Apart from the route-based rules defined in permissions.yml, the
following special cases are available:
"overview:$contenttype" - view the overview for the content type. Alias
for "contenttype:$contenttype:view".
"contenttype:$contenttype",
"contenttype:$contenttype:view",
"contenttype:$contenttype:view:$id" - View any item or a particular item
of the specified content type.
"contenttype:$contenttype:edit",
"contenttype:$contenttype:edit:$id" - Edit any item or a particular item
of the specified content type.
"contenttype:$contenttype:create" - Create a new item of the specified
content type. (It doesn't make sense
to provide this permission on a
per-item basis, for obvious reasons)
"contenttype:$contenttype:change-ownership",
"contenttype:$contenttype:change-ownership:$id" - Change the ownership
of the specified content type or item.
/**
* When redirecting to the backend dashboard (while logged in),
* if the user does not have access change the redirect to the homepage.
*
* @param \Symfony\Component\HttpFoundation\RedirectResponse $response
*/
protected function handleNoBackendAccess(RedirectResponse $response)
{
$authCookie = $this->session->get('authentication');
if (!$this->authentication->isValidSession((string) $authCookie)) {
return;
}
$dashboardPath = $this->urlGenerator->generate('dashboard');
$dashboardAccess = $this->users->isAllowed('dashboard');
if ($response->getTargetUrl() === $dashboardPath && !$dashboardAccess) {
$this->session->getFlashBag()->clear();
$response->setTargetUrl($this->urlGenerator->generate('homepage'));
}
}
/**
* Do the edit form for a record.
*
* @param Content $content A content record
* @param array $contentType The contenttype data
* @param boolean $duplicate If TRUE create a duplicate record
*
* @return array
*/
public function action(Content $content, array $contentType, $duplicate)
{
$contentTypeSlug = $contentType['slug'];
$new = $content->getId() === null ?: false;
$oldStatus = $content->getStatus();
$allStatuses = ['published', 'held', 'draft', 'timed'];
$allowedStatuses = [];
foreach ($allStatuses as $status) {
if ($this->users->isContentStatusTransitionAllowed($oldStatus, $status, $contentTypeSlug, $content->getId())) {
$allowedStatuses[] = $status;
}
}
// For duplicating a record, clear base field values.
if ($duplicate) {
$content->setId('');
$content->setSlug('');
$content->setDatecreated('');
$content->setDatepublish('');
$content->setDatedepublish(null);
$content->setDatechanged('');
$content->setUsername('');
$content->setOwnerid('');
$this->loggerFlash->info(Trans::__('contenttypes.generic.duplicated-finalize', ['%contenttype%' => $contentTypeSlug]));
}
// Set the users and the current owner of this content.
if ($new || $duplicate) {
// For brand-new and duplicated items, the creator becomes the owner.
$contentowner = $this->users->getCurrentUser();
} else {
// For existing items, we'll just keep the current owner.
$contentowner = $this->users->getUser($content->getOwnerid());
}
// Build list of incoming non inverted related records.
$incomingNotInverted = [];
foreach ($content->getRelation()->incoming($content) as $relation) {
if ($relation->isInverted()) {
continue;
}
$fromContentType = $relation->getFromContenttype();
$record = $this->em->getContent($fromContentType . '/' . $relation->getFromId());
if ($record) {
$incomingNotInverted[$fromContentType][] = $record;
}
}
// Test write access for uploadable fields.
$contentType['fields'] = $this->setCanUpload($contentType['fields']);
$templateFields = $content->getTemplatefields();
if ($templateFields instanceof TemplateFields && ($templateFieldsData = $templateFields->getContenttype()->getFields())) {
$templateFields->getContenttype()['fields'] = $this->setCanUpload($templateFields->getContenttype()->getFields());
}
// Build context for Twig.
$contextCan = ['upload' => $this->users->isAllowed('files:uploads'), 'publish' => $this->users->isAllowed('contenttype:' . $contentTypeSlug . ':publish:' . $content->getId()), 'depublish' => $this->users->isAllowed('contenttype:' . $contentTypeSlug . ':depublish:' . $content->getId()), 'change_ownership' => $this->users->isAllowed('contenttype:' . $contentTypeSlug . ':change-ownership:' . $content->getId())];
$contextHas = ['incoming_relations' => count($incomingNotInverted) > 0, 'relations' => isset($contentType['relations']), 'tabs' => $contentType['groups'] !== false, 'taxonomy' => isset($contentType['taxonomy']), 'templatefields' => empty($templateFieldsData) ? false : true];
$contextValues = ['datepublish' => $this->getPublishingDate($content->getDatepublish(), true), 'datedepublish' => $this->getPublishingDate($content->getDatedepublish())];
$context = ['incoming_not_inv' => $incomingNotInverted, 'contenttype' => $contentType, 'content' => $content, 'allowed_status' => $allowedStatuses, 'contentowner' => $contentowner, 'fields' => $this->config->fields->fields(), 'fieldtemplates' => $this->getTemplateFieldTemplates($contentType, $content), 'fieldtypes' => $this->getUsedFieldtypes($contentType, $content, $contextHas), 'groups' => $this->createGroupTabs($contentType, $contextHas), 'can' => $contextCan, 'has' => $contextHas, 'values' => $contextValues, 'relations_list' => $this->getRelationsList($contentType)];
return $context;
}
public function onRequest(GetResponseEvent $event)
{
if (!Zone::isBackend($event->getRequest())) {
return;
}
foreach ($this->config->getRolesAdmin() as $role) {
if ($this->users->isAllowed($role)) {
return;
}
}
throw new AccessDeniedException('Logged in user does not have the correct rights to use this class.');
}
/**
* Transition a record's owner if permitted.
*
* @param Content $entity
* @param integer $ownerId
*/
protected function transistionRecordOwner(Content $entity, $ownerId)
{
$recordId = $entity->getId();
$contentTypeName = (string) $entity->getContenttype();
$canChangeOwner = $this->users->isAllowed("contenttype:{$contentTypeName}:change-ownership:{$recordId}");
if (!$canChangeOwner) {
$this->loggerFlash->error(Trans::__('general.access-denied.content-not-modified', ['%title%' => $entity->getTitle()]));
return;
}
$entity->setOwnerid($ownerId);
$entity->_modified = true;
}
/**
* Set a ContentType record values from a HTTP POST.
*
* @param Entity\Content $content
* @param array $formValues
* @param array $contentType
*
* @throws AccessControlException
*/
private function setPostedValues(Entity\Content $content, $formValues, $contentType)
{
// Ensure all fields have valid values
$formValues = $this->setSuccessfulControlValues($formValues, $contentType['fields']);
$formValues = Input::cleanPostedData($formValues);
unset($formValues['contenttype']);
$user = $this->users->getCurrentUser();
if ($id = $content->getId()) {
// Owner is set explicitly, is current user is allowed to do this?
if (isset($formValues['ownerid']) && (int) $formValues['ownerid'] !== $content->getOwnerid()) {
if (!$this->users->isAllowed("contenttype:{$contentType['slug']}:change-ownership:{$id}")) {
throw new AccessControlException('Changing ownership is not allowed.');
}
$content->setOwnerid($formValues['ownerid']);
}
} else {
$content->setOwnerid($user['id']);
}
// Hack … remove soon
$formValues += ['status' => 'draft'];
// Make sure we have a proper status.
if (!in_array($formValues['status'], ['published', 'timed', 'held', 'draft'])) {
if ($status = $content->getStatus()) {
$formValues['status'] = $status;
} else {
$formValues['status'] = 'draft';
}
}
// Set the object values appropriately
foreach ($formValues as $name => $value) {
if ($name === 'relation' || $name === 'taxonomy') {
continue;
} else {
$content->set($name, empty($value) ? null : $value);
}
}
$this->setPostedRelations($content, $formValues);
$this->setPostedTaxonomies($content, $formValues);
}
