<?php
/**
 * A PermissionRoleCode represents a single permission code assigned to a {@link PermissionRole}.
 * 
 * @package framework
 * @subpackage security
 *
 * @property string Code
 *
 * @property int RoleID
 *
 * @method PermissionRole Role()
 */
class PermissionRoleCode extends DataObject {
	private static $db = array(
		"Code" => "Varchar",
	);
	
	private static $has_one = array(
		"Role" => "PermissionRole",
	);

	protected function validate() {
		$result = parent::validate();

		// Check that new code doesn't increase privileges, unless an admin is editing.
		$privilegedCodes = Config::inst()->get('Permission', 'privileged_permissions');
		if(
			$this->Code
			&& in_array($this->Code, $privilegedCodes)
			&& !Permission::check('ADMIN')
		) {
			$result->error(sprintf(
				_t(
					'PermissionRoleCode.PermsError',
					'Can\'t assign code "%s" with privileged permissions (requires ADMIN access)'
				),
				$this->Code
			));
		}

		return $result;
	}

	public function canCreate($member = null) {
		return Permission::check('APPLY_ROLES', 'any', $member);
	}

	public function canEdit($member = null) {
		return Permission::check('APPLY_ROLES', 'any', $member);
	}

	public function canDelete($member = null) {
		return Permission::check('APPLY_ROLES', 'any', $member);
	}
}