From 5f337db5534e30da0977fba16b72d95d232b5f92 Mon Sep 17 00:00:00 2001 From: Mateusz Uzdowski Date: Wed, 5 Oct 2011 15:02:57 +1300 Subject: [PATCH] BUGFIX: make sure non-admins can access the main site via group role --- code/LeftAndMainSubsites.php | 5 +++-- code/Subsite.php | 37 ++++++++++++++++++++++++++---------- tests/SubsiteTest.php | 18 ++++++++++++++++-- tests/SubsiteTest.yml | 17 ++++++++++++++++- 4 files changed, 62 insertions(+), 15 deletions(-) diff --git a/code/LeftAndMainSubsites.php b/code/LeftAndMainSubsites.php index 9d467f2..24740b5 100644 --- a/code/LeftAndMainSubsites.php +++ b/code/LeftAndMainSubsites.php @@ -127,7 +127,8 @@ class LeftAndMainSubsites extends Extension { $member = Member::currentUser(); if ($member && $member->isAdmin()) return true; //admin can access all subsites - $sites = Subsite::accessible_sites("CMS_ACCESS_{$this->owner->class}")->toDropdownMap(); + $sites = Subsite::accessible_sites("CMS_ACCESS_{$this->owner->class}", true)->toDropdownMap(); + if($sites && !isset($sites[Subsite::currentSubsiteID()])) { $siteIDs = array_keys($sites); Subsite::changeSubsite($siteIDs[0]); @@ -139,7 +140,7 @@ class LeftAndMainSubsites extends Extension { foreach($menu as $candidate) { if($candidate->controller != $this->owner->class) { - $sites = Subsite::accessible_sites("CMS_ACCESS_{$candidate->controller}")->toDropdownMap(); + $sites = Subsite::accessible_sites("CMS_ACCESS_{$candidate->controller}", true)->toDropdownMap(); if($sites && !isset($sites[Subsite::currentSubsiteID()])) { $siteIDs = array_keys($sites); Subsite::changeSubsite($siteIDs[0]); diff --git a/code/Subsite.php b/code/Subsite.php index 88bed05..49b32f0 100644 --- a/code/Subsite.php +++ b/code/Subsite.php @@ -347,6 +347,7 @@ JS; $SQL_perms = join("','", $SQLa_perm); $memberID = (int)$member->ID; + // Count this user's groups which can access the main site $groupCount = DB::query(" SELECT COUNT(\"Permission\".\"ID\") FROM \"Permission\" @@ -356,8 +357,21 @@ JS; AND \"MemberID\" = {$memberID} ")->value(); - return ($groupCount > 0); - + // Count this user's groups which have a role that can access the main site + $roleCount = DB::query(" + SELECT COUNT(\"PermissionRoleCode\".\"ID\") + FROM \"Group\" + INNER JOIN \"Group_Members\" ON \"Group_Members\".\"GroupID\" = \"Group\".\"ID\" + INNER JOIN \"Group_Roles\" ON \"Group_Roles\".\"GroupID\"=\"Group\".\"ID\" + INNER JOIN \"PermissionRole\" ON \"Group_Roles\".\"PermissionRoleID\"=\"PermissionRole\".\"ID\" + INNER JOIN \"PermissionRoleCode\" ON \"PermissionRole\".\"ID\"=\"PermissionRoleCode\".\"RoleID\" + WHERE \"PermissionRoleCode\".\"Code\" IN ('$SQL_perms') + AND \"Group\".\"AccessAllSubsites\" = 1 + AND \"MemberID\" = {$memberID} + ")->value(); + + // There has to be at least one that allows access. + return ($groupCount + $roleCount > 0); } /** @@ -419,6 +433,7 @@ JS; $templateClassList = "'" . implode("', '", ClassInfo::subclassesFor("Subsite_Template")) . "'"; + // Get all subsites accessible via a group $subsites = DataObject::get( 'Subsite', "\"Subsite\".\"Title\" != ''", @@ -434,7 +449,9 @@ JS; ON \"Group\".\"ID\"=\"Permission\".\"GroupID\" AND \"Permission\".\"Code\" IN ($SQL_codes, 'ADMIN')" ); + if (!$subsites) $subsites = new DataObjectSet(); + // Get all subsites accessible via a role $rolesSubsites = DataObject::get( 'Subsite', "\"Subsite\".\"Title\" != ''", @@ -454,17 +471,17 @@ JS; ON \"PermissionRole\".\"ID\"=\"PermissionRoleCode\".\"RoleID\" AND \"PermissionRoleCode\".\"Code\" IN ($SQL_codes, 'ADMIN')" ); - - if(!$subsites && $rolesSubsites) return $rolesSubsites; - - if($rolesSubsites) foreach($rolesSubsites as $subsite) { - if(!$subsites->containsIDs(array($subsite->ID))) { - $subsites->push($subsite); + + // Merge subsites + if($rolesSubsites) { + if($rolesSubsites) foreach($rolesSubsites as $subsite) { + if(!$subsites->containsIDs(array($subsite->ID))) { + $subsites->push($subsite); + } } } - // Include the main site - if(!$subsites) $subsites = new DataObjectSet(); + // Include the main site, if requested if($includeMainSite) { if(!is_array($permCode)) $permCode = array($permCode); if(self::hasMainSitePermission($member, $permCode)) { diff --git a/tests/SubsiteTest.php b/tests/SubsiteTest.php index 9faa80e..92314f8 100644 --- a/tests/SubsiteTest.php +++ b/tests/SubsiteTest.php @@ -109,7 +109,7 @@ class SubsiteTest extends SapphireTest { $this->objFromFixture('Member', 'subsite1member')); $member1SiteTitles = $member1Sites->column("Title"); sort($member1SiteTitles); - $this->assertEquals(array('Subsite1 Template'), $member1SiteTitles); + $this->assertEquals('Subsite1 Template', $member1SiteTitles[0], 'Member can get to a subsite via a group'); $adminSites = Subsite::accessible_sites("CMS_ACCESS_CMSMain", false, null, $this->objFromFixture('Member', 'admin')); @@ -123,6 +123,20 @@ class SubsiteTest extends SapphireTest { 'Test 2', 'Test 3', ), $adminSiteTitles); + + $member2Sites = Subsite::accessible_sites("CMS_ACCESS_CMSMain", false, null, + $this->objFromFixture('Member', 'subsite1member2')); + $member2SiteTitles = $member2Sites->column("Title"); + sort($member2SiteTitles); + $this->assertEquals('Subsite1 Template', $member2SiteTitles[0], 'Member can get to subsite via a group role'); + } + + function testHasMainSitePermission() { + $canAccess = Subsite::hasMainSitePermission($this->objFromFixture('Member', 'subsite1member'), array("CMS_ACCESS_CMSMain")); + $this->assertTrue($canAccess, 'Member has access to Main site via a group'); + + $canAccess = Subsite::hasMainSitePermission($this->objFromFixture('Member', 'subsite1member2'), array("CMS_ACCESS_CMSMain")); + $this->assertTrue($canAccess, 'Member has access to Main site via a group role'); } function testDuplicateSubsite() { @@ -150,4 +164,4 @@ class SubsiteTest extends SapphireTest { $subsite2->activate(); $this->assertEquals('MyNewAwesomePage', DataObject::get_by_id('Page', $page2->ID)->Title); } -} \ No newline at end of file +} diff --git a/tests/SubsiteTest.yml b/tests/SubsiteTest.yml index 6caed8c..33bb00c 100644 --- a/tests/SubsiteTest.yml +++ b/tests/SubsiteTest.yml @@ -75,6 +75,13 @@ SiteTree: Title: Contact Us (Subsite 2) SubsiteID: =>Subsite_Template.subsite2 +PermissionRoleCode: + roleCode1: + Code: CMS_ACCESS_CMSMain +PermissionRole: + role1: + Title: role1 + Codes: =>PermissionRoleCode.roleCode1 Group: admin: Title: Admin @@ -87,13 +94,18 @@ Group: subsite1_group: Title: subsite1_group Code: subsite1_group - AccessAllSubsites: 0 + AccessAllSubsites: 1 Subsites: =>Subsite_Template.subsite1 subsite2_group: Title: subsite2_group Code: subsite2_group AccessAllSubsites: 0 Subsites: =>Subsite_Template.subsite2 + subsite1_group_via_role: + Title: subsite1_group_via_role + Code: subsite1_group_via_role + AccessAllSubsites: 1 + Roles: =>PermissionRole.role1 Permission: admin: Code: ADMIN @@ -139,3 +151,6 @@ Member: subsite2member: Email: subsite2member@test.com Groups: =>Group.subsite2_group + subsite1member2: + Email: subsite1member2@test.com + Groups: =>Group.subsite1_group_via_role