silverstripe-framework/security/PermissionCheckboxSetField.php

332 lines
11 KiB
PHP

<?php
/**
* Shows a categorized list of available permissions (through {@link Permission::get_codes()}).
* Permissions which are assigned to a given {@link Group} record
* (either directly, inherited from parent groups, or through a {@link PermissionRole})
* will be checked automatically. All checkboxes for "inherited" permissions will be readonly.
*
* The field can gets its assignment data either from {@link Group} or {@link PermissionRole} records.
*
* @package framework
* @subpackage security
*/
class PermissionCheckboxSetField extends FormField {
/**
* @var Array Filter certain permission codes from the output.
* Useful to simplify the interface
*/
protected $hiddenPermissions = array();
/**
* @var SS_List
*/
protected $records = null;
/**
* @var array Array Nested array in same notation as {@link CheckboxSetField}.
*/
protected $source = null;
/**
* @param String $name
* @param String $title
* @param String $managedClass
* @param String $filterField
* @param Group|SS_List $records One or more {@link Group} or {@link PermissionRole} records
* used to determine permission checkboxes.
* Caution: saveInto() can only be used with a single record, all inherited permissions will be marked readonly.
* Setting multiple groups only makes sense in a readonly context. (Optional)
*/
public function __construct($name, $title, $managedClass, $filterField, $records = null) {
$this->filterField = $filterField;
$this->managedClass = $managedClass;
if($records instanceof SS_List) {
$this->records = $records;
} elseif($records instanceof Group) {
$this->records = new ArrayList(array($records));
} elseif($records) {
throw new InvalidArgumentException(
'$record should be either a Group record, or a SS_List of Group records');
}
// Get all available codes in the system as a categorized nested array
$this->source = Permission::get_codes(true);
parent::__construct($name, $title);
}
/**
* @param Array $codes
*/
public function setHiddenPermissions($codes) {
$this->hiddenPermissions = $codes;
}
/**
* @return Array
*/
public function getHiddenPermissions() {
return $this->hiddenPermissions;
}
public function Field($properties = array()) {
Requirements::css(FRAMEWORK_DIR . '/css/CheckboxSetField.css');
Requirements::javascript(FRAMEWORK_DIR . '/javascript/PermissionCheckboxSetField.js');
$uninheritedCodes = array();
$inheritedCodes = array();
$records = ($this->records) ? $this->records : new ArrayList();
// Get existing values from the form record (assuming the formfield name is a join field on the record)
if(is_object($this->form)) {
$record = $this->form->getRecord();
if(
$record
&& (is_a($record, 'Group') || is_a($record, 'PermissionRole'))
&& !$records->find('ID', $record->ID)
) {
$records->push($record);
}
}
// Get all 'inherited' codes not directly assigned to the group (which is stored in $values)
foreach($records as $record) {
// Get all uninherited permissions
$relationMethod = $this->name;
foreach($record->$relationMethod() as $permission) {
if(!isset($uninheritedCodes[$permission->Code])) $uninheritedCodes[$permission->Code] = array();
$uninheritedCodes[$permission->Code][] = _t(
'PermissionCheckboxSetField.AssignedTo', 'assigned to "{title}"',
array('title' => $record->Title)
);
}
// Special case for Group records (not PermissionRole):
// Determine inherited assignments
if(is_a($record, 'Group')) {
// Get all permissions from roles
if ($record->Roles()->Count()) {
foreach($record->Roles() as $role) {
foreach($role->Codes() as $code) {
if (!isset($inheritedCodes[$code->Code])) $inheritedCodes[$code->Code] = array();
$inheritedCodes[$code->Code][] = _t(
'PermissionCheckboxSetField.FromRole',
'inherited from role "{title}"',
'A permission inherited from a certain permission role',
array('title' => $role->Title)
);
}
}
}
// Get from parent groups
$parentGroups = $record->getAncestors();
if ($parentGroups) {
foreach ($parentGroups as $parent) {
if (!$parent->Roles()->Count()) continue;
foreach($parent->Roles() as $role) {
if ($role->Codes()) {
foreach($role->Codes() as $code) {
if (!isset($inheritedCodes[$code->Code])) $inheritedCodes[$code->Code] = array();
$inheritedCodes[$code->Code][] = _t(
'PermissionCheckboxSetField.FromRoleOnGroup',
'inherited from role "%s" on group "%s"',
'A permission inherited from a role on a certain group',
array('roletitle' => $role->Title, 'grouptitle' => $parent->Title)
);
}
}
}
if ($parent->Permissions()->Count()) {
foreach($parent->Permissions() as $permission) {
if (!isset($inheritedCodes[$permission->Code])) {
$inheritedCodes[$permission->Code] = array();
}
$inheritedCodes[$permission->Code][] =
_t(
'PermissionCheckboxSetField.FromGroup',
'inherited from group "{title}"',
'A permission inherited from a certain group',
array('title' => $parent->Title)
);
}
}
}
}
}
}
$odd = 0;
$options = '';
$globalHidden = (array)Config::inst()->get('Permission', 'hidden_permissions');
if($this->source) {
$privilegedPermissions = Permission::config()->privileged_permissions;
// loop through all available categorized permissions and see if they're assigned for the given groups
foreach($this->source as $categoryName => $permissions) {
$options .= "<li><h5>$categoryName</h5></li>";
foreach($permissions as $code => $permission) {
if(in_array($code, $this->hiddenPermissions)) continue;
if(in_array($code, $globalHidden)) continue;
$value = $permission['name'];
$odd = ($odd + 1) % 2;
$extraClass = $odd ? 'odd' : 'even';
$extraClass .= ' val' . str_replace(' ', '', $code);
$itemID = $this->id() . '_' . preg_replace('/[^a-zA-Z0-9]+/', '', $code);
$checked = $disabled = $inheritMessage = '';
$checked = (isset($uninheritedCodes[$code]) || isset($inheritedCodes[$code]))
? ' checked="checked"'
: '';
$title = $permission['help']
? 'title="' . htmlentities($permission['help'], ENT_COMPAT, 'UTF-8') . '" '
: '';
if (isset($inheritedCodes[$code])) {
// disable inherited codes, as any saving logic would be too complicate to express in this
// interface
$disabled = ' disabled="true"';
$inheritMessage = ' (' . join(', ', $inheritedCodes[$code]) . ')';
} elseif($this->records && $this->records->Count() > 1 && isset($uninheritedCodes[$code])) {
// If code assignments are collected from more than one "source group",
// show its origin automatically
$inheritMessage = ' (' . join(', ', $uninheritedCodes[$code]).')';
}
// Disallow modification of "privileged" permissions unless currently logged-in user is an admin
if(!Permission::check('ADMIN') && in_array($code, $privilegedPermissions)) {
$disabled = ' disabled="true"';
}
// If the field is readonly, always mark as "disabled"
if($this->readonly) $disabled = ' disabled="true"';
$inheritMessage = '<small>' . $inheritMessage . '</small>';
$icon = ($checked) ? 'accept' : 'decline';
// If the field is readonly, add a span that will replace the disabled checkbox input
if($this->readonly) {
$options .= "<li class=\"$extraClass\">"
. "<input id=\"$itemID\"$disabled name=\"$this->name[$code]\" type=\"checkbox\""
. " value=\"$code\"$checked class=\"checkbox\" />"
. "<label {$title}for=\"$itemID\">"
. "<span class=\"ui-button-icon-primary ui-icon btn-icon-$icon\"></span>"
. "$value$inheritMessage</label>"
. "</li>\n";
} else {
$options .= "<li class=\"$extraClass\">"
. "<input id=\"$itemID\"$disabled name=\"$this->name[$code]\" type=\"checkbox\""
. " value=\"$code\"$checked class=\"checkbox\" />"
. "<label {$title}for=\"$itemID\">$value$inheritMessage</label>"
. "</li>\n";
}
}
}
}
if($this->readonly) {
return "<ul id=\"{$this->id()}\" class=\"optionset checkboxsetfield{$this->extraClass()}\">\n" .
"<li class=\"help\">" .
_t(
'Permissions.UserPermissionsIntro',
'Assigning groups to this user will adjust the permissions they have.'
. ' See the groups section for details of permissions on individual groups.'
) .
"</li>" .
$options .
"</ul>\n";
} else {
return "<ul id=\"{$this->id()}\" class=\"optionset checkboxsetfield{$this->extraClass()}\">\n" .
$options .
"</ul>\n";
}
}
/**
* Update the permission set associated with $record DataObject
*
* @param DataObject $record
*/
public function saveInto(DataObjectInterface $record) {
$fieldname = $this->name;
$managedClass = $this->managedClass;
// Remove all "privileged" permissions if the currently logged-in user is not an admin
$privilegedPermissions = Permission::config()->privileged_permissions;
if(!Permission::check('ADMIN')) {
foreach($this->value as $id => $bool) {
if(in_array($id, $privilegedPermissions)) {
unset($this->value[$id]);
}
}
}
// remove all permissions and re-add them afterwards
$permissions = $record->$fieldname();
foreach ( $permissions as $permission ) {
$permission->delete();
}
if($fieldname && $record && ($record->has_many($fieldname) || $record->many_many($fieldname))) {
if(!$record->ID) $record->write(); // We need a record ID to write permissions
$idList = array();
if($this->value) foreach($this->value as $id => $bool) {
if($bool) {
$perm = new $managedClass();
$perm->{$this->filterField} = $record->ID;
$perm->Code = $id;
$perm->write();
}
}
}
}
/**
* @return PermissionCheckboxSetField_Readonly
*/
public function performReadonlyTransformation() {
$readonly = new PermissionCheckboxSetField_Readonly(
$this->name,
$this->title,
$this->managedClass,
$this->filterField,
$this->records
);
return $readonly;
}
/**
* Retrieves all permission codes for the currently set records
*
* @return array
*/
public function getAssignedPermissionCodes() {
if(!$this->records) return false;
// TODO
return $codes;
}
}
/**
* Readonly version of a {@link PermissionCheckboxSetField} -
* uses the same structure, but has all checkboxes disabled.
*
* @package framework
* @subpackage security
*/
class PermissionCheckboxSetField_Readonly extends PermissionCheckboxSetField {
protected $readonly = true;
public function saveInto(DataObjectInterface $record) {
return false;
}
}