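/**
 * Handles the "add" GridField action: instantiates the grid's model class,
 * populates the configured DB field from the submitted data and adds the new
 * record to the grid's list.
 *
 * @param GridField $gridField
 * @param string    $actionName
 * @param mixed     $arguments
 * @param array     $data       Submitted form data; the value is read from
 *                              $data['gridfieldaddbydbfield'][<ClassName>][<field>]
 *
 * @return null|SS_HTTPResponse Permission-failure response when the record may
 *                              not be created, null otherwise
 *
 * @throws UnexpectedValueException When the configured field does not exist on the model
 */
public function handleAction(GridField $gridField, $actionName, $arguments, $data)
{
    // Strict comparison: only the literal 'add' action is handled here.
    if ($actionName !== 'add') {
        return null;
    }

    $dbField = $this->getDataObjectField();
    $objClass = $gridField->getModelClass();

    /** @var DataObject $obj */
    $obj = new $objClass();

    if (!$obj->hasField($dbField)) {
        throw new UnexpectedValueException(sprintf('Invalid field (%s) on %s.', $dbField, $obj->ClassName));
    }

    // Guard the nested index so a malformed or partial submission does not raise an
    // "undefined index" notice; a missing value is passed through as null as before.
    $submitted = isset($data['gridfieldaddbydbfield'][$obj->ClassName])
        ? $data['gridfieldaddbydbfield'][$obj->ClassName]
        : array();
    $value = (is_array($submitted) && array_key_exists($dbField, $submitted)) ? $submitted[$dbField] : null;
    $obj->setCastedField($dbField, $value);

    // The create permission is checked on the populated object, before anything is written.
    if (!$obj->canCreate()) {
        return Security::permissionFailure(Controller::curr(), _t(
            'GridFieldAddByDBField.PermissionFail',
            'You don\'t have permission to create a {class}.',
            'Unable to add the DataObject.',
            array('class' => get_class($obj))
        ));
    }

    $id = $gridField->getList()->add($obj);
    if (!$id) {
        $gridField->setError(_t(
            'GridFieldAddByDBField.AddFail',
            'Unable to save {class} to the database.',
            'Unable to add the DataObject.',
            array('class' => get_class($obj))
        ), 'error');
    }

    return null;
}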
/**
 * Builds the CMS edit form with three tabs (new, approved, spam comments),
 * each holding a CommentsGridField over the matching Comment subset. The tab
 * titles carry the record count in parentheses, e.g. "New (3)".
 *
 * @param int|null $id     Record ID; falls back to the current page ID
 * @param mixed    $fields Unused; the field list is always rebuilt here
 *
 * @return Form|SS_HTTPResponse Form, or a permission-failure response when the record cannot be viewed
 */
public function getEditForm($id = null, $fields = null)
{
    if (!$id) {
        $id = $this->currentPageID();
    }
    $form = parent::getEditForm($id);

    $record = $this->getRecord($id);
    if ($record && !$record->canView()) {
        return Security::permissionFailure($this);
    }

    // Comment subsets feeding the three tabs.
    $pending = Comment::get()->filter('Moderated', 0);
    $approved = Comment::get()->filter('Moderated', 1)->filter('IsSpam', 0);
    $spam = Comment::get()->filter('Moderated', 1)->filter('IsSpam', 1);

    $pendingGrid = new CommentsGridField('NewComments', _t('CommentsAdmin.NewComments', 'New'), $pending, CommentsGridFieldConfig::create());
    $approvedGrid = new CommentsGridField('ApprovedComments', _t('CommentsAdmin.ApprovedComments', 'Approved'), $approved, CommentsGridFieldConfig::create());
    $spamGrid = new CommentsGridField('SpamComments', _t('CommentsAdmin.SpamComments', 'Spam'), $spam, CommentsGridFieldConfig::create());

    // The tab labels use the 'CommentAdmin.*' i18n namespace while the grids use
    // 'CommentsAdmin.*'; both are reproduced as-is.
    $pendingLabel = _t('CommentAdmin.NewComments', 'New') . ' (' . count($pending) . ')';
    $approvedLabel = _t('CommentAdmin.ApprovedComments', 'Approved') . ' (' . count($approved) . ')';
    $spamLabel = _t('CommentAdmin.SpamComments', 'Spam') . ' (' . count($spam) . ')';

    $root = new TabSet(
        'Root',
        new Tab('NewComments', $pendingLabel, $pendingGrid),
        new Tab('ApprovedComments', $approvedLabel, $approvedGrid),
        new Tab('SpamComments', $spamLabel, $spamGrid)
    );
    $fields = new FieldList($root);
    $root->setTemplate('CMSTabSet');

    $form = new Form($this, 'EditForm', $fields, new FieldList());
    $form->addExtraClass('cms-edit-form');
    $form->setTemplate($this->getTemplatesWithSuffix('_EditForm'));

    if ($form->Fields()->hasTabset()) {
        $form->Fields()->findOrMakeTab('Root')->setTemplate('CMSTabSet');
        $form->addExtraClass('center ss-tabset cms-tabset ' . $this->BaseCSSClasses());
    }

    $this->extend('updateEditForm', $form);

    return $form;
}
/**
 * Renders the pattern library. With an ID in the URL the matching pattern is
 * rendered together with previous/next navigation; otherwise the index page is
 * shown. Outside dev mode the CMS_ACCESS_CMSMain permission is required.
 *
 * @param SS_HTTPRequest $request
 *
 * @return SS_HTTPResponse|HTMLText|string
 */
public function index(SS_HTTPRequest $request)
{
    if (!Director::isDev() && !Permission::check('CMS_ACCESS_CMSMain')) {
        return Security::permissionFailure($this);
    }

    $patternId = $request->latestParam('ID');
    if ($patternId) {
        $templates = $this->templateArray();

        if (isset($templates[$patternId])) {
            $current = $templates[$patternId];
            $previousPattern = false;
            $nextPattern = false;
            $currentSeen = false;

            // Walk the ordered template list: the entry just before the current one
            // is "previous", the first entry after it is "next".
            foreach ($templates as $key => $pattern) {
                if ($currentSeen) {
                    $nextPattern = new ArrayData(array('Name' => $pattern['Name'], 'Link' => 'patterns/index/' . $key));
                    break;
                }
                // Loose comparison kept on purpose: array keys may be ints while the URL param is a string.
                if ($key == $patternId) {
                    $currentSeen = true;
                    continue;
                }
                $previousPattern = new ArrayData(array('Name' => $pattern['Name'], 'Link' => 'patterns/index/' . $key));
            }

            $viewData = new ArrayData(array(
                'ClassName' => 'Pattern',
                'IsPatternLab' => true,
                'PreviousPattern' => $previousPattern,
                'NextPattern' => $nextPattern,
                'PatternName' => $current['Name'],
                'Patterns' => $this->renderWith(array($current['Template'])),
            ));

            return $this->customise($viewData)->renderWith($current['Template']);
        }
    }

    return $this->renderWith(array(__CLASS__, 'Page'));
}
/**
 * Initialises the controller and requires the CMS_ACCESS permission;
 * a permission failure (login redirect) is triggered otherwise.
 */
public function init()
{
    parent::init();

    $hasAccess = Permission::check('CMS_ACCESS');
    if (!$hasAccess) {
        // NOTE(review): the response from permissionFailure() is not returned here;
        // presumably the redirect it registers on the current controller ends the request — confirm.
        Security::permissionFailure();
    }
}
/**
 * Restricts this controller to ADMIN users; the check runs before the parent
 * initialisation so nothing else is set up for a non-admin.
 */
public function init()
{
    $isAdmin = Permission::check("ADMIN");
    if (!$isAdmin) {
        // NOTE(review): the permission-failure response is not returned; presumably the
        // redirect it registers on the current controller ends the request — confirm.
        Security::permissionFailure();
    }

    parent::init();
}
/**
 * Renders the installation page for the deploy tools; ADMIN only.
 *
 * @return string|SS_HTTPResponse Rendered page, or a permission-failure response
 */
public function install()
{
    $isAdmin = Permission::check('ADMIN');
    if (!$isAdmin) {
        return Security::permissionFailure($this);
    }

    $viewData = array(
        'Title' => 'Install Deploy Tools',
        'Content' => '<p>Some instructions would be nice.</p>',
        'Form' => $this->InstallForm(),
    );

    // Both template candidates are 'Page' in the original; reproduced as-is.
    return $this->customise($viewData)->renderWith(array('Page', 'Page'));
}
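/**
 * Builds the CMS edit form for the security section: a Users tab with the
 * member grid, a Groups tab with the group grid, optional import iframes
 * (ADMIN only) and an optional Roles tab (APPLY_ROLES only).
 *
 * @param int|null $id     Record ID; falls back to the current page ID
 * @param mixed    $fields Unused; the field list is always rebuilt here
 *
 * @return Form|SS_HTTPResponse Form, or a permission-failure response when the record cannot be viewed
 */
public function getEditForm($id = null, $fields = null)
{
    // TODO Duplicate record fetching (see parent implementation)
    if (!$id) {
        $id = $this->currentPageID();
    }
    $form = parent::getEditForm($id);

    // TODO Duplicate record fetching (see parent implementation)
    $record = $this->getRecord($id);
    if ($record && !$record->canView()) {
        return Security::permissionFailure($this);
    }

    $memberListConfig = GridFieldConfig_RecordEditor::create()
        ->addComponent(new GridFieldButtonRow('after'))
        ->addComponent(new GridFieldExportButton('buttons-after-left'));
    $memberList = GridField::create('Members', false, Member::get(), $memberListConfig)
        ->addExtraClass("members_grid");

    // Prefer a record-specific validator when the record provides one.
    if ($record && method_exists($record, 'getValidator')) {
        $validator = $record->getValidator();
    } else {
        $validator = Injector::inst()->get('Member')->getValidator();
    }
    $memberListConfig->getComponentByType('GridFieldDetailForm')->setValidator($validator);

    $groupList = GridField::create('Groups', false, Group::get(), GridFieldConfig_RecordEditor::create());
    $columns = $groupList->getConfig()->getComponentByType('GridFieldDataColumns');
    $columns->setDisplayFields(array('Breadcrumbs' => singleton('Group')->fieldLabel('Title')));
    // The breadcrumb text is escaped here before the grid renders it.
    $columns->setFieldFormatting(array('Breadcrumbs' => function ($val, $item) {
        return Convert::raw2xml($item->getBreadcrumbs(' > '));
    }));

    $fields = new FieldList(
        $root = new TabSet(
            'Root',
            $usersTab = new Tab(
                'Users',
                _t('SecurityAdmin.Users', 'Users'),
                $memberList,
                new LiteralField(
                    'MembersCautionText',
                    sprintf(
                        '<p class="caution-remove"><strong>%s</strong></p>',
                        _t(
                            'SecurityAdmin.MemberListCaution',
                            'Caution: Removing members from this list will remove them from all groups and the database'
                        )
                    )
                )
            ),
            $groupsTab = new Tab('Groups', singleton('Group')->i18n_plural_name(), $groupList)
        ),
        new HiddenField('ID', false, 0)
    );

    // Add import capabilities. Limit to admin since the import logic can affect assigned permissions
    if (Permission::check('ADMIN')) {
        $fields->addFieldsToTab('Root.Users', array(
            new HeaderField(_t('SecurityAdmin.IMPORTUSERS', 'Import users'), 3),
            new LiteralField(
                'MemberImportFormIframe',
                sprintf(
                    '<iframe src="%s" id="MemberImportFormIframe" width="100%%" height="250px" frameBorder="0"></iframe>',
                    $this->Link('memberimport')
                )
            ),
        ));
        $fields->addFieldsToTab('Root.Groups', array(
            new HeaderField(_t('SecurityAdmin.IMPORTGROUPS', 'Import groups'), 3),
            new LiteralField(
                'GroupImportFormIframe',
                sprintf(
                    '<iframe src="%s" id="GroupImportFormIframe" width="100%%" height="250px" frameBorder="0"></iframe>',
                    $this->Link('groupimport')
                )
            ),
        ));
    }

    // Tab nav in CMS is rendered through separate template
    $root->setTemplate('CMSTabSet');

    // Add roles editing interface. $rolesTab stays null without APPLY_ROLES, so the
    // 'roles' action below can no longer dereference an undefined variable.
    $rolesTab = null;
    if (Permission::check('APPLY_ROLES')) {
        $rolesField = GridField::create('Roles', false, PermissionRole::get(), GridFieldConfig_RecordEditor::create());
        $rolesTab = $fields->findOrMakeTab('Root.Roles', _t('SecurityAdmin.TABROLES', 'Roles'));
        $rolesTab->push($rolesField);
    }

    // Highlight the tab matching the requested action (groups / users / roles).
    $actionParam = $this->getRequest()->param('Action');
    if ($actionParam === 'groups') {
        $groupsTab->addExtraClass('ui-state-active');
    } elseif ($actionParam === 'users') {
        $usersTab->addExtraClass('ui-state-active');
    } elseif ($actionParam === 'roles' && $rolesTab) {
        $rolesTab->addExtraClass('ui-state-active');
    }

    $actions = new FieldList();
    $form = Form::create($this, 'EditForm', $fields, $actions)->setHTMLID('Form_EditForm');
    $form->addExtraClass('cms-edit-form');
    $form->setTemplate($this->getTemplatesWithSuffix('_EditForm'));

    // Tab nav in CMS is rendered through separate template
    if ($form->Fields()->hasTabset()) {
        $form->Fields()->findOrMakeTab('Root')->setTemplate('CMSTabSet');
    }
    $form->addExtraClass('center ss-tabset cms-tabset ' . $this->BaseCSSClasses());
    $form->setAttribute('data-pjax-fragment', 'CurrentForm');

    $this->extend('updateEditForm', $form);

    return $form;
}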
/**
 * Initialises the controller and restricts it to ADMIN users.
 */
function init()
{
    parent::init();

    $isAdmin = Permission::check('ADMIN');
    if (!$isAdmin) {
        // NOTE(review): the permission-failure response is not returned; presumably the
        // redirect it registers on the current controller ends the request — confirm.
        Security::permissionFailure();
    }
}
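/**
 * Initialises the style-guide controller: requires VIEW_STYLEGUIDE, resolves the
 * configured service, redirects to the first page (or first child page) when the
 * URL names none, then loads requirements and the fixture file.
 */
public function init()
{
    parent::init();

    if (!Permission::check("VIEW_STYLEGUIDE")) {
        // NOTE(review): the permission-failure response is not returned; presumably the
        // redirect it registers on the current controller ends the request — confirm.
        Security::permissionFailure();
    }

    $service = $this->config()->service;
    if (!$service) {
        $this->httpError(404);
    }
    $this->setService($service);
    $this->pageService = new StyleGuide\PageService($this);

    // redirect to the first action route
    if (!$this->request->param('Action')) {
        $page = $this->pageService->getPages()->first();
        // first() yields null on an empty page set; do not dereference it.
        if ($page) {
            $this->redirect($page->Link);
        }
    }

    // if no template set on the action route then redirect to the first child
    if (!$this->request->param('ChildAction') && !$this->pageService->getTemplate()) {
        $page = $this->pageService->getActivePage();
        if ($page && isset($page->Children)) {
            $childPage = $page->Children->first();
            if ($childPage) {
                $this->redirect($childPage->Link);
            }
        }
    }

    // load the front-end requirements for the style guide
    $this->setRequirements();

    // load the fixture file
    $this->loadFixture();
}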
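/**
 * Uses $this->owner->request (a {@link SS_HTTPRequest} object) to determine which comment we want to unsubscribe
 * the member from. If the current user isn't logged in, or is logged in as a different user, then we send them to
 * the login screen.
 *
 * Only the subscriptions of the comment's author on the same parent object are
 * cleared; other authors' notification settings are left untouched.
 *
 * @return SS_HTTPResponse|void Permission-failure response when the current member is not the author
 */
public function unsubscribenotification()
{
    $request = $this->owner->getRequest();
    $commentID = $request->param('ID');
    $member = Member::currentUser();

    if (!$commentID) {
        $this->owner->httpError(403);
        return;
    }

    $comment = Comment::get()->byID($commentID);
    if (!$comment) {
        $this->owner->httpError(403);
        return;
    }

    // Only the comment's author may unsubscribe; anyone else is sent to the login screen.
    if (!$member || $member->ID != $comment->AuthorID) {
        return Security::permissionFailure($this->owner, array(
            'default' => _t('CommentingControllerUserNotificationsExtension.DEFAULTFAIL', 'You must login to unsubscribe.'),
            'alreadyLoggedIn' => _t('CommentingControllerUserNotificationsExtension.ALREADYLOGGEDINFAIL', 'You must login as the correct user (the user who submitted the comment) to continue.'),
            'logInAgain' => _t('CommentingControllerUserNotificationsExtension.LOGINAGAINFAIL', 'You have been logged out. If you would like to login again, enter your credentials below.'),
        ));
    }

    // Currently logged in Member's ID matches the author of the comment, so we can unsubscribe them.
    // We want to find all comments posted to this object by this author, and unsubscribe all of them.
    // The AuthorID filter is what scopes the write to this author; without it every subscribed
    // comment on the parent object, including other members', would be unsubscribed.
    $allComments = Comment::get()->filter(array(
        'BaseClass' => $comment->BaseClass,
        'ParentID' => $comment->ParentID,
        'AuthorID' => $comment->AuthorID,
        'NotifyOfUpdates' => true,
    ));
    foreach ($allComments as $c) {
        $c->NotifyOfUpdates = false;
        $c->write();
    }

    // This sets a session var that can be queried on the page that we redirect the user back to, so that we can
    // display a nice message to let the user know their unsubscription was successful.
    Session::set('CommentUserNotificationsUnsubscribed', '1');
    $this->owner->redirectBack();
}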
/**
 * Requires a logged-in member holding the configured access_permission before
 * the controller initialises.
 *
 * @return SS_HTTPResponse|void Permission-failure response when access is denied
 */
public function init()
{
    // Short-circuit order preserved: the permission code is only read for logged-in members.
    $allowed = Member::currentUserID() && Permission::check($this->config()->access_permission);
    if (!$allowed) {
        return Security::permissionFailure($this);
    }

    parent::init();
}
/**
 * Controller initialisation.
 * Checks that a member is logged in; if not, redirects to the login form.
 */
public function init()
{
    parent::init();

    $memberID = Member::currentUserID();
    if (!$memberID) {
        // NOTE(review): the permission-failure response is not returned; presumably the
        // redirect it registers on the current controller ends the request — confirm.
        Security::permissionFailure();
    }
}
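/**
 * Initialises the dev controller. Access is allowed in dev mode, on the CLI or
 * for ADMIN users; on the CLI a warning is printed when $_FILE_TO_URL_MAPPING
 * does not cover the current script path.
 *
 * @return SS_HTTPResponse|null Permission-failure response when access is denied
 */
function init()
{
    parent::init();

    // We allow access to this controller regardless of live-status or ADMIN permission only
    // if on CLI. Access to this controller is always allowed in "dev-mode", or if the user is ADMIN.
    $canAccess = Director::isDev() || Director::is_cli() || Permission::check("ADMIN");
    if (!$canAccess) {
        return Security::permissionFailure(
            $this,
            "This page is secured and you need administrator rights to access it. "
            . "Enter your credentials below and we will send you right along."
        );
    }

    // check for valid url mapping
    // lacking this information can cause really nasty bugs,
    // e.g. when running Director::test() from a FunctionalTest instance
    global $_FILE_TO_URL_MAPPING;
    if (Director::is_cli()) {
        if (isset($_FILE_TO_URL_MAPPING)) {
            // Walk up from the script path until a mapped directory is found or the
            // filesystem root ("/" or a Windows drive root such as "C:\") is reached.
            $testPath = $_SERVER['SCRIPT_FILENAME'];
            // Initialised before the loop so an empty path cannot leave it undefined.
            $matched = false;
            while ($testPath && $testPath != "/" && !preg_match('/^[A-Z]:\\\\$/', $testPath)) {
                if (isset($_FILE_TO_URL_MAPPING[$testPath])) {
                    $matched = true;
                    break;
                }
                $testPath = dirname($testPath);
            }
            if (!$matched) {
                echo 'Warning: You probably want to define '
                    . 'an entry in $_FILE_TO_URL_MAPPING that covers "' . Director::baseFolder() . '"' . "\n";
            }
        } else {
            echo 'Warning: You probably want to define $_FILE_TO_URL_MAPPING in '
                . 'your _ss_environment.php as instructed on the "sake" page of the doc.silverstripe.com wiki' . "\n";
        }
    }
}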
/**
 * Initialises the controller and requires the SHOPUSER_ACCOUNT permission.
 */
function init()
{
    parent::init();

    $hasAccountAccess = Permission::check("SHOPUSER_ACCOUNT");
    if (!$hasAccountAccess) {
        // NOTE(review): the permission-failure response is not returned; presumably the
        // redirect it registers on the current controller ends the request — confirm.
        Security::permissionFailure();
    }
}
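/**
 * Approves a pending member via an e-mailed link (/<ID>?token=<ValidationKey>).
 * The current user must be allowed to edit the member, and the token must match
 * the member's ValidationKey exactly.
 *
 * @param SS_HTTPRequest $request
 *
 * @return SS_HTTPResponse|HTMLText|string Rendered confirmation page, or a permission-failure response
 */
public function index($request)
{
    $id = $request->param('ID');
    $token = $request->getVar('token');

    // NOTE(review): httpError() is expected to end the request (it throws in this
    // framework version — confirm); the guards below do not rely on falling through.
    if (!$id || !ctype_digit($id)) {
        $this->httpError(404, 'A member ID was not specified.');
    }

    $member = DataObject::get_by_id('Member', $id);
    if (!$member) {
        $this->httpError(404, 'The specified member could not be found.');
    }

    if (!$member->canEdit()) {
        return Security::permissionFailure();
    }

    // The token is untrusted input. Require a non-empty string and compare it with
    // hash_equals() so PHP type juggling (e.g. "1e3" == "1000"), an array-valued query
    // parameter or an unset ValidationKey cannot satisfy the check, and the comparison
    // does not leak the key through timing.
    $expectedToken = (string) $member->ValidationKey;
    if (!is_string($token) || $token === '' || $expectedToken === '' || !hash_equals($expectedToken, $token)) {
        $this->httpError(400, 'An invalid token was specified.');
    }

    if (!$member->NeedsApproval) {
        $title = _t('MemberProfiles.ALREADYAPPROVED', 'Already Approved');
        $content = _t('MemberProfiles.ALREADYAPPROVEDNOTE', 'This member has already been approved');

        return $this->render(array('Title' => $title, 'Content' => "<p>{$content}</p>"));
    }

    $member->NeedsApproval = false;
    $member->write();

    $title = _t('MemberProfiles.MEMBERAPPROVED', 'Member Approved');
    $content = _t('MemberProfiles.MEMBERAPPROVEDCONTENT', 'The member "%s" has been approved and can now log in.');
    // Name and e-mail are member-supplied, so they are XML-escaped before rendering.
    $content = sprintf($content, Convert::raw2xml("{$member->Name} <{$member->Email}>"));

    return $this->render(array('Title' => $title, 'Content' => $content));
}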
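/**
 * Builds the CMS edit form with two tabs: comments awaiting moderation and
 * moderated comments, both shown through the same GridField configuration.
 *
 * @param int|null $id     Record ID; falls back to the current page ID
 * @param mixed    $fields Unused; the field list is always rebuilt here
 *
 * @return Form|SS_HTTPResponse Form, or a permission-failure response when the record cannot be viewed
 */
public function getEditForm($id = null, $fields = null)
{
    if (!$id) {
        $id = $this->currentPageID();
    }
    $form = parent::getEditForm($id);

    $record = $this->getRecord($id);
    if ($record && !$record->canView()) {
        return Security::permissionFailure($this);
    }

    // One shared config for both grids. GridFieldDetailForm was previously added
    // twice; a single instance provides the detail/edit handling.
    $commentsConfig = GridFieldConfig::create()->addComponents(
        new GridFieldFilterHeader(),
        new GridFieldDataColumns(),
        new GridFieldSortableHeader(),
        new GridFieldPaginator(25),
        new GridFieldDeleteAction(),
        new GridFieldDetailForm(),
        new GridFieldExportButton(),
        new GridFieldEditButton()
    );

    $needs = new GridField(
        'Comments',
        _t('CommentsAdmin.NeedsModeration', 'Needs Moderation'),
        Comment::get()->where('Moderated = 0'),
        $commentsConfig
    );
    // NOTE(review): no default string is supplied to _t() for this title — confirm a translation exists for the key.
    $moderated = new GridField(
        'CommentsModerated',
        _t('CommentsAdmin.CommentsModerated'),
        Comment::get()->where('Moderated = 1'),
        $commentsConfig
    );

    $fields = new FieldList(
        $root = new TabSet(
            'Root',
            new Tab('NeedsModeration', _t('CommentAdmin.NeedsModeration', 'Needs Moderation'), $needs),
            new Tab('Comments', _t('CommentAdmin.Moderated', 'Moderated'), $moderated)
        )
    );
    $root->setTemplate('CMSTabSet');

    $actions = new FieldList();
    $form = new Form($this, 'EditForm', $fields, $actions);
    $form->addExtraClass('cms-edit-form');
    $form->setTemplate($this->getTemplatesWithSuffix('_EditForm'));

    if ($form->Fields()->hasTabset()) {
        $form->Fields()->findOrMakeTab('Root')->setTemplate('CMSTabSet');
        $form->addExtraClass('center ss-tabset cms-tabset ' . $this->BaseCSSClasses());
    }

    $this->extend('updateEditForm', $form);

    return $form;
}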
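/**
 * Executes a workflow transition for the instance named by the "id" request
 * variable, optionally storing a comment on the current action first.
 * Requires a logged-in member who can edit the instance.
 *
 * @param SS_HTTPRequest $request
 *
 * @return SS_HTTPResponse|string JSON result for AJAX requests, otherwise a redirect
 */
public function transition($request)
{
    if (!Member::currentUserID()) {
        return Security::permissionFailure($this, _t('AdvancedWorkflowActionController.ACTION_ERROR', "You must be logged in"));
    }

    // NOTE(review): this is a state-changing action driven by request variables and no
    // CSRF token is checked here — confirm the surrounding form/route enforces SecurityToken.
    $instanceId = (int) $this->request->requestVar('id');
    $transitionId = (int) $this->request->requestVar('transition');

    $instance = DataObject::get_by_id('WorkflowInstance', $instanceId);
    if ($instance && $instance->canEdit()) {
        $transition = DataObject::get_by_id('WorkflowTransition', $transitionId);
        if ($transition) {
            $comments = $this->request->requestVar('comments');
            if ($comments) {
                $action = $instance->CurrentAction();
                $action->Comment = $comments;
                $action->write();
            }

            singleton('WorkflowService')->executeTransition($instance->getTarget(), $transition->ID);

            $result = array('success' => true, 'link' => $instance->getTarget()->AbsoluteLink());
            if (Director::is_ajax()) {
                return Convert::raw2json($result);
            }

            return $this->redirect($instance->getTarget()->Link());
        }
    }

    // Failure path: unknown instance, no edit permission, or unknown transition.
    if (Director::is_ajax()) {
        return Convert::raw2json(array('success' => false));
    }
    if (!$instance) {
        // Previously dereferenced a null instance here; an unknown id is a 404.
        return $this->httpError(404, 'Workflow instance not found.');
    }

    return $this->redirect($instance->getTarget()->Link());
}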
/**
 * Initialises the controller; access is allowed in dev mode, on the CLI or
 * for ADMIN users.
 *
 * @return SS_HTTPResponse|void Permission-failure response when access is denied
 */
function init()
{
    parent::init();

    // Same short-circuit order as before: dev mode, then CLI, then the ADMIN check.
    $canAccess = Director::isDev() || Director::is_cli() || Permission::check("ADMIN");
    if (!$canAccess) {
        return Security::permissionFailure($this);
    }
}
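/**
 * Initialises the controller; access is allowed on the CLI, for ADMIN users, or
 * for requests whose peer address is the server's own address.
 *
 * @return SS_HTTPResponse|void Permission-failure response when access is denied
 */
public function init()
{
    parent::init();

    // The addresses are read defensively: if either $_SERVER entry is missing the
    // request is NOT treated as local (previously two missing entries compared equal
    // under != and granted access).
    // NOTE(review): REMOTE_ADDR is the immediate peer, so behind a reverse proxy it is
    // the proxy's address — confirm this matches the intended trust boundary.
    $isLocalRequest = isset($_SERVER['REMOTE_ADDR'], $_SERVER['SERVER_ADDR'])
        && $_SERVER['REMOTE_ADDR'] === $_SERVER['SERVER_ADDR'];

    if (!Director::is_cli() && !Permission::check("ADMIN") && !$isLocalRequest) {
        return Security::permissionFailure();
    }
}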
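/**
 * Initialises the dev controller. Access is allowed for dev/build requests
 * (DatabaseAdmin->init() performs its own checks), in dev mode, on the CLI or
 * for ADMIN users; on the CLI a warning is printed when $_FILE_TO_URL_MAPPING
 * does not cover BASE_PATH.
 *
 * @return SS_HTTPResponse|null Permission-failure response when access is denied
 */
function init()
{
    parent::init();

    // Special case for dev/build: Defer permission checks to DatabaseAdmin->init() (see #4957)
    $requestedDevBuild = stripos($this->request->getURL(), 'dev/build') === 0;

    // We allow access to this controller regardless of live-status or ADMIN permission only
    // if on CLI. Access to this controller is always allowed in "dev-mode", or if the user is ADMIN.
    $canAccess = $requestedDevBuild || Director::isDev() || Director::is_cli() || Permission::check("ADMIN");
    if (!$canAccess) {
        return Security::permissionFailure($this);
    }

    // check for valid url mapping
    // lacking this information can cause really nasty bugs,
    // e.g. when running Director::test() from a FunctionalTest instance
    global $_FILE_TO_URL_MAPPING;
    if (Director::is_cli()) {
        if (isset($_FILE_TO_URL_MAPPING)) {
            // Walk up from BASE_PATH until a mapped directory is found or the
            // filesystem root ("/" or a Windows drive root such as "C:\") is reached.
            $testPath = BASE_PATH;
            // Initialised before the loop so an empty path cannot leave it undefined.
            $matched = false;
            while ($testPath && $testPath != "/" && !preg_match('/^[A-Z]:\\\\$/', $testPath)) {
                if (isset($_FILE_TO_URL_MAPPING[$testPath])) {
                    $matched = true;
                    break;
                }
                $testPath = dirname($testPath);
            }
            if (!$matched) {
                echo 'Warning: You probably want to define '
                    . 'an entry in $_FILE_TO_URL_MAPPING that covers "' . Director::baseFolder() . '"' . "\n";
            }
        } else {
            echo 'Warning: You probably want to define $_FILE_TO_URL_MAPPING in '
                . 'your _ss_environment.php as instructed on the "sake" page of the doc.silverstripe.org wiki' . "\n";
        }
    }
}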
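/**
 * Loads the requirements, checks perms, etc. If an ID is in the URL, that becomes the
 * current folder.
 *
 * Requires ADMIN or CMS_ACCESS_BrowseFiles. An ID that does not resolve to a Folder
 * record answers with a 404 instead of continuing with a null folder.
 *
 * @return SS_HTTPResponse|void Permission-failure response when access is denied
 */
public function init()
{
    parent::init();

    if (!Permission::check("ADMIN") && !Permission::check("CMS_ACCESS_BrowseFiles")) {
        return Security::permissionFailure($this, _t('KickAssets.PERMISSIONFAIL', 'You do not have permission to access this section of the CMS.'));
    }

    Requirements::clear();
    Requirements::css('kickassets/css/core.css');
    Requirements::css('kickassets/css/kickassets.css');
    Requirements::javascript('kickassets/javascript/jquery.js');
    Requirements::javascript(THIRDPARTY_DIR . '/jquery-livequery/jquery.livequery.js');
    Requirements::javascript('kickassets/javascript/apprise/apprise-1.5.full.js');
    Requirements::javascript('kickassets/javascript/jquery.tooltip.js');
    Requirements::css('kickassets/javascript/apprise/apprise.css');
    Requirements::javascript('kickassets/javascript/kickassets_ui.js');
    Requirements::javascript('kickassets/javascript/chosen/chosen.jquery.js');
    Requirements::css('kickassets/javascript/chosen/chosen.css');
    Requirements::javascript('kickassets/javascript/jquery.form.js');
    Requirements::javascript('kickassets/javascript/kickassets.js');
    Requirements::css('kickassets/css/kickassets_ui.css');

    $folderID = $this->getRequest()->param('ID');
    if ($folderID) {
        // The ID is untrusted; it is cast to int before the lookup.
        $folder = DataObject::get_by_id("Folder", (int) $folderID);
        if (!$folder) {
            // Previously ->Filename was read from a null folder here.
            return $this->httpError(404, 'Folder not found.');
        }
        $this->currentFolder = $folder;
        $this->currentPath = KickAssetUtil::relative_asset_dir($folder->Filename);
    } else {
        $this->currentFolder = singleton('Folder');
        $this->currentPath = false;
    }
}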
/**
 * Profile edit action; only members allowed by canEditProfile() reach the form.
 *
 * @return array|SS_HTTPResponse Template data, or a permission-failure response
 */
public function edit()
{
    $allowed = $this->canEditProfile();
    if (!$allowed) {
        return Security::permissionFailure($this, "You do not have permission to edit this profile.");
    }

    $form = $this->EditProfileForm();

    return array(
        'Title' => "Edit Profile",
        'Content' => '',
        'Form' => $form,
    );
}
/**
 * Request filter hook: ensures the requested site stage (draft/archived) may be
 * viewed by the current user before the controller runs.
 *
 * @param SS_HTTPRequest $request
 * @param Session        $session
 * @param DataModel      $model
 *
 * @return bool true to continue handling the request
 *
 * @throws SS_HTTPResponse_Exception When a test is running and access is denied
 *                                   (carries the permission-failure response)
 */
public function preRequest(SS_HTTPRequest $request, Session $session, DataModel $model)
{
    // Bootstrap session so that Session::get() accesses the right instance
    $dummyController = new Controller();
    $dummyController->setSession($session);
    $dummyController->setRequest($request);
    $dummyController->pushCurrent();

    // Block non-authenticated users from setting the stage mode
    if (!Versioned::can_choose_site_stage($request)) {
        // The link back to the live site embeds the requested URL, so it is
        // XML-escaped before being placed in the message markup.
        $permissionMessage = sprintf(
            _t(
                "ContentController.DRAFT_SITE_ACCESS_RESTRICTION",
                'You must log in with your CMS password in order to view the draft or archived content. '
                . '<a href="%s">Click here to go back to the published site.</a>'
            ),
            Convert::raw2xml(Controller::join_links(Director::baseURL(), $request->getURL(), "?stage=Live"))
        );

        // Force output since RequestFilter::preRequest doesn't support response overriding
        $response = Security::permissionFailure($dummyController, $permissionMessage);
        // Persist the session before the controller is popped and the response is emitted.
        $session->inst_save();
        $dummyController->popCurrent();

        // Prevent output in testing
        if (class_exists('SapphireTest', false) && SapphireTest::is_running_test()) {
            throw new SS_HTTPResponse_Exception($response);
        }
        // Outside tests the response is written directly and the process ends here.
        $response->output();
        die;
    }

    Versioned::choose_site_stage();
    $dummyController->popCurrent();

    return true;
}
/**
 * Restricts the controller to the CLI, dev mode or ADMIN users; the check runs
 * before the parent initialisation.
 */
function init()
{
    // Same short-circuit order as before: CLI, then dev mode, then the ADMIN check.
    $canAccess = Director::is_cli() || Director::isDev() || Permission::check("ADMIN");
    if (!$canAccess) {
        // NOTE(review): the permission-failure response is not returned; presumably the
        // redirect it registers on the current controller ends the request — confirm.
        Security::permissionFailure();
    }

    parent::init();
}
/**
 * Initialises the controller; access is allowed on the CLI or for ADMIN users.
 *
 * @return SS_HTTPResponse|void Permission-failure response when access is denied
 */
public function init()
{
    parent::init();

    // Same short-circuit order as before: CLI first, then the ADMIN check.
    $canAccess = Director::is_cli() || Permission::check('ADMIN');
    if (!$canAccess) {
        return Security::permissionFailure();
    }
}
/**
 * Process all incoming requests passed to this controller, checking
 * that the file exists and passing the file through if possible.
 *
 * The requested path is taken from the "url" query parameter (or REQUEST_URI),
 * normalised to a path relative to the site root and looked up via File::find().
 * The file is only sent when canDownloadFile() allows it.
 *
 * @param SS_HTTPRequest $request
 * @param DataModel      $model
 *
 * @return SS_HTTPResponse The file response, a permission-failure response, or a 404
 */
public function handleRequest(SS_HTTPRequest $request, DataModel $model)
{
    // Copied from Controller::handleRequest()
    $this->pushCurrent();
    $this->urlParams = $request->allParams();
    $this->request = $request;
    $this->response = new SS_HTTPResponse();
    $this->setDataModel($model);

    // Untrusted input: the path comes straight from the query string / request URI.
    $url = array_key_exists('url', $_GET) ? $_GET['url'] : $_SERVER['REQUEST_URI'];

    // remove any relative base URL and prefixed slash that get appended to the file path
    // e.g. /mysite/assets/test.txt should become assets/test.txt to match the Filename field on File record
    $url = Director::makeRelative(ltrim(str_replace(BASE_URL, '', $url), '/'));

    $file = File::find($url);

    if ($this->canDownloadFile($file)) {
        // If we're trying to access a resampled image.
        if (preg_match('/_resampled\\/[^-]+-/', $url)) {
            // File::find() will always return the original image, but we still want to serve the resampled version.
            // NOTE(review): the Filename served here is the request path itself (access was checked on the
            // original record found above); confirm sendFile() constrains it to the assets directory.
            $file = new Image();
            $file->Filename = $url;
        }

        $this->extend('onBeforeSendFile', $file);

        return $this->sendFile($file);
    } else {
        if ($file instanceof File) {
            // Permission failure. NOTE(review): the returned response is discarded here; presumably
            // the redirect is registered on $this->response, which is returned below — confirm.
            Security::permissionFailure($this, 'You are not authorised to access this resource. Please log in.');
        } else {
            // File doesn't exist
            $this->response = new SS_HTTPResponse('File Not Found', 404);
        }
    }

    return $this->response;
}
/**
 * Initialises the controller and restricts it to ADMIN users.
 *
 * @return SS_HTTPResponse|void Permission-failure response when access is denied
 */
public function init()
{
    parent::init();

    $isAdmin = Permission::check('ADMIN');
    if (!$isAdmin) {
        return Security::permissionFailure($this);
    }
}
/**
 * Organisation edit action; only members allowed by canEditOrganisation()
 * reach the form.
 *
 * @return array|SS_HTTPResponse Template data, or a permission-failure response
 */
public function edit()
{
    $allowed = $this->canEditOrganisation();
    if (!$allowed) {
        return Security::permissionFailure($this, "You do not have permission to edit this organisation.");
    }

    $form = $this->EditOrganisationForm();

    return array(
        'Title' => 'Editing ' . $this->Title,
        'Form' => $form,
    );
}
/**
 * Restricts the controller to members holding ADMIN, ADMIN_SUMMIT_APP or
 * ADMIN_SUMMIT_APP_SCHEDULE.
 */
public function init()
{
    parent::init();

    // Checked in the same order as before; the first matching code grants access.
    $allowedCodes = array("ADMIN", "ADMIN_SUMMIT_APP", "ADMIN_SUMMIT_APP_SCHEDULE");
    $hasAccess = false;
    foreach ($allowedCodes as $code) {
        if (Permission::check($code)) {
            $hasAccess = true;
            break;
        }
    }

    if (!$hasAccess) {
        // NOTE(review): the permission-failure response is not returned; presumably the
        // redirect it registers on the current controller ends the request — confirm.
        Security::permissionFailure();
    }
}
/**
 * Initialises the test controller: ADMIN only, then switches to the test manifest.
 *
 * @return SS_HTTPResponse|void Permission-failure response when access is denied
 */
function init()
{
    parent::init();

    $isAdmin = Permission::check('ADMIN');
    if (!$isAdmin) {
        return Security::permissionFailure();
    }

    // From here on, class loading uses the test manifest.
    TestRunner::use_test_manifest();
}