OnlyAdminCanApply property is set to TRUE, the role can only be assigned * to new groups by a user with ADMIN privileges. This is a simple way to prevent users * with access to {@link SecurityAdmin} (but no ADMIN privileges) to get themselves ADMIN access * (which might be implied by certain roles). * * @package sapphire * @subpackage security */ class PermissionRole extends DataObject { static $db = array( "Title" => "Varchar", "OnlyAdminCanApply" => "Boolean" ); static $has_many = array( "Codes" => "PermissionRoleCode", ); static $belongs_many_many = array( "Groups" => "Group", ); static $default_sort = '"Title"'; static $singular_name = 'Role'; static $plural_name = 'Roles'; function getCMSFields() { $fields = parent::getCMSFields(); $fields->removeFieldFromTab('Root', 'Codes'); $fields->removeFieldFromTab('Root', 'Groups'); $fields->addFieldToTab( 'Root.Main', $permissionField = new PermissionCheckboxSetField( 'Codes', singleton('Permission')->i18n_plural_name(), 'PermissionRoleCode', 'RoleID' ) ); $permissionField->setHiddenPermissions(SecurityAdmin::$hidden_permissions); return $fields; } function onAfterDelete() { parent::onAfterDelete(); // Delete associated permission codes $codes = $this->Codes(); foreach ( $codes as $code ) { $code->delete(); } } public function canCreate($member = null) { return Permission::check('APPLY_ROLES', 'any', $member); } public function canEdit($member = null) { return Permission::check('APPLY_ROLES', 'any', $member); } public function canDelete($member = null) { return Permission::check('APPLY_ROLES', 'any', $member); } }