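/**
 * Returns a DataObjectSet of all the members that can publish pages
 * on this site by default.
 *
 * Resolution is driven by the owner's CanPublishType:
 *  - 'OnlyTheseUsers': the members of every configured PublisherGroups() entry.
 *    If that resolves to nobody (no groups, or empty groups) the set falls back to
 *    the members of the first ADMIN group, i.e. it fails over to the most restricted
 *    audience rather than to "everyone".
 *  - 'LoggedInUsers': members holding CMS_ACCESS_CMSMain (not every CMS user).
 *  - any other value: members of the first ADMIN group.
 *
 * Fix: the ADMIN fallback dereferenced the result of get_groups_by_permission()->first()
 * without checking it; on an installation without an ADMIN group that was a fatal error.
 * It now yields an empty set instead.
 *
 * @return DataObjectSet
 */
public function PublisherMembers() {
    $publishType = $this->owner->CanPublishType;

    if ($publishType == 'OnlyTheseUsers') {
        $members = new DataObjectSet();
        $groups = $this->owner->PublisherGroups();
        if ($groups) {
            foreach ($groups as $group) {
                $members->merge($group->Members());
            }
        }
        // Default to ADMINs if the configured groups resolve to nobody.
        if (!$members->Count()) {
            $members = $this->adminPublisherMembers();
        }
        return $members;
    }

    if ($publishType == 'LoggedInUsers') {
        // We don't want to return every user in the CMS....
        return Permission::get_members_by_permission('CMS_ACCESS_CMSMain');
    }

    return $this->adminPublisherMembers();
}

/**
 * Members of the first group that holds the ADMIN permission, or an empty set
 * when no such group exists (so callers can always iterate/Count() the result).
 *
 * @return DataObjectSet
 */
private function adminPublisherMembers() {
    $adminGroups = Permission::get_groups_by_permission('ADMIN');
    $adminGroup = $adminGroups ? $adminGroups->first() : null;
    return $adminGroup ? $adminGroup->Members() : new DataObjectSet();
}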
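/**
 * Store a marketplace type and make sure its admin group can manage it.
 *
 * Inside a transaction the type is rejected when another record already has
 * the same Name AND the same Slug (with a different ID); otherwise it is added.
 * After the transaction the record is reloaded and, unless some group already
 * holds MANAGE_MARKETPLACE_<NAME>, that permission is granted to the type's
 * admin group. The grant happens outside the transaction, so a failure between
 * the two steps leaves the type stored but without its management permission
 * (only ADMIN can then manage it).
 *
 * Fix: $res was captured by reference but never assigned, so the method always
 * returned false regardless of success; it now returns the stored identifier.
 *
 * @param IMarketPlaceType $marketplace_type
 * @return int|bool identifier of the stored type, false if nothing was stored
 * @throws EntityAlreadyExistsException when a record with the same Name and Slug exists
 */
public function store(IMarketPlaceType $marketplace_type) {
    $repository = $this->repository;
    $res = false;

    $this->tx_manager->transaction(function () use (&$marketplace_type, $repository) {
        $query = new QueryObject();
        $query->addAndCondition(QueryCriteria::equal('Name', $marketplace_type->getName()));
        $query->addAndCondition(QueryCriteria::equal('Slug', $marketplace_type->getSlug()));
        $query->addAndCondition(QueryCriteria::notEqual('ID', $marketplace_type->getIdentifier()));
        // NOTE(review): the conditions are AND-ed, so only a record matching BOTH Name and
        // Slug counts as a duplicate; a clashing Name with a different Slug is accepted.
        // Confirm that is the intended uniqueness rule.
        $old = $repository->getBy($query);
        if ($old) {
            throw new EntityAlreadyExistsException('MarketPlaceType', sprintf('Name %s', $marketplace_type->getName()));
        }
        $repository->add($marketplace_type);
    });

    // reload from db...
    $id = $marketplace_type->getIdentifier();
    $marketplace_type = $this->repository->getById($id);
    $res = $id;

    $g = $marketplace_type->getAdminGroup();
    // The permission code is derived from the upper-cased, space-stripped Name. Nothing in
    // this method revokes codes, so a grant made under a previous Name is left in place.
    $permission_code = sprintf('MANAGE_MARKETPLACE_%s', str_replace(' ', '_', strtoupper($marketplace_type->getName())));
    $groups = Permission::get_groups_by_permission($permission_code);
    if (!$groups || count($groups) == 0) {
        // With no admin group there is nobody to grant to; leave the code ungranted
        // (fails closed) instead of dereferencing null.
        if ($g) {
            Permission::grant($g->getIdentifier(), $permission_code);
        }
    }
    return $res;
}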
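/**
 * Returns a DataObjectSet of all the members that can publish this page.
 *
 * Resolution is driven by the owner's CanPublishType:
 *  - 'OnlyTheseUsers': the members of every configured PublisherGroups() entry; if that
 *    resolves to nobody, falls back to the members of the first ADMIN group (fails over
 *    to the most restricted audience, not to "everyone").
 *  - 'Inherit': the parent page's PublisherMembers(), or the SiteConfig default when the
 *    page has no parent.
 *  - 'LoggedInUsers': members holding CMS_ACCESS_CMSMain.
 *  - any other value: members of the first ADMIN group.
 *
 * Fix: the ADMIN branches dereferenced get_groups_by_permission()->first() without a
 * null check, a fatal error on a site without an ADMIN group; they now return an empty set.
 *
 * @return DataObjectSet
 */
public function PublisherMembers() {
    $publishType = $this->owner->CanPublishType;

    if ($publishType == 'OnlyTheseUsers') {
        $members = new DataObjectSet();
        $groups = $this->owner->PublisherGroups();
        if ($groups) {
            foreach ($groups as $group) {
                $members->merge($group->Members());
            }
        }
        // Default to ADMINs if the configured groups resolve to nobody.
        if (!$members->Count()) {
            $members = $this->adminPublisherMembers();
        }
        return $members;
    }

    if ($publishType == 'Inherit') {
        $parent = $this->owner->Parent();
        if ($parent->Exists()) {
            return $parent->PublisherMembers();
        }
        return SiteConfig::current_site_config()->PublisherMembers();
    }

    if ($publishType == 'LoggedInUsers') {
        return Permission::get_members_by_permission('CMS_ACCESS_CMSMain');
    }

    return $this->adminPublisherMembers();
}

/**
 * Members of the first group holding the ADMIN permission, or an empty set
 * when no such group exists.
 *
 * @return DataObjectSet
 */
private function adminPublisherMembers() {
    $adminGroups = Permission::get_groups_by_permission('ADMIN');
    $adminGroup = $adminGroups ? $adminGroups->first() : null;
    return $adminGroup ? $adminGroup->Members() : new DataObjectSet();
}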
/**
 * Add default records to database.
 *
 * Runs whenever the database is built, after all tables exist. It guarantees
 * a poster group (looked up by Code 'discussions-posters', granted
 * DISCUSSIONS_REPLY when created) and a moderator group (looked up by the
 * DISCUSSIONS_MODERATION permission, created with Code 'discussions-moderators'),
 * then attaches them to every DiscussionHolder that has no poster / moderator
 * groups of its own yet.
 *
 * NOTE(review): an existing 'discussions-posters' group is reused as-is; its
 * permissions are not re-checked here.
 */
public function requireDefaultRecords() {
    parent::requireDefaultRecords();

    // Builds, persists and announces one default group with a single permission.
    $createGroup = function ($code, $title, $sort, $permissionCode, $message) {
        $group = new Group();
        $group->Code = $code;
        $group->Title = $title;
        $group->Sort = $sort;
        $group->write();
        Permission::grant($group->ID, $permissionCode);
        DB::alteration_message($message, 'created');
        return $group;
    };

    // Default poster group, matched by code
    $posterGroup = Group::get()->filter("Code", 'discussions-posters')->first();
    if (!$posterGroup) {
        $posterGroup = $createGroup(
            'discussions-posters',
            _t('Discussions.DefaultGroupTitlePosters', 'Discussion Posters'),
            1,
            'DISCUSSIONS_REPLY',
            'Discussion Poster Group Created'
        );
    }

    // Default moderator group, matched by permission rather than code
    $moderatorGroup = Permission::get_groups_by_permission('DISCUSSIONS_MODERATION')->first();
    if (!$moderatorGroup) {
        $moderatorGroup = $createGroup(
            'discussions-moderators',
            _t('Discussions.DefaultGroupTitleModerators', 'Discussion Moderators'),
            0,
            'DISCUSSIONS_MODERATION',
            'Discussion Moderator Group Created'
        );
    }

    // Attach the groups to every holder that does not have its own yet
    foreach (DiscussionHolder::get() as $holder) {
        if (!$holder->PosterGroups()->count()) {
            $holder->PosterGroups()->add($posterGroup);
            $holder->write();
            DB::alteration_message('Added Poster Group to Discussions Holder', 'created');
        }
        if (!$holder->ModeratorGroups()->count()) {
            $holder->ModeratorGroups()->add($moderatorGroup);
            $holder->write();
            DB::alteration_message('Added Moderator Group to Discussions Holder', 'created');
        }
    }
}
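/**
 * Make sure at least one member holds the ADMIN permission.
 *
 * Looks up (and if missing, builds via Group->requireDefaultRecords()) a group
 * with ADMIN, and when no member currently has ADMIN creates a 'Default Admin'
 * member in that group. The member gets no Email/Password, so it cannot log in
 * on its own; default credentials come only from Security::setDefaultAdmin().
 *
 * Fix: $adminGroups->First() was called without checking that a group was found,
 * which is a fatal error when the default groups could not be built; in that case
 * we now return without creating a member that would belong to no group.
 */
function requireDefaultRecords() {
    // Default groups should've been built by Group->requireDefaultRecords() already
    $adminGroups = Permission::get_groups_by_permission('ADMIN');
    if (!$adminGroups) {
        singleton('Group')->requireDefaultRecords();
        $adminGroups = Permission::get_groups_by_permission('ADMIN');
    }
    $adminGroup = $adminGroups ? $adminGroups->First() : null;
    if (!$adminGroup) {
        // Nothing to attach a default admin to; a member in no group would be a dangling account.
        return;
    }

    // Add a default administrator to the first ADMIN group found (most likely the default
    // group created through Group->requireDefaultRecords()).
    // NOTE(review): relies on get_members_by_permission() being falsy when nobody matches — confirm for this ORM version.
    $admins = Permission::get_members_by_permission('ADMIN');
    if (!$admins) {
        // 'Email' and 'Password' are deliberately left unset so that no persistent
        // login is created in the database. See Security::setDefaultAdmin().
        $admin = Object::create('Member');
        $admin->FirstName = _t('Member.DefaultAdminFirstname', 'Default Admin');
        $admin->write();
        $admin->Groups()->add($adminGroup);
    }
}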
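/**
 * Guard against privilege escalation through group assignment: if any of the
 * requested groups carries ADMIN, deny the whole save operation.
 *
 * The exception is an actor who already has ADMIN, either the logged-in user
 * performing the change or this member itself. Previously only the member being
 * edited was checked, so a genuine administrator could not put another member
 * into an admin group through this path; the logged-in user is now checked too.
 *
 * NOTE(review): only groups that hold ADMIN directly are blocked. If child groups
 * inherit their parent's permissions, a child of an admin group would pass this
 * check — confirm how group permission inheritance works in this version.
 *
 * @param Array $ids Database IDs of Group records
 * @return boolean True if the change can be accepted
 */
function onChangeGroups($ids) {
    if (Permission::check('ADMIN') || Permission::checkMember($this, 'ADMIN')) {
        return true;
    }
    $adminGroups = Permission::get_groups_by_permission('ADMIN');
    $adminGroupIDs = $adminGroups ? $adminGroups->column('ID') : array();
    // Any overlap between the requested groups and the admin groups vetoes the save.
    return count(array_intersect((array) $ids, $adminGroupIDs)) == 0;
}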
/**
 * Add default records to database.
 *
 * Runs whenever the database is built, after all tables exist. Two things are
 * ensured: a 'Content Authors' group with the CMS access codes listed below
 * (created only when the Group table is empty), and an 'Administrators' group
 * holding ADMIN (created only when no group with ADMIN exists). Members are
 * populated separately through Member->requireDefaultRecords().
 *
 * NOTE(review): the "no groups yet" test is `!DataObject::get('Group')`, which
 * depends on the ORM returning a falsy value for an empty result — confirm.
 */
public function requireDefaultRecords() {
    parent::requireDefaultRecords();

    // Author group only when the site has no groups at all
    $existingGroups = DataObject::get('Group');
    if (!$existingGroups) {
        $authors = new Group();
        $authors->Code = 'content-authors';
        $authors->Title = _t('Group.DefaultGroupTitleContentAuthors', 'Content Authors');
        $authors->Sort = 1;
        $authors->write();

        $authorCodes = array(
            'CMS_ACCESS_CMSMain',
            'CMS_ACCESS_AssetAdmin',
            'CMS_ACCESS_CommentAdmin',
            'CMS_ACCESS_ReportAdmin',
            'SITETREE_REORGANISE',
        );
        foreach ($authorCodes as $code) {
            Permission::grant($authors->ID, $code);
        }
    }

    // Administrators group only when nobody holds ADMIN yet
    $adminGroups = Permission::get_groups_by_permission('ADMIN');
    if (!$adminGroups) {
        $admins = new Group();
        $admins->Code = 'administrators';
        $admins->Title = _t('Group.DefaultGroupTitleAdministrators', 'Administrators');
        $admins->Sort = 0;
        $admins->write();
        Permission::grant($admins->ID, 'ADMIN');
    }

    // Members are populated through Member->requireDefaultRecords()
}
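/**
 * Return an existing member with administrator privileges, or create one if necessary.
 *
 * Lookup order: first member of the first ADMIN group (searched across all subsites
 * when the subsites module is present), then any member with ADMIN after
 * Member->requireDefaultRecords(), then Member::default_admin(), and finally a
 * freshly created 'Default Admin' member added directly to the ADMIN group.
 *
 * Important: Any newly created administrator accounts will NOT have valid
 * login credentials (Email/Password properties), which means they can't be used for login
 * purposes outside of any default credentials set through {@link Security::setDefaultAdmin()}.
 *
 * Fix: the ->First() calls on the permission lookups and the final
 * $adminGroup->DirectMembers() were unguarded; when no ADMIN group could be found
 * or built, that was a fatal error. The lookups are now null-safe and the last
 * fallback throws an explicit exception instead.
 *
 * NOTE(review): the second ADMIN-group lookup (after requireDefaultRecords()) runs
 * after the original subsite has been restored, unlike the first one — confirm that
 * is intended when subsites are in use.
 *
 * @return Member
 * @throws LogicException if no group with ADMIN exists and one cannot be created
 */
public static function findAnAdministrator() {
    // coupling to subsites module: search the whole site, not the current subsite
    $origSubsite = null;
    if (is_callable('Subsite::changeSubsite')) {
        $origSubsite = Subsite::currentSubsiteID();
        Subsite::changeSubsite(0);
    }

    $member = null;

    // find a group with ADMIN permission
    $adminGroups = Permission::get_groups_by_permission('ADMIN');
    $adminGroup = $adminGroups ? $adminGroups->First() : null;

    if (is_callable('Subsite::changeSubsite')) {
        Subsite::changeSubsite($origSubsite);
    }

    if ($adminGroup) {
        $member = $adminGroup->Members()->First();
    }

    if (!$adminGroup) {
        singleton('Group')->requireDefaultRecords();
        $adminGroups = Permission::get_groups_by_permission('ADMIN');
        $adminGroup = $adminGroups ? $adminGroups->First() : null;
    }

    if (!$member) {
        singleton('Member')->requireDefaultRecords();
        $admins = Permission::get_members_by_permission('ADMIN');
        $member = $admins ? $admins->First() : null;
    }

    if (!$member) {
        $member = Member::default_admin();
    }

    if (!$member) {
        if (!$adminGroup) {
            throw new \LogicException('No group with ADMIN permission exists, so a default administrator cannot be created');
        }
        // Failover to a blank admin
        $member = Member::create();
        $member->FirstName = _t('Member.DefaultAdminFirstname', 'Default Admin');
        $member->write();
        // Add member to group instead of adding group to member.
        // This bypasses the privilege escalation check in Member_GroupSet, which is
        // intended here: the whole point of this method is to bootstrap an administrator.
        $adminGroup->DirectMembers()->add($member);
    }

    return $member;
}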
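/**
 * Database-build hook for Translatable: grant default translation rights and
 * backfill the Locale column on records that predate the extension.
 *
 * Only runs for the base data class (Locale lives there). Every group that has
 * CMS_ACCESS_CMSMain, CMS_ACCESS_LeftAndMain or ADMIN and no TRANSLATE_* code at
 * all is granted TRANSLATE_ALL. Because this runs on every build, a group that
 * was deliberately stripped of all TRANSLATE_* codes gets TRANSLATE_ALL again —
 * restrict such groups with a narrower TRANSLATE_<locale> code instead.
 *
 * Records whose Locale is NULL or '' get Translatable::default_locale(); for
 * SiteTree this is done on both the Stage and Live tables.
 *
 * Fix: the final DB::alteration_message() call passed "changed" as the first
 * sprintf() argument, so the output read "Added default locale 'changed' to table
 * <locale>" with no message type. The type is now passed to alteration_message().
 *
 * @todo Find more appropriate place to hook into database building
 * @return bool|void false when invoked on a non-base class (nothing done)
 */
function requireDefaultRecords() {
    // @todo This relies on the Locale attribute being on the base data class, and not any subclasses
    $baseClass = ClassInfo::baseDataClass($this->owner->class);
    if ($this->owner->class != $baseClass) {
        return false;
    }

    // Permissions: If a group doesn't have any specific TRANSLATE_<locale> edit rights,
    // but has CMS_ACCESS_CMSMain (general CMS access), then assign TRANSLATE_ALL permissions as a default.
    // Auto-setting permissions based on these intransparent criteria is a bit hacky,
    // but unavoidable until we can determine when a certain permission code was made available first
    // (see http://open.silverstripe.org/ticket/4940)
    $groups = Permission::get_groups_by_permission(array('CMS_ACCESS_CMSMain', 'CMS_ACCESS_LeftAndMain', 'ADMIN'));
    if ($groups) {
        foreach ($groups as $group) {
            $hasTranslationCode = false;
            foreach ($group->Permissions()->column('Code') as $code) {
                if (preg_match('/^TRANSLATE_/', $code)) {
                    $hasTranslationCode = true;
                    break;
                }
            }
            // Only add the code if no more restrictive code exists
            if (!$hasTranslationCode) {
                Permission::grant($group->ID, 'TRANSLATE_ALL');
            }
        }
    }

    // If the Translatable extension was added after the first records were already
    // created in the database, make sure to update the Locale property if it
    // wasn't set before. The table name comes from ClassInfo, not from user input.
    $idsWithoutLocale = DB::query(sprintf(
        'SELECT "ID" FROM "%s" WHERE "Locale" IS NULL OR "Locale" = \'\'',
        $baseClass
    ))->column();
    if (!$idsWithoutLocale) {
        return;
    }

    $defaultLocale = Translatable::default_locale();

    if ($this->owner->class == 'SiteTree') {
        // Versioned: fix up both stages so Live does not keep an empty locale
        foreach (array('Stage', 'Live') as $stage) {
            foreach ($idsWithoutLocale as $id) {
                $obj = Versioned::get_one_by_stage($this->owner->class, $stage, sprintf('"SiteTree"."ID" = %d', $id));
                if (!$obj) {
                    continue;
                }
                $obj->Locale = $defaultLocale;
                $obj->writeToStage($stage);
                $obj->addTranslationGroup($obj->ID);
                $obj->destroy();
                unset($obj);
            }
        }
    } else {
        foreach ($idsWithoutLocale as $id) {
            $obj = DataObject::get_by_id($this->owner->class, $id);
            if (!$obj) {
                continue;
            }
            $obj->Locale = $defaultLocale;
            $obj->write();
            $obj->addTranslationGroup($obj->ID);
            $obj->destroy();
            unset($obj);
        }
    }

    DB::alteration_message(
        sprintf("Added default locale '%s' to table %s", $defaultLocale, $this->owner->class),
        "changed"
    );
}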
/**
 * Privilege-escalation guard for group assignment.
 *
 * Accepts the change outright when the logged-in user or this member already
 * holds ADMIN. Otherwise the save is refused as a whole if any requested group
 * carries the ADMIN permission.
 *
 * NOTE(review): only groups holding ADMIN directly are vetoed; if child groups
 * inherit their parent's permissions, a child of an admin group would pass — confirm.
 *
 * @param Array $ids Database IDs of Group records
 * @return boolean True if the change can be accepted
 */
public function onChangeGroups($ids) {
    // Existing admins (the actor or the member itself) may hand out admin groups.
    $actorIsAdmin = Permission::check('ADMIN') || Permission::checkMember($this, 'ADMIN');
    if ($actorIsAdmin) {
        return true;
    }

    $adminGroupIDs = array();
    $adminGroups = Permission::get_groups_by_permission('ADMIN');
    if ($adminGroups) {
        $adminGroupIDs = $adminGroups->column('ID');
    }

    // Any requested group that is an admin group vetoes the whole save.
    $requestedAdminGroups = array_intersect($ids, $adminGroupIDs);
    return empty($requestedAdminGroups);
}
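/**
 * Checks whether a group is both a viewer of this project and a holder of the
 * given permission code. Both conditions must hold; failing either returns false.
 *
 * Fix: the result of Permission::get_groups_by_permission() was dereferenced
 * without a null check; a falsy result now denies instead of erroring.
 *
 * @param string $permissionCode
 * @param Group $group
 *
 * @return bool
 */
public function groupAllowed($permissionCode, Group $group) {
    // Must be an explicit viewer of this project
    if (!$this->Viewers()->find('ID', $group->ID)) {
        return false;
    }
    // ...and must hold the permission code itself (deny when nobody holds it)
    $permittedGroups = Permission::get_groups_by_permission($permissionCode);
    if (!$permittedGroups || !$permittedGroups->find('ID', $group->ID)) {
        return false;
    }
    return true;
}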
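/**
 * Find the group to record against: the first group holding ADMIN.
 *
 * Calls Group->requireDefaultRecords() first so the default 'Administrators'
 * group exists on a fresh database (this is a write side effect on every call).
 *
 * Fix: ->First() was chained onto the permission lookup without a null check;
 * a falsy lookup result now yields null instead of a fatal error.
 *
 * @return Group|null
 */
protected function findAdminGroup() {
    singleton('Group')->requireDefaultRecords();
    $adminGroups = Permission::get_groups_by_permission('ADMIN');
    return $adminGroups ? $adminGroups->First() : null;
}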