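/**
 * Adjusts the CMS action buttons of a page according to the current member's
 * publish/edit rights and the page's workflow state.
 *
 * @param FieldSet $actions Action buttons of the CMS edit form (modified in place)
 * @param SiteTree $page    Page being edited
 */
public static function update_cms_actions(&$actions, $page) {
    $openRequest = $page->OpenWorkflowRequest();

    // Reverting republishes the page, so authors without publish rights (or with a
    // pending request) should change the page and re-request publication instead.
    if (!$page->canPublish() || $openRequest) {
        $actions->removeByName('action_revert');
    }

    // One-click publish is reserved for workflow admins when the site forces the workflow.
    if (self::$force_publishers_to_use_workflow
        && !Permission::checkMember(Member::currentUser(), 'IS_WORKFLOW_ADMIN')) {
        $actions->removeByName('action_publish');
    }

    // No save & publish without edit rights.
    if (!$page->canEdit()) {
        $actions->removeByName('action_publish');
    }

    // The ID is interpolated straight into SQL; cast it so only an integer can get in.
    $liveVersion = Versioned::get_one_by_stage(
        'SiteTree',
        'Live',
        "\"SiteTree_Live\".\"ID\" = " . (int) $page->ID
    );
    if ($liveVersion
        && $liveVersion->ExpiryDate != null
        && $liveVersion->ExpiryDate != '0000-00-00 00:00:00'
        && $page->canApprove()) {
        $actions->push(new FormAction(
            'cms_cancelexpiry',
            _t('WorkflowPublicationRequest.BUTTONCANCELEXPIRY', 'Cancel expiry')
        ));
    }

    // isPublishable() is optional on the page class; its absence means "publishable".
    $isPublishable = $page->hasMethod('isPublishable') ? $page->isPublishable() : true;

    if (!$openRequest
        && $page->canEdit()
        && $isPublishable
        && $page->stagesDiffer('Stage', 'Live')
        && ($page->Version > 1 || $page->Title != "New Page")
        && !$page->IsDeletedFromStage
        && (!$page->canPublish() || self::$publisher_can_create_wf_requests)) {
        $requestPublicationAction = new FormAction(
            'cms_requestpublication',
            _t('SiteTreeCMSWorkflow.BUTTONREQUESTPUBLICATION', 'Request Publication')
        );
        $actions->push($requestPublicationAction);

        // Don't allow creation of a second request by another author: the button is
        // shown but made read-only.
        if (!self::can_create(null, $page)) {
            $actions->makeFieldReadonly($requestPublicationAction->Name());
        }
    }
}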
/**
 * Whether a member may abort a deployment on the given environment.
 * Only holders of the ADMIN permission code qualify; the environment itself
 * is not consulted by this check.
 *
 * @param \DNEnvironment $environment Environment the deployment targets
 * @param \Member|null   $member      Member to check; defaults to the logged-in member
 * @return bool
 */
public static function can_abort_deployment(\DNEnvironment $environment, \Member $member = null) {
    $subject = $member ?: \Member::currentUser();
    return \Permission::checkMember($subject, 'ADMIN');
}
/**
 * Whether the given member holds the ADMIN permission code.
 *
 * @param Member $user
 * @return bool
 */
public function isAdminUser(Member $user) {
    return Permission::checkMember($user, 'ADMIN') ? true : false;
}
/**
 * Editing is tied to CMS access: the member is checked against the asset-admin
 * and the general CMS access codes (presumably any one of them suffices — confirm
 * against Permission::checkMember's array handling).
 *
 * @param Member|null $member Defaults to the logged-in member
 * @return bool
 */
public function canEdit($member = null) {
    $subject = $member ?: Member::currentUser();
    $requiredCodes = array('CMS_ACCESS_AssetAdmin', 'CMS_ACCESS_LeftAndMain');
    return Permission::checkMember($subject, $requiredCodes);
}
/**
 * Whether a member may publish pages on this site by default.
 *
 * Order matters: ADMIN and workflow admins short-circuit to true, then the member
 * must at least hold CMS_ACCESS_CMSMain, and only then is the page's CanPublishType
 * consulted. Anonymous members are refused under OnlyTheseUsers.
 *
 * @param Member|int|null|false $member Member object, member ID, null for the
 *                                       logged-in member, or false to check with no member
 * @return boolean
 */
public function canPublish($member = null) {
    if (!$member && $member !== FALSE) {
        $member = Member::currentUser();
    }
    if (is_numeric($member)) {
        $member = DataObject::get_by_id('Member', $member);
    }

    // Full admins and workflow admins may always publish.
    foreach (array('ADMIN', 'IS_WORKFLOW_ADMIN') as $overrideCode) {
        if (Permission::checkMember($member, $overrideCode)) {
            return true;
        }
    }

    // Without CMS access nothing below can grant publishing.
    if (!Permission::checkMember($member, 'CMS_ACCESS_CMSMain')) {
        return false;
    }

    $publishType = $this->owner->CanPublishType;

    // No restriction configured, or explicitly open to anyone with CMS access.
    if (!$publishType || $publishType == 'Anyone') {
        return true;
    }

    // LoggedInUsers: requires CMS access (already established by the gate above; kept).
    if ($publishType == 'LoggedInUsers' && !Permission::checkMember($member, 'CMS_ACCESS_CMSMain')) {
        return false;
    }

    // OnlyTheseUsers: no member, or a member outside the publisher groups, is refused.
    if ($publishType == 'OnlyTheseUsers'
        && (!$member || !$member->inGroups($this->owner->PublisherGroups()))) {
        return false;
    }

    return true;
}
/**
 * Require HTTP Basic authentication plus a permission code.
 *
 * Sends a 401 with a WWW-Authenticate challenge and terminates the request when no
 * valid credentials are supplied or the authenticated member lacks $permissionCode.
 * Basic auth resends the credentials on every request, so this is only safe over
 * TLS; nothing here throttles repeated attempts, so that has to happen elsewhere.
 *
 * Used by {@link Controller::init()}.
 *
 * @param string       $realm          Realm shown in the browser's credential prompt
 * @param string|array $permissionCode Permission code(s) the member must hold
 * @return Member|true The authenticated member, or true when the database is not
 *                     ready or the request comes from the CLI (both skip the check)
 */
static function requireLogin($realm, $permissionCode) {
    // Nothing to protect before the database exists; CLI runs bypass the check.
    if (!Security::database_is_ready() || Director::is_cli()) {
        return true;
    }

    $member = null;
    if (isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
        $member = MemberAuthenticator::authenticate(
            array('Email' => $_SERVER['PHP_AUTH_USER'], 'Password' => $_SERVER['PHP_AUTH_PW']),
            null
        );
    }

    // No credentials, or credentials that did not authenticate: challenge and stop.
    if (!$member) {
        header("WWW-Authenticate: Basic realm=\"{$realm}\"");
        header($_SERVER['SERVER_PROTOCOL'] . ' 401 Unauthorized');
        echo isset($_SERVER['PHP_AUTH_USER'])
            ? _t('BasicAuth.ERRORNOTREC', "That username / password isn't recognised")
            : _t('BasicAuth.ENTERINFO', "Please enter a username and password.");
        die;
    }

    // Authenticated but not authorised: same challenge, different message.
    if (!Permission::checkMember($member->ID, $permissionCode)) {
        header("WWW-Authenticate: Basic realm=\"{$realm}\"");
        header($_SERVER['SERVER_PROTOCOL'] . ' 401 Unauthorized');
        if (isset($_SERVER['PHP_AUTH_USER'])) {
            echo _t('BasicAuth.ERRORNOTADMIN', "That user is not an administrator.");
        }
        die;
    }

    return $member;
}
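/**
 * Regenerate the current security token. Administrators only.
 *
 * On success the new key is parked in the session so the admin UI can show it once;
 * on failure the error is logged and the session flag is set to -1. Either way the
 * request is redirected back into the admin section.
 *
 * @return SS_HTTPResponse A redirect for administrators, a 404 for everyone else
 */
public function regenerateToken() {
    // Answer non-administrators with a 404 rather than revealing the endpoint exists.
    // NOTE(review): no CSRF/SecurityToken check is visible here — confirm the route enforces one.
    $user = Member::currentUserID();
    if (!Permission::checkMember($user, 'ADMIN')) {
        return $this->httpError(404);
    }

    $regeneration = $this->service->generateHash();
    if ($regeneration) {
        $token = APIwesomeToken::create();
        $token->Hash = $regeneration['hash'];
        $token->AdministratorID = $user;
        $token->write();

        // Only the hash is persisted; key and salt live in the session for one display.
        Session::set('APIwesomeToken', "{$regeneration['key']}:{$regeneration['salt']}");
    } else {
        SS_Log::log('APIwesome security token regeneration failed.', SS_Log::ERR);
        Session::set('APIwesomeToken', -1);
    }

    // "from" arrives on the query string, so it is attacker-controllable: only honour it
    // when it points back into this site, otherwise this is an open redirect.
    $from = $this->getRequest()->getVar('from');
    $redirect = ($from && Director::is_site_url($from)) ? $from : 'admin/json-xml/';
    return $this->redirect($redirect);
}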
/**
 * Has the user been granted access to view the Live Chat tab?
 *
 * @param Member|null|false $member Null means the logged-in member; false checks
 *                                   with no member at all
 * @return boolean
 */
public function canView($member = null) {
    $subject = $member;
    if (!$subject && $subject !== FALSE) {
        $subject = Member::currentUser();
    }
    return Permission::checkMember($subject, "CMS_ACCESS_LiveChatAdmin");
}
/**
 * Shop Admins can edit; everyone else follows the parent's rule.
 *
 * @param Member|null $member Passed through to Permission::checkMember as given
 * @return Boolean
 */
function canEdit($member = null) {
    $shopAdminCode = Config::inst()->get("EcommerceRole", "admin_permission_code");
    if (Permission::checkMember($member, $shopAdminCode)) {
        return true;
    }
    return parent::canEdit($member);
}
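/**
 * Adds token creation fields to CMS
 *
 * Only saved Folder objects get the Security tab, and only for members holding ADMIN
 * or SECURE_FILE_SETTINGS. Hiding the fields is UI gating only — the model's own
 * can*() checks still have to enforce who may create tokens. Empty folders get a
 * placeholder instead of the token list.
 *
 * @param FieldSet $fields
 * @return void
 */
public function updateCMSFields(FieldSet &$fields) {
    // Only saved folders have files that tokens can be issued for.
    if (!$this->owner instanceof Folder || !$this->owner->ID) {
        return;
    }

    if (!Permission::checkMember(Member::currentUser(), array('ADMIN', 'SECURE_FILE_SETTINGS'))) {
        return;
    }

    $secureFilesTab = $fields->findOrMakeTab('Root.' . _t('SecureFiles.SECUREFILETABNAME', 'Security'));
    $secureFilesTab->push(new HeaderField(_t('SecureFiles.TOKENACCESSTITLE', 'Token Access')));

    if (!$this->owner->containsFiles()) {
        $secureFilesTab->push(new ReadonlyField(
            'DummyTokenList',
            '',
            _t('SecureFiles.NOFILESINFOLDER', 'There are no files in this folder.')
        ));
        return;
    }

    // The folder ID is interpolated into a SQL filter; cast it so only an integer can get in.
    $folderId = (int) $this->owner->ID;
    $tokenList = new ComplexTableField(
        $this->owner,
        'ContainedFileTokens',
        'SecureFileAccessToken',
        null,
        null,
        "File.ParentID = '{$folderId}'",
        null,
        "JOIN File ON FileID = File.ID"
    );
    $tokenList->setParentIdName('FolderID');
    $tokenList->setRelationAutoSetting(false);
    $secureFilesTab->push($tokenList);
    // A second containsFiles() check to drop the "add" link is unreachable here:
    // the empty-folder case already returned above.
}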
/**
 * Display the current security token (allowing regeneration for an administrator).
 *
 * Locates the edit form's GridField — inside the first tab for SecurityAdmin, the
 * first form field otherwise — and, for administrators only, attaches the token view
 * component. This is UI gating: the regeneration action must check ADMIN on its own.
 *
 * @param Form $form Edit form being built (modified in place)
 */
public function updateEditForm(&$form) {
    $gridfield = null;
    if ($this->owner instanceof SecurityAdmin) {
        // The security section nests its grid inside the first tab.
        foreach ($form->fields->items[0]->Tabs()->first()->Fields() as $candidate) {
            if ($candidate instanceof GridField) {
                $gridfield = $candidate;
                break;
            }
        }
    } else {
        $gridfield = $form->fields->items[0];
    }

    if (!$gridfield instanceof GridField) {
        return;
    }

    // Restrict the security token to administrators.
    $user = Member::currentUserID();
    if (!Permission::checkMember($user, 'ADMIN')) {
        return;
    }

    Requirements::css(APIWESOME_PATH . '/css/apiwesome.css');
    // Display a confirmation message when regenerating the security token.
    Requirements::javascript(APIWESOME_PATH . '/javascript/apiwesome.js');
    $gridfield->config->addComponent(new APIwesomeTokenView());
}
/**
 * Only holders of the ADMIN permission code may view.
 *
 * @param Member|null $member Defaults to the logged-in member
 * @return bool
 */
public function canView($member = null) {
    $subject = $member ?: Member::currentUser();
    return Permission::checkMember($subject, 'ADMIN');
}
/**
 * Adds group select fields to CMS
 *
 * Only saved folders get the Security tab, and only for members holding ADMIN or
 * SECURE_FILE_SETTINGS. Hiding the fields is UI gating only; it is not itself an
 * access control on the folder's data.
 *
 * @param FieldSet $fields
 * @return void
 */
public function updateCMSFields(FieldSet &$fields) {
    if (!$this->owner instanceof Folder || !$this->owner->ID) {
        return;
    }
    if (!Permission::checkMember(Member::currentUser(), array('ADMIN', 'SECURE_FILE_SETTINGS'))) {
        return;
    }

    $tab = $fields->findOrMakeTab('Root.' . _t('SecureFiles.SECUREFILETABNAME', 'Security'));
    $tab->push(new HeaderField(_t('SecureFiles.GROUPACCESSTITLE', 'Group Access')));
    $tab->push(new TreeMultiselectField('GroupPermissions', _t('SecureFiles.GROUPACCESSFIELD', 'Group Access Permissions')));

    if (!$this->owner->InheritSecured()) {
        return;
    }

    // Show, read-only, which groups the folder picks up from its ancestors.
    $inheritedGroups = $this->owner->InheritedGroupPermissions();
    $summary = $inheritedGroups->Count()
        ? implode(", ", $inheritedGroups->map())
        : _t('SecureFiles.NONE', "(None)");

    $inheritedField = new ReadonlyField(
        "InheritedGroupPermissionsText",
        _t('SecureFiles.GROUPINHERITEDPERMS', 'Inherited Group Permissions'),
        $summary
    );
    $inheritedField->addExtraClass('prependUnlock');
    $tab->push($inheritedField);
}
/**
 * Inherits from the parent blog or can be overwritten using a DataExtension.
 *
 * An extension answering non-null wins; otherwise the member must hold the
 * permission code configured as Blog.grant_user_permission.
 *
 * @param null|Member $member Passed through to Permission::checkMember as given
 *
 * @return bool
 */
public function canCreate($member = null) {
    $fromExtension = $this->extendedCan(__FUNCTION__, $member);
    if ($fromExtension !== null) {
        return $fromExtension;
    }
    $requiredCode = Blog::config()->grant_user_permission;
    return Permission::checkMember($member, $requiredCode);
}
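/**
 * Whether a member may view this object.
 *
 * Members in the "ADMIN" group or holding self::$permission_code may view. The
 * $member argument is honoured (a Member object or a member ID); without one the
 * logged-in member is checked, and anonymous visitors are always refused.
 *
 * @param Member|int|null $member
 * @return bool
 */
function canView($member = null) {
    // Resolve the argument rather than clobbering it with the current user — a
    // check for "member X" must not silently answer for whoever is logged in.
    if (is_numeric($member)) {
        $member = DataObject::get_by_id('Member', $member);
    }
    if (!$member) {
        $member = Member::currentUser();
    }
    if (!$member) {
        return false;
    }

    // NOTE(review): inGroup("ADMIN") tests membership of a group with that code, which
    // is not the same as holding the ADMIN permission code checked elsewhere — confirm.
    if ($member->inGroup("ADMIN") || Permission::checkMember($member, self::$permission_code)) {
        return true;
    }
    return false;
}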
/**
 * Adds the per-page cache timeout control. Administrators only: the field is
 * simply not rendered for anyone else.
 *
 * NOTE(review): MaxAge is a plain TextField — whatever validates it as a number
 * is not in this method.
 *
 * @param FieldList $fields
 */
public function updateCMSFields(FieldList $fields) {
    $member = Member::currentUser();
    $isAdmin = $member && Permission::checkMember($member, 'ADMIN');
    if (!$isAdmin) {
        return;
    }

    $instruction = new LiteralField('Instruction',
        '<p>The following field controls the length of time the page will '
        . 'be cached for. You will not be able to see updates to this page for at most the specified '
        . 'amount of minutes. Leave empty to set back to the default configured for your site. Set '
        . 'to 0 to explicitly disable caching for this page.</p>');
    $timeout = new TextField('MaxAge', 'Custom cache timeout [minutes]');
    $fields->addFieldsToTab('Root.Caching', array($instruction, $timeout));
}
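/**
 * Member::default_admin() yields an ADMIN member whose email is the configured
 * default admin username and which carries no password, even when the fixture
 * contains no ADMIN members.
 */
public function testDefaultAdmin() {
    // Precondition: no ADMIN members exist before the call.
    $this->assertEquals(0, Permission::get_members_by_permission('ADMIN')->count());

    $admin = Member::default_admin();
    $this->assertInstanceOf('Member', $admin);
    $this->assertTrue(Permission::checkMember($admin, 'ADMIN'));
    // assertEquals(expected, actual): the configured username is the expectation,
    // so a failure message reads the right way round.
    $this->assertEquals(Security::default_admin_username(), $admin->Email);
    $this->assertNull($admin->Password);
}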
/**
 * Security::findAnAdministrator() creates an ADMIN member on demand when none
 * exists, with neither an email address nor a password set.
 */
function testFindAnAdministratorCreatesNewUser() {
    // Precondition: no ADMIN members exist before the call.
    $this->assertEquals(0, Permission::get_members_by_permission('ADMIN')->count());

    $created = Security::findAnAdministrator();
    $this->assertType('Member', $created);
    $this->assertTrue(Permission::checkMember($created, 'ADMIN'));
    $this->assertNull($created->Email);
    $this->assertNull($created->Password);
}
/**
 * Language selector for the current locale: a dropdown for logged-in members
 * holding VIEW_LANGS, otherwise a read-only label so the language cannot be switched.
 *
 * @return mixed
 */
public function getLanguageField() {
    $locale = Translatable::get_current_locale();
    $member = Member::currentUser();
    $maySwitch = $member && Permission::checkMember($member, 'VIEW_LANGS');
    if ($maySwitch) {
        return $this->getLanguageDropdownField($locale);
    }
    return LiteralField::create('Locale', i18n::get_locale_name($locale));
}
/**
 * Renders this section with the current page's template when the section is public
 * or the visitor holds the CMS_ACCESS permission; otherwise returns null.
 *
 * NOTE(review): 'CMS_ACCESS' is checked as a bare code; the CMS section codes used
 * elsewhere are of the form CMS_ACCESS_<Section> — confirm this one is ever granted.
 *
 * @return mixed Output of renderWith(), or null
 */
public function Layout() {
    $page = Director::get_current_page();
    $member = Member::currentUser();
    $hasCmsAccess = Permission::checkMember($member, 'CMS_ACCESS');
    $sectionType = get_called_class();

    if (!$this->Public && !$hasCmsAccess) {
        return null;
    }
    return $page->renderWith($this->Render());
}
/**
 * Deletion is allowed for SITETREE_EDIT_ALL holders and otherwise follows canEdit().
 *
 * @param Member|null $member Anything that is not a Member object means the logged-in member
 * @return bool
 */
public function canDelete($member = null) {
    $subject = $member instanceof Member ? $member : Member::currentUser();
    if (Permission::checkMember($subject, 'SITETREE_EDIT_ALL')) {
        return true;
    }
    return $this->owner->canEdit($subject);
}
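/**
 * Require basic authentication. Will request a username and password if none is given.
 *
 * Credentials are taken from PHP_AUTH_USER/PHP_AUTH_PW, or recovered from the raw
 * Authorization header when PHP runs as CGI behind Apache (see the rewrite rule below).
 * When Basic credentials are absent or rejected and $tryUsingSessionLogin is set, the
 * session's logged-in member is used instead — so a wrong password does not by itself
 * lock out a browser that already holds a CMS session.
 *
 * Basic auth resends the credentials on every request: only deploy this behind TLS.
 *
 * Used by {@link Controller::init()}.
 *
 * @throws SS_HTTPResponse_Exception 401 when nobody authenticates or the member lacks $permissionCode
 *
 * @param string       $realm                Realm shown in the browser's credential prompt
 * @param string|array $permissionCode       Optional permission code(s) the member must hold
 * @param boolean      $tryUsingSessionLogin If true, fall back to the session log-in when no
 *                                           valid Basic credentials are given
 * @return Member|true The member, or true when the database is not ready or the request
 *                     comes from the CLI outside a test run (both skip the check)
 */
public static function requireLogin($realm, $permissionCode = null, $tryUsingSessionLogin = true) {
    $isRunningTests = class_exists('SapphireTest', false) && SapphireTest::is_running_test();
    if (!Security::database_is_ready() || (Director::is_cli() && !$isRunningTests)) {
        return true;
    }

    /*
     * Enable HTTP Basic authentication workaround for PHP running in CGI mode with Apache
     * Depending on server configuration the auth header may be in HTTP_AUTHORIZATION or
     * REDIRECT_HTTP_AUTHORIZATION
     *
     * The follow rewrite rule must be in the sites .htaccess file to enable this workaround
     * RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
     */
    $authHeader = null;
    if (isset($_SERVER['HTTP_AUTHORIZATION'])) {
        $authHeader = $_SERVER['HTTP_AUTHORIZATION'];
    } elseif (isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION'])) {
        $authHeader = $_SERVER['REDIRECT_HTTP_AUTHORIZATION'];
    }

    $matches = array();
    if ($authHeader && preg_match('/Basic\\s+(.*)$/i', $authHeader, $matches)) {
        $decoded = base64_decode($matches[1]);
        // Split on the FIRST colon only: a user-id cannot contain ':' but a password can,
        // and an unlimited explode() would truncate such a password (and raise a notice
        // when no colon is present at all). A header without a colon is ignored.
        if ($decoded !== false && strpos($decoded, ':') !== false) {
            list($name, $password) = explode(':', $decoded, 2);
            // NOTE(review): strip_tags() alters any password containing '<'; kept for
            // parity with the PHP_AUTH_* path, but it is not a meaningful defence here.
            $_SERVER['PHP_AUTH_USER'] = strip_tags($name);
            $_SERVER['PHP_AUTH_PW'] = strip_tags($password);
        }
    }

    $member = null;
    if (isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
        $member = MoreAdminsAuthenticator::authenticate(
            array('Email' => $_SERVER['PHP_AUTH_USER'], 'Password' => $_SERVER['PHP_AUTH_PW']),
            null
        );
    }

    // Fall back to whoever is logged in via the session, if allowed.
    if (!$member && $tryUsingSessionLogin) {
        $member = Member::currentUser();
    }

    // If we've failed the authentication mechanism, then show the login form
    if (!$member) {
        $body = isset($_SERVER['PHP_AUTH_USER'])
            ? _t('BasicAuth.ERRORNOTREC', "That username / password isn't recognised")
            : _t('BasicAuth.ENTERINFO', "Please enter a username and password.");
        throw self::basicAuthChallenge($realm, $body);
    }

    // Authenticated but not authorised: same challenge; the message is only shown
    // to Basic-auth callers, never to a session user.
    if ($permissionCode && !Permission::checkMember($member->ID, $permissionCode)) {
        $body = isset($_SERVER['PHP_AUTH_USER'])
            ? _t('BasicAuth.ERRORNOTADMIN', "That user is not an administrator.")
            : null;
        throw self::basicAuthChallenge($realm, $body);
    }

    return $member;
}

/**
 * Builds the 401 challenge for $realm. The returned exception is caught by
 * RequestHandler->handleRequest() and halts further execution.
 *
 * @param string      $realm
 * @param string|null $body  Message for the response body; null leaves the body unset
 * @return SS_HTTPResponse_Exception
 */
private static function basicAuthChallenge($realm, $body) {
    $response = new SS_HTTPResponse(null, 401);
    $response->addHeader('WWW-Authenticate', "Basic realm=\"{$realm}\"");
    if ($body !== null) {
        $response->setBody($body);
    }
    $e = new SS_HTTPResponse_Exception(null, 401);
    $e->setResponse($response);
    return $e;
}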
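/**
 * Taken from SiteTree
 *
 * ADMIN may always publish; everyone else is bound by canEdit(). The member may be
 * given as an object or an ID; null (or anything that is not a Member) means the
 * logged-in member. An ID that does not resolve to a record is refused outright
 * rather than silently being replaced by the current user.
 *
 * @param Member|int|null $member
 * @return boolean
 */
public function canPublish($member = null) {
    if (is_numeric($member)) {
        // Resolve the ID; answering for the logged-in user instead would report the
        // wrong member's rights.
        $member = DataObject::get_by_id('Member', $member);
        if (!$member) {
            return false;
        }
    } elseif (!$member instanceof Member) {
        $member = Member::currentUser();
    }

    if ($member && Permission::checkMember($member, "ADMIN")) {
        return true;
    }

    // fail over to canEdit()
    return $this->owner->canEdit($member);
}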
/**
 * Check if the user has verified their email address.
 *
 * Unverified members are refused at login with an error on $result. Members holding
 * ADMIN are exempt, so an administrator account is usable before its email is
 * confirmed — keep that in mind when reviewing who holds ADMIN.
 *
 * @param ValidationResult $result
 * @return ValidationResult
 */
public function canLogIn(&$result) {
    if ($this->owner->Verified) {
        return $result;
    }
    // Don't require administrators to be verified
    if (Permission::checkMember($this->owner, 'ADMIN')) {
        return $result;
    }
    $result->error(_t('MemberEmailVerification.ERROREMAILNOTVERIFIED',
        'Sorry, you need to verify your email address before you can log in.'));
    return $result;
}
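/**
 * Standard SS Method
 *
 * Shop administrators (the code configured as EcommerceRole.admin_permission_code)
 * may edit; everyone else follows the parent's rule.
 *
 * @param Member|null $member Defaults to the logged-in member
 * @return Boolean
 */
public function canEdit($member = null) {
    if (!$member) {
        // Assignment, not comparison: a stray '==' here leaves $member null, so the
        // shop-admin branch below can never match for the logged-in user.
        $member = Member::currentUser();
    }
    $shopAdminCode = EcommerceConfig::get("EcommerceRole", "admin_permission_code");
    if ($member && Permission::checkMember($member, $shopAdminCode)) {
        return true;
    }
    return parent::canEdit($member);
}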
/**
 * Only members holding FILTERABLE_DELETE may delete; there is no fallback to a
 * parent rule, and anonymous visitors are refused.
 *
 * @param Member|false $member Defaults to the logged-in member
 * @return bool
 */
public function canDelete($member = false) {
    $subject = $member ?: Member::currentUser();
    if (!$subject) {
        return false;
    }
    return Permission::checkMember($subject, "FILTERABLE_DELETE") ? true : false;
}
/**
 * Toggle a search suggestion's approval.
 *
 * Requires the EXTENSIBLE_SEARCH_SUGGESTIONS permission; the suggestion is read from
 * the POST body. Unauthorised callers and failed toggles both get a 404 rather than a
 * hint that the endpoint exists.
 * NOTE(review): no CSRF/SecurityToken check is visible here — confirm the route enforces one.
 *
 * @param SS_HTTPRequest $request
 * @return mixed The status from the service, or the 404 error response
 */
public function toggleSuggestionApproved($request) {
    $user = Member::currentUserID();
    $status = null;
    if (Permission::checkMember($user, 'EXTENSIBLE_SEARCH_SUGGESTIONS')) {
        $status = $this->service->toggleSuggestionApproved($request->postVar('suggestion'));
    }
    if (!$status) {
        return $this->httpError(404);
    }
    // Display an appropriate CMS notification.
    $this->getResponse()->setStatusDescription($status);
    return $status;
}
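/**
 * A member may edit a reference when they hold EDIT_ALL_REFERENCES or are the
 * developer it belongs to. Anonymous visitors are always refused.
 *
 * @param Member|null $member Defaults to the logged-in member
 * @return bool
 */
public function canEdit($member = null) {
    if (!$member) {
        $member = Member::currentUser();
    }
    if (!$member) {
        return false;
    }
    if (Permission::checkMember($member, 'EDIT_ALL_REFERENCES')) {
        return true;
    }
    // Ownership: compare as integers, and never let an unassigned developer (0) match.
    $developerId = (int) $this->DeveloperID;
    return $developerId > 0 && (int) $member->ID === $developerId;
}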
/**
 * A member of a child group inherits both the roles and the permission codes of
 * its parent groups; a code granted nowhere in the hierarchy stays absent.
 */
public function testRolesAndPermissionsFromParentGroupsAreInherited() {
    $author = $this->objFromFixture('Member', 'globalauthor');

    $expectedGranted = array(
        "SITETREE_EDIT_ALL",      // applied directly to the group
        "CMS_ACCESS_MyAdmin",     // via a role on a parent group
        "CMS_ACCESS_AssetAdmin",  // via a role on a parent group
        "SITETREE_VIEW_ALL",      // permission on a parent group
    );
    foreach ($expectedGranted as $code) {
        $this->assertTrue(Permission::checkMember($author, $code));
    }

    // Control: a code granted nowhere in the hierarchy must not appear.
    $this->assertFalse(Permission::checkMember($author, "CMS_ACCESS_SecurityAdmin"));
}
/**
 * Returns a form with all languages with languages already used appearing first.
 *
 * Members holding VIEW_LANGS get a language dropdown; everyone else gets a read-only
 * label of the current locale so the language cannot be switched from this form.
 *
 * @param Form $form Search form the field is prepended to (modified in place)
 */
public function updateSearchForm(Form $form) {
    $member = Member::currentUser();
    $currentLocale = Translatable::get_current_locale();

    if (Permission::checkMember($member, 'VIEW_LANGS')) {
        $field = new LanguageDropdownField(
            'Locale',
            _t('CMSMain.LANGUAGEDROPDOWNLABEL', 'Language'),
            array(),
            'SiteTree',
            'Locale-English',
            singleton('SiteTree')
        );
        $field->setValue($currentLocale)->setForm($form);
    } else {
        $field = new LiteralField('Locale', i18n::get_locale_name($currentLocale));
    }

    $form->Fields()->unshift($field);
}