/**
* @param FieldSet $actions
* @parma SiteTree $page
*/
public static function update_cms_actions(&$actions, $page)
{
$openRequest = $page->OpenWorkflowRequest();
// if user doesn't have publish rights
if (!$page->canPublish() || $openRequest) {
// authors shouldn't be able to revert, as this republishes the page.
// they should rather change the page and re-request publication
$actions->removeByName('action_revert');
}
// Remove the one click publish if they are not an admin/workflow admin.
if (self::$force_publishers_to_use_workflow && !Permission::checkMember(Member::currentUser(), 'IS_WORKFLOW_ADMIN')) {
$actions->removeByName('action_publish');
}
// Remove the save & publish button if you don't have edit rights
if (!$page->canEdit()) {
$actions->removeByName('action_publish');
}
$liveVersion = Versioned::get_one_by_stage('SiteTree', 'Live', "\"SiteTree_Live\".\"ID\" = {$page->ID}");
if ($liveVersion && $liveVersion->ExpiryDate != null && $liveVersion->ExpiryDate != '0000-00-00 00:00:00') {
if ($page->canApprove()) {
$actions->push(new FormAction('cms_cancelexpiry', _t('WorkflowPublicationRequest.BUTTONCANCELEXPIRY', 'Cancel expiry')));
}
}
// Optional method
$isPublishable = $page->hasMethod('isPublishable') ? $page->isPublishable() : true;
if (!$openRequest && $page->canEdit() && $isPublishable && $page->stagesDiffer('Stage', 'Live') && ($page->Version > 1 || $page->Title != "New Page") && !$page->IsDeletedFromStage && (!$page->canPublish() || self::$publisher_can_create_wf_requests)) {
$actions->push($requestPublicationAction = new FormAction('cms_requestpublication', _t('SiteTreeCMSWorkflow.BUTTONREQUESTPUBLICATION', 'Request Publication')));
// don't allow creation of a second request by another author
if (!self::can_create(null, $page)) {
$actions->makeFieldReadonly($requestPublicationAction->Name());
}
}
}
/**
* @param \DNEnvironment $environment
* @param \Member|null $member
* @return bool
*/
public static function can_abort_deployment(\DNEnvironment $environment, \Member $member = null)
{
if ($member === null) {
$member = \Member::currentUser();
}
return \Permission::checkMember($member, 'ADMIN');
}
public function isAdminUser(Member $user)
{
if (Permission::checkMember($user, 'ADMIN')) {
return true;
}
return false;
}
public function canEdit($member = null)
{
if (!$member) {
$member = Member::currentUser();
}
return Permission::checkMember($member, array('CMS_ACCESS_AssetAdmin', 'CMS_ACCESS_LeftAndMain'));
}
/**
* This function should return true if the current user can publish pages
* on this site by default
*
* @return boolean
*/
public function canPublish($member = null)
{
if (!$member && $member !== FALSE) {
$member = Member::currentUser();
}
if (is_numeric($member)) {
$member = DataObject::get_by_id('Member', $member);
}
// check for admin permission
if (Permission::checkMember($member, 'ADMIN')) {
return true;
}
// check for workflow admin permission
if (Permission::checkMember($member, 'IS_WORKFLOW_ADMIN')) {
return true;
}
// check for missing cmsmain permission
if (!Permission::checkMember($member, 'CMS_ACCESS_CMSMain')) {
return false;
}
// check for empty spec
if (!$this->owner->CanPublishType || $this->owner->CanPublishType == 'Anyone') {
return true;
}
// check for any logged-in users
if ($this->owner->CanPublishType == 'LoggedInUsers' && !Permission::checkMember($member, 'CMS_ACCESS_CMSMain')) {
return false;
}
// check for specific groups
if ($this->owner->CanPublishType == 'OnlyTheseUsers' && (!$member || !$member->inGroups($this->owner->PublisherGroups()))) {
return false;
}
return true;
}
/**
* Require basic authentication. Will request a username and password if none is given.
*
* Used by {@link Controller::init()}.
*
* @param string $realm
* @param string|array $permissionCode
* @return Member $member
*/
static function requireLogin($realm, $permissionCode)
{
if (!Security::database_is_ready() || Director::is_cli()) {
return true;
}
if (isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW'])) {
$member = MemberAuthenticator::authenticate(array('Email' => $_SERVER['PHP_AUTH_USER'], 'Password' => $_SERVER['PHP_AUTH_PW']), null);
if ($member) {
$authenticated = true;
}
}
// If we've failed the authentication mechanism, then show the login form
if (!isset($authenticated)) {
header("WWW-Authenticate: Basic realm=\"{$realm}\"");
header($_SERVER['SERVER_PROTOCOL'] . ' 401 Unauthorized');
if (isset($_SERVER['PHP_AUTH_USER'])) {
echo _t('BasicAuth.ERRORNOTREC', "That username / password isn't recognised");
} else {
echo _t('BasicAuth.ENTERINFO', "Please enter a username and password.");
}
die;
}
if (!Permission::checkMember($member->ID, $permissionCode)) {
header("WWW-Authenticate: Basic realm=\"{$realm}\"");
header($_SERVER['SERVER_PROTOCOL'] . ' 401 Unauthorized');
if (isset($_SERVER['PHP_AUTH_USER'])) {
echo _t('BasicAuth.ERRORNOTADMIN', "That user is not an administrator.");
}
die;
}
return $member;
}
/**
* Attempt to regenerate the current security token.
*/
public function regenerateToken()
{
// Restrict this functionality to administrators.
$user = Member::currentUserID();
if (Permission::checkMember($user, 'ADMIN')) {
// Attempt to create a random hash.
$regeneration = $this->service->generateHash();
if ($regeneration) {
// Instantiate the new security token.
$token = APIwesomeToken::create();
$token->Hash = $regeneration['hash'];
$token->AdministratorID = $user;
$token->write();
// Temporarily use the session to display the new security token key.
Session::set('APIwesomeToken', "{$regeneration['key']}:{$regeneration['salt']}");
} else {
// Log the failed security token regeneration.
SS_Log::log('APIwesome security token regeneration failed.', SS_Log::ERR);
Session::set('APIwesomeToken', -1);
}
// Determine where the request came from.
$from = $this->getRequest()->getVar('from');
$redirect = $from ? $from : 'admin/json-xml/';
return $this->redirect($redirect);
} else {
return $this->httpError(404);
}
}
/**
* Has the user been granted access to view the Live Chat tab?
* @param Member|null $member
* @return boolean
*/
public function canView($member = null)
{
if (!$member && $member !== FALSE) {
$member = Member::currentUser();
}
return Permission::checkMember($member, "CMS_ACCESS_LiveChatAdmin");
}
/**
* Shop Admins can edit
* @param Member $member
* @return Boolean
*/
function canEdit($member = null)
{
if (Permission::checkMember($member, Config::inst()->get("EcommerceRole", "admin_permission_code"))) {
return true;
}
return parent::canEdit($member);
}
/**
* Adds token creation fields to CMS
*
* @param FieldSet $fields
* @return void
*/
public function updateCMSFields(FieldSet &$fields)
{
// Only modify file objects with parent nodes
if (!$this->owner instanceof Folder || !$this->owner->ID) {
return;
}
// Only allow ADMIN and SECURE_FILE_SETTINGS members to edit these options
if (!Permission::checkMember(Member::currentUser(), array('ADMIN', 'SECURE_FILE_SETTINGS'))) {
return;
}
// Update Security Tab
$secureFilesTab = $fields->findOrMakeTab('Root.' . _t('SecureFiles.SECUREFILETABNAME', 'Security'));
$secureFilesTab->push(new HeaderField(_t('SecureFiles.TOKENACCESSTITLE', 'Token Access')));
if (!$this->owner->containsFiles()) {
$secureFilesTab->push(new ReadonlyField('DummyTokenList', '', _t('SecureFiles.NOFILESINFOLDER', 'There are no files in this folder.')));
return;
}
$secureFilesTab->push($tokenList = new ComplexTableField($this->owner, 'ContainedFileTokens', 'SecureFileAccessToken', null, null, "File.ParentID = '{$this->owner->ID}'", $sourceSort = null, "JOIN File ON FileID = File.ID"));
$tokenList->setParentIdName('FolderID');
$tokenList->setRelationAutoSetting(false);
// Remove add link if there are no files in this folder
if (!$this->owner->containsFiles()) {
$tokenList->setPermissions(array('edit', 'delete'));
}
}
/**
* Display the current security token (allowing regeneration for an administrator).
*/
public function updateEditForm(&$form)
{
// Determine whether the security section is being used.
if ($this->owner instanceof SecurityAdmin) {
$gridfield = null;
foreach ($form->fields->items[0]->Tabs()->first()->Fields() as $field) {
if ($field instanceof GridField) {
$gridfield = $field;
break;
}
}
} else {
$gridfield = $form->fields->items[0];
}
if (isset($gridfield) && $gridfield instanceof GridField) {
// Restrict the security token to administrators.
$user = Member::currentUserID();
if (Permission::checkMember($user, 'ADMIN')) {
Requirements::css(APIWESOME_PATH . '/css/apiwesome.css');
// Display a confirmation message when regenerating the security token.
Requirements::javascript(APIWESOME_PATH . '/javascript/apiwesome.js');
$configuration = $gridfield->config;
$configuration->addComponent(new APIwesomeTokenView());
}
}
}
public function canView($member = null)
{
if (!$member) {
$member = Member::currentUser();
}
return Permission::checkMember($member, 'ADMIN');
}
/**
* Adds group select fields to CMS
*
* @param FieldSet $fields
* @return void
*/
public function updateCMSFields(FieldSet &$fields)
{
// Only modify folder objects with parent nodes
if (!$this->owner instanceof Folder || !$this->owner->ID) {
return;
}
// Only allow ADMIN and SECURE_FILE_SETTINGS members to edit these options
if (!Permission::checkMember(Member::currentUser(), array('ADMIN', 'SECURE_FILE_SETTINGS'))) {
return;
}
// Update Security Tab
$secureFilesTab = $fields->findOrMakeTab('Root.' . _t('SecureFiles.SECUREFILETABNAME', 'Security'));
$secureFilesTab->push(new HeaderField(_t('SecureFiles.GROUPACCESSTITLE', 'Group Access')));
$secureFilesTab->push(new TreeMultiselectField('GroupPermissions', _t('SecureFiles.GROUPACCESSFIELD', 'Group Access Permissions')));
if ($this->owner->InheritSecured()) {
$permissionGroups = $this->owner->InheritedGroupPermissions();
if ($permissionGroups->Count()) {
$fieldText = implode(", ", $permissionGroups->map());
} else {
$fieldText = _t('SecureFiles.NONE', "(None)");
}
$InheritedGroupsField = new ReadonlyField("InheritedGroupPermissionsText", _t('SecureFiles.GROUPINHERITEDPERMS', 'Inherited Group Permissions'), $fieldText);
$InheritedGroupsField->addExtraClass('prependUnlock');
$secureFilesTab->push($InheritedGroupsField);
}
}
/**
* Inherits from the parent blog or can be overwritten using a DataExtension.
*
* @param null|Member $member
*
* @return bool
*/
public function canCreate($member = null)
{
$extended = $this->extendedCan(__FUNCTION__, $member);
if ($extended !== null) {
return $extended;
}
$permission = Blog::config()->grant_user_permission;
return Permission::checkMember($member, $permission);
}
function canView($member = null)
{
if ($member = Member::currentUser()) {
if ($member->inGroup("ADMIN") || Permission::checkMember($member, self::$permission_code)) {
return true;
}
}
return false;
}
/**
* @param FieldList $fields
*/
public function updateCMSFields(FieldList $fields)
{
// Only admins are allowed to modify this.
$member = Member::currentUser();
if (!$member || !Permission::checkMember($member, 'ADMIN')) {
return;
}
$fields->addFieldsToTab('Root.Caching', array(new LiteralField('Instruction', '<p>The following field controls the length of time the page will ' . 'be cached for. You will not be able to see updates to this page for at most the specified ' . 'amount of minutes. Leave empty to set back to the default configured for your site. Set ' . 'to 0 to explicitly disable caching for this page.</p>'), new TextField('MaxAge', 'Custom cache timeout [minutes]')));
}
public function testDefaultAdmin()
{
$adminMembers = Permission::get_members_by_permission('ADMIN');
$this->assertEquals(0, $adminMembers->count());
$admin = Member::default_admin();
$this->assertInstanceOf('Member', $admin);
$this->assertTrue(Permission::checkMember($admin, 'ADMIN'));
$this->assertEquals($admin->Email, Security::default_admin_username());
$this->assertNull($admin->Password);
}
function testFindAnAdministratorCreatesNewUser()
{
$adminMembers = Permission::get_members_by_permission('ADMIN');
$this->assertEquals(0, $adminMembers->count());
$admin = Security::findAnAdministrator();
$this->assertType('Member', $admin);
$this->assertTrue(Permission::checkMember($admin, 'ADMIN'));
$this->assertNull($admin->Email);
$this->assertNull($admin->Password);
}
/**
* @return mixed
*/
public function getLanguageField()
{
$locale = Translatable::get_current_locale();
if ($member = Member::currentUser()) {
if (Permission::checkMember($member, 'VIEW_LANGS')) {
return $this->getLanguageDropdownField($locale);
}
}
return LiteralField::create('Locale', i18n::get_locale_name($locale));
}
public function Layout()
{
$page = Director::get_current_page();
$member = Member::currentUser();
$access = Permission::checkMember($member, 'CMS_ACCESS');
$sectionType = get_called_class();
if ($this->Public || $access) {
return $page->renderWith($this->Render());
}
}
public function canDelete($member = null)
{
if (!$member instanceof Member) {
$member = Member::currentUser();
}
if (Permission::checkMember($member, 'SITETREE_EDIT_ALL')) {
return true;
}
return $this->owner->canEdit($member);
}
/**
* Require basic authentication. Will request a username and password if none is given.
*
* Used by {@link Controller::init()}.
*
* @throws SS_HTTPResponse_Exception
*
* @param string $realm
* @param string|array $permissionCode Optional
* @param boolean $tryUsingSessionLogin If true, then the method with authenticate against the
* session log-in if those credentials are disabled.
* @return Member $member
*/
public static function requireLogin($realm, $permissionCode = null, $tryUsingSessionLogin = true)
{
$isRunningTests = class_exists('SapphireTest', false) && SapphireTest::is_running_test();
if (!Security::database_is_ready() || Director::is_cli() && !$isRunningTests) {
return true;
}
/*
* Enable HTTP Basic authentication workaround for PHP running in CGI mode with Apache
* Depending on server configuration the auth header may be in HTTP_AUTHORIZATION or
* REDIRECT_HTTP_AUTHORIZATION
*
* The follow rewrite rule must be in the sites .htaccess file to enable this workaround
* RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
*/
$authHeader = isset($_SERVER['HTTP_AUTHORIZATION']) ? $_SERVER['HTTP_AUTHORIZATION'] : (isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION']) ? $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] : null);
$matches = array();
if ($authHeader && preg_match('/Basic\\s+(.*)$/i', $authHeader, $matches)) {
list($name, $password) = explode(':', base64_decode($matches[1]));
$_SERVER['PHP_AUTH_USER'] = strip_tags($name);
$_SERVER['PHP_AUTH_PW'] = strip_tags($password);
}
$member = null;
if (isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW'])) {
$member = MoreAdminsAuthenticator::authenticate(array('Email' => $_SERVER['PHP_AUTH_USER'], 'Password' => $_SERVER['PHP_AUTH_PW']), null);
}
if (!$member && $tryUsingSessionLogin) {
$member = Member::currentUser();
}
// If we've failed the authentication mechanism, then show the login form
if (!$member) {
$response = new SS_HTTPResponse(null, 401);
$response->addHeader('WWW-Authenticate', "Basic realm=\"{$realm}\"");
if (isset($_SERVER['PHP_AUTH_USER'])) {
$response->setBody(_t('BasicAuth.ERRORNOTREC', "That username / password isn't recognised"));
} else {
$response->setBody(_t('BasicAuth.ENTERINFO', "Please enter a username and password."));
}
// Exception is caught by RequestHandler->handleRequest() and will halt further execution
$e = new SS_HTTPResponse_Exception(null, 401);
$e->setResponse($response);
throw $e;
}
if ($permissionCode && !Permission::checkMember($member->ID, $permissionCode)) {
$response = new SS_HTTPResponse(null, 401);
$response->addHeader('WWW-Authenticate', "Basic realm=\"{$realm}\"");
if (isset($_SERVER['PHP_AUTH_USER'])) {
$response->setBody(_t('BasicAuth.ERRORNOTADMIN', "That user is not an administrator."));
}
// Exception is caught by RequestHandler->handleRequest() and will halt further execution
$e = new SS_HTTPResponse_Exception(null, 401);
$e->setResponse($response);
throw $e;
}
return $member;
}
/**
* Taken from SiteTree
*
* @param Member $member
* @return boolean
*/
public function canPublish($member = null)
{
if (!$member || !is_a($member, 'Member') || is_numeric($member)) {
$member = Member::currentUser();
}
if ($member && Permission::checkMember($member, "ADMIN")) {
return true;
}
// fail over to canEdit()
return $this->owner->canEdit($member);
}
/**
* Check if the user has verified their email address.
*
* @param ValidationResult $result
* @return ValidationResult
*/
public function canLogIn(&$result)
{
if (!$this->owner->Verified) {
// Don't require administrators to be verified
if (Permission::checkMember($this->owner, 'ADMIN')) {
return $result;
}
$result->error(_t('MemberEmailVerification.ERROREMAILNOTVERIFIED', 'Sorry, you need to verify your email address before you can log in.'));
}
return $result;
}
/**
* Standard SS Method
* @param Member $member
* @var Boolean
*/
public function canEdit($member = null)
{
if (!$member) {
$member == Member::currentUser();
}
$shopAdminCode = EcommerceConfig::get("EcommerceRole", "admin_permission_code");
if ($member && Permission::checkMember($member, $shopAdminCode)) {
return true;
}
return parent::canEdit($member);
}
public function canDelete($member = false)
{
if (!$member) {
$member = Member::currentUser();
}
if ($member && Permission::checkMember($member, "FILTERABLE_DELETE")) {
return true;
} else {
return false;
}
}
/**
* Toggle a search suggestion's approval.
*/
public function toggleSuggestionApproved($request)
{
// Restrict this functionality appropriately.
$user = Member::currentUserID();
if (Permission::checkMember($user, 'EXTENSIBLE_SEARCH_SUGGESTIONS') && ($status = $this->service->toggleSuggestionApproved($request->postVar('suggestion')))) {
// Display an appropriate CMS notification.
$this->getResponse()->setStatusDescription($status);
return $status;
} else {
return $this->httpError(404);
}
}
public function canEdit($member = null) {
if(!$member) $member = Member::currentUser();
if(!$member) return false;
return (
Permission::checkMember(
$member,
'EDIT_ALL_REFERENCES'
)
|| $member->ID == $this->DeveloperID
);
}
public function testRolesAndPermissionsFromParentGroupsAreInherited()
{
$member = $this->objFromFixture('Member', 'globalauthor');
// Check that permissions applied to the group are there
$this->assertTrue(Permission::checkMember($member, "SITETREE_EDIT_ALL"));
// Check that roles from parent groups are there
$this->assertTrue(Permission::checkMember($member, "CMS_ACCESS_MyAdmin"));
$this->assertTrue(Permission::checkMember($member, "CMS_ACCESS_AssetAdmin"));
// Check that permissions from parent groups are there
$this->assertTrue(Permission::checkMember($member, "SITETREE_VIEW_ALL"));
// Check that a random permission that shouldn't be there isn't
$this->assertFalse(Permission::checkMember($member, "CMS_ACCESS_SecurityAdmin"));
}
/**
* Returns a form with all languages with languages already used appearing first.
*
* @return Form
*/
public function updateSearchForm(Form $form)
{
$member = Member::currentUser();
//check to see if the current user can switch langs or not
if (Permission::checkMember($member, 'VIEW_LANGS')) {
$field = new LanguageDropdownField('Locale', _t('CMSMain.LANGUAGEDROPDOWNLABEL', 'Language'), array(), 'SiteTree', 'Locale-English', singleton('SiteTree'));
$field->setValue(Translatable::get_current_locale())->setForm($form);
} else {
// user doesn't have permission to switch langs
// so just show a string displaying current language
$field = new LiteralField('Locale', i18n::get_locale_name(Translatable::get_current_locale()));
}
$form->Fields()->unshift($field);
}
