Added EDIT_PERMISSIONS permission code for SecurityAdmin

Added LeftAndMain::alternateAccessCheck() / alternateMenuDisplayCheck() so that subsite could hook a new security model into the admin
Added support for Group::alternateTreeTitle() to allow subsites to put *s before global groups

git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/cms/trunk@41098 467b73ca-7a2a-4603-9d3b-597d59a354a9

code/LeftAndMain.php

@@ -14,18 +14,27 @@ abstract class LeftAndMain extends Controller {
 		
 		parent::init();
 		
-		// Security check for LeftAndMain sub-class permissions
-		if(!Permission::check("CMS_ACCESS_$this->class")) {
-			// When access /admin/, we should try a redirect to another part of the admin rather than a 
-			if($this->class == 'CMSMain') {
+		// Allow customisation of the access check by a decorator
+		if($this->hasMethod('alternateAccessCheck')) {
+			$isAllowed = $this->alternateAccessCheck();
+			
+		// Default security check for LeftAndMain sub-class permissions
+		} else {
+			$isAllowed = Permission::check("CMS_ACCESS_$this->class");
+			if(!$isAllowed && $this->class == 'CMSMain') {
+				// When access /admin/, we should try a redirect to another part of the admin rather than be locked out
 				$menu = $this->MainMenu();
 				if(($first = $menu->First()) && $first->Link) {
 					Director::redirect($first->Link);
-					return;
+				}
 			}
 		}
 
+		// Don't continue if there's already been a redirection request.
+		if(Director::redirected_to()) return;
 
+		// Access failure!		
+		if(!$isAllowed) {
 			$messageSet = array(
 				'default' => "Enter your email address and password to access the CMS.",
 				'alreadyLoggedIn' => "I'm sorry, but you can't access that part of the CMS.  If you want to log in as someone else, do so below",
@@ -213,7 +222,15 @@ abstract class LeftAndMain extends Controller {
 		$itemsWithPermission = 0;
 		foreach($menuSrc as $title => $menuItem) {
 			if(is_numeric($title) && isset($menuItem['title'])) $title = $menuItem['title'];
-			if(!isset($menuItem[2]) || Permission::check("CMS_ACCESS_$menuItem[2]")) {
+
+			if(isset($menuItem[2])) {
+				if($this->hasMethod('alternateMenuDisplayCheck')) $isAllowed = $this->alternateMenuDisplayCheck($menuItem[2]);
+				else $isAllowed = Permission::check("CMS_ACCESS_" . $menuItem[2]);
+			} else {
+				$isAllowed = true;
+			}
+
+			if($isAllowed) {
 				// Count up the number of items that have specific permission settings
 				if(isset($menuItem[2])) $itemsWithPermission++;
 

code/SecurityAdmin.php

@@ -1,6 +1,6 @@
 <?php
 
-class SecurityAdmin extends LeftAndMain {
+class SecurityAdmin extends LeftAndMain implements PermissionProvider {
 	static $tree_class = "Group";
 	static $subitem_class = "Member";
 
@@ -58,6 +58,8 @@ class SecurityAdmin extends LeftAndMain {
 				)
 			);
 			
+			if(!Permission::check('EDIT_PERMISSIONS')) $fields->removeFieldFromTab('Root', 'Permissions');
+			
 			$memberList->setController($this);
 
 			$fields->push($idField = new HiddenField("ID"));
@@ -220,7 +222,7 @@ class SecurityAdmin extends LeftAndMain {
 		$siteTree = $obj->getChildrenAsUL("", 
 			' "<li id=\"record-$child->ID\" class=\"$child->class " . ($child->Locked ? " nodelete" : "") . ' .
 			' ($extraArg->isCurrentPage($child) ? " current" : "") . "\">" . ' . 
-			' "<a href=\"" . Director::link("admin", "show", $child->ID) . "\" >" . $child->Title . "</a>" ',$this);
+			' "<a href=\"" . Director::link("admin", "show", $child->ID) . "\" >" . $child->TreeTitle() . "</a>" ',$this);
 
 		$siteTree = "<ul id=\"sitetree\" class=\"tree unformatted\">" .
 						"<li id=\"record-0\" class=\"Root\">" .
@@ -329,6 +331,12 @@ class SecurityAdmin extends LeftAndMain {
 		
 		return $memberListField->renderWith('MemberList_Table');
 	}
+	
+	function providePermissions() {
+		return array(
+			'EDIT_PERMISSIONS' => 'Edit Permissions on each Group',
+		);
+	}
 }
 
 ?>