Apart from the route-based rules defined in permissions.yml, the
following special cases are available:
"overview:$contenttype" - view the overview for the content type. Alias
for "contenttype:$contenttype:view".
"contenttype:$contenttype",
"contenttype:$contenttype:view",
"contenttype:$contenttype:view:$id" - View any item or a particular item
of the specified content type.
"contenttype:$contenttype:edit",
"contenttype:$contenttype:edit:$id" - Edit any item or a particular item
of the specified content type.
"contenttype:$contenttype:create" - Create a new item of the specified
content type. (It doesn't make sense
to provide this permission on a
per-item basis, for obvious reasons)
"contenttype:$contenttype:change-ownership",
"contenttype:$contenttype:change-ownership:$id" - Change the ownership
of the specified content type or item.
/** * When redirecting to the backend dashboard (while logged in), * if the user does not have access change the redirect to the homepage. * * @param \Symfony\Component\HttpFoundation\RedirectResponse $response */ protected function handleNoBackendAccess(RedirectResponse $response) { $authCookie = $this->session->get('authentication'); if (!$this->authentication->isValidSession((string) $authCookie)) { return; } $dashboardPath = $this->urlGenerator->generate('dashboard'); $dashboardAccess = $this->users->isAllowed('dashboard'); if ($response->getTargetUrl() === $dashboardPath && !$dashboardAccess) { $this->session->getFlashBag()->clear(); $response->setTargetUrl($this->urlGenerator->generate('homepage')); } }
/** * Do the edit form for a record. * * @param Content $content A content record * @param array $contentType The contenttype data * @param boolean $duplicate If TRUE create a duplicate record * * @return array */ public function action(Content $content, array $contentType, $duplicate) { $contentTypeSlug = $contentType['slug']; $new = $content->getId() === null ?: false; $oldStatus = $content->getStatus(); $allStatuses = ['published', 'held', 'draft', 'timed']; $allowedStatuses = []; foreach ($allStatuses as $status) { if ($this->users->isContentStatusTransitionAllowed($oldStatus, $status, $contentTypeSlug, $content->getId())) { $allowedStatuses[] = $status; } } // For duplicating a record, clear base field values. if ($duplicate) { $content->setId(''); $content->setSlug(''); $content->setDatecreated(''); $content->setDatepublish(''); $content->setDatedepublish(null); $content->setDatechanged(''); $content->setUsername(''); $content->setOwnerid(''); $this->loggerFlash->info(Trans::__('contenttypes.generic.duplicated-finalize', ['%contenttype%' => $contentTypeSlug])); } // Set the users and the current owner of this content. if ($new || $duplicate) { // For brand-new and duplicated items, the creator becomes the owner. $contentowner = $this->users->getCurrentUser(); } else { // For existing items, we'll just keep the current owner. $contentowner = $this->users->getUser($content->getOwnerid()); } // Build list of incoming non inverted related records. $incomingNotInverted = []; foreach ($content->getRelation()->incoming($content) as $relation) { if ($relation->isInverted()) { continue; } $fromContentType = $relation->getFromContenttype(); $record = $this->em->getContent($fromContentType . '/' . $relation->getFromId()); if ($record) { $incomingNotInverted[$fromContentType][] = $record; } } // Test write access for uploadable fields. $contentType['fields'] = $this->setCanUpload($contentType['fields']); $templateFields = $content->getTemplatefields(); if ($templateFields instanceof TemplateFields && ($templateFieldsData = $templateFields->getContenttype()->getFields())) { $templateFields->getContenttype()['fields'] = $this->setCanUpload($templateFields->getContenttype()->getFields()); } // Build context for Twig. $contextCan = ['upload' => $this->users->isAllowed('files:uploads'), 'publish' => $this->users->isAllowed('contenttype:' . $contentTypeSlug . ':publish:' . $content->getId()), 'depublish' => $this->users->isAllowed('contenttype:' . $contentTypeSlug . ':depublish:' . $content->getId()), 'change_ownership' => $this->users->isAllowed('contenttype:' . $contentTypeSlug . ':change-ownership:' . $content->getId())]; $contextHas = ['incoming_relations' => count($incomingNotInverted) > 0, 'relations' => isset($contentType['relations']), 'tabs' => $contentType['groups'] !== false, 'taxonomy' => isset($contentType['taxonomy']), 'templatefields' => empty($templateFieldsData) ? false : true]; $contextValues = ['datepublish' => $this->getPublishingDate($content->getDatepublish(), true), 'datedepublish' => $this->getPublishingDate($content->getDatedepublish())]; $context = ['incoming_not_inv' => $incomingNotInverted, 'contenttype' => $contentType, 'content' => $content, 'allowed_status' => $allowedStatuses, 'contentowner' => $contentowner, 'fields' => $this->config->fields->fields(), 'fieldtemplates' => $this->getTemplateFieldTemplates($contentType, $content), 'fieldtypes' => $this->getUsedFieldtypes($contentType, $content, $contextHas), 'groups' => $this->createGroupTabs($contentType, $contextHas), 'can' => $contextCan, 'has' => $contextHas, 'values' => $contextValues, 'relations_list' => $this->getRelationsList($contentType)]; return $context; }
public function onRequest(GetResponseEvent $event) { if (!Zone::isBackend($event->getRequest())) { return; } foreach ($this->config->getRolesAdmin() as $role) { if ($this->users->isAllowed($role)) { return; } } throw new AccessDeniedException('Logged in user does not have the correct rights to use this class.'); }
/** * Transition a record's owner if permitted. * * @param Content $entity * @param integer $ownerId */ protected function transistionRecordOwner(Content $entity, $ownerId) { $recordId = $entity->getId(); $contentTypeName = (string) $entity->getContenttype(); $canChangeOwner = $this->users->isAllowed("contenttype:{$contentTypeName}:change-ownership:{$recordId}"); if (!$canChangeOwner) { $this->loggerFlash->error(Trans::__('general.access-denied.content-not-modified', ['%title%' => $entity->getTitle()])); return; } $entity->setOwnerid($ownerId); $entity->_modified = true; }
/** * Set a ContentType record values from a HTTP POST. * * @param Entity\Content $content * @param array $formValues * @param array $contentType * * @throws AccessControlException */ private function setPostedValues(Entity\Content $content, $formValues, $contentType) { // Ensure all fields have valid values $formValues = $this->setSuccessfulControlValues($formValues, $contentType['fields']); $formValues = Input::cleanPostedData($formValues); unset($formValues['contenttype']); $user = $this->users->getCurrentUser(); if ($id = $content->getId()) { // Owner is set explicitly, is current user is allowed to do this? if (isset($formValues['ownerid']) && (int) $formValues['ownerid'] !== $content->getOwnerid()) { if (!$this->users->isAllowed("contenttype:{$contentType['slug']}:change-ownership:{$id}")) { throw new AccessControlException('Changing ownership is not allowed.'); } $content->setOwnerid($formValues['ownerid']); } } else { $content->setOwnerid($user['id']); } // Hack … remove soon $formValues += ['status' => 'draft']; // Make sure we have a proper status. if (!in_array($formValues['status'], ['published', 'timed', 'held', 'draft'])) { if ($status = $content->getStatus()) { $formValues['status'] = $status; } else { $formValues['status'] = 'draft'; } } // Set the object values appropriately foreach ($formValues as $name => $value) { if ($name === 'relation' || $name === 'taxonomy') { continue; } else { $content->set($name, empty($value) ? null : $value); } } $this->setPostedRelations($content, $formValues); $this->setPostedTaxonomies($content, $formValues); }