/**
 * Visible only to a logged-in CMS user, and only when the member being
 * checked is the currently logged-in member.
 *
 * @param Member|null|false $member Member to check; null means the current
 *                                  user, false skips the current-user lookup.
 * @return bool
 */
public function canView($member = null)
{
    // Fall back to the current user unless the caller passed false explicitly
    if (!$member && $member !== false) {
        $member = Member::currentUser();
    }

    // Anonymous visitors never get this menu
    if (!$member) {
        return false;
    }

    // Must hold CMS access and be acting on their own record.
    // NOTE(review): the ID comparison is strict — confirm both sides are ints,
    // otherwise this check silently fails closed for every member.
    $hasCmsAccess = Permission::checkMember($member, "CMS_ACCESS");

    return $hasCmsAccess && $member->ID === Member::currentUserID();
}
/**
 * Format this date using the date format configured on a CMS user's profile.
 *
 * @param Member|null $member Member whose settings to use; defaults to the
 *                            currently logged-in member.
 * @return bool|string The formatted date, or false when no member is
 *                     available (nobody logged in).
 */
public function FormatFromSettings($member = null)
{
    require_once 'Zend/Date.php';

    if (!$member) {
        // No explicit member and nobody logged in: nothing to format against
        if (!Member::currentUserID()) {
            return false;
        }
        $member = Member::currentUser();
    }

    $userFormat = $member->getDateFormat();

    // The stored value is parsed as y-MM-dd and re-rendered in the member's format
    $date = new Zend_Date($this->getValue(), 'y-MM-dd');

    return $date->toString($userFormat);
}
/**
 * Check that the given member has the given permission.
 *
 * With the default $arg of "any" the check runs against an in-memory cache of the
 * member's permission codes (filled from permissions_for_member()); any other $arg
 * falls through to a direct SQL lookup against the Permission table.
 *
 * @param int|Member $member The ID of the member to check. Leave blank for the current member.
 *                           Alternatively you can use a member object.
 * @param string|array $code Code of the permission to check (case-sensitive)
 * @param string $arg Optional argument (e.g. a permissions for a specific page)
 * @param bool $strict Use "strict" checking (which means a permission
 *                     will be granted if the key does not exist at all)?
 * @return int|bool The ID of the permission record if the permission
 *                  exists (TRUE from the cached "any" path); FALSE otherwise.
 *                  NOTE(review): the "TRUE if the permission does not exist at all"
 *                  behaviour that non-strict checking describes is not implemented —
 *                  the non-strict branch at the end returns FALSE in every case, so
 *                  this method always fails closed.
 */
public static function checkMember($member, $code, $arg = "any", $strict = true)
{
    // Resolve to a numeric ID; a falsy $member means "the current user"
    if (!$member) {
        $memberID = $member = Member::currentUserID();
    } else {
        $memberID = is_object($member) ? $member->ID : $member;
    }

    // Nobody logged in (or no usable ID): deny
    if (!$memberID) {
        return false;
    }

    // Turn the code into an array as we may need to add other permissions to the set we check
    if (!is_array($code)) {
        $code = array($code);
    }

    // Check if admin should be treated as holding all permissions
    $adminImpliesAll = (bool) static::config()->admin_implies_all;

    // NOTE(review): loose comparison — a boolean TRUE (and, before PHP 8, the integer 0)
    // also compares equal to 'any' and is routed down the cached path.
    if ($arg == 'any') {
        // Cache the permissions in memory
        if (!isset(self::$cache_permissions[$memberID])) {
            self::$cache_permissions[$memberID] = self::permissions_for_member($memberID);
        }

        // Codes appended to $code inside this loop are not visited by it (foreach
        // iterates a copy); they are picked up by the array_intersect below.
        foreach ($code as $permCode) {
            if ($permCode === 'CMS_ACCESS') {
                foreach (self::$cache_permissions[$memberID] as $perm) {
                    //if they have admin rights OR they have an explicit access to the CMS then give permission
                    if ($adminImpliesAll && $perm == 'ADMIN' || substr($perm, 0, 11) === 'CMS_ACCESS_') {
                        return true;
                    }
                }
            } elseif (substr($permCode, 0, 11) === 'CMS_ACCESS_' && !in_array('CMS_ACCESS_LeftAndMain', $code)) {
                //cms_access_leftandmain means access to all CMS areas
                $code[] = 'CMS_ACCESS_LeftAndMain';
            }
        }

        // if ADMIN has all privileges, then we need to push that code in
        if ($adminImpliesAll) {
            $code[] = "ADMIN";
        }

        // Multiple $code values - return true if at least one matches, ie, intersection exists
        return (bool) array_intersect($code, self::$cache_permissions[$memberID]);
    }

    // Code filters — every dynamic value below is bound as a placeholder, never interpolated
    $codeParams = is_array($code) ? $code : array($code);
    $codeClause = DB::placeholders($codeParams);
    $adminParams = $adminImpliesAll ? array('ADMIN') : array();
    $adminClause = $adminImpliesAll ? ", ?" : '';

    // The following code should only be used if you're not using the "any" arg. This is kind
    // of obsolete functionality and could possibly be deprecated.
    $groupParams = self::groupList($memberID);
    if (empty($groupParams)) {
        // A member in no groups can hold no group-granted permission
        return false;
    }
    $groupClause = DB::placeholders($groupParams);

    // Arg component
    $argClause = "";
    $argParams = array();
    switch ($arg) {
        case "any":
            // Unreachable: switch uses the same loose comparison that already returned above
            break;
        case "all":
            $argClause = " AND \"Arg\" = ?";
            $argParams = array(-1);
            break;
        default:
            if (is_numeric($arg)) {
                // A specific arg also matches the "applies to all" record (-1)
                $argClause = "AND \"Arg\" IN (?, ?) ";
                $argParams = array(-1, $arg);
            } else {
                user_error("Permission::checkMember: bad arg '{$arg}'", E_USER_ERROR);
            }
    }

    // Raw SQL for efficiency
    $permission = DB::prepared_query("SELECT \"ID\"\n\t\t\tFROM \"Permission\"\n\t\t\tWHERE (\n\t\t\t\t\"Code\" IN ({$codeClause} {$adminClause})\n\t\t\t\tAND \"Type\" = ?\n\t\t\t\tAND \"GroupID\" IN ({$groupClause})\n\t\t\t\t{$argClause}\n\t\t\t)", array_merge($codeParams, $adminParams, array(self::GRANT_PERMISSION), $groupParams, $argParams))->value();

    if ($permission) {
        return $permission;
    }

    // Strict checking disabled?
    // NOTE(review): the result of this query does not affect the outcome — both paths
    // below return false. Do not change this to grant when the code is unknown: that
    // would turn an unregistered permission code into a fail-open.
    if (!static::config()->strict_checking || !$strict) {
        $hasPermission = DB::prepared_query("SELECT COUNT(*)\n\t\t\t\tFROM \"Permission\"\n\t\t\t\tWHERE (\n\t\t\t\t\t\"Code\" IN ({$codeClause}) AND\n\t\t\t\t\t\"Type\" = ?\n\t\t\t\t)", array_merge($codeParams, array(self::GRANT_PERMISSION)))->value();

        if (!$hasPermission) {
            return false;
        }
    }

    return false;
}
/**
 * Fill in defaults before a File record is written: an owner for brand-new
 * records and a placeholder name when none was given, then sync the asset store.
 */
protected function onBeforeWrite()
{
    // Brand-new records without an explicit owner belong to whoever is logged in
    $isNew = !$this->isInDB();
    if ($isNew && !$this->OwnerID) {
        $this->OwnerID = Member::currentUserID();
    }

    // Fall back to "new-" followed by the lowercased class name
    if (!$this->getField('Name')) {
        $this->Name = "new-" . strtolower($this->class);
    }

    // Push any changes through to the AssetStore and refresh the DBFile field
    $this->updateFilesystem();

    parent::onBeforeWrite();
}
/**
 * Given a successful login, tell the parent frame to close the dialog
 *
 * @return SS_HTTPResponse
 */
public function success()
{
    // Ensure member is properly logged in
    if (!Member::currentUserID()) {
        return $this->redirectToExternalLogin();
    }

    $controller = $this->getResponseController(_t('CMSSecurity.SUCCESS', 'Success'));

    // Candidate redirect targets, most specific first; the admin root is the
    // always-present fallback. Only a URL within this site is ever used.
    $candidates = array(
        $this->getRequest()->requestVar('BackURL'),
        Session::get('BackURL'),
        Director::absoluteURL(AdminRootController::config()->url_base, true),
    );
    $backURL = end($candidates);
    foreach ($candidates as $candidate) {
        if ($candidate && Director::is_site_url($candidate)) {
            $backURL = $candidate;
            break;
        }
    }

    // Render the success message with a manual link in case the top-frame
    // redirect does not fire.
    // NOTE(review): {link} lands inside an href — is_site_url() bounds the target,
    // but confirm the _t() substitution escapes for the attribute context.
    $controller = $controller->customise(array(
        'Content' => _t(
            'CMSSecurity.SUCCESSCONTENT',
            '<p>Login success. If you are not automatically redirected '
            . '<a target="_top" href="{link}">click here</a></p>',
            'Login message displayed in the cms popup once a user has re-authenticated themselves',
            array('link' => $backURL)
        ),
    ));

    return $controller->renderWith($this->getTemplatesFor('success'));
}
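/**
 * Returns the current logged in user
 *
 * @return Member|null The logged-in Member, or null when nobody is logged in.
 */
public static function currentUser()
{
    $id = Member::currentUserID();

    // Explicit null (rather than falling off the end) keeps this in step with
    // the sibling implementation that returns null for anonymous visitors
    if (!$id) {
        return null;
    }

    // NOTE(review): presumably null as well if the session's ID no longer matches
    // a record — callers should null-check either way
    return Member::get()->byID($id);
}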
/**
 * Given a file and filename, ensure that file renaming / replacing rules are satisfied
 *
 * If replacing, this method may replace $this->file with an existing record to overwrite.
 * If renaming, a new value for $filename may be returned
 *
 * @param string $filename
 * @return string $filename A filename safe to write to
 * @throws Exception When no free name is found within the name generator's try budget
 */
protected function resolveExistingFile($filename)
{
    // Lazily create the File record, choosing the subclass by extension
    if (!$this->file) {
        $extension = File::get_file_extension($filename);
        $this->file = Object::create(File::get_class_for_file_extension($extension));
    }

    // Only File dataobjects take part in rename/replace handling
    if (!($this->file instanceof File)) {
        return $filename;
    }

    $existing = File::find($filename);

    // Renaming is only needed when there is a clash and replacing is off
    $mustRename = $existing && !$this->replaceFile;
    if (!$mustRename) {
        // Overwriting an existing record: adopt it and hand ownership to the current user
        if (!$this->file->ID && $this->replaceFile && $existing) {
            $this->file = $existing;
            $this->file->OwnerID = Member::currentUserID();
        }
        return $filename;
    }

    // Clash: walk the generated variants (test.gif -> test-v2.gif -> test-v3.gif ...)
    // until one is free
    $renamer = $this->getNameGenerator($filename);
    foreach ($renamer as $candidate) {
        if (!File::find($candidate)) {
            return $candidate;
        }
    }

    $tries = $renamer->getMaxTries();
    throw new Exception("Could not rename {$filename} with {$tries} tries");
}
/**
 * Returns the current logged in user
 *
 * @return Member|null The logged-in Member, or null when nobody is logged in.
 */
public static function currentUser()
{
    $id = Member::currentUserID();

    // Anonymous visitor: nothing to load
    if (!$id) {
        return null;
    }

    return DataObject::get_by_id('SilverStripe\\Security\\Member', $id);
}