-
Notifications
You must be signed in to change notification settings - Fork 68
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
ENH add optional SiteConfig root level permissions
- Loading branch information
1 parent
27000f1
commit e77c0d4
Showing
4 changed files
with
300 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,161 @@ | ||
<?php | ||
|
||
namespace SilverStripe\Assets; | ||
|
||
use SilverStripe\Forms\FieldList; | ||
use SilverStripe\Forms\ListboxField; | ||
use SilverStripe\Forms\OptionsetField; | ||
use SilverStripe\ORM\DataExtension; | ||
use SilverStripe\Security\Group; | ||
use SilverStripe\Security\InheritedPermissions; | ||
use SilverStripe\Security\Member; | ||
use SilverStripe\Security\Permission; | ||
|
||
class RootLevelAccessSiteConfigExtension extends DataExtension | ||
{ | ||
private static $db = [ | ||
"RootAssetsCanViewType" => "Enum('Anyone, LoggedInUsers, OnlyTheseUsers, OnlyTheseMembers', 'Anyone')", | ||
"RootAssetsCanEditType" => "Enum('LoggedInUsers, OnlyTheseUsers, OnlyTheseMembers', 'OnlyTheseUsers')", | ||
]; | ||
|
||
private static $many_many = [ | ||
"RootAssetsViewerGroups" => Group::class, | ||
"RootAssetsEditorGroups" => Group::class, | ||
"RootAssetsViewerMembers" => Member::class, | ||
"RootAssetsEditorMembers" => Member::class, | ||
]; | ||
|
||
private static $defaults = [ | ||
"RootAssetsCanViewType" => "Anyone", | ||
"RootAssetsCanEditType" => "OnlyTheseUsers", | ||
]; | ||
|
||
public function requireDefaultRecords() | ||
{ | ||
parent::requireDefaultRecords(); | ||
if ($this->getOwner()->RootAssetsEditorGroups()->count() < 1) { | ||
$groups = Permission::get_groups_by_permission(File::EDIT_ALL); | ||
foreach ($groups as $group) { | ||
$this->getOwner()->RootAssetsEditorGroups()->add($group); | ||
} | ||
} | ||
} | ||
|
||
public function updateCMSFields(FieldList $fields) | ||
{ | ||
// Lots of logic borrowed from SiteConfig::getCMSFields() | ||
$mapFn = function ($groups = []) { | ||
$map = []; | ||
foreach ($groups as $group) { | ||
// Listboxfield values are escaped, use ASCII char instead of » | ||
$map[$group->ID] = $group->getBreadcrumbs(' > '); | ||
} | ||
asort($map); | ||
return $map; | ||
}; | ||
$groupsMap = $mapFn(Group::get()); | ||
$membersMap = Member::get()->map('ID', 'Name'); | ||
$editAllGroupsMap = $mapFn(Permission::get_groups_by_permission([File::EDIT_ALL, 'ADMIN'])); | ||
|
||
$fields->addFieldsToTab( | ||
'Root.Access', | ||
[ | ||
$viewersOptionsField = OptionsetField::create( | ||
"RootAssetsCanViewType", | ||
_t(self::class . '.ROOTASSETSVIEWHEADER', "Who can view files on this site?") | ||
), | ||
$viewerGroupsField = ListboxField::create( | ||
"RootAssetsViewerGroups", | ||
_t('SilverStripe\\CMS\\Model\\SiteTree.ROOTASSETSVIEWERGROUPS', "File Viewer Groups") | ||
) | ||
->setSource($groupsMap) | ||
->setAttribute( | ||
'data-placeholder', | ||
_t('SilverStripe\\CMS\\Model\\SiteTree.GroupPlaceholder', 'Click to select group') | ||
), | ||
$viewerMembersField = ListboxField::create( | ||
"RootAssetsViewerMembers", | ||
_t(__CLASS__.'.ROOTASSETSVIEWERMEMBERS', "Viewer Users"), | ||
$membersMap, | ||
), | ||
$editorsOptionsField = OptionsetField::create( | ||
"RootAssetsCanEditType", | ||
_t(self::class . '.ROOTASSETSEDITHEADER', "Who can edit files on this site?") | ||
), | ||
$editorGroupsField = ListboxField::create( | ||
"RootAssetsEditorGroups", | ||
_t('SilverStripe\\CMS\\Model\\SiteTree.EDITORGROUPS', "File Editor Groups") | ||
) | ||
->setSource($groupsMap) | ||
->setAttribute( | ||
'data-placeholder', | ||
_t('SilverStripe\\CMS\\Model\\SiteTree.GroupPlaceholder', 'Click to select group') | ||
), | ||
$editorMembersField = ListboxField::create( | ||
"RootAssetsEditorMembers", | ||
_t(__CLASS__.'.ROOTASSETSEDITORMEMBERS', "Editor Users"), | ||
$membersMap | ||
) | ||
] | ||
); | ||
|
||
$viewersOptionsSource = []; | ||
$viewersOptionsSource[InheritedPermissions::ANYONE] = _t('SilverStripe\\CMS\\Model\\SiteTree.ACCESSANYONE', "Anyone"); | ||
$viewersOptionsSource[InheritedPermissions::LOGGED_IN_USERS] = _t( | ||
'SilverStripe\\CMS\\Model\\SiteTree.ACCESSLOGGEDIN', | ||
"Logged-in users" | ||
); | ||
$viewersOptionsSource[InheritedPermissions::ONLY_THESE_USERS] = _t( | ||
'SilverStripe\\CMS\\Model\\SiteTree.ACCESSONLYTHESE', | ||
"Only these groups (choose from list)" | ||
); | ||
$viewersOptionsSource[InheritedPermissions::ONLY_THESE_MEMBERS] = _t( | ||
'SilverStripe\\CMS\\Model\\SiteTree.ACCESSONLYMEMBERS', | ||
"Only these users (choose from list)" | ||
); | ||
$viewersOptionsField->setSource($viewersOptionsSource); | ||
$editorsOptionsSource = $viewersOptionsSource; | ||
unset($editorsOptionsSource[InheritedPermissions::ANYONE]); | ||
$editorsOptionsField->setSource($editorsOptionsSource); | ||
|
||
|
||
if ($editAllGroupsMap) { | ||
$viewerGroupsField->setDescription(_t( | ||
'SilverStripe\\CMS\\Model\\SiteTree.ROOT_ASSETS_VIEWER_GROUPS_FIELD_DESC', | ||
'Groups with global view permissions: {groupList}', | ||
['groupList' => implode(', ', array_values($editAllGroupsMap))] | ||
)); | ||
$editorGroupsField->setDescription(_t( | ||
'SilverStripe\\CMS\\Model\\SiteTree.ROOT_ASSETS_EDITOR_GROUPS_FIELD_DESC', | ||
'Groups with global edit permissions: {groupList}', | ||
['groupList' => implode(', ', array_values($editAllGroupsMap))] | ||
)); | ||
} | ||
|
||
if (!Permission::check(File::GRANT_ACCESS)) { | ||
$fields->makeFieldReadonly($viewersOptionsField); | ||
if ($this->getOwner()->RootAssetsCanViewType === InheritedPermissions::ONLY_THESE_USERS) { | ||
$fields->makeFieldReadonly($viewerGroupsField); | ||
$fields->removeByName('RootAssetsViewerMembers'); | ||
} elseif ($this->getOwner()->RootAssetsCanViewType === InheritedPermissions::ONLY_THESE_MEMBERS) { | ||
$fields->makeFieldReadonly($viewerMembersField); | ||
$fields->removeByName('RootAssetsViewerGroups'); | ||
} else { | ||
$fields->removeByName('RootAssetsViewerGroups'); | ||
$fields->removeByName('RootAssetsViewerMembers'); | ||
} | ||
|
||
$fields->makeFieldReadonly($editorsOptionsField); | ||
if ($this->getOwner()->RootAssetsCanEditType === InheritedPermissions::ONLY_THESE_USERS) { | ||
$fields->makeFieldReadonly($editorGroupsField); | ||
$fields->removeByName('RootAssetsEditorMembers'); | ||
} elseif ($this->getOwner()->RootAssetsCanEditType === InheritedPermissions::ONLY_THESE_MEMBERS) { | ||
$fields->makeFieldReadonly($editorMembersField); | ||
$fields->removeByName('RootAssetsEditorGroups'); | ||
} else { | ||
$fields->removeByName('RootAssetsEditorGroups'); | ||
$fields->removeByName('RootAssetsEditorMembers'); | ||
} | ||
} | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,131 @@ | ||
<?php | ||
|
||
namespace SilverStripe\Assets; | ||
|
||
use SilverStripe\Assets\File; | ||
use SilverStripe\Security\DefaultPermissionChecker; | ||
use SilverStripe\Security\InheritedPermissions; | ||
use SilverStripe\Security\Member; | ||
use SilverStripe\Security\Permission; | ||
use SilverStripe\Security\Security; | ||
use SilverStripe\SiteConfig\SiteConfig; | ||
|
||
/** | ||
* Permissions for root files with Can*Type = Inherit | ||
*/ | ||
class SiteConfigFilePermissions implements DefaultPermissionChecker | ||
{ | ||
/** | ||
* Can root be edited? | ||
* | ||
* @param Member $member | ||
* @return bool | ||
*/ | ||
public function canEdit(Member $member = null) | ||
{ | ||
if (!$member) { | ||
$member = Security::getCurrentUser(); | ||
} | ||
|
||
if (Permission::checkMember($member, 'ADMIN') || Permission::check($member, File::EDIT_ALL)) { | ||
return true; | ||
} | ||
|
||
$siteConfig = SiteConfig::current_site_config(); | ||
$canEditType = $siteConfig->RootAssetsCanEditType; | ||
|
||
// Any logged in user can edit root files and folders | ||
if ($canEditType === InheritedPermissions::LOGGED_IN_USERS) { | ||
return $member !== null; | ||
} | ||
|
||
// Specific user groups can edit root files and folders | ||
if ($canEditType === InheritedPermissions::ONLY_THESE_USERS) { | ||
if (!$member) { | ||
return false; | ||
} | ||
return $member->inGroups($siteConfig->RootAssetsEditorGroups()); | ||
} | ||
|
||
// Specific users can edit root files and folders | ||
if ($canEditType === InheritedPermissions::ONLY_THESE_MEMBERS) { | ||
if (!$member) { | ||
return false; | ||
} | ||
return $siteConfig->RootAssetsEditorMembers()->filter('ID', $member->ID)->count() > 0; | ||
} | ||
|
||
// Secure by default | ||
return false; | ||
} | ||
|
||
/** | ||
* Can root be viewed? | ||
* | ||
* @param Member $member | ||
* @return bool | ||
*/ | ||
public function canView($member = null) | ||
{ | ||
if (!$member) { | ||
$member = Security::getCurrentUser(); | ||
} | ||
|
||
if (Permission::checkMember($member, 'ADMIN') || Permission::check($member, File::EDIT_ALL)) { | ||
return true; | ||
} | ||
|
||
$siteConfig = SiteConfig::current_site_config(); | ||
$canViewType = $siteConfig->RootAssetsCanViewType; | ||
|
||
if ($canViewType === InheritedPermissions::ANYONE) { | ||
return true; | ||
} | ||
|
||
// Any logged in user can view root files and folders | ||
if ($canViewType === InheritedPermissions::LOGGED_IN_USERS) { | ||
return $member !== null; | ||
} | ||
|
||
// Specific user groups can view root files and folders | ||
if ($canViewType === InheritedPermissions::ONLY_THESE_USERS) { | ||
if (!$member) { | ||
return false; | ||
} | ||
return $member->inGroups($siteConfig->RootAssetsViewerGroups()); | ||
} | ||
|
||
// Specific users can view root files and folders | ||
if ($canViewType === InheritedPermissions::ONLY_THESE_MEMBERS) { | ||
if (!$member) { | ||
return false; | ||
} | ||
return $siteConfig->RootAssetsViewerMembers()->filter('ID', $member->ID)->count() > 0; | ||
} | ||
|
||
// Secure by default | ||
return false; | ||
} | ||
|
||
/** | ||
* Can root be deleted? | ||
* | ||
* @param Member $member | ||
* @return bool | ||
*/ | ||
public function canDelete(Member $member = null) | ||
{ | ||
return $this->canEdit($member); | ||
} | ||
|
||
/** | ||
* Can root objects be created? | ||
* | ||
* @param Member $member | ||
* @return bool | ||
*/ | ||
public function canCreate(Member $member = null) | ||
{ | ||
return $this->canEdit($member); | ||
} | ||
} |