API CHANGE: Added PermissionRole and PermissionRoleCode, along with relevant tests for the permission system. (from r85173)
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@89187 467b73ca-7a2a-4603-9d3b-597d59a354a9
This commit is contained in:
parent
1fed31cb9e
commit
dd8120aed7
@ -28,6 +28,7 @@ class Group extends DataObject {
|
||||
|
||||
static $many_many = array(
|
||||
"Members" => "Member",
|
||||
"Roles" => "PermissionRole",
|
||||
);
|
||||
|
||||
static $extensions = array(
|
||||
|
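Review bot: The new `Roles` entry carries no comment, yet the join table it creates is addressed by name in the raw SQL this same commit adds to Permission (`"Group_Roles" AS GR ON GR."PermissionRoleID" = PR."ID"`), so renaming the relation would silently break role-based permission lookup without any error at declaration time. A comment above the entry such as `// Join table "Group_Roles" is queried by name in Permission's raw SQL - keep in sync` would make that coupling visible to the next person editing this array. The Group class declaration begins and continues outside the hunk.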
@ -232,11 +232,20 @@ class Permission extends DataObject {
|
||||
$groupCSV = implode(", ", $groupList);
|
||||
|
||||
// Raw SQL for efficiency
|
||||
return DB::query("
|
||||
return array_unique(DB::query("
|
||||
SELECT \"Code\"
|
||||
FROM \"Permission\"
|
||||
WHERE \"Type\" = " . self::GRANT_PERMISSION . " AND \"GroupID\" IN ($groupCSV)
|
||||
")->column();
|
||||
|
||||
UNION
|
||||
|
||||
SELECT \"Code\"
|
||||
FROM \"PermissionRoleCode\" AS PRC
|
||||
INNER JOIN \"PermissionRole\" AS PR ON PRC.\"RoleID\" = PR.\"ID\"
|
||||
INNER JOIN \"Group_Roles\" AS GR ON GR.\"PermissionRoleID\" = PR.\"ID\"
|
||||
WHERE \"GroupID\" IN ($groupCSV)
|
||||
")->column());
|
||||
|
||||
} else {
|
||||
return array();
|
||||
}
|
||||
|
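Review bot: In the second SELECT of the UNION, `"Code"` and `"GroupID"` are left unqualified although three tables are joined; that only works while neither PermissionRole nor Group_Roles gains a column of those names, so write them as `SELECT PRC.\"Code\"` and `WHERE GR.\"GroupID\" IN ($groupCSV)` to match the qualified references on the join lines. The `array_unique()` wrapped around the call is redundant, since UNION (as opposed to UNION ALL) already removes duplicate rows, and it leaves gaps in the array keys. Both SELECTs interpolate `$groupCSV` into the SQL; it is built on the first line of the hunk from `$groupList`, whose origin is outside the hunk, so this is only safe if every element is cast to an integer where that list is assembled, which deserves a comment on the implode line such as `// $groupList must hold integer IDs only - it is interpolated into SQL below`. Note also that role codes carry no `Type`, so unlike the first SELECT they are returned without the `GRANT_PERMISSION` filter; if deny-type rows are handled elsewhere in this method, role-derived codes would bypass that handling. The enclosing method begins and ends outside the hunk.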
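--- /dev/null
+++ b/security/PermissionRole.php
@@ -0,0 +1,21 @@
+<?php
+
+/**
+ * A PermissionRole represents a collection of permission codes that can be applied to groups.
+ *
+ * Because permission codes are very granular, this lets website administrators create more
+ * business-oriented units of access control - Roles - and assign those to groups.
+ */
+class PermissionRole extends DataObject {
+	static $db = array(
+		"Title" => "Varchar",
+	);
+
+	static $has_many = array(
+		"Codes" => "PermissionRoleCode",
+	);
+
+	static $belongs_many_many = array(
+		"Groups" => "Group",
+	);
+}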
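Review bot: Deleting a PermissionRole leaves its `Codes` rows behind, because a has_many relation does not remove child records on delete as far as the DataObject defaults go; the orphaned PermissionRoleCode rows no longer satisfy the `PRC."RoleID" = PR."ID"` join in Permission, so they grant nothing, but they accumulate as dead data and confuse anyone auditing the table. An `onBeforeDelete()` that deletes the related codes keeps the table consistent. It would also help to document the three statics, e.g. `// Codes: the permission codes granted to every group that holds this role` and `// Groups: inverse side of Group::$many_many["Roles"]`.

```php
class PermissionRole extends DataObject {
	// … unchanged: $db, $has_many, $belongs_many_many …

	function onBeforeDelete() {
		parent::onBeforeDelete();
		// Remove the codes attached to this role; has_many children are not deleted automatically
		foreach($this->Codes() as $code) $code->delete();
	}
}
```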
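--- /dev/null
+++ b/security/PermissionRoleCode.php
@@ -0,0 +1,14 @@
+<?php
+
+/**
+ * A PermissionRoleCode represents a single permission code assigned to a {@link PermissionRole}.
+ */
+class PermissionRoleCode extends DataObject {
+	static $db = array(
+		"Code" => "Varchar",
+	);
+
+	static $has_one = array(
+		"Role" => "PermissionRole",
+	);
+}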
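Review bot: The class comment does not say that a role code is granted unconditionally: unlike `Permission`, whose `Type` column is filtered on `GRANT_PERMISSION` in the query this commit changes, PermissionRoleCode stores only `Code`, so every code attached to a role is granted to all of the role's groups. A sentence in the docblock such as ` * Unlike {@link Permission}, a role code has no Type: every code listed on a role is granted to the groups that hold the role.` would make that explicit. `Code` is also a free-form Varchar with no check against the codes the system actually knows, so a misspelt code silently grants nothing, which is worth noting in the same docblock.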
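--- /dev/null
+++ b/tests/security/PermissionTest.php
@@ -0,0 +1,44 @@
+<?php
+
+class PermissionTest extends SapphireTest {
+	static $fixture_file = 'sapphire/tests/security/PermissionTest.yml';
+
+	function testDirectlyAppliedPermissions() {
+		$member = $this->objFromFixture('Member', 'author');
+		$this->assertTrue(Permission::checkMember($member, "SITETREE_VIEW_ALL"));
+	}
+
+	function testPermissionAreInheritedFromOneRole() {
+		$member = $this->objFromFixture('Member', 'author');
+		$this->assertTrue(Permission::checkMember($member, "CMS_ACCESS_CMSMain"));
+		$this->assertTrue(Permission::checkMember($member, "CMS_ACCESS_AssetAdmin"));
+		$this->assertFalse(Permission::checkMember($member, "CMS_ACCESS_SecurityAdmin"));
+	}
+
+	function testPermissionAreInheritedFromMultipleRoles() {
+		$member = $this->objFromFixture('Member', 'access');
+		$this->assertTrue(Permission::checkMember($member, "CMS_ACCESS_CMSMain"));
+		$this->assertTrue(Permission::checkMember($member, "CMS_ACCESS_AssetAdmin"));
+		$this->assertTrue(Permission::checkMember($member, "CMS_ACCESS_SecurityAdmin"));
+		$this->assertTrue(Permission::checkMember($member, "EDIT_PERMISSIONS"));
+		$this->assertFalse(Permission::checkMember($member, "SITETREE_VIEW_ALL"));
+	}
+
+	function testRolesAndPermissionsFromParentGroupsAreInherited() {
+		$member = $this->objFromFixture('Member', 'globalauthor');
+
+		// Check that permissions applied to the group are there
+		$this->assertTrue(Permission::checkMember($member, "SITETREE_EDIT_ALL"));
+
+		// Check that roles from parent groups are there
+		$this->assertTrue(Permission::checkMember($member, "CMS_ACCESS_CMSMain"));
+		$this->assertTrue(Permission::checkMember($member, "CMS_ACCESS_AssetAdmin"));
+
+		// Check that permissions from parent groups are there
+		$this->assertTrue(Permission::checkMember($member, "SITETREE_VIEW_ALL"));
+
+		// Check that a random permission that shouldn't be there isn't
+		$this->assertFalse(Permission::checkMember($member, "CMS_ACCESS_SecurityAdmin"));
+	}
+
+}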
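Review bot: None of the four tests exercises the `else { return array(); }` branch of the lookup this commit changes, i.e. a member whose groups hold neither direct permissions nor roles, so the empty case of the new UNION query is untested; add a fixture member in a group with no permissions and no roles and assert `$this->assertFalse(Permission::checkMember($member, "CMS_ACCESS_CMSMain"));` for it. There is likewise no test that a code disappears once its role is removed from the group, which is the revocation path an administrator will rely on. Each test also re-fetches the same fixture member; a short comment on `$fixture_file` naming which member maps to which role/group setup would save readers a trip to the YAML.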
52
tests/security/PermissionTest.yml
@ -0,0 +1,52 @@
|
||||
PermissionRole:
|
||||
author:
|
||||
Title: Author
|
||||
access:
|
||||
Title: Access Administrator
|
||||
|
||||
PermissionRoleCode:
|
||||
author1:
|
||||
Role: =>PermissionRole.author
|
||||
Code: CMS_ACCESS_CMSMain
|
||||
author2:
|
||||
Role: =>PermissionRole.author
|
||||
Code: CMS_ACCESS_AssetAdmin
|
||||
access1:
|
||||
Role: =>PermissionRole.access
|
||||
Code: CMS_ACCESS_SecurityAdmin
|
||||
access2:
|
||||
Role: =>PermissionRole.access
|
||||
Code: EDIT_PERMISSIONS
|
||||
|
||||
Member:
|
||||
author:
|
||||
FirstName: Test
|
||||
Surname: Author
|
||||
access:
|
||||
FirstName: Test
|
||||
Surname: Access Administrator
|
||||
globalauthor:
|
||||
FirstName: Test
|
||||
Surname: Global Author
|
||||
|
||||
Group:
|
||||
author:
|
||||
Title: Authors
|
||||
Members: =>Member.author
|
||||
Roles: =>PermissionRole.author
|
||||
access:
|
||||
Title: Access Administrators + Authors
|
||||
Members: =>Member.access
|
||||
Roles: =>PermissionRole.access,=>PermissionRole.author
|
||||
globalauthor:
|
||||
Parent: =>Group.author
|
||||
Title: Global Authors
|
||||
Members: =>Member.globalauthor
|
||||
|
||||
Permission:
|
||||
extra1:
|
||||
Code: SITETREE_VIEW_ALL
|
||||
Group: =>Group.author
|
||||
globalauthor:
|
||||
Code: SITETREE_EDIT_ALL
|
||||
Group: =>Group.globalauthor
|