protected function init() { parent::init(); if (!Director::is_cli() && !Permission::check('ADMIN')) { return Security::permissionFailure(); } }
public function testModelAdminOpens() { $this->autoFollowRedirection = false; $this->logInAs('admin'); $this->assertTrue((bool) Permission::check("ADMIN")); $this->assertEquals(200, $this->get('ModelAdminTest_Admin')->getStatusCode()); }
public function init() { parent::init(); if (!Permission::check('ADMIN')) { return Security::permissionFailure($this); } }
public function init() { parent::init(); $canAccess = Director::isDev() || Director::is_cli() || Permission::check("ADMIN"); if (!$canAccess) { return Security::permissionFailure($this); } }
protected function init() { parent::init(); // Unless called from the command line, all CliControllers need ADMIN privileges if (!Director::is_cli() && !Permission::check("ADMIN")) { return Security::permissionFailure(); } }
protected function init() { parent::init(); $isRunningTests = class_exists('SilverStripe\\Dev\\SapphireTest', false) && SapphireTest::is_running_test(); $canAccess = Director::isDev() || Director::is_cli() && !$isRunningTests || Permission::check("ADMIN"); if (!$canAccess) { Security::permissionFailure($this); } }
public function run($request) { if (!Permission::check('ADMIN') && !Director::is_cli()) { $response = Security::permissionFailure(); if ($response) { $response->output(); } die; } SapphireTest::delete_all_temp_dbs(); }
protected function init() { parent::init(); // We allow access to this controller regardless of live-status or ADMIN permission only // if on CLI or with the database not ready. The latter makes it less errorprone to do an // initial schema build without requiring a default-admin login. // Access to this controller is always allowed in "dev-mode", or of the user is ADMIN. $isRunningTests = class_exists('SapphireTest', false) && SapphireTest::is_running_test(); $canAccess = Director::isDev() || !Security::database_is_ready() || Director::is_cli() && !$isRunningTests || Permission::check("ADMIN"); if (!$canAccess) { return Security::permissionFailure($this, "This page is secured and you need administrator rights to access it. " . "Enter your credentials below and we will send you right along."); } }
protected function init() { parent::init(); // Special case for dev/build: Defer permission checks to DatabaseAdmin->init() (see #4957) $requestedDevBuild = stripos($this->getRequest()->getURL(), 'dev/build') === 0 && stripos($this->getRequest()->getURL(), 'dev/build/defaults') === false; // We allow access to this controller regardless of live-status or ADMIN permission only // if on CLI. Access to this controller is always allowed in "dev-mode", or of the user is ADMIN. $canAccess = $requestedDevBuild || Director::isDev() || Director::is_cli() || Permission::check("ADMIN"); if (!$canAccess) { Security::permissionFailure($this); return; } // check for valid url mapping // lacking this information can cause really nasty bugs, // e.g. when running Director::test() from a FunctionalTest instance global $_FILE_TO_URL_MAPPING; if (Director::is_cli()) { if (isset($_FILE_TO_URL_MAPPING)) { $testPath = BASE_PATH; $matched = false; while ($testPath && $testPath != "/" && !preg_match('/^[A-Z]:\\\\$/', $testPath)) { if (isset($_FILE_TO_URL_MAPPING[$testPath])) { $matched = true; break; } $testPath = dirname($testPath); } if (!$matched) { echo 'Warning: You probably want to define ' . 'an entry in $_FILE_TO_URL_MAPPING that covers "' . Director::baseFolder() . '"' . "\n"; } } else { echo 'Warning: You probably want to define $_FILE_TO_URL_MAPPING in ' . 'your _ss_environment.php as instructed on the "sake" page of the doc.silverstripe.org wiki' . "\n"; } } // Backwards compat: Default to "draft" stage, which is important // for tasks like dev/build which call DataObject->requireDefaultRecords(), // but also for other administrative tasks which have assumptions about the default stage. Versioned::set_stage(Versioned::DRAFT); }
/** * @param Member $member * @param array $context Additional context-specific data which might * affect whether (or where) this object could be created. * @return boolean */ public function canCreate($member = null, $context = array()) { $extended = $this->extendedCan(__FUNCTION__, $member, $context); if ($extended !== null) { return $extended; } return Permission::check('ADMIN', 'any', $member); }
require_once 'core/Core.php'; // Connect to database global $databaseConfig; if ($databaseConfig) { DB::connect($databaseConfig); } // Check if a token is requesting a redirect if (!$reloadToken) { return; } // Otherwise, we start up the session if needed if (!isset($_SESSION) && Session::request_contains_session_id()) { Session::start(); } // Next, check if we're in dev mode, or the database doesn't have any security data, or we are admin if (Director::isDev() || !Security::database_is_ready() || Permission::check('ADMIN')) { return $reloadToken->reloadWithToken(); } // Fail and redirect the user to the login page $loginPage = Director::absoluteURL(Security::config()->login_url); $loginPage .= "?BackURL=" . urlencode($_SERVER['REQUEST_URI']); header('location: ' . $loginPage, true, 302); die; })->thenIfErrored(function () use($reloadToken) { if ($reloadToken) { $reloadToken->reloadWithToken(); } })->execute(); global $databaseConfig; // Redirect to the installer if no database is selected if (!isset($databaseConfig) || !isset($databaseConfig['database']) || !$databaseConfig['database']) {
public function canDelete($member = null) { return Permission::check('APPLY_ROLES', 'any', $member); }
public function testCoreGlobalVariableCalls() { $this->assertEquals(Director::absoluteBaseURL(), $this->render('{$absoluteBaseURL}'), 'Director::absoluteBaseURL can be called from within template'); $this->assertEquals(Director::absoluteBaseURL(), $this->render('{$AbsoluteBaseURL}'), 'Upper-case %AbsoluteBaseURL can be called from within template'); $this->assertEquals(Director::is_ajax(), $this->render('{$isAjax}'), 'All variations of is_ajax result in the correct call'); $this->assertEquals(Director::is_ajax(), $this->render('{$IsAjax}'), 'All variations of is_ajax result in the correct call'); $this->assertEquals(Director::is_ajax(), $this->render('{$is_ajax}'), 'All variations of is_ajax result in the correct call'); $this->assertEquals(Director::is_ajax(), $this->render('{$Is_ajax}'), 'All variations of is_ajax result in the correct call'); $this->assertEquals(i18n::get_locale(), $this->render('{$i18nLocale}'), 'i18n template functions result correct result'); $this->assertEquals(i18n::get_locale(), $this->render('{$get_locale}'), 'i18n template functions result correct result'); $this->assertEquals((string) Member::currentUser(), $this->render('{$CurrentMember}'), 'Member template functions result correct result'); $this->assertEquals((string) Member::currentUser(), $this->render('{$CurrentUser}'), 'Member template functions result correct result'); $this->assertEquals((string) Member::currentUser(), $this->render('{$currentMember}'), 'Member template functions result correct result'); $this->assertEquals((string) Member::currentUser(), $this->render('{$currentUser}'), 'Member template functions result correct result'); $this->assertEquals(SecurityToken::getSecurityID(), $this->render('{$getSecurityID}'), 'SecurityToken template functions result correct result'); $this->assertEquals(SecurityToken::getSecurityID(), $this->render('{$SecurityID}'), 'SecurityToken template functions result correct result'); $this->assertEquals(Permission::check("ADMIN"), (bool) $this->render('{$HasPerm(\'ADMIN\')}'), 'Permissions template functions result correct result'); $this->assertEquals(Permission::check("ADMIN"), (bool) $this->render('{$hasPerm(\'ADMIN\')}'), 'Permissions template functions result correct result'); }
/** * Validate that this DBFile accepts this filename as valid * * @param string $filename * @throws ValidationException * @return bool */ protected function isValidFilename($filename) { $extension = strtolower(File::get_file_extension($filename)); // Validate true if within the list of allowed extensions $allowed = $this->getAllowedExtensions(); if ($allowed) { return in_array($extension, $allowed); } // If no extensions are configured, fallback to global list $globalList = File::config()->allowed_extensions; if (in_array($extension, $globalList)) { return true; } // Only admins can bypass global rules return !File::config()->apply_restrictions_to_admin && Permission::check('ADMIN'); }
/** * An internal utility function to set up variables in preparation for including a compiled * template, then do the include * * Effectively this is the common code that both SSViewer#process and SSViewer_FromString#process call * * @param string $cacheFile The path to the file that contains the template compiled to PHP * @param ViewableData $item The item to use as the root scope for the template * @param array $overlay Any variables to layer on top of the scope * @param array $underlay Any variables to layer underneath the scope * @param ViewableData $inheritedScope The current scope of a parent template including a sub-template * @return string The result of executing the template */ protected function includeGeneratedTemplate($cacheFile, $item, $overlay, $underlay, $inheritedScope = null) { if (isset($_GET['showtemplate']) && $_GET['showtemplate'] && Permission::check('ADMIN')) { $lines = file($cacheFile); echo "<h2>Template: {$cacheFile}</h2>"; echo "<pre>"; foreach ($lines as $num => $line) { echo str_pad($num + 1, 5) . htmlentities($line, ENT_COMPAT, 'UTF-8'); } echo "</pre>"; } $cache = $this->getPartialCacheStore(); $scope = new SSViewer_DataPresenter($item, $overlay, $underlay, $inheritedScope); $val = ''; include $cacheFile; return $val; }
/** * Update the permission set associated with $record DataObject * * @param DataObjectInterface $record */ public function saveInto(DataObjectInterface $record) { $fieldname = $this->name; $managedClass = $this->managedClass; // Remove all "privileged" permissions if the currently logged-in user is not an admin $privilegedPermissions = Permission::config()->privileged_permissions; if (!Permission::check('ADMIN')) { foreach ($this->value as $id => $bool) { if (in_array($id, $privilegedPermissions)) { unset($this->value[$id]); } } } // remove all permissions and re-add them afterwards $permissions = $record->{$fieldname}(); foreach ($permissions as $permission) { $permission->delete(); } $schema = DataObject::getSchema(); if ($fieldname && $record && ($schema->hasManyComponent(get_class($record), $fieldname) || $schema->manyManyComponent(get_class($record), $fieldname))) { if (!$record->ID) { $record->write(); } // We need a record ID to write permissions if ($this->value) { foreach ($this->value as $id => $bool) { if ($bool) { $perm = new $managedClass(); $perm->{$this->filterField} = $record->ID; $perm->Code = $id; $perm->write(); } } } } }
/** * Determine if the user has permission to upload. * * @return boolean */ public function canUpload() { if (!$this->isActive()) { return false; } $can = $this->getConfig('canUpload'); if (is_bool($can)) { return $can; } return Permission::check($can); }
/** * Cleanup function to reset all the Filename fields. Visit File/fixfiles to call. * * @deprecated 5.0 */ public function fixfiles() { Deprecation::notice('5.0'); if (!Permission::check('ADMIN')) { return Security::permissionFailure($this); } $files = File::get(); foreach ($files as $file) { $file->updateFilesystem(); echo "<li>", $file->Filename; $file->write(); } echo "<p>Done!"; }
/** * Get a list of all available permission codes, both defined through the * {@link PermissionProvider} interface, and all not explicitly defined codes existing * as a {@link Permission} database record. By default, the results are * grouped as denoted by {@link Permission_Group}. * * @param bool $grouped Group results into an array of permission groups. * @return array Returns an array of all available permission codes. The * array indicies are the permission codes as used in * {@link Permission::check()}. The value is a description * suitable for using in an interface. */ public static function get_codes($grouped = true) { $classes = ClassInfo::implementorsOf('SilverStripe\\Security\\PermissionProvider'); $allCodes = array(); $adminCategory = _t('Permission.AdminGroup', 'Administrator'); $allCodes[$adminCategory]['ADMIN'] = array('name' => _t('Permission.FULLADMINRIGHTS', 'Full administrative rights'), 'help' => _t('Permission.FULLADMINRIGHTS_HELP', 'Implies and overrules all other assigned permissions.'), 'sort' => 100000); if ($classes) { foreach ($classes as $class) { $SNG = singleton($class); if ($SNG instanceof TestOnly) { continue; } $someCodes = $SNG->providePermissions(); if ($someCodes) { foreach ($someCodes as $k => $v) { if (is_array($v)) { // There must be a category and name key. if (!isset($v['category'])) { user_error("The permission {$k} must have a category key", E_USER_WARNING); } if (!isset($v['name'])) { user_error("The permission {$k} must have a name key", E_USER_WARNING); } if (!isset($allCodes[$v['category']])) { $allCodes[$v['category']] = array(); } $allCodes[$v['category']][$k] = array('name' => $v['name'], 'help' => isset($v['help']) ? $v['help'] : null, 'sort' => isset($v['sort']) ? $v['sort'] : 0); } else { $allCodes['Other'][$k] = array('name' => $v, 'help' => null, 'sort' => 0); } } } } } $flatCodeArray = array(); foreach ($allCodes as $category) { foreach ($category as $code => $permission) { $flatCodeArray[] = $code; } } $otherPerms = DB::query("SELECT DISTINCT \"Code\" From \"Permission\" WHERE \"Code\" != ''")->column(); if ($otherPerms) { foreach ($otherPerms as $otherPerm) { if (!in_array($otherPerm, $flatCodeArray)) { $allCodes['Other'][$otherPerm] = array('name' => $otherPerm, 'help' => null, 'sort' => 0); } } } // Don't let people hijack ADMIN rights if (!Permission::check("ADMIN")) { unset($allCodes['ADMIN']); } ksort($allCodes); $returnCodes = array(); foreach ($allCodes as $category => $permissions) { if ($grouped) { uasort($permissions, array(__CLASS__, 'sort_permissions')); $returnCodes[$category] = $permissions; } else { $returnCodes = array_merge($returnCodes, $permissions); } } return $returnCodes; }
/** * Determine if the user has permission to attach existing files * By default returns true if the user has the CMS_ACCESS_AssetAdmin permission * * @return boolean */ public function canAttachExisting() { if (!$this->isActive()) { return false; } $can = $this->getConfig('canAttachExisting'); return is_bool($can) ? $can : Permission::check($can); }
/** * @see SecurityAdmin_MemberImportForm * * @return Form */ public function GroupImportForm() { if (!Permission::check('ADMIN')) { return false; } $form = new GroupImportForm($this, 'GroupImportForm'); return $form; }
/** * Cleanup function to reset all the Filename fields. Visit File/fixfiles to call. */ public function fixfiles() { if (!Permission::check('ADMIN')) { return Security::permissionFailure($this); } $files = DataObject::get("File"); foreach ($files as $file) { $file->updateFilesystem(); echo "<li>", $file->Filename; $file->write(); } echo "<p>Done!"; }
public function index() { if (!Permission::check('ADMIN')) { return Security::permissionFailure($this); } return 'Success'; }
public function CanOrganiseSitetree() { return !Permission::check('SITETREE_REORGANISE') && !Permission::check('ADMIN') ? false : true; }
/** * Return a {@link FieldList} of fields that would appropriate for editing * this member. * * @return FieldList Return a FieldList of fields that would appropriate for * editing this member. */ public function getCMSFields() { require_once 'Zend/Date.php'; $self = $this; $this->beforeUpdateCMSFields(function (FieldList $fields) use($self) { /** @var FieldList $mainFields */ $mainFields = $fields->fieldByName("Root")->fieldByName("Main")->getChildren(); // Build change password field $mainFields->replaceField('Password', $self->getMemberPasswordField()); $mainFields->replaceField('Locale', new DropdownField("Locale", _t('Member.INTERFACELANG', "Interface Language", 'Language of the CMS'), i18n::get_existing_translations())); $mainFields->removeByName($self->config()->hidden_fields); if (!$self->config()->lock_out_after_incorrect_logins) { $mainFields->removeByName('FailedLoginCount'); } // Groups relation will get us into logical conflicts because // Members are displayed within group edit form in SecurityAdmin $fields->removeByName('Groups'); // Members shouldn't be able to directly view/edit logged passwords $fields->removeByName('LoggedPasswords'); $fields->removeByName('RememberLoginHashes'); if (Permission::check('EDIT_PERMISSIONS')) { $groupsMap = array(); foreach (Group::get() as $group) { // Listboxfield values are escaped, use ASCII char instead of » $groupsMap[$group->ID] = $group->getBreadcrumbs(' > '); } asort($groupsMap); $fields->addFieldToTab('Root.Main', ListboxField::create('DirectGroups', singleton('SilverStripe\\Security\\Group')->i18n_plural_name())->setSource($groupsMap)->setAttribute('data-placeholder', _t('Member.ADDGROUP', 'Add group', 'Placeholder text for a dropdown'))); // Add permission field (readonly to avoid complicated group assignment logic). // This should only be available for existing records, as new records start // with no permissions until they have a group assignment anyway. if ($self->ID) { $permissionsField = new PermissionCheckboxSetField_Readonly('Permissions', false, 'SilverStripe\\Security\\Permission', 'GroupID', $self->getManyManyComponents('Groups')); $fields->findOrMakeTab('Root.Permissions', singleton('SilverStripe\\Security\\Permission')->i18n_plural_name()); $fields->addFieldToTab('Root.Permissions', $permissionsField); } } $permissionsTab = $fields->fieldByName("Root")->fieldByName('Permissions'); if ($permissionsTab) { $permissionsTab->addExtraClass('readonly'); } $defaultDateFormat = Zend_Locale_Format::getDateFormat(new Zend_Locale($self->Locale)); $dateFormatMap = array('MMM d, yyyy' => Zend_Date::now()->toString('MMM d, yyyy'), 'yyyy/MM/dd' => Zend_Date::now()->toString('yyyy/MM/dd'), 'MM/dd/yyyy' => Zend_Date::now()->toString('MM/dd/yyyy'), 'dd/MM/yyyy' => Zend_Date::now()->toString('dd/MM/yyyy')); $dateFormatMap[$defaultDateFormat] = Zend_Date::now()->toString($defaultDateFormat) . sprintf(' (%s)', _t('Member.DefaultDateTime', 'default')); $mainFields->push($dateFormatField = new MemberDatetimeOptionsetField('DateFormat', $self->fieldLabel('DateFormat'), $dateFormatMap)); $dateFormatField->setValue($self->DateFormat); $dateFormatField->setDescriptionTemplate('forms/MemberDatetimeOptionsetField_description_date'); $defaultTimeFormat = Zend_Locale_Format::getTimeFormat(new Zend_Locale($self->Locale)); $timeFormatMap = array('h:mm a' => Zend_Date::now()->toString('h:mm a'), 'H:mm' => Zend_Date::now()->toString('H:mm')); $timeFormatMap[$defaultTimeFormat] = Zend_Date::now()->toString($defaultTimeFormat) . sprintf(' (%s)', _t('Member.DefaultDateTime', 'default')); $mainFields->push($timeFormatField = new MemberDatetimeOptionsetField('TimeFormat', $self->fieldLabel('TimeFormat'), $timeFormatMap)); $timeFormatField->setValue($self->TimeFormat); $timeFormatField->setDescriptionTemplate('forms/MemberDatetimeOptionsetField_description_time'); }); return parent::getCMSFields(); }
/** * Check that the given action is allowed to be called from a URL. * It will interrogate {@link self::$allowed_actions} to determine this. * * @param string $action * @return bool * @throws Exception */ public function checkAccessAction($action) { $actionOrigCasing = $action; $action = strtolower($action); $isAllowed = false; $isDefined = false; // Get actions for this specific class (without inheritance) $definingClass = $this->definingClassForAction($actionOrigCasing); $allowedActions = $this->allowedActions($definingClass); // check if specific action is set if (isset($allowedActions[$action])) { $isDefined = true; $test = $allowedActions[$action]; if ($test === true || $test === 1 || $test === '1') { // TRUE should always allow access $isAllowed = true; } elseif (substr($test, 0, 2) == '->') { // Determined by custom method with "->" prefix list($method, $arguments) = Object::parse_class_spec(substr($test, 2)); $isAllowed = call_user_func_array(array($this, $method), $arguments); } else { // Value is a permission code to check the current member against $isAllowed = Permission::check($test); } } elseif (is_array($allowedActions) && ($key = array_search($action, $allowedActions, true)) !== false && is_numeric($key)) { // Allow numeric array notation (search for array value as action instead of key) $isDefined = true; $isAllowed = true; } elseif (is_array($allowedActions) && !count($allowedActions)) { // If defined as empty array, deny action $isAllowed = false; } elseif ($allowedActions === null) { // If undefined, allow action based on configuration $isAllowed = !Config::inst()->get('RequestHandler', 'require_allowed_actions'); } // If we don't have a match in allowed_actions, // whitelist the 'index' action as well as undefined actions based on configuration. if (!$isDefined && ($action == 'index' || empty($action))) { $isAllowed = true; } return $isAllowed; }
public function validate() { $result = parent::validate(); // Check if the new group hierarchy would add certain "privileged permissions", // and require an admin to perform this change in case it does. // This prevents "sub-admin" users with group editing permissions to increase their privileges. if ($this->Parent()->exists() && !Permission::check('ADMIN')) { $inheritedCodes = Permission::get()->filter('GroupID', $this->Parent()->collateAncestorIDs())->column('Code'); $privilegedCodes = Config::inst()->get('SilverStripe\\Security\\Permission', 'privileged_permissions'); if (array_intersect($inheritedCodes, $privilegedCodes)) { $result->error(sprintf(_t('Group.HierarchyPermsError', 'Can\'t assign parent group "%s" with privileged permissions (requires ADMIN access)'), $this->Parent()->Title)); } } return $result; }