'about'); $about = $this->objFromFixture(TestPermissionNode::class, 'about');
$aboutStaff = $this->objFromFixture(TestPermissionNode::class, 'about-staff'); $aboutStaff = $this->objFromFixture(TestPermissionNode::class, 'about-staff');
@ -113,10 +121,12 @@ class InheritedPermissionsTest extends SapphireTest
$products = $this->objFromFixture(TestPermissionNode::class, 'products'); $products = $this->objFromFixture(TestPermissionNode::class, 'products');
$product1 = $this->objFromFixture(TestPermissionNode::class, 'products-product1'); $product1 = $this->objFromFixture(TestPermissionNode::class, 'products-product1');
$product4 = $this->objFromFixture(TestPermissionNode::class, 'products-product4'); $product4 = $this->objFromFixture(TestPermissionNode::class, 'products-product4');
$freddiesFile = $this->objFromFixture(TestPermissionNode::class, 'freddies-file');
// Test logged out users cannot edit // Test logged out users cannot edit
Member::actAs(null, function () use ($aboutStaff) { Member::actAs(null, function () use ($aboutStaff, $freddiesFile) {
$this->assertFalse($aboutStaff->canDelete()); $this->assertFalse($aboutStaff->canDelete());
$this->assertFalse($freddiesFile->canDelete());
}); });
// Can't edit a page that is locked to admins // Can't edit a page that is locked to admins
@ -134,6 +144,10 @@ class InheritedPermissionsTest extends SapphireTest
// Test that root node respects root permissions // Test that root node respects root permissions
$this->assertTrue($history->canDelete($editor)); $this->assertTrue($history->canDelete($editor));
// Test that only Freddie can delete Freddie's file
$this->assertFalse($freddiesFile->canDelete($editor));
$this->assertTrue($freddiesFile->canDelete($freddie));
TestPermissionNode::getInheritedPermissions()->clearCache(); TestPermissionNode::getInheritedPermissions()->clearCache();
$this->rootPermissions->setCanEdit(false); $this->rootPermissions->setCanEdit(false);
@ -150,14 +164,17 @@ class InheritedPermissionsTest extends SapphireTest
$secretNested = $this->objFromFixture(TestPermissionNode::class, 'secret-nested'); $secretNested = $this->objFromFixture(TestPermissionNode::class, 'secret-nested');
$protected = $this->objFromFixture(TestPermissionNode::class, 'protected'); $protected = $this->objFromFixture(TestPermissionNode::class, 'protected');
$protectedChild = $this->objFromFixture(TestPermissionNode::class, 'protected-child'); $protectedChild = $this->objFromFixture(TestPermissionNode::class, 'protected-child');
$editor = $this->objFromFixture(Member::class, 'editor');
$restricted = $this->objFromFixture(TestPermissionNode::class, 'restricted-page'); $restricted = $this->objFromFixture(TestPermissionNode::class, 'restricted-page');
$freddiesFile = $this->objFromFixture(TestPermissionNode::class, 'freddies-file');
$editor = $this->objFromFixture(Member::class, 'editor');
$admin = $this->objFromFixture(Member::class, 'admin'); $admin = $this->objFromFixture(Member::class, 'admin');
$freddie = $this->objFromFixture(Member::class, 'oneFileFreddie');
// Not logged in user can only access Inherit or Anyone pages // Not logged in user can only access Inherit or Anyone pages
Member::actAs( Member::actAs(
null, null,
function () use ($protectedChild, $secretNested, $protected, $secret, $history, $contact, $contactForm) { function () use ($protectedChild, $secretNested, $protected, $secret, $history, $contact, $contactForm, $freddiesFile) {
$this->assertTrue($history->canView()); $this->assertTrue($history->canView());
$this->assertTrue($contact->canView()); $this->assertTrue($contact->canView());
$this->assertTrue($contactForm->canView()); $this->assertTrue($contactForm->canView());
@ -166,6 +183,7 @@ class InheritedPermissionsTest extends SapphireTest
$this->assertFalse($secretNested->canView()); $this->assertFalse($secretNested->canView());
$this->assertFalse($protected->canView()); $this->assertFalse($protected->canView());
$this->assertFalse($protectedChild->canView()); $this->assertFalse($protectedChild->canView());
$this->assertFalse($freddiesFile->canView());
} }
); );
@ -180,6 +198,10 @@ class InheritedPermissionsTest extends SapphireTest
// Check root permissions // Check root permissions
$this->assertTrue($history->canView($editor)); $this->assertTrue($history->canView($editor));
// Test that only Freddie can view Freddie's file
$this->assertFalse($freddiesFile->canView($editor));
$this->assertTrue($freddiesFile->canView($freddie));
TestPermissionNode::getInheritedPermissions()->clearCache(); TestPermissionNode::getInheritedPermissions()->clearCache();
$this->rootPermissions->setCanView(false); $this->rootPermissions->setCanView(false);
@ -198,12 +220,16 @@ class InheritedPermissionsTest extends SapphireTest
$secretNested = $this->objFromFixture(UnstagedNode::class, 'secret-nested'); $secretNested = $this->objFromFixture(UnstagedNode::class, 'secret-nested');
$protected = $this->objFromFixture(UnstagedNode::class, 'protected'); $protected = $this->objFromFixture(UnstagedNode::class, 'protected');
$protectedChild = $this->objFromFixture(UnstagedNode::class, 'protected-child'); $protectedChild = $this->objFromFixture(UnstagedNode::class, 'protected-child');
$freddiesFile = $this->objFromFixture(UnstagedNode::class, 'freddies-file');
$editor = $this->objFromFixture(Member::class, 'editor'); $editor = $this->objFromFixture(Member::class, 'editor');
$freddie = $this->objFromFixture(Member::class, 'oneFileFreddie');
// Not logged in user can only access Inherit or Anyone pages // Not logged in user can only access Inherit or Anyone pages
Member::actAs( Member::actAs(
null, null,
function () use ($protectedChild, $secretNested, $protected, $secret, $history, $contact, $contactForm) { function () use ($protectedChild, $secretNested, $protected, $secret, $history, $contact, $contactForm, $freddiesFile) {
$this->assertTrue($history->canView()); $this->assertTrue($history->canView());
$this->assertTrue($contact->canView()); $this->assertTrue($contact->canView());
$this->assertTrue($contactForm->canView()); $this->assertTrue($contactForm->canView());
@ -212,6 +238,7 @@ class InheritedPermissionsTest extends SapphireTest
$this->assertFalse($secretNested->canView()); $this->assertFalse($secretNested->canView());
$this->assertFalse($protected->canView()); $this->assertFalse($protected->canView());
$this->assertFalse($protectedChild->canView()); $this->assertFalse($protectedChild->canView());
$this->assertFalse($freddiesFile->canView());
} }
); );
@ -226,6 +253,10 @@ class InheritedPermissionsTest extends SapphireTest
// Check root permissions // Check root permissions
$this->assertTrue($history->canView($editor)); $this->assertTrue($history->canView($editor));
// Test that only Freddie can view Freddie's file
$this->assertFalse($freddiesFile->canView($editor));
$this->assertTrue($freddiesFile->canView($freddie));
UnstagedNode::getInheritedPermissions()->clearCache(); UnstagedNode::getInheritedPermissions()->clearCache();
$this->rootPermissions->setCanView(false); $this->rootPermissions->setCanView(false);

16
tests/php/Security/InheritedPermissionsTest.yml
View File

@ -33,6 +33,10 @@ SilverStripe\Security\Member:
Groups: =>SilverStripe\Security\Group.allsections Groups: =>SilverStripe\Security\Group.allsections
securityadmin: securityadmin:
Groups: =>SilverStripe\Security\Group.securityadmins Groups: =>SilverStripe\Security\Group.securityadmins
oneFileFreddie:
FirstName: Freddie
Surname: Fantastic
Groups: =>SilverStripe\Security\Group.editors
SilverStripe\Security\Tests\InheritedPermissionsTest\TestPermissionNode: SilverStripe\Security\Tests\InheritedPermissionsTest\TestPermissionNode:
about: about:
@ -104,6 +108,12 @@ SilverStripe\Security\Tests\InheritedPermissionsTest\TestPermissionNode:
Title: Restricted Page Title: Restricted Page
CanViewType: OnlyTheseUsers CanViewType: OnlyTheseUsers
ViewerGroups: =>SilverStripe\Security\Group.allsections ViewerGroups: =>SilverStripe\Security\Group.allsections
freddies-file:
Title: Freddies File
CanViewType: OnlyTheseMembers
CanEditType: OnlyTheseMembers
ViewerMembers: =>SilverStripe\Security\Member.oneFileFreddie
EditorMembers: =>SilverStripe\Security\Member.oneFileFreddie
SilverStripe\Security\Tests\InheritedPermissionsTest\UnstagedNode: SilverStripe\Security\Tests\InheritedPermissionsTest\UnstagedNode:
about: about:
@ -175,3 +185,9 @@ SilverStripe\Security\Tests\InheritedPermissionsTest\UnstagedNode:
Title: Restricted Page Title: Restricted Page
CanViewType: OnlyTheseUsers CanViewType: OnlyTheseUsers
ViewerGroups: =>SilverStripe\Security\Group.allsections ViewerGroups: =>SilverStripe\Security\Group.allsections
freddies-file:
Title: Freddies File
CanViewType: OnlyTheseMembers
CanEditType: OnlyTheseMembers
ViewerMembers: =>SilverStripe\Security\Member.oneFileFreddie
EditorMembers: =>SilverStripe\Security\Member.oneFileFreddie