public function getEditForm($id = null, $fields = null)
{
// TODO Duplicate record fetching (see parent implementation)
if (!$id) {
$id = $this->currentPageID();
}
$form = parent::getEditForm($id);
// TODO Duplicate record fetching (see parent implementation)
$record = $this->getRecord($id);
if ($record && !$record->canView()) {
return Security::permissionFailure($this);
}
$memberList = GridField::create('Members', false, Member::get(), $memberListConfig = GridFieldConfig_RecordEditor::create()->addComponent(new GridFieldButtonRow('after'))->addComponent(new GridFieldExportButton('buttons-after-left')))->addExtraClass("members_grid");
if ($record && method_exists($record, 'getValidator')) {
$validator = $record->getValidator();
} else {
$validator = Injector::inst()->get('Member')->getValidator();
}
$memberListConfig->getComponentByType('GridFieldDetailForm')->setValidator($validator);
$groupList = GridField::create('Groups', false, Group::get(), GridFieldConfig_RecordEditor::create());
$columns = $groupList->getConfig()->getComponentByType('GridFieldDataColumns');
$columns->setDisplayFields(array('Breadcrumbs' => singleton('Group')->fieldLabel('Title')));
$columns->setFieldFormatting(array('Breadcrumbs' => function ($val, $item) {
return Convert::raw2xml($item->getBreadcrumbs(' > '));
}));
$fields = new FieldList($root = new TabSet('Root', $usersTab = new Tab('Users', _t('SecurityAdmin.Users', 'Users'), $memberList, new LiteralField('MembersCautionText', sprintf('<p class="caution-remove"><strong>%s</strong></p>', _t('SecurityAdmin.MemberListCaution', 'Caution: Removing members from this list will remove them from all groups and the' . ' database')))), $groupsTab = new Tab('Groups', singleton('Group')->i18n_plural_name(), $groupList)), new HiddenField('ID', false, 0));
// Add import capabilities. Limit to admin since the import logic can affect assigned permissions
if (Permission::check('ADMIN')) {
$fields->addFieldsToTab('Root.Users', array(new HeaderField(_t('SecurityAdmin.IMPORTUSERS', 'Import users'), 3), new LiteralField('MemberImportFormIframe', sprintf('<iframe src="%s" id="MemberImportFormIframe" width="100%%" height="250px" frameBorder="0">' . '</iframe>', $this->Link('memberimport')))));
$fields->addFieldsToTab('Root.Groups', array(new HeaderField(_t('SecurityAdmin.IMPORTGROUPS', 'Import groups'), 3), new LiteralField('GroupImportFormIframe', sprintf('<iframe src="%s" id="GroupImportFormIframe" width="100%%" height="250px" frameBorder="0">' . '</iframe>', $this->Link('groupimport')))));
}
// Tab nav in CMS is rendered through separate template
$root->setTemplate('CMSTabSet');
// Add roles editing interface
if (Permission::check('APPLY_ROLES')) {
$rolesField = GridField::create('Roles', false, PermissionRole::get(), GridFieldConfig_RecordEditor::create());
$rolesTab = $fields->findOrMakeTab('Root.Roles', _t('SecurityAdmin.TABROLES', 'Roles'));
$rolesTab->push($rolesField);
}
$actionParam = $this->getRequest()->param('Action');
if ($actionParam == 'groups') {
$groupsTab->addExtraClass('ui-state-active');
} elseif ($actionParam == 'users') {
$usersTab->addExtraClass('ui-state-active');
} elseif ($actionParam == 'roles') {
$rolesTab->addExtraClass('ui-state-active');
}
$actions = new FieldList();
$form = Form::create($this, 'EditForm', $fields, $actions)->setHTMLID('Form_EditForm');
$form->addExtraClass('cms-edit-form');
$form->setTemplate($this->getTemplatesWithSuffix('_EditForm'));
// Tab nav in CMS is rendered through separate template
if ($form->Fields()->hasTabset()) {
$form->Fields()->findOrMakeTab('Root')->setTemplate('CMSTabSet');
}
$form->addExtraClass('center ss-tabset cms-tabset ' . $this->BaseCSSClasses());
$form->setAttribute('data-pjax-fragment', 'CurrentForm');
$this->extend('updateEditForm', $form);
return $form;
}
public static function handle_manipulation($manipulation)
{
$auditLogger = \Injector::inst()->get('AuditLogger');
$currentMember = \Member::currentUser();
if (!($currentMember && $currentMember->exists())) {
return false;
}
foreach ($manipulation as $table => $details) {
if (!in_array($details['command'], array('update', 'insert'))) {
continue;
}
// logging writes to specific tables (just not when logging in, as it's noise)
if (in_array($table, array('Member', 'Group', 'PermissionRole')) && !preg_match('/Security/', @$_SERVER['REQUEST_URI'])) {
$data = $table::get()->byId($details['id']);
if (!$data) {
continue;
}
$actionText = 'modified ' . $table;
$extendedText = '';
if ($table == 'Group') {
$extendedText = sprintf('Effective permissions: %s', implode(array_values($data->Permissions()->map('ID', 'Code')->toArray()), ', '));
}
if ($table == 'PermissionRole') {
$extendedText = sprintf('Effective groups: %s, Effective permissions: %s', implode(array_values($data->Groups()->map('ID', 'Title')->toArray()), ', '), implode(array_values($data->Codes()->map('ID', 'Code')->toArray()), ', '));
}
if ($table == 'Member') {
$extendedText = sprintf('Effective groups: %s', implode(array_values($data->Groups()->map('ID', 'Title')->toArray()), ', '));
}
$auditLogger->info(sprintf('"%s" (ID: %s) %s (ID: %s, ClassName: %s, Title: "%s", %s)', $currentMember->Email ?: $currentMember->Title, $currentMember->ID, $actionText, $details['id'], $data->ClassName, $data->Title, $extendedText));
}
// log PermissionRole being added to a Group
if ($table == 'Group_Roles') {
$role = \PermissionRole::get()->byId($details['fields']['PermissionRoleID']);
$group = \Group::get()->byId($details['fields']['GroupID']);
// if the permission role isn't already applied to the group
if (!\DB::query(sprintf('SELECT "ID" FROM "Group_Roles" WHERE "GroupID" = %s AND "PermissionRoleID" = %s', $details['fields']['GroupID'], $details['fields']['PermissionRoleID']))->value()) {
$auditLogger->info(sprintf('"%s" (ID: %s) added PermissionRole "%s" (ID: %s) to Group "%s" (ID: %s)', $currentMember->Email ?: $currentMember->Title, $currentMember->ID, $role->Title, $role->ID, $group->Title, $group->ID));
}
}
// log Member added to a Group
if ($table == 'Group_Members') {
$member = \Member::get()->byId($details['fields']['MemberID']);
$group = \Group::get()->byId($details['fields']['GroupID']);
// if the user isn't already in the group, log they've been added
if (!\DB::query(sprintf('SELECT "ID" FROM "Group_Members" WHERE "GroupID" = %s AND "MemberID" = %s', $details['fields']['GroupID'], $details['fields']['MemberID']))->value()) {
$auditLogger->info(sprintf('"%s" (ID: %s) added Member "%s" (ID: %s) to Group "%s" (ID: %s)', $currentMember->Email ?: $currentMember->Title, $currentMember->ID, $member->Email ?: $member->Title, $member->ID, $group->Title, $group->ID));
}
}
}
}
public function getEditForm($id = null, $fields = null)
{
// TODO Duplicate record fetching (see parent implementation)
if (!$id) {
$id = $this->currentPageID();
}
$form = parent::getEditForm($id);
// TODO Duplicate record fetching (see parent implementation)
$record = $this->getRecord($id);
if ($record && !$record->canView()) {
return Security::permissionFailure($this);
}
$memberList = GridField::create('Members', false, Member::get(), $memberListConfig = GridFieldConfig_RecordEditor::create()->addComponent(new GridFieldExportButton()))->addExtraClass("members_grid");
$memberListConfig->getComponentByType('GridFieldDetailForm')->setValidator(new Member_Validator());
$groupList = GridField::create('Groups', false, Group::get(), GridFieldConfig_RecordEditor::create());
$columns = $groupList->getConfig()->getComponentByType('GridFieldDataColumns');
$columns->setDisplayFields(array('Breadcrumbs' => singleton('Group')->fieldLabel('Title')));
$fields = new FieldList($root = new TabSet('Root', $usersTab = new Tab('Users', _t('SecurityAdmin.Users', 'Users'), $memberList, new LiteralField('MembersCautionText', sprintf('<p class="caution-remove"><strong>%s</strong></p>', _t('SecurityAdmin.MemberListCaution', 'Caution: Removing members from this list will remove them from all groups and the database'))), new HeaderField(_t('SecurityAdmin.IMPORTUSERS', 'Import users'), 3), new LiteralField('MemberImportFormIframe', sprintf('<iframe src="%s" id="MemberImportFormIframe" width="100%%" height="250px" border="0"></iframe>', $this->Link('memberimport')))), $groupsTab = new Tab('Groups', singleton('Group')->plural_name(), $groupList, new HeaderField(_t('SecurityAdmin.IMPORTGROUPS', 'Import groups'), 3), new LiteralField('GroupImportFormIframe', sprintf('<iframe src="%s" id="GroupImportFormIframe" width="100%%" height="250px" border="0"></iframe>', $this->Link('groupimport'))))), new HiddenField('ID', false, 0));
$root->setTemplate('CMSTabSet');
// Add roles editing interface
if (Permission::check('APPLY_ROLES')) {
$rolesField = GridField::create('Roles', false, PermissionRole::get(), GridFieldConfig_RecordEditor::create());
$rolesTab = $fields->findOrMakeTab('Root.Roles', _t('SecurityAdmin.TABROLES', 'Roles'));
$rolesTab->push($rolesField);
}
$actionParam = $this->request->param('Action');
if ($actionParam == 'groups') {
$groupsTab->addExtraClass('ui-state-selected');
} elseif ($actionParam == 'users') {
$usersTab->addExtraClass('ui-state-selected');
} elseif ($actionParam == 'roles') {
$rolesTab->addExtraClass('ui-state-selected');
}
$actions = new FieldList();
$form = new Form($this, 'EditForm', $fields, $actions);
$form->addExtraClass('cms-edit-form');
$form->setTemplate($this->getTemplatesWithSuffix('_EditForm'));
if ($form->Fields()->hasTabset()) {
$form->Fields()->findOrMakeTab('Root')->setTemplate('CMSTabSet');
}
$form->addExtraClass('center ss-tabset cms-tabset ' . $this->BaseCSSClasses());
$form->setAttribute('data-pjax-fragment', 'CurrentForm');
$this->extend('updateEditForm', $form);
return $form;
}
/**
* Caution: Only call on instances, not through a singleton.
* The "root group" fields will be created through {@link SecurityAdmin->EditForm()}.
*
* @return FieldList
*/
public function getCMSFields()
{
Requirements::javascript(FRAMEWORK_DIR . '/javascript/PermissionCheckboxSetField.js');
$fields = new FieldList(new TabSet("Root", new Tab('Members', _t('SecurityAdmin.MEMBERS', 'Members'), new TextField("Title", $this->fieldLabel('Title')), $parentidfield = DropdownField::create('ParentID', $this->fieldLabel('Parent'), Group::get()->exclude('ID', $this->ID)->map('ID', 'Breadcrumbs'))->setEmptyString(' '), new TextareaField('Description', $this->fieldLabel('Description'))), $permissionsTab = new Tab('Permissions', _t('SecurityAdmin.PERMISSIONS', 'Permissions'), $permissionsField = new PermissionCheckboxSetField('Permissions', false, 'Permission', 'GroupID', $this))));
$parentidfield->setDescription(_t('Group.GroupReminder', 'If you choose a parent group, this group will take all it\'s roles'));
// Filter permissions
// TODO SecurityAdmin coupling, not easy to get to the form fields through GridFieldDetailForm
$permissionsField->setHiddenPermissions((array) Config::inst()->get('SecurityAdmin', 'hidden_permissions'));
if ($this->ID) {
$group = $this;
$config = GridFieldConfig_RelationEditor::create();
$config->addComponent(new GridFieldButtonRow('after'));
$config->addComponents(new GridFieldExportButton('buttons-after-left'));
$config->addComponents(new GridFieldPrintButton('buttons-after-left'));
$config->getComponentByType('GridFieldAddExistingAutocompleter')->setResultsFormat('$Title ($Email)')->setSearchFields(array('FirstName', 'Surname', 'Email'));
$config->getComponentByType('GridFieldDetailForm')->setValidator(new Member_Validator())->setItemEditFormCallback(function ($form, $component) use($group) {
$record = $form->getRecord();
$groupsField = $form->Fields()->dataFieldByName('DirectGroups');
if ($groupsField) {
// If new records are created in a group context,
// set this group by default.
if ($record && !$record->ID) {
$groupsField->setValue($group->ID);
} elseif ($record && $record->ID) {
// TODO Mark disabled once chosen.js supports it
// $groupsField->setDisabledItems(array($group->ID));
$form->Fields()->replaceField('DirectGroups', $groupsField->performReadonlyTransformation());
}
}
});
$memberList = GridField::create('Members', false, $this->DirectMembers(), $config)->addExtraClass('members_grid');
// @todo Implement permission checking on GridField
//$memberList->setPermissions(array('edit', 'delete', 'export', 'add', 'inlineadd'));
$fields->addFieldToTab('Root.Members', $memberList);
}
// Only add a dropdown for HTML editor configurations if more than one is available.
// Otherwise Member->getHtmlEditorConfigForCMS() will default to the 'cms' configuration.
$editorConfigMap = HtmlEditorConfig::get_available_configs_map();
if (count($editorConfigMap) > 1) {
$fields->addFieldToTab('Root.Permissions', new DropdownField('HtmlEditorConfig', 'HTML Editor Configuration', $editorConfigMap), 'Permissions');
}
if (!Permission::check('EDIT_PERMISSIONS')) {
$fields->removeFieldFromTab('Root', 'Permissions');
}
// Only show the "Roles" tab if permissions are granted to edit them,
// and at least one role exists
if (Permission::check('APPLY_ROLES') && DataObject::get('PermissionRole')) {
$fields->findOrMakeTab('Root.Roles', _t('SecurityAdmin.ROLES', 'Roles'));
$fields->addFieldToTab('Root.Roles', new LiteralField("", "<p>" . _t('SecurityAdmin.ROLESDESCRIPTION', "Roles are predefined sets of permissions, and can be assigned to groups.<br />" . "They are inherited from parent groups if required.") . '<br />' . sprintf('<a href="%s" class="add-role">%s</a>', singleton('SecurityAdmin')->Link('show/root#Root_Roles'), _t('Group.RolesAddEditLink', 'Manage roles')) . "</p>"));
// Add roles (and disable all checkboxes for inherited roles)
$allRoles = PermissionRole::get();
if (!Permission::check('ADMIN')) {
$allRoles = $allRoles->filter("OnlyAdminCanApply", 0);
}
if ($this->ID) {
$groupRoles = $this->Roles();
$inheritedRoles = new ArrayList();
$ancestors = $this->getAncestors();
foreach ($ancestors as $ancestor) {
$ancestorRoles = $ancestor->Roles();
if ($ancestorRoles) {
$inheritedRoles->merge($ancestorRoles);
}
}
$groupRoleIDs = $groupRoles->column('ID') + $inheritedRoles->column('ID');
$inheritedRoleIDs = $inheritedRoles->column('ID');
} else {
$groupRoleIDs = array();
$inheritedRoleIDs = array();
}
$rolesField = ListboxField::create('Roles', false, $allRoles->map()->toArray())->setDefaultItems($groupRoleIDs)->setAttribute('data-placeholder', _t('Group.AddRole', 'Add a role for this group'))->setDisabledItems($inheritedRoleIDs);
if (!$allRoles->Count()) {
$rolesField->setAttribute('data-placeholder', _t('Group.NoRoles', 'No roles found'));
}
$fields->addFieldToTab('Root.Roles', $rolesField);
}
$fields->push($idField = new HiddenField("ID"));
$this->extend('updateCMSFields', $fields);
return $fields;
}
/**
* set up a group with permissions, roles, etc...
* also @see EcommerceRole::providePermissions
* also note that this class implements PermissionProvider
* @param String $code code for the group - will always be converted to lowercase
* @param String $name title for the group
* @param Group | String $parentGroup group object that is the parent of the group. You can also provide a string (name / title of group)
* @param String $permissionCode Permission Code for the group (e.g. CMS_DO_THIS_OR_THAT)
* @param String $roleTitle Role Title - e.g. Store Manager
* @param Array $permissionArray Permission Array - list of permission codes applied to the group
* @param Member | String $member Default Member added to the group (e.g. sales@mysite.co.nz). You can also provide an email address
*
*/
public function CreateGroup($code, $name, $parentGroup = null, $permissionCode = "", $roleTitle = "", $permissionArray = array(), $member = null)
{
//changing to lower case seems to be very important
//unidentified bug so far
$code = strtolower($code);
if (!$code) {
user_error("Can't create a group without a {$code} ({$name})");
}
if (!$name) {
user_error("Can't create a group without a {$name} ({$code})");
}
$group = Group::get()->filter(array("Code" => $code))->first();
$groupCount = Group::get()->filter(array("Code" => $code))->count();
$groupStyle = "updated";
if ($groupCount > 1) {
user_error("There is more than one group with the {$name} ({$code}) Code");
}
if (!$group) {
$group = Group::create();
$group->Code = $code;
$groupStyle = "created";
}
$group->Locked = 1;
$group->Title = $name;
$parentGroupStyle = "updated";
if ($parentGroup) {
DB::alteration_message("adding parent group");
if (is_string($parentGroup)) {
$parentGroupName = $parentGroup;
$parentGroup = Group::get()->filter(array("Title" => $parentGroupName))->first();
if (!$parentGroup) {
$parentGroup = Group::create();
$parentGroupStyle = "created";
$parentGroup->Title = $parentGroupName;
$parentGroup->write();
DB::alteration_message("{$parentGroupStyle} {$parentGroupName}", $parentGroupStyle);
}
}
if ($parentGroup) {
$group->ParentID = $parentGroup->ID;
}
}
$group->write();
DB::alteration_message("{$groupStyle} {$name} ({$code}) group", $groupStyle);
$doubleGroups = Group::get()->filter(array("Code" => $code))->exclude(array("ID" => $group->ID));
if ($doubleGroups->count()) {
DB::alteration_message($doubleGroups->count() . " groups with the same name", "deleted");
$realMembers = $group->Members();
foreach ($doubleGroups as $doubleGroup) {
$fakeMembers = $doubleGroup->Members();
foreach ($fakeMembers as $fakeMember) {
DB::alteration_message("adding customers: " . $fakeMember->Email, "created");
$realMembers->add($fakeMember);
}
DB::alteration_message("deleting double group ", "deleted");
$doubleGroup->delete();
}
}
if ($permissionCode) {
$permissionCodeCount = DB::query("SELECT * FROM \"Permission\" WHERE \"GroupID\" = '" . $group->ID . "' AND \"Code\" LIKE '" . $permissionCode . "'")->numRecords();
if ($permissionCodeCount == 0) {
DB::alteration_message("granting " . $name . " permission code {$permissionCode} ", "created");
Permission::grant($group->ID, $permissionCode);
} else {
DB::alteration_message($name . " permission code {$permissionCode} already granted");
}
}
//we unset it here to avoid confusion with the
//other codes we use later on
unset($permissionCode);
if ($roleTitle) {
$permissionRole = PermissionRole::get()->Filter(array("Title" => $roleTitle))->First();
$permissionRoleCount = PermissionRole::get()->Filter(array("Title" => $roleTitle))->Count();
if ($permissionRoleCount > 1) {
db::alteration_message("There is more than one Permission Role with title {$roleTitle} ({$permissionCodeObjectCount})", "deleted");
$permissionRolesToDelete = PermissionRole::get()->Filter(array("Title" => $roleTitle))->Exclude(array("ID" => $permissionRole->ID));
foreach ($permissionRolesToDelete as $permissionRoleToDelete) {
db::alternation_message("DELETING double permission role {$roleTitle}", "deleted");
$permissionRoleToDelete->delete();
}
}
if ($permissionRole) {
//do nothing
DB::alteration_message("{$roleTitle} role in place");
} else {
DB::alteration_message("adding {$roleTitle} role", "created");
$permissionRole = PermissionRole::create();
$permissionRole->Title = $roleTitle;
$permissionRole->OnlyAdminCanApply = true;
$permissionRole->write();
}
if ($permissionRole) {
if (is_array($permissionArray) && count($permissionArray)) {
DB::alteration_message("working with " . implode(", ", $permissionArray));
foreach ($permissionArray as $permissionRoleCode) {
$permissionRoleCodeObject = PermissionRoleCode::get()->Filter(array("Code" => $permissionRoleCode, "RoleID" => $permissionRole->ID))->First();
$permissionRoleCodeObjectCount = PermissionRoleCode::get()->Filter(array("Code" => $permissionRoleCode, "RoleID" => $permissionRole->ID))->Count();
if ($permissionRoleCodeObjectCount > 1) {
$permissionRoleCodeObjectsToDelete = PermissionRoleCode::get()->Filter(array("Code" => $permissionRoleCode, "RoleID" => $permissionRole->ID))->Exclude(array("ID" => $permissionRoleCodeObject->ID));
foreach ($permissionRoleCodeObjectsToDelete as $permissionRoleCodeObjectToDelete) {
db::alteration_message("DELETING double permission code {$permissionRoleCode} for " . $permissionRole->Title, "deleted");
$permissionRoleCodeObjectToDelete->delete();
}
db::alteration_message("There is more than one Permission Role Code in " . $permissionRole->Title . " with Code = {$permissionRoleCode} ({$permissionRoleCodeObjectCount})", "deleted");
}
if ($permissionRoleCodeObject) {
//do nothing
} else {
$permissionRoleCodeObject = PermissionRoleCode::create();
$permissionRoleCodeObject->Code = $permissionRoleCode;
$permissionRoleCodeObject->RoleID = $permissionRole->ID;
}
DB::alteration_message("adding " . $permissionRoleCodeObject->Code . " to " . $permissionRole->Title);
$permissionRoleCodeObject->write();
}
}
if ($group && $permissionRole) {
if (DB::query("SELECT COUNT(*) FROM Group_Roles WHERE GroupID = " . $group->ID . " AND PermissionRoleID = " . $permissionRole->ID)->value() == 0) {
db::alteration_message("ADDING " . $permissionRole->Title . " permission role to " . $group->Title . " group", "created");
$existingGroups = $permissionRole->Groups();
$existingGroups->add($group);
} else {
db::alteration_message("CHECKED " . $permissionRole->Title . " permission role to " . $group->Title . " group");
}
} else {
db::alteration_message("ERROR: missing group or permissionRole", "deleted");
}
}
}
if ($member) {
if (is_string($member)) {
$email = $member;
$member = Member::get()->filter(array("Email" => $email))->first();
if (!$member) {
DB::alteration_message("Creating default user", "created");
$member = Member::create();
$member->FirstName = $code;
$member->Surname = $name;
$member->Email = $email;
$member->write();
}
}
if ($member) {
DB::alteration_message(" adding member " . $member->Email . " to group " . $group->Title, "created");
$member->Groups()->add($group);
}
} else {
DB::alteration_message("No need to add user");
}
}