filterField = $filterField;
$this->managedClass = $managedClass;
if ($records instanceof SS_List) {
$this->records = $records;
} elseif ($records instanceof Group) {
$this->records = new ArrayList(array($records));
} elseif ($records) {
throw new InvalidArgumentException(
'$record should be either a Group record, or a SS_List of Group records'
);
}
// Get all available codes in the system as a categorized nested array
$this->source = Permission::get_codes(true);
parent::__construct($name, $title);
}
/**
* @param array $codes
*/
public function setHiddenPermissions($codes)
{
$this->hiddenPermissions = $codes;
}
/**
* @return array
*/
public function getHiddenPermissions()
{
return $this->hiddenPermissions;
}
/**
* @param array $properties
* @return string
*/
public function Field($properties = array())
{
$uninheritedCodes = array();
$inheritedCodes = array();
$records = ($this->records) ? $this->records : new ArrayList();
// Get existing values from the form record (assuming the formfield name is a join field on the record)
if (is_object($this->form)) {
$record = $this->form->getRecord();
if ($record
&& ($record instanceof Group || $record instanceof PermissionRole)
&& !$records->find('ID', $record->ID)
) {
$records->push($record);
}
}
// Get all 'inherited' codes not directly assigned to the group (which is stored in $values)
foreach ($records as $record) {
// Get all uninherited permissions
$relationMethod = $this->name;
foreach ($record->$relationMethod() as $permission) {
if (!isset($uninheritedCodes[$permission->Code])) {
$uninheritedCodes[$permission->Code] = array();
}
$uninheritedCodes[$permission->Code][] = _t(
'SilverStripe\\Security\\PermissionCheckboxSetField.AssignedTo',
'assigned to "{title}"',
array('title' => $record->dbObject('Title')->forTemplate())
);
}
// Special case for Group records (not PermissionRole):
// Determine inherited assignments
if ($record instanceof Group) {
// Get all permissions from roles
if ($record->Roles()->count()) {
foreach ($record->Roles() as $role) {
/** @var PermissionRole $role */
foreach ($role->Codes() as $code) {
if (!isset($inheritedCodes[$code->Code])) {
$inheritedCodes[$code->Code] = array();
}
$inheritedCodes[$code->Code][] = _t(
'SilverStripe\\Security\\PermissionCheckboxSetField.FromRole',
'inherited from role "{title}"',
'A permission inherited from a certain permission role',
array('title' => $role->dbObject('Title')->forTemplate())
);
}
}
}
// Get from parent groups
$parentGroups = $record->getAncestors();
if ($parentGroups) {
foreach ($parentGroups as $parent) {
if (!$parent->Roles()->Count()) {
continue;
}
foreach ($parent->Roles() as $role) {
if ($role->Codes()) {
foreach ($role->Codes() as $code) {
if (!isset($inheritedCodes[$code->Code])) {
$inheritedCodes[$code->Code] = array();
}
$inheritedCodes[$code->Code][] = _t(
'SilverStripe\\Security\\PermissionCheckboxSetField.FromRoleOnGroup',
'inherited from role "%s" on group "%s"',
'A permission inherited from a role on a certain group',
array('roletitle' => $role->dbObject('Title')->forTemplate(), 'grouptitle' => $parent->dbObject('Title')->forTemplate())
);
}
}
}
if ($parent->Permissions()->Count()) {
foreach ($parent->Permissions() as $permission) {
if (!isset($inheritedCodes[$permission->Code])) {
$inheritedCodes[$permission->Code] = array();
}
$inheritedCodes[$permission->Code][] =
_t(
'SilverStripe\\Security\\PermissionCheckboxSetField.FromGroup',
'inherited from group "{title}"',
'A permission inherited from a certain group',
array('title' => $parent->dbObject('Title')->forTemplate())
);
}
}
}
}
}
}
$odd = 0;
$options = '';
$globalHidden = (array)Config::inst()->get('SilverStripe\\Security\\Permission', 'hidden_permissions');
if ($this->source) {
$privilegedPermissions = Permission::config()->privileged_permissions;
// loop through all available categorized permissions and see if they're assigned for the given groups
foreach ($this->source as $categoryName => $permissions) {
$options .= "$categoryName
";
foreach ($permissions as $code => $permission) {
if (in_array($code, $this->hiddenPermissions)) {
continue;
}
if (in_array($code, $globalHidden)) {
continue;
}
$value = $permission['name'];
$odd = ($odd + 1) % 2;
$extraClass = $odd ? 'odd' : 'even';
$extraClass .= ' val' . str_replace(' ', '', $code);
$itemID = $this->ID() . '_' . preg_replace('/[^a-zA-Z0-9]+/', '', $code);
$disabled = $inheritMessage = '';
$checked = (isset($uninheritedCodes[$code]) || isset($inheritedCodes[$code]))
? ' checked="checked"'
: '';
$title = $permission['help']
? 'title="' . htmlentities($permission['help'], ENT_COMPAT, 'UTF-8') . '" '
: '';
if (isset($inheritedCodes[$code])) {
// disable inherited codes, as any saving logic would be too complicate to express in this
// interface
$disabled = ' disabled="true"';
$inheritMessage = ' (' . join(', ', $inheritedCodes[$code]) . ')';
} elseif ($this->records && $this->records->Count() > 1 && isset($uninheritedCodes[$code])) {
// If code assignments are collected from more than one "source group",
// show its origin automatically
$inheritMessage = ' (' . join(', ', $uninheritedCodes[$code]).')';
}
// Disallow modification of "privileged" permissions unless currently logged-in user is an admin
if (!Permission::check('ADMIN') && in_array($code, $privilegedPermissions)) {
$disabled = ' disabled="true"';
}
// If the field is readonly, always mark as "disabled"
if ($this->readonly) {
$disabled = ' disabled="true"';
}
$inheritMessage = '' . $inheritMessage . '';
$icon = ($checked) ? 'check-mark-circle' : 'cancel-circled';
// Inherited codes are shown as a gray x
if (Permission::check('ADMIN') && $code != 'ADMIN') {
$icon = 'disable-circled';
}
// If the field is readonly, add a span that will replace the disabled checkbox input
if ($this->readonly) {
$options .= "\n";
} else {
$options .= "\n";
}
}
}
}
if ($this->readonly) {
return
"ID()}\" class=\"optionset checkboxsetfield{$this->extraClass()}\">\n" .
"- " .
_t(
'SilverStripe\\Security\\Permission.UserPermissionsIntro',
'Assigning groups to this user will adjust the permissions they have.'
. ' See the groups section for details of permissions on individual groups.'
) .
"
" .
$options .
"
\n";
} else {
return
"ID()}\" class=\"optionset checkboxsetfield{$this->extraClass()}\">\n" .
$options .
"
\n";
}
}
/**
* Update the permission set associated with $record DataObject
*
* @param DataObjectInterface $record
*/
public function saveInto(DataObjectInterface $record)
{
$fieldname = $this->name;
$managedClass = $this->managedClass;
// Remove all "privileged" permissions if the currently logged-in user is not an admin
$privilegedPermissions = Permission::config()->privileged_permissions;
if (!Permission::check('ADMIN')) {
foreach ($this->value as $id => $bool) {
if (in_array($id, $privilegedPermissions)) {
unset($this->value[$id]);
}
}
}
// remove all permissions and re-add them afterwards
$permissions = $record->$fieldname();
foreach ($permissions as $permission) {
$permission->delete();
}
$schema = DataObject::getSchema();
if ($fieldname && $record && (
$schema->hasManyComponent(get_class($record), $fieldname)
|| $schema->manyManyComponent(get_class($record), $fieldname)
)) {
if (!$record->ID) {
$record->write(); // We need a record ID to write permissions
}
if ($this->value) {
foreach ($this->value as $id => $bool) {
if ($bool) {
$perm = new $managedClass();
$perm->{$this->filterField} = $record->ID;
$perm->Code = $id;
$perm->write();
}
}
}
}
}
/**
* @return PermissionCheckboxSetField_Readonly
*/
public function performReadonlyTransformation()
{
$readonly = new PermissionCheckboxSetField_Readonly(
$this->name,
$this->title,
$this->managedClass,
$this->filterField,
$this->records
);
return $readonly;
}
}