From 173c495afe53802ab415af7501d350c98f337956 Mon Sep 17 00:00:00 2001
From: Ingo Schommer <ingo@silverstripe.com>
Date: Tue, 3 Feb 2009 23:34:14 +0000
Subject: [PATCH] ENHANCEMENT Enforcing Member->can*() and Group->can*()
 permissions in SecurityAdmin

git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/cms/trunk@71330 467b73ca-7a2a-4603-9d3b-597d59a354a9
---
 code/SecurityAdmin.php | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/code/SecurityAdmin.php b/code/SecurityAdmin.php
index f656021c..ff868a4a 100644
--- a/code/SecurityAdmin.php
+++ b/code/SecurityAdmin.php
@@ -63,6 +63,11 @@ class SecurityAdmin extends LeftAndMain implements PermissionProvider {
 		$form = new Form($this, "EditForm", $fields, $actions);
 		$form->loadDataFrom($record);
 		
+		if(!$record->canEdit()) {
+			$readonlyFields = $form->Fields()->makeReadonly();
+			$form->setFields($readonlyFields);
+		}
+		
 		return $form;
 	}
 
@@ -90,6 +95,7 @@ class SecurityAdmin extends LeftAndMain implements PermissionProvider {
 		if($matches) {
 			$result .= "<ul>";
 			foreach($matches as $match) {
+				if(!$match->canView()) continue;
 
 				$data = $match->FirstName;
 				$data .= ",$match->Surname";
@@ -130,6 +136,11 @@ class SecurityAdmin extends LeftAndMain implements PermissionProvider {
 
 			$idField->setValue($id);
 			$groupIDField->setValue($this->currentPageID());
+			
+			if($record && !$record->canEdit()) {
+				$readonlyFields = $form->Fields()->makeReadonly();
+				$form->setFields($readonlyFields);
+			}
 
 			return $form;
 		}
@@ -144,7 +155,9 @@ class SecurityAdmin extends LeftAndMain implements PermissionProvider {
 
 		if($id) {
 			$record = DataObject::get_one($className, "\"$className\".\"ID\" = $id");
+			if($record && !$record->canEdit()) return Security::permissionFailure($this);
 		} else {
+			if(!singleton($this->stat('subitem_class'))->canCreate()) return Security::permissionFailure($this);
 			$record = new $className();
 		}
 
@@ -164,6 +177,8 @@ class SecurityAdmin extends LeftAndMain implements PermissionProvider {
 		unset($data['ID']);
 		if($className == null) $className = $this->stat('subitem_class');
 
+		if(!singleton($this->stat('subitem_class'))->canCreate()) return Security::permissionFailure($this);
+
 		$record = new $className();
 
 		$record->update($data);
@@ -181,6 +196,8 @@ class SecurityAdmin extends LeftAndMain implements PermissionProvider {
 		$memberID = $this->urlParams['OtherID'];
 		if(is_numeric($groupID) && is_numeric($memberID)) {
 			$member = DataObject::get_by_id('Member', (int) $memberID);
+			if(!$member->canDelete()) return Security::permissionFailure($this);
+			
 			$member->Groups()->remove($groupID);
 			FormResponse::add("reloadMemberTableField();");
 		} else {
@@ -213,6 +230,8 @@ class SecurityAdmin extends LeftAndMain implements PermissionProvider {
 	}
 
 	public function addgroup() {
+		if(!singleton($this->stat('tree_class'))->canCreate()) return Security::permissionFailure($this);
+		
 		$newGroup = Object::create($this->stat('tree_class'));
 		$newGroup->Title = _t('SecurityAdmin.NEWGROUP',"New Group");
 		$newGroup->Code = "new-group";