/**
  * Returns a DataObjectSet of all the members that can publish pages
  * on this site by default
  */
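 public function PublisherMembers()
 {
     // Lists the members who may publish by default, based on the owner's
     // CanPublishType setting. The branch order matches the original because the
     // comparisons are loose (==).
     $publishType = $this->owner->CanPublishType;
     $members = new DataObjectSet();

     if ($publishType == 'OnlyTheseUsers') {
         $groups = $this->owner->PublisherGroups();
         if ($groups) {
             foreach ($groups as $group) {
                 $members->merge($group->Members());
             }
         }
         if ($members->Count()) {
             return $members;
         }
         // No member found in the configured groups: fall through to the ADMIN fallback.
     } elseif ($publishType == 'LoggedInUsers') {
         // We don't want to return every user in the CMS, only those with CMS access.
         return Permission::get_members_by_permission('CMS_ACCESS_CMSMain');
     }

     // Fallback for an empty result and for every other CanPublishType value:
     // the members of the first group holding ADMIN. Members of any further
     // ADMIN groups are not included.
     $adminGroups = Permission::get_groups_by_permission('ADMIN');
     $adminGroup = $adminGroups ? $adminGroups->first() : null;
     if (!$adminGroup) {
         // Fix: the lookup can yield no group (other code on this page tests its
         // result with !$adminGroups). Return the empty set rather than calling
         // Members() on a non-object, so the answer is "nobody" instead of a fatal error.
         return $members;
     }
     return $adminGroup->Members();
 }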
コード例 #2
 /**
  * @param IMarketPlaceType $marketplace_type
  * @return int|bool
  */
 public function store(IMarketPlaceType $marketplace_type)
 {
     // Copied into locals so the closure below can capture them through use().
     $repository       = $this->repository;
     $group_repository = $this->group_repository;
     // NOTE(review): nothing visible in this method assigns $res after this line, so
     // false is returned even when the entity was stored - confirm what callers expect.
     $res = false;

     $this->tx_manager->transaction(function () use (&$res, &$marketplace_type, $repository, $group_repository) {
         // Reject the write when a different record (ID differs) has the same Name and Slug.
         $duplicate_query = new QueryObject();
         $duplicate_query->addAndCondition(QueryCriteria::equal('Name', $marketplace_type->getName()));
         $duplicate_query->addAndCondition(QueryCriteria::equal('Slug', $marketplace_type->getSlug()));
         $duplicate_query->addAndCondition(QueryCriteria::notEqual('ID', $marketplace_type->getIdentifier()));
         if ($repository->getBy($duplicate_query)) {
             throw new EntityAlreadyExistsException('MarketPlaceType', sprintf('Name  %s', $marketplace_type->getName()));
         }
         $repository->add($marketplace_type);
     });

     // Reload the stored entity from the database.
     $stored_type = $this->repository->getById($marketplace_type->getIdentifier());
     // NOTE(review): getAdminGroup() is dereferenced below without a null check.
     $admin_group = $stored_type->getAdminGroup();

     // Security: the permission code is derived from the display name, upper-cased with
     // spaces turned into underscores. Names that differ only in case or in space versus
     // underscore map to the same code. The grant is skipped whenever any group already
     // holds that code, so such names would share one permission - confirm that names
     // are constrained elsewhere.
     $normalized_name = str_replace(' ', '_', strtoupper($stored_type->getName()));
     $permission_code = sprintf('MANAGE_MARKETPLACE_%s', $normalized_name);
     $holders = Permission::get_groups_by_permission($permission_code);
     if (count($holders) == 0) {
         // NOTE(review): this grant runs after the transaction callback has returned.
         Permission::grant($admin_group->getIdentifier(), $permission_code);
     }

     return $res;
 }
 /**
  * Returns a DataObjectSet of all the members that can publish this page
  */
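 public function PublisherMembers()
 {
     // Lists the members who may publish this page, based on the owner's
     // CanPublishType setting. The branch order matches the original because the
     // comparisons are loose (==).
     $publishType = $this->owner->CanPublishType;
     $members = new DataObjectSet();

     if ($publishType == 'OnlyTheseUsers') {
         $groups = $this->owner->PublisherGroups();
         if ($groups) {
             foreach ($groups as $group) {
                 $members->merge($group->Members());
             }
         }
         if ($members->Count()) {
             return $members;
         }
         // No member found in the configured groups: fall through to the ADMIN fallback.
     } elseif ($publishType == 'Inherit') {
         // Defer to the parent page when there is one, otherwise to the site-wide setting.
         $parent = $this->owner->Parent();
         if ($parent->Exists()) {
             return $parent->PublisherMembers();
         }
         return SiteConfig::current_site_config()->PublisherMembers();
     } elseif ($publishType == 'LoggedInUsers') {
         return Permission::get_members_by_permission('CMS_ACCESS_CMSMain');
     }

     // Fallback for an empty result and for every other CanPublishType value:
     // the members of the first group holding ADMIN. Members of any further
     // ADMIN groups are not included.
     $adminGroups = Permission::get_groups_by_permission('ADMIN');
     $adminGroup = $adminGroups ? $adminGroups->first() : null;
     if (!$adminGroup) {
         // Fix: the lookup can yield no group (other code on this page tests its
         // result with !$adminGroups). Return the empty set rather than calling
         // Members() on a non-object, so the answer is "nobody" instead of a fatal error.
         return $members;
     }
     return $adminGroup->Members();
 }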
 /**
  * Add default records to database.
  *
  * This function is called whenever the database is built, after the
  * database tables have all been created.
  */
 public function requireDefaultRecords()
 {
     parent::requireDefaultRecords();

     // Poster group: looked up by its fixed code; created with DISCUSSIONS_REPLY when absent.
     $posterGroup = Group::get()->filter("Code", 'discussions-posters')->first();
     if (!$posterGroup) {
         $posterGroup = new Group();
         $posterGroup->Code = 'discussions-posters';
         $posterGroup->Title = _t('Discussions.DefaultGroupTitlePosters', 'Discussion Posters');
         $posterGroup->Sort = 1;
         $posterGroup->write();
         Permission::grant($posterGroup->ID, 'DISCUSSIONS_REPLY');
         DB::alteration_message('Discussion Poster Group Created', 'created');
     }

     // Moderator group: looked up by permission, not by code. The first group that
     // already holds DISCUSSIONS_MODERATION is reused, whatever that group is.
     $moderatorGroup = Permission::get_groups_by_permission('DISCUSSIONS_MODERATION')->first();
     if (!$moderatorGroup) {
         $moderatorGroup = new Group();
         $moderatorGroup->Code = 'discussions-moderators';
         $moderatorGroup->Title = _t('Discussions.DefaultGroupTitleModerators', 'Discussion Moderators');
         $moderatorGroup->Sort = 0;
         $moderatorGroup->write();
         Permission::grant($moderatorGroup->ID, 'DISCUSSIONS_MODERATION');
         DB::alteration_message('Discussion Moderator Group Created', 'created');
     }

     // Attach the groups to every discussion holder that has none of that kind yet.
     // A holder whose poster or moderator groups were deliberately emptied gets the
     // default groups added again the next time this method runs.
     foreach (DiscussionHolder::get() as $holder) {
         $hasPosterGroups = $holder->PosterGroups()->count();
         if (!$hasPosterGroups) {
             $holder->PosterGroups()->add($posterGroup);
             $holder->write();
             DB::alteration_message('Added Poster Group to Discussions Holder', 'created');
         }

         $hasModeratorGroups = $holder->ModeratorGroups()->count();
         if (!$hasModeratorGroups) {
             $holder->ModeratorGroups()->add($moderatorGroup);
             $holder->write();
             DB::alteration_message('Added Moderator Group to Discussions Holder', 'created');
         }
     }
 }
コード例 #5
ファイル: Member.php プロジェクト: Raiser/Praktikum
 function requireDefaultRecords()
 {
     // The default groups should already have been built by Group->requireDefaultRecords().
     // Build them here if no group with ADMIN is found.
     $adminGroups = Permission::get_groups_by_permission('ADMIN');
     if (!$adminGroups) {
         singleton('Group')->requireDefaultRecords();
         $adminGroups = Permission::get_groups_by_permission('ADMIN');
     }
     // Only the first ADMIN group found is used (most likely the default group
     // created through Group->requireDefaultRecords()).
     $adminGroup = $adminGroups->First();

     // Nothing more to do when at least one member already has ADMIN.
     $existingAdmins = Permission::get_members_by_permission('ADMIN');
     if ($existingAdmins) {
         return;
     }

     // 'Email' and 'Password' are deliberately left unset, to avoid creating
     // persistent logins in the database. See Security::setDefaultAdmin().
     $defaultAdmin = Object::create('Member');
     $defaultAdmin->FirstName = _t('Member.DefaultAdminFirstname', 'Default Admin');
     $defaultAdmin->write();
     $defaultAdmin->Groups()->add($adminGroup);
 }
コード例 #6
ファイル: Member.php プロジェクト: nicmart/comperio-site
 /**
  * If any admin groups are requested, deny the whole save operation.
  * 
  * @param Array $ids Database IDs of Group records
  * @return boolean
  */
 function onChangeGroups($ids)
 {
     // A member that already holds ADMIN may be assigned any group.
     // NOTE(review): the check is made on $this, the member whose groups are being
     // changed. It is not made on the logged-in user performing the change.
     if (Permission::checkMember($this, 'ADMIN')) {
         return true;
     }

     // Collect the IDs of every group that carries ADMIN.
     $adminGroups = Permission::get_groups_by_permission('ADMIN');
     $adminGroupIDs = array();
     if ($adminGroups) {
         $adminGroupIDs = $adminGroups->column('ID');
     }

     // Privilege-escalation guard: one requested admin group rejects the whole change.
     // array_intersect() compares values by their string form, so numeric strings
     // match integer IDs.
     $requestedAdminGroups = array_intersect($ids, $adminGroupIDs);
     return count($requestedAdminGroups) == 0;
 }
コード例 #7
ファイル: Group.php プロジェクト: Raiser/Praktikum
 /**
  * Add default records to database.
  *
  * This function is called whenever the database is built, after the
  * database tables have all been created.
  */
 public function requireDefaultRecords()
 {
     parent::requireDefaultRecords();

     // Create the default author group only when no group exists at all.
     $existingGroups = DataObject::get('Group');
     if (!$existingGroups) {
         $authorGroup = new Group();
         $authorGroup->Code = 'content-authors';
         $authorGroup->Title = _t('Group.DefaultGroupTitleContentAuthors', 'Content Authors');
         $authorGroup->Sort = 1;
         $authorGroup->write();

         // Authors get access to specific CMS sections plus tree reorganisation; no ADMIN.
         $authorCodes = array(
             'CMS_ACCESS_CMSMain',
             'CMS_ACCESS_AssetAdmin',
             'CMS_ACCESS_CommentAdmin',
             'CMS_ACCESS_ReportAdmin',
             'SITETREE_REORGANISE',
         );
         foreach ($authorCodes as $authorCode) {
             Permission::grant($authorGroup->ID, $authorCode);
         }
     }

     // Create the default admin group only when no group holds the ADMIN code.
     $groupsWithAdmin = Permission::get_groups_by_permission('ADMIN');
     if (!$groupsWithAdmin) {
         $adminGroup = new Group();
         $adminGroup->Code = 'administrators';
         $adminGroup->Title = _t('Group.DefaultGroupTitleAdministrators', 'Administrators');
         $adminGroup->Sort = 0;
         $adminGroup->write();
         Permission::grant($adminGroup->ID, 'ADMIN');
     }

     // Members are populated through Member->requireDefaultRecords()
 }
コード例 #8
ファイル: Security.php プロジェクト: miamollie/echoAerial
 /**
  * Return an existing member with administrator privileges, or create one if necessary.
  *
  * Will create a default 'Administrators' group if no group is found
  * with an ADMIN permission. Will create a new 'Admin' member with administrative permissions
  * if no existing Member with these permissions is found.
  *
  * Important: Any newly created administrator accounts will NOT have valid
  * login credentials (Email/Password properties), which means they can't be used for login
  * purposes outside of any default credentials set through {@link Security::setDefaultAdmin()}.
  *
  * @return Member
  */
 public static function findAnAdministrator()
 {
     // Coupling to the subsites module: look up the ADMIN group on the main site (0),
     // then switch back to the subsite that was active.
     // NOTE(review): the switch back is not in a finally block, so an exception
     // thrown by the lookup would leave subsite 0 selected.
     $previousSubsite = null;
     if (is_callable('Subsite::changeSubsite')) {
         $previousSubsite = Subsite::currentSubsiteID();
         Subsite::changeSubsite(0);
     }

     // Find a group with ADMIN permission.
     $adminGroup = Permission::get_groups_by_permission('ADMIN')->First();

     if (is_callable('Subsite::changeSubsite')) {
         Subsite::changeSubsite($previousSubsite);
     }

     $member = null;
     if ($adminGroup) {
         $member = $adminGroup->Members()->First();
     } else {
         // No ADMIN group yet: build the default groups and look again.
         singleton('Group')->requireDefaultRecords();
         $adminGroup = Permission::get_groups_by_permission('ADMIN')->First();
     }

     // Fallbacks, in order: default member records, then the configured default admin.
     if (!$member) {
         singleton('Member')->requireDefaultRecords();
         $member = Permission::get_members_by_permission('ADMIN')->First();
     }
     if (!$member) {
         $member = Member::default_admin();
     }

     if (!$member) {
         // Last resort: create a blank admin record. Only FirstName is set here.
         $member = Member::create();
         $member->FirstName = _t('Member.DefaultAdminFirstname', 'Default Admin');
         $member->write();
         // Add the member to the group instead of adding the group to the member.
         // This bypasses the privilege escalation code in Member_GroupSet, so this
         // path creates an ADMIN member without passing through that guard.
         // NOTE(review): $adminGroup is dereferenced without a null check.
         $adminGroup->DirectMembers()->add($member);
     }

     return $member;
 }
コード例 #9
 /**
  * @todo Find more appropriate place to hook into database building
  */
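 function requireDefaultRecords()
 {
     // Two jobs: (1) give CMS-capable groups a default TRANSLATE_ALL permission,
     // (2) backfill the Locale column on records that have none.
     // Returns false when the owner is not its base data class, otherwise nothing.

     // @todo This relies on the Locale attribute being on the base data class, and not any subclasses
     $baseClass = ClassInfo::baseDataClass($this->owner->class);
     if ($this->owner->class != $baseClass) {
         return false;
     }

     // Permissions: If a group doesn't have any specific TRANSLATE_<locale> edit rights,
     // but has CMS_ACCESS_CMSMain (general CMS access), then assign TRANSLATE_ALL permissions as a default.
     // Auto-setting permissions based on these opaque criteria is a bit hacky,
     // but unavoidable until we can determine when a certain permission code was made available first
     // (see http://open.silverstripe.org/ticket/4940)
     //
     // Security: this is an implicit grant. Each time this method runs, a matching
     // group that holds no code starting with TRANSLATE_ receives TRANSLATE_ALL.
     // To keep a group restricted it must hold a specific TRANSLATE_ code.
     // NOTE(review): the test below reads only the Code column of the group's permissions.
     $groups = Permission::get_groups_by_permission(array('CMS_ACCESS_CMSMain', 'CMS_ACCESS_LeftAndMain', 'ADMIN'));
     if ($groups) {
         foreach ($groups as $group) {
             $hasTranslationCode = false;
             foreach ($group->Permissions()->column('Code') as $code) {
                 if (preg_match('/^TRANSLATE_/', $code)) {
                     $hasTranslationCode = true;
                     break; // one match is enough
                 }
             }
             // Only add the code if no more restrictive code exists
             if (!$hasTranslationCode) {
                 Permission::grant($group->ID, 'TRANSLATE_ALL');
             }
         }
     }

     // If the Translatable extension was added after the first records were already
     // created in the database, make sure to update the Locale property if
     // it wasn't set before.
     // The table name placed in the SQL comes from ClassInfo, not from request data.
     $idsWithoutLocale = DB::query(sprintf('SELECT "ID" FROM "%s" WHERE "Locale" IS NULL OR "Locale" = \'\'', $baseClass))->column();
     if (!$idsWithoutLocale) {
         return;
     }

     if ($this->owner->class == 'SiteTree') {
         // Versioned pages: fix the record on both stages.
         foreach (array('Stage', 'Live') as $stage) {
             foreach ($idsWithoutLocale as $id) {
                 // %d forces the ID to an integer before it reaches the filter string.
                 $obj = Versioned::get_one_by_stage($this->owner->class, $stage, sprintf('"SiteTree"."ID" = %d', $id));
                 if (!$obj) {
                     continue;
                 }
                 $obj->Locale = Translatable::default_locale();
                 $obj->writeToStage($stage);
                 $obj->addTranslationGroup($obj->ID);
                 $obj->destroy();
                 unset($obj);
             }
         }
     } else {
         foreach ($idsWithoutLocale as $id) {
             $obj = DataObject::get_by_id($this->owner->class, $id);
             if (!$obj) {
                 continue;
             }
             $obj->Locale = Translatable::default_locale();
             $obj->write();
             $obj->addTranslationGroup($obj->ID);
             $obj->destroy();
             unset($obj);
         }
     }

     // Fix: "changed" used to be passed to sprintf() as the first format value, so the
     // message read "Added default locale 'changed' to table <locale>". It is the
     // message type and belongs to DB::alteration_message() as its second argument.
     DB::alteration_message(
         sprintf("Added default locale '%s' to table %s", Translatable::default_locale(), $this->owner->class),
         "changed"
     );
 }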
コード例 #10
 /**
  * Filter out admin groups to avoid privilege escalation.
  * If any admin groups are requested, deny the whole save operation.
  *
  * @param Array $ids Database IDs of Group records
  * @return boolean True if the change can be accepted
  */
 public function onChangeGroups($ids)
 {
     // Any change is accepted when the logged-in user is an admin, or when this
     // member (the one whose groups are being changed) is already an admin.
     $currentUserIsAdmin = Permission::check('ADMIN');
     if ($currentUserIsAdmin || Permission::checkMember($this, 'ADMIN')) {
         return true;
     }

     // Otherwise the change is acceptable only when it contains no admin group.
     // One requested admin group rejects the whole set.
     $adminGroups = Permission::get_groups_by_permission('ADMIN');
     $adminGroupIDs = array();
     if ($adminGroups) {
         $adminGroupIDs = $adminGroups->column('ID');
     }
     $requestedAdminGroups = array_intersect($ids, $adminGroupIDs);

     return count($requestedAdminGroups) == 0;
 }
コード例 #11
 /**
  * Checks if a group is allowed to the project and the permission code
  *
  * @param string $permissionCode
  * @param Group $group
  *
  * @return bool
  */
 public function groupAllowed($permissionCode, Group $group)
 {
     // Both conditions must hold: the group is one of this project's viewers AND the
     // group holds the permission code. The permission lookup is skipped when the
     // first condition fails.
     $groupId = $group->ID;

     $isViewer = $this->Viewers()->find('ID', $groupId);
     if ($isViewer) {
         $holdsPermission = Permission::get_groups_by_permission($permissionCode)->find('ID', $groupId);
         if ($holdsPermission) {
             return true;
         }
     }

     // Deny by default.
     return false;
 }
コード例 #12
 /**
  * Find target group to record
  *
  * @return Group
  */
 protected function findAdminGroup()
 {
     // Run the default-records step for Group before looking up the ADMIN group.
     $groupSingleton = singleton('Group');
     $groupSingleton->requireDefaultRecords();

     // Only the first group holding ADMIN is returned.
     $adminGroups = Permission::get_groups_by_permission('ADMIN');
     return $adminGroups->First();
 }