/**
  * @param FieldSet $actions
  * @parma SiteTree $page
  */
 public static function update_cms_actions(&$actions, $page)
 {
     $openRequest = $page->OpenWorkflowRequest();
     // if user doesn't have publish rights
     if (!$page->canPublish() || $openRequest) {
         // authors shouldn't be able to revert, as this republishes the page.
         // they should rather change the page and re-request publication
         $actions->removeByName('action_revert');
     }
     // Remove the one click publish if they are not an admin/workflow admin.
     if (self::$force_publishers_to_use_workflow && !Permission::checkMember(Member::currentUser(), 'IS_WORKFLOW_ADMIN')) {
         $actions->removeByName('action_publish');
     }
     // Remove the save & publish button if you don't have edit rights
     if (!$page->canEdit()) {
         $actions->removeByName('action_publish');
     }
     $liveVersion = Versioned::get_one_by_stage('SiteTree', 'Live', "\"SiteTree_Live\".\"ID\" = {$page->ID}");
     if ($liveVersion && $liveVersion->ExpiryDate != null && $liveVersion->ExpiryDate != '0000-00-00 00:00:00') {
         if ($page->canApprove()) {
             $actions->push(new FormAction('cms_cancelexpiry', _t('WorkflowPublicationRequest.BUTTONCANCELEXPIRY', 'Cancel expiry')));
         }
     }
     // Optional method
     $isPublishable = $page->hasMethod('isPublishable') ? $page->isPublishable() : true;
     if (!$openRequest && $page->canEdit() && $isPublishable && $page->stagesDiffer('Stage', 'Live') && ($page->Version > 1 || $page->Title != "New Page") && !$page->IsDeletedFromStage && (!$page->canPublish() || self::$publisher_can_create_wf_requests)) {
         $actions->push($requestPublicationAction = new FormAction('cms_requestpublication', _t('SiteTreeCMSWorkflow.BUTTONREQUESTPUBLICATION', 'Request Publication')));
         // don't allow creation of a second request by another author
         if (!self::can_create(null, $page)) {
             $actions->makeFieldReadonly($requestPublicationAction->Name());
         }
     }
 }
 /**
  * Whether $member may abort a deployment on $environment.
  *
  * Only the ADMIN permission grants this; the environment argument does not
  * take part in the decision.
  *
  * @param \DNEnvironment $environment Environment the deployment targets (not consulted)
  * @param \Member|null   $member      Member to check; null means the current user
  * @return bool
  */
 public static function can_abort_deployment(\DNEnvironment $environment, \Member $member = null)
 {
     $subject = ($member === null) ? \Member::currentUser() : $member;
     return \Permission::checkMember($subject, 'ADMIN');
 }
 /**
  * True when $user holds the ADMIN permission, false otherwise.
  *
  * @param Member $user
  * @return bool
  */
 public function isAdminUser(Member $user)
 {
     return Permission::checkMember($user, 'ADMIN') ? true : false;
 }
 /**
  * Edit access is granted to anyone who may open the asset admin or the CMS at all.
  *
  * @param Member|null $member Member to check; a falsy value means the current user
  * @return mixed Result of Permission::checkMember()
  */
 public function canEdit($member = null)
 {
     $subject = $member ? $member : Member::currentUser();
     $requiredCodes = array('CMS_ACCESS_AssetAdmin', 'CMS_ACCESS_LeftAndMain');
     return Permission::checkMember($subject, $requiredCodes);
 }
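 /**
  * This function should return true if the current user can publish pages
  * on this site by default.
  *
  * Decision order: ADMIN or IS_WORKFLOW_ADMIN always may; anyone without
  * CMS_ACCESS_CMSMain never may; otherwise the owner's CanPublishType decides
  * (empty / 'Anyone' / 'LoggedInUsers' grant every remaining CMS user,
  * 'OnlyTheseUsers' requires membership of PublisherGroups()).
  *
  * @param Member|int|false|null $member A Member, a member ID, null for the
  *        current user, or false to suppress this method's current-user lookup
  * @return boolean
  */
 public function canPublish($member = null)
 {
     if (!$member && $member !== FALSE) {
         $member = Member::currentUser();
     }
     if (is_numeric($member)) {
         $member = DataObject::get_by_id('Member', $member);
     }
     // Site-wide overrides come first.
     if (Permission::checkMember($member, 'ADMIN')) {
         return true;
     }
     if (Permission::checkMember($member, 'IS_WORKFLOW_ADMIN')) {
         return true;
     }
     // Everything below presupposes CMS access; without it nobody publishes.
     if (!Permission::checkMember($member, 'CMS_ACCESS_CMSMain')) {
         return false;
     }
     $publishType = $this->owner->CanPublishType;
     // Empty spec, 'Anyone' and 'LoggedInUsers' all grant at this point: CMS
     // access was just established, so the original's second
     // CMS_ACCESS_CMSMain check for 'LoggedInUsers' could never deny.
     if (!$publishType || $publishType == 'Anyone' || $publishType == 'LoggedInUsers') {
         return true;
     }
     // 'OnlyTheseUsers': the member must be in one of the publisher groups.
     if ($publishType == 'OnlyTheseUsers' && (!$member || !$member->inGroups($this->owner->PublisherGroups()))) {
         return false;
     }
     return true;
 }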
 /**
  * Require basic authentication.  Will request a username and password if none is given.
  *
  * Credentials are read from PHP_AUTH_USER / PHP_AUTH_PW and verified with
  * MemberAuthenticator. A missing or rejected login, or a member lacking
  * $permissionCode, produces a 401 with a WWW-Authenticate challenge and the
  * script terminates. The check is skipped when the database is not ready or
  * when running from the CLI.
  *
  * Used by {@link Controller::init()}.
  *
  * @param string       $realm          Realm announced in the WWW-Authenticate header
  * @param string|array $permissionCode Permission code(s) the member must hold
  * @return Member|true The authenticated member, or true when the check was skipped
  */
 static function requireLogin($realm, $permissionCode)
 {
     if (!Security::database_is_ready() || Director::is_cli()) {
         return true;
     }
     $member = null;
     if (isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW'])) {
         $credentials = array('Email' => $_SERVER['PHP_AUTH_USER'], 'Password' => $_SERVER['PHP_AUTH_PW']);
         $member = MemberAuthenticator::authenticate($credentials, null);
     }
     // No usable credentials: challenge the client and stop.
     if (!$member) {
         header("WWW-Authenticate: Basic realm=\"{$realm}\"");
         header($_SERVER['SERVER_PROTOCOL'] . ' 401 Unauthorized');
         // The same message covers an unknown user and a wrong password.
         $message = isset($_SERVER['PHP_AUTH_USER'])
             ? _t('BasicAuth.ERRORNOTREC', "That username / password isn't recognised")
             : _t('BasicAuth.ENTERINFO', "Please enter a username and password.");
         echo $message;
         die;
     }
     // Authenticated but not authorised: same challenge, different message.
     if (!Permission::checkMember($member->ID, $permissionCode)) {
         header("WWW-Authenticate: Basic realm=\"{$realm}\"");
         header($_SERVER['SERVER_PROTOCOL'] . ' 401 Unauthorized');
         if (isset($_SERVER['PHP_AUTH_USER'])) {
             echo _t('BasicAuth.ERRORNOTADMIN', "That user is not an administrator.");
         }
         die;
     }
     return $member;
 }
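 /**
  * Attempt to regenerate the current security token (administrators only).
  *
  * On success the new key:salt pair is parked in the session for a single
  * display; on failure the session holds -1 and the error is logged. Non-admins
  * receive a 404 rather than a 403 so the endpoint is not advertised.
  *
  * @return SS_HTTPResponse Redirect back to the caller, or the 404 error response
  */
 public function regenerateToken()
 {
     // Restrict this functionality to administrators.
     $user = Member::currentUserID();
     if (!Permission::checkMember($user, 'ADMIN')) {
         return $this->httpError(404);
     }
     // NOTE(review): this action changes state but no CSRF (SecurityToken)
     // check is visible here — confirm the calling link/form supplies one.
     $regeneration = $this->service->generateHash();
     if ($regeneration) {
         // Instantiate the new security token.
         $token = APIwesomeToken::create();
         $token->Hash = $regeneration['hash'];
         $token->AdministratorID = $user;
         $token->write();
         // Temporarily use the session to display the new security token key.
         Session::set('APIwesomeToken', "{$regeneration['key']}:{$regeneration['salt']}");
     } else {
         // Log the failed security token regeneration.
         SS_Log::log('APIwesome security token regeneration failed.', SS_Log::ERR);
         Session::set('APIwesomeToken', -1);
     }
     // 'from' is attacker-controllable request input. Only follow it when it
     // points back into this site; otherwise a crafted link would turn this
     // endpoint into an open redirect.
     $from = $this->getRequest()->getVar('from');
     $redirect = ($from && Director::is_site_url($from)) ? $from : 'admin/json-xml/';
     return $this->redirect($redirect);
 }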
 /**
  * Has the user been granted access to view the Live Chat tab?
  *
  * @param Member|false|null $member Member to check; null means the current user,
  *        false suppresses the current-user fallback
  * @return boolean
  */
 public function canView($member = null)
 {
     $subject = $member;
     if (!$subject && $subject !== FALSE) {
         $subject = Member::currentUser();
     }
     return Permission::checkMember($subject, "CMS_ACCESS_LiveChatAdmin");
 }
 /**
  * Shop Admins can edit; everyone else is judged by the parent class.
  *
  * @param Member|null $member Member to check, passed through unchanged
  * @return Boolean
  */
 function canEdit($member = null)
 {
     $shopAdminCode = Config::inst()->get("EcommerceRole", "admin_permission_code");
     if (!Permission::checkMember($member, $shopAdminCode)) {
         return parent::canEdit($member);
     }
     return true;
 }
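 /**
  * Adds token creation fields to the CMS for a saved Folder.
  *
  * Only ADMIN or SECURE_FILE_SETTINGS members see the additions on the Security
  * tab; a folder without files gets a read-only notice instead of the token table.
  *
  * @param FieldSet $fields
  * @return void
  */
 public function updateCMSFields(FieldSet &$fields)
 {
     // Only modify folder objects that already exist in the database
     if (!$this->owner instanceof Folder || !$this->owner->ID) {
         return;
     }
     // Only allow ADMIN and SECURE_FILE_SETTINGS members to edit these options.
     // This gates the UI only; whatever persists the tokens must check again.
     if (!Permission::checkMember(Member::currentUser(), array('ADMIN', 'SECURE_FILE_SETTINGS'))) {
         return;
     }
     // Update Security Tab
     $secureFilesTab = $fields->findOrMakeTab('Root.' . _t('SecureFiles.SECUREFILETABNAME', 'Security'));
     $secureFilesTab->push(new HeaderField(_t('SecureFiles.TOKENACCESSTITLE', 'Token Access')));
     if (!$this->owner->containsFiles()) {
         $secureFilesTab->push(new ReadonlyField('DummyTokenList', '', _t('SecureFiles.NOFILESINFOLDER', 'There are no files in this folder.')));
         return;
     }
     // The folder ID goes into a raw SQL filter; cast to int so the clause can
     // only ever contain a number.
     $folderID = (int) $this->owner->ID;
     $secureFilesTab->push($tokenList = new ComplexTableField($this->owner, 'ContainedFileTokens', 'SecureFileAccessToken', null, null, "File.ParentID = '{$folderID}'", null, "JOIN File ON FileID = File.ID"));
     $tokenList->setParentIdName('FolderID');
     $tokenList->setRelationAutoSetting(false);
     // The original ended with a second "no files in this folder" branch that
     // limited the table to edit/delete; that case already returned above, so
     // the branch was unreachable and has been dropped.
 }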
 /**
  * Display the current security token (allowing regeneration for an administrator).
  *
  * Locates the GridField in the edit form (inside the first tab for SecurityAdmin,
  * the first field otherwise) and, for ADMIN members only, attaches the token view
  * component and its assets. The permission check here controls visibility only;
  * the regeneration action performs its own ADMIN check.
  *
  * @param Form $form Edit form, modified in place
  * @return void
  */
 public function updateEditForm(&$form)
 {
     $gridfield = null;
     if ($this->owner instanceof SecurityAdmin) {
         // Security section: the grid lives inside the first tab.
         $tabFields = $form->fields->items[0]->Tabs()->first()->Fields();
         foreach ($tabFields as $candidate) {
             if ($candidate instanceof GridField) {
                 $gridfield = $candidate;
                 break;
             }
         }
     } else {
         $gridfield = $form->fields->items[0];
     }
     if (!($gridfield instanceof GridField)) {
         return;
     }
     // Restrict the security token to administrators.
     if (!Permission::checkMember(Member::currentUserID(), 'ADMIN')) {
         return;
     }
     Requirements::css(APIWESOME_PATH . '/css/apiwesome.css');
     // Display a confirmation message when regenerating the security token.
     Requirements::javascript(APIWESOME_PATH . '/javascript/apiwesome.js');
     $gridfield->config->addComponent(new APIwesomeTokenView());
 }
 /**
  * View access requires the ADMIN permission.
  *
  * @param Member|null $member Member to check; a falsy value means the current user
  * @return mixed Result of Permission::checkMember()
  */
 public function canView($member = null)
 {
     $subject = $member ? $member : Member::currentUser();
     return Permission::checkMember($subject, 'ADMIN');
 }
 /**
  * Adds group select fields to the CMS for a saved Folder.
  *
  * Only ADMIN or SECURE_FILE_SETTINGS members see the additions. When the folder
  * inherits its security settings, the inherited groups are listed read-only.
  *
  * @param FieldSet $fields
  * @return void
  */
 public function updateCMSFields(FieldSet &$fields)
 {
     $folder = $this->owner;
     // Only saved Folder objects are affected
     if (!$folder instanceof Folder || !$folder->ID) {
         return;
     }
     // UI gate only: ADMIN or SECURE_FILE_SETTINGS may see these options
     $allowedCodes = array('ADMIN', 'SECURE_FILE_SETTINGS');
     if (!Permission::checkMember(Member::currentUser(), $allowedCodes)) {
         return;
     }
     $tabName = 'Root.' . _t('SecureFiles.SECUREFILETABNAME', 'Security');
     $secureFilesTab = $fields->findOrMakeTab($tabName);
     $secureFilesTab->push(new HeaderField(_t('SecureFiles.GROUPACCESSTITLE', 'Group Access')));
     $secureFilesTab->push(new TreeMultiselectField('GroupPermissions', _t('SecureFiles.GROUPACCESSFIELD', 'Group Access Permissions')));
     if (!$folder->InheritSecured()) {
         return;
     }
     // Inherited permissions are shown as read-only text
     $inherited = $folder->InheritedGroupPermissions();
     $fieldText = $inherited->Count()
         ? implode(", ", $inherited->map())
         : _t('SecureFiles.NONE', "(None)");
     $inheritedField = new ReadonlyField("InheritedGroupPermissionsText", _t('SecureFiles.GROUPINHERITEDPERMS', 'Inherited Group Permissions'), $fieldText);
     $inheritedField->addExtraClass('prependUnlock');
     $secureFilesTab->push($inheritedField);
 }
 /**
  * Inherits from the parent blog or can be overwritten using a DataExtension.
  *
  * Extensions answer first via extendedCan(); when none returns a verdict the
  * configured grant_user_permission code decides.
  *
  * @param null|Member $member
  *
  * @return bool
  */
 public function canCreate($member = null)
 {
     $fromExtension = $this->extendedCan(__FUNCTION__, $member);
     if ($fromExtension === null) {
         return Permission::checkMember($member, Blog::config()->grant_user_permission);
     }
     return $fromExtension;
 }
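 /**
  * Whether $member may view this object: members of the "ADMIN" group or
  * holders of the class' permission code.
  *
  * @param Member|int|null $member Member object or ID; null means the current user
  * @return boolean
  */
 function canView($member = null)
 {
     // The original ignored $member entirely and always answered for the
     // logged-in user, so queries about another member were evaluated against
     // the wrong principal.
     if (!$member) {
         $member = Member::currentUser();
     } elseif (is_numeric($member)) {
         $member = DataObject::get_by_id('Member', $member);
     }
     if (!$member) {
         return false;
     }
     // NOTE(review): inGroup() matches a group code/ID while "ADMIN" is a
     // permission code — confirm a group with code "ADMIN" exists; otherwise this
     // clause never fires and the permission check alone decides.
     if ($member->inGroup("ADMIN") || Permission::checkMember($member, self::$permission_code)) {
         return true;
     }
     return false;
 }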
 /**
  * Adds the per-page cache timeout field; visible to ADMIN members only.
  *
  * @param  FieldList $fields
  * @return void
  */
 public function updateCMSFields(FieldList $fields)
 {
     // Only admins are allowed to modify this.
     $currentMember = Member::currentUser();
     if (!$currentMember || !Permission::checkMember($currentMember, 'ADMIN')) {
         return;
     }
     $instruction = '<p>The following field controls the length of time the page will ' . 'be cached for. You will not be able to see updates to this page for at most the specified ' . 'amount of minutes. Leave empty to set back to the default configured for your site. Set ' . 'to 0 to explicitly disable caching for this page.</p>';
     $fields->addFieldsToTab('Root.Caching', array(
         new LiteralField('Instruction', $instruction),
         new TextField('MaxAge', 'Custom cache timeout [minutes]'),
     ));
 }
 /**
  * Member::default_admin() must yield an ADMIN Member carrying the configured
  * default admin username and no stored password, even when the database
  * holds no admin members at all.
  */
 public function testDefaultAdmin()
 {
     $this->assertEquals(0, Permission::get_members_by_permission('ADMIN')->count());
     $defaultAdmin = Member::default_admin();
     $this->assertInstanceOf('Member', $defaultAdmin);
     $this->assertTrue(Permission::checkMember($defaultAdmin, 'ADMIN'));
     $this->assertEquals($defaultAdmin->Email, Security::default_admin_username());
     // The default admin is not a password-bearing account.
     $this->assertNull($defaultAdmin->Password);
 }
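 /**
  * Security::findAnAdministrator() must create an ADMIN Member on demand when
  * none exists, with neither Email nor Password set.
  */
 function testFindAnAdministratorCreatesNewUser()
 {
     $adminMembers = Permission::get_members_by_permission('ADMIN');
     $this->assertEquals(0, $adminMembers->count());
     $admin = Security::findAnAdministrator();
     // assertType() was removed from PHPUnit; assertInstanceOf is the
     // replacement and matches the sibling testDefaultAdmin().
     $this->assertInstanceOf('Member', $admin);
     $this->assertTrue(Permission::checkMember($admin, 'ADMIN'));
     $this->assertNull($admin->Email);
     $this->assertNull($admin->Password);
 }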
 /**
  * Language field for the current locale: a dropdown for members holding
  * VIEW_LANGS, a read-only locale name for everyone else (including anonymous).
  *
  * @return mixed
  */
 public function getLanguageField()
 {
     $locale = Translatable::get_current_locale();
     $currentMember = Member::currentUser();
     $maySwitch = $currentMember && Permission::checkMember($currentMember, 'VIEW_LANGS');
     if ($maySwitch) {
         return $this->getLanguageDropdownField($locale);
     }
     return LiteralField::create('Locale', i18n::get_locale_name($locale));
 }
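 /**
  * Render the current page with this section's template when the section is
  * public or the current member holds CMS_ACCESS; otherwise render nothing.
  *
  * @return mixed Rendered output from renderWith(), or null when access is denied
  */
 public function Layout()
 {
     $page = Director::get_current_page();
     $member = Member::currentUser();
     // Non-public sections stay visible to CMS users (e.g. for previewing).
     $access = Permission::checkMember($member, 'CMS_ACCESS');
     if ($this->Public || $access) {
         return $page->renderWith($this->Render());
     }
     // Unused $sectionType = get_called_class() removed; the implicit null
     // return is now explicit.
     return null;
 }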
 /**
  * Deletion is allowed for SITETREE_EDIT_ALL holders, otherwise for whoever may edit the owner.
  *
  * @param Member|null $member Member to check; anything other than a Member object means the current user
  * @return boolean
  */
 public function canDelete($member = null)
 {
     $subject = ($member instanceof Member) ? $member : Member::currentUser();
     if (Permission::checkMember($subject, 'SITETREE_EDIT_ALL')) {
         return true;
     }
     return $this->owner->canEdit($subject);
 }
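 /**
  * Require basic authentication.  Will request a username and password if none is given.
  *
  * Credentials come from PHP_AUTH_USER / PHP_AUTH_PW, or are recovered from the
  * Authorization header on CGI setups. When Basic auth yields no member and
  * $tryUsingSessionLogin is set, the session's current member is used instead.
  * No member, or a member lacking $permissionCode, raises a 401 response with a
  * WWW-Authenticate challenge. Skipped when the database is not ready, or on the
  * CLI outside the test runner.
  *
  * Used by {@link Controller::init()}.
  *
  * @throws SS_HTTPResponse_Exception
  *
  * @param string $realm
  * @param string|array $permissionCode Optional
  * @param boolean $tryUsingSessionLogin If true, then the method will authenticate against the
  *  session log-in if those credentials are disabled.
  * @return Member|true The authenticated member, or true when the check was skipped
  */
 public static function requireLogin($realm, $permissionCode = null, $tryUsingSessionLogin = true)
 {
     $isRunningTests = class_exists('SapphireTest', false) && SapphireTest::is_running_test();
     if (!Security::database_is_ready() || Director::is_cli() && !$isRunningTests) {
         return true;
     }
     /*
      * Enable HTTP Basic authentication workaround for PHP running in CGI mode with Apache
      * Depending on server configuration the auth header may be in HTTP_AUTHORIZATION or
      * REDIRECT_HTTP_AUTHORIZATION
      *
      * The follow rewrite rule must be in the sites .htaccess file to enable this workaround
      * RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
      */
     $authHeader = isset($_SERVER['HTTP_AUTHORIZATION']) ? $_SERVER['HTTP_AUTHORIZATION'] : (isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION']) ? $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] : null);
     $matches = array();
     if ($authHeader && preg_match('/Basic\\s+(.*)$/i', $authHeader, $matches)) {
         // The decoded value is "user:password". Split on the FIRST colon only:
         // passwords may legitimately contain ':' and the previous unbounded
         // explode() truncated them at it, so such users could never log in.
         // A value with no colon is malformed and is treated as no credentials.
         $credentials = explode(':', base64_decode($matches[1]), 2);
         if (count($credentials) === 2) {
             list($name, $password) = $credentials;
             // NOTE(review): strip_tags() mangles any password containing '<';
             // kept as-is to preserve existing behaviour — consider removing.
             $_SERVER['PHP_AUTH_USER'] = strip_tags($name);
             $_SERVER['PHP_AUTH_PW'] = strip_tags($password);
         }
     }
     $member = null;
     if (isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW'])) {
         $member = MoreAdminsAuthenticator::authenticate(array('Email' => $_SERVER['PHP_AUTH_USER'], 'Password' => $_SERVER['PHP_AUTH_PW']), null);
     }
     // Basic auth failed or was absent: optionally accept the session login.
     if (!$member && $tryUsingSessionLogin) {
         $member = Member::currentUser();
     }
     // If we've failed the authentication mechanism, then show the login form
     if (!$member) {
         $response = new SS_HTTPResponse(null, 401);
         $response->addHeader('WWW-Authenticate', "Basic realm=\"{$realm}\"");
         if (isset($_SERVER['PHP_AUTH_USER'])) {
             $response->setBody(_t('BasicAuth.ERRORNOTREC', "That username / password isn't recognised"));
         } else {
             $response->setBody(_t('BasicAuth.ENTERINFO', "Please enter a username and password."));
         }
         // Exception is caught by RequestHandler->handleRequest() and will halt further execution
         $e = new SS_HTTPResponse_Exception(null, 401);
         $e->setResponse($response);
         throw $e;
     }
     // Authenticated (by header or session) but lacking the required permission.
     if ($permissionCode && !Permission::checkMember($member->ID, $permissionCode)) {
         $response = new SS_HTTPResponse(null, 401);
         $response->addHeader('WWW-Authenticate', "Basic realm=\"{$realm}\"");
         if (isset($_SERVER['PHP_AUTH_USER'])) {
             $response->setBody(_t('BasicAuth.ERRORNOTADMIN', "That user is not an administrator."));
         }
         // Exception is caught by RequestHandler->handleRequest() and will halt further execution
         $e = new SS_HTTPResponse_Exception(null, 401);
         $e->setResponse($response);
         throw $e;
     }
     return $member;
 }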
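 /**
  * Taken from SiteTree: ADMIN may always publish; everyone else falls back to canEdit().
  *
  * @param Member|int|null $member Member object, member ID, or null for the current user
  * @return boolean
  */
 public function canPublish($member = null)
 {
     if (is_numeric($member)) {
         // The SiteTree original replaced a numeric argument with the current
         // user, so "can member #N publish?" was silently answered for whoever
         // is logged in. Resolve the ID instead; an unknown ID is denied.
         $member = DataObject::get_by_id('Member', $member);
         if (!$member) {
             return false;
         }
     } elseif (!$member || !is_a($member, 'Member')) {
         $member = Member::currentUser();
     }
     if ($member && Permission::checkMember($member, "ADMIN")) {
         return true;
     }
     // fail over to canEdit()
     return $this->owner->canEdit($member);
 }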
 /**
  * Check if the user has verified their email address.
  *
  * Unverified members are refused unless they hold ADMIN, so administrators
  * are never locked out by a missing verification.
  *
  * @param ValidationResult $result Result to attach the error to
  * @return ValidationResult The same result object
  */
 public function canLogIn(&$result)
 {
     if ($this->owner->Verified) {
         return $result;
     }
     // Don't require administrators to be verified
     if (!Permission::checkMember($this->owner, 'ADMIN')) {
         $result->error(_t('MemberEmailVerification.ERROREMAILNOTVERIFIED', 'Sorry, you need to verify your email address before you can log in.'));
     }
     return $result;
 }
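 /**
  * Standard SS Method: shop administrators may always edit; otherwise defer to the parent.
  *
  * @param Member|null $member Member to check, or null for the current user
  * @return Boolean
  */
 public function canEdit($member = null)
 {
     if (!$member) {
         // Was `$member == Member::currentUser()` — a comparison, not an
         // assignment — so $member stayed null and the shop-admin grant below
         // was skipped on the common no-argument call.
         $member = Member::currentUser();
     }
     $shopAdminCode = EcommerceConfig::get("EcommerceRole", "admin_permission_code");
     if ($member && Permission::checkMember($member, $shopAdminCode)) {
         return true;
     }
     return parent::canEdit($member);
 }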
 /**
  * Deletion requires the FILTERABLE_DELETE permission.
  *
  * @param Member|false $member Member to check; a falsy value means the current user
  * @return boolean
  */
 public function canDelete($member = false)
 {
     $subject = $member ? $member : Member::currentUser();
     if (!$subject) {
         return false;
     }
     return Permission::checkMember($subject, "FILTERABLE_DELETE") ? true : false;
 }
 /**
  * Toggle a search suggestion's approval.
  *
  * Requires EXTENSIBLE_SEARCH_SUGGESTIONS; the suggestion comes from the
  * 'suggestion' POST variable. An unauthorised caller or a failed toggle both
  * surface as a 404.
  *
  * @param SS_HTTPRequest $request
  * @return mixed Status string from the service, or the 404 error response
  */
 public function toggleSuggestionApproved($request)
 {
     // Restrict this functionality appropriately. This is the authorisation
     // point for a state-changing action; a CSRF (SecurityToken) check is not
     // visible here — confirm the submitting form carries one.
     $user = Member::currentUserID();
     if (!Permission::checkMember($user, 'EXTENSIBLE_SEARCH_SUGGESTIONS')) {
         return $this->httpError(404);
     }
     $status = $this->service->toggleSuggestionApproved($request->postVar('suggestion'));
     if (!$status) {
         return $this->httpError(404);
     }
     // Display an appropriate CMS notification.
     $this->getResponse()->setStatusDescription($status);
     return $status;
 }
	/**
	 * Editing is allowed for EDIT_ALL_REFERENCES holders and for the developer
	 * who owns the record.
	 *
	 * @param Member|null $member Member to check; a falsy value means the current user
	 * @return boolean
	 */
	public function canEdit($member = null) {
		$subject = $member ? $member : Member::currentUser();
		if (!$subject) {
			return false;
		}
		if (Permission::checkMember($subject, 'EDIT_ALL_REFERENCES')) {
			return true;
		}
		// Owners may edit their own references.
		return $subject->ID == $this->DeveloperID;
	}
 /**
  * A member of a child group must carry the group's own permissions plus the
  * roles and permissions of its parent groups, and nothing beyond them.
  */
 public function testRolesAndPermissionsFromParentGroupsAreInherited()
 {
     $member = $this->objFromFixture('Member', 'globalauthor');
     $expectedCodes = array(
         "SITETREE_EDIT_ALL",     // applied directly to the group
         "CMS_ACCESS_MyAdmin",    // role from a parent group
         "CMS_ACCESS_AssetAdmin", // role from a parent group
         "SITETREE_VIEW_ALL",     // permission from a parent group
     );
     foreach ($expectedCodes as $code) {
         $this->assertTrue(Permission::checkMember($member, $code));
     }
     // Check that a random permission that shouldn't be there isn't
     $this->assertFalse(Permission::checkMember($member, "CMS_ACCESS_SecurityAdmin"));
 }
 /**
  * Prepends a Locale field to the search form: a LanguageDropdownField (languages
  * already used appearing first) for members holding VIEW_LANGS, otherwise a
  * read-only label naming the current locale.
  *
  * @param Form $form Search form, modified in place
  * @return void
  */
 public function updateSearchForm(Form $form)
 {
     $currentLocale = Translatable::get_current_locale();
     //check to see if the current user can switch langs or not
     $canSwitchLanguage = Permission::checkMember(Member::currentUser(), 'VIEW_LANGS');
     if (!$canSwitchLanguage) {
         // No permission to switch: just display the current language.
         $localeField = new LiteralField('Locale', i18n::get_locale_name($currentLocale));
     } else {
         $localeField = new LanguageDropdownField('Locale', _t('CMSMain.LANGUAGEDROPDOWNLABEL', 'Language'), array(), 'SiteTree', 'Locale-English', singleton('SiteTree'));
         $localeField->setValue($currentLocale)->setForm($form);
     }
     $form->Fields()->unshift($localeField);
 }