BUGFIX Don't require ADMIN permissions to view an administrators group; instead, interfaces such as SecurityAdmin render it read-only

ENHANCEMENT Modified Group->canEdit() to check for CMS_ACCESS_SecurityAdmin permissions codes (see r70697)
BUGFIX Using canView() instead of canEdit() in Group->AllChildrenIncludingDeleted()

git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@71320 467b73ca-7a2a-4603-9d3b-597d59a354a9
Ingo Schommer 2009-02-03 22:44:11 +00:00
parent 0a0ce99f5c
commit 4822c68947


@ -271,19 +271,46 @@ class Group extends DataObject {
} }
} }
public function canEdit() { /**
if($this->hasMethod('alternateCanEdit')) return $this->alternateCanEdit(); * Checks for permission-code CMS_ACCESS_SecurityAdmin.
else { * If the group has ADMIN permissions, it requires the user to have ADMIN permissions as well.
return Permission::check("ADMIN") *
|| (Member::currentUserID() && !DataObject::get("Permission", "GroupID = $this->ID AND Code = 'ADMIN'")); * @param $member Member
* @return boolean
*/
public function canEdit($member = null) {
if(!$member || !(is_a($member, 'Member')) || is_numeric($member)) $member = Member::currentUser();
if($this->hasMethod('alternateCanEdit')) {
return $this->alternateCanEdit($member);
} else {
return (
// either we have an ADMIN
(bool)Permission::checkMember($member, "ADMIN")
|| (
// or a privileged CMS user and a group without ADMIN permissions.
// without this check, a user would be able to add himself to an administrators group
// with just access to the "Security" admin interface
Permission::checkMember($member, "CMS_ACCESS_SecurityAdmin") &&
!DataObject::get("Permission", "GroupID = $this->ID AND Code = 'ADMIN'")
)
);
} }
} }
public function canView() { /**
if($this->hasMethod('alternateCanView')) return $this->alternateCanView(); * Checks for permission-code CMS_ACCESS_SecurityAdmin.
else { *
return Permission::check("ADMIN") * @param $member Member
|| (Member::currentUserID() && !DataObject::get("Permission", "GroupID = $this->ID AND Code = 'ADMIN'")); * @return boolean
*/
public function canView($member = null) {
if(!$member || !(is_a($member, 'Member')) || is_numeric($member)) $member = Member::currentUser();
if($this->hasMethod('alternateCanView')) {
return $this->alternateCanView($member);
} else {
return (bool)Permission::checkMember($member, "CMS_ACCESS_SecurityAdmin");
} }
} }
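Review bot: The ADMIN-membership guard in the new canEdit() only looks for a Permission row with `GroupID = $this->ID` on this group itself, so a group nested beneath an administrators group is still editable by a CMS_ACCESS_SecurityAdmin holder; if permission codes are inherited down the group hierarchy (which this hunk cannot confirm), that user can add themselves to such a child group and pick up ADMIN — the escalation the inline comment says it prevents. A safer check also considers the group's ancestors, and at minimum the id should be cast before being interpolated into the filter string, `"GroupID = " . (int)$this->ID . " AND Code = 'ADMIN'"`. Separately, the `$member` normalisation at the top of both methods replaces a numeric member ID with `Member::currentUser()` rather than loading that member, so `canEdit(42)` answers for the logged-in user instead of member 42; the numeric branch should do `$member = DataObject::get_by_id('Member', $member);`. canView() now returns true for any CMS_ACCESS_SecurityAdmin holder even on ADMIN groups, which matches the commit's read-only intent only if every interface actually gates writes on canEdit().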
@ -296,7 +323,7 @@ class Group extends DataObject {
$filteredChildren = new DataObjectSet(); $filteredChildren = new DataObjectSet();
if($children) foreach($children as $child) { if($children) foreach($children as $child) {
if($child->canEdit()) $filteredChildren->push($child); if($child->canView()) $filteredChildren->push($child);
} }
return $filteredChildren; return $filteredChildren;