BUGFIX Don't require ADMIN permissions to view an administrators group - rather set it to readonly through interfaces like SecurityAdmin
ENHANCEMENT Modified Group->canEdit() to check for CMS_ACCESS_SecurityAdmin permission codes (see r70697) BUGFIX Using canView() instead of canEdit() in Group->AllChildrenIncludingDeleted() git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@71320 467b73ca-7a2a-4603-9d3b-597d59a354a9
This commit is contained in:
parent
0a0ce99f5c
commit
4822c68947
@ -271,19 +271,46 @@ class Group extends DataObject {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public function canEdit() {
|
/**
|
||||||
if($this->hasMethod('alternateCanEdit')) return $this->alternateCanEdit();
|
* Checks for permission-code CMS_ACCESS_SecurityAdmin.
|
||||||
else {
|
* If the group has ADMIN permissions, it requires the user to have ADMIN permissions as well.
|
||||||
return Permission::check("ADMIN")
|
*
|
||||||
|| (Member::currentUserID() && !DataObject::get("Permission", "GroupID = $this->ID AND Code = 'ADMIN'"));
|
* @param $member Member
|
||||||
|
* @return boolean
|
||||||
|
*/
|
||||||
|
public function canEdit($member = null) {
|
||||||
|
if(!$member || !(is_a($member, 'Member')) || is_numeric($member)) $member = Member::currentUser();
|
||||||
|
|
||||||
|
if($this->hasMethod('alternateCanEdit')) {
|
||||||
|
return $this->alternateCanEdit($member);
|
||||||
|
} else {
|
||||||
|
return (
|
||||||
|
// either we have an ADMIN
|
||||||
|
(bool)Permission::checkMember($member, "ADMIN")
|
||||||
|
|| (
|
||||||
|
// or a privileged CMS user and a group without ADMIN permissions.
|
||||||
|
// without this check, a user would be able to add himself to an administrators group
|
||||||
|
// with just access to the "Security" admin interface
|
||||||
|
Permission::checkMember($member, "CMS_ACCESS_SecurityAdmin") &&
|
||||||
|
!DataObject::get("Permission", "GroupID = $this->ID AND Code = 'ADMIN'")
|
||||||
|
)
|
||||||
|
);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public function canView() {
|
/**
|
||||||
if($this->hasMethod('alternateCanView')) return $this->alternateCanView();
|
* Checks for permission-code CMS_ACCESS_SecurityAdmin.
|
||||||
else {
|
*
|
||||||
return Permission::check("ADMIN")
|
* @param $member Member
|
||||||
|| (Member::currentUserID() && !DataObject::get("Permission", "GroupID = $this->ID AND Code = 'ADMIN'"));
|
* @return boolean
|
||||||
|
*/
|
||||||
|
public function canView($member = null) {
|
||||||
|
if(!$member || !(is_a($member, 'Member')) || is_numeric($member)) $member = Member::currentUser();
|
||||||
|
|
||||||
|
if($this->hasMethod('alternateCanView')) {
|
||||||
|
return $this->alternateCanView($member);
|
||||||
|
} else {
|
||||||
|
return (bool)Permission::checkMember($member, "CMS_ACCESS_SecurityAdmin");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -296,7 +323,7 @@ class Group extends DataObject {
|
|||||||
$filteredChildren = new DataObjectSet();
|
$filteredChildren = new DataObjectSet();
|
||||||
|
|
||||||
if($children) foreach($children as $child) {
|
if($children) foreach($children as $child) {
|
||||||
if($child->canEdit()) $filteredChildren->push($child);
|
if($child->canView()) $filteredChildren->push($child);
|
||||||
}
|
}
|
||||||
|
|
||||||
return $filteredChildren;
|
return $filteredChildren;
|
||||||
|
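Review bot: In the new canEdit() and canView(), the fallback `if(!$member || !(is_a($member, 'Member')) || is_numeric($member)) $member = Member::currentUser();` silently replaces a numeric member ID with the logged-in user, so `canEdit(123)` answers for whoever is calling rather than for member 123; the `is_numeric` branch is also redundant, since a number already fails `is_a`. Resolving the ID instead, `if(is_numeric($member)) $member = DataObject::get_by_id('Member', $member);`, and falling back to `Member::currentUser()` only when nothing was passed keeps the documented `@param $member Member` contract and avoids evaluating permissions for the wrong principal. The old guard `Member::currentUserID() &&` is gone as well, so for an anonymous caller `$member` is null when it reaches `Permission::checkMember($member, "ADMIN")`; whether that yields false or an error depends on checkMember, which is outside this diff and worth confirming. The enclosing class continues outside the hunk.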