-
Notifications
You must be signed in to change notification settings - Fork 332
Commit
- Loading branch information
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -32,12 +32,26 @@ class SiteConfig extends DataObject implements PermissionProvider, TemplateGloba | |
"EditorGroups" => "Group", | ||
"CreateTopLevelGroups" => "Group" | ||
); | ||
|
||
private static $defaults = array( | ||
"CanViewType" => "Anyone", | ||
"CanEditType" => "LoggedInUsers", | ||
"CanCreateTopLevelType" => "LoggedInUsers", | ||
); | ||
|
||
/** | ||
* @config | ||
* @var array | ||
*/ | ||
private static $disabled_themes = array(); | ||
|
||
/** | ||
* Default permission to check for 'LoggedInUsers' to create or edit pages | ||
* | ||
* @var array | ||
* @config | ||
*/ | ||
private static $required_permission = array('CMS_ACCESS_CMSMain', 'CMS_ACCESS_LeftAndMain'); | ||
This comment has been minimized.
Sorry, something went wrong.
This comment has been minimized.
Sorry, something went wrong.
tractorcow
Contributor
|
||
|
||
/** | ||
* @deprecated 3.2 Use the "SiteConfig.disabled_themes" config setting instead | ||
|
@@ -230,48 +244,70 @@ static public function make_site_config() { | |
* called if a page is set to Inherit, but there is nothing | ||
* to inherit from. | ||
* | ||
* @param mixed $member | ||
* @param Member $member | ||
* @return boolean | ||
*/ | ||
public function canView($member = null) { | ||
public function canViewPages($member = null) { | ||
if(!$member) $member = Member::currentUserID(); | ||
if($member && is_numeric($member)) $member = DataObject::get_by_id('Member', $member); | ||
|
||
if ($member && Permission::checkMember($member, "ADMIN")) return true; | ||
|
||
$extended = $this->extendedCan('canViewPages', $member); | ||
if($extended !== null) return $extended; | ||
|
||
if (!$this->CanViewType || $this->CanViewType == 'Anyone') return true; | ||
|
||
// check for any logged-in users | ||
if($this->CanViewType == 'LoggedInUsers' && $member) return true; | ||
if($this->CanViewType === 'LoggedInUsers' && $member) return true; | ||
|
||
// check for specific groups | ||
if($this->CanViewType == 'OnlyTheseUsers' && $member && $member->inGroups($this->ViewerGroups())) return true; | ||
if($this->CanViewType === 'OnlyTheseUsers' && $member && $member->inGroups($this->ViewerGroups())) return true; | ||
|
||
return false; | ||
} | ||
|
||
/** | ||
* Can a user edit pages on this site? This method is only | ||
* called if a page is set to Inherit, but there is nothing | ||
* to inherit from. | ||
* to inherit from, or on new records without a parent. | ||
* | ||
* @param mixed $member | ||
* @param Member $member | ||
* @return boolean | ||
*/ | ||
public function canEdit($member = null) { | ||
public function canEditPages($member = null) { | ||
if(!$member) $member = Member::currentUserID(); | ||
if($member && is_numeric($member)) $member = DataObject::get_by_id('Member', $member); | ||
|
||
if ($member && Permission::checkMember($member, "ADMIN")) return true; | ||
|
||
// check for any logged-in users | ||
if(!$this->CanEditType || $this->CanEditType == 'LoggedInUsers' && $member) return true; | ||
$extended = $this->extendedCan('canEditPages', $member); | ||
if($extended !== null) return $extended; | ||
|
||
// check for any logged-in users with CMS access | ||
if( $this->CanEditType === 'LoggedInUsers' | ||
&& Permission::checkMember($member, $this->config()->required_permission) | ||
) { | ||
return true; | ||
} | ||
|
||
// check for specific groups | ||
if($this->CanEditType == 'OnlyTheseUsers' && $member && $member->inGroups($this->EditorGroups())) return true; | ||
if($this->CanEditType === 'OnlyTheseUsers' && $member && $member->inGroups($this->EditorGroups())) { | ||
return true; | ||
} | ||
|
||
return false; | ||
} | ||
|
||
public function canEdit($member = null) { | ||
if(!$member) $member = Member::currentUserID(); | ||
if($member && is_numeric($member)) $member = DataObject::get_by_id('Member', $member); | ||
|
||
$extended = $this->extendedCan('canEdit', $member); | ||
if($extended !== null) return $extended; | ||
|
||
return Permission::checkMember($member, "EDIT_SITECONFIG"); | ||
} | ||
|
||
public function providePermissions() { | ||
return array( | ||
|
@@ -287,25 +323,32 @@ public function providePermissions() { | |
/** | ||
* Can a user create pages in the root of this site? | ||
* | ||
* @param mixed $member | ||
* @param Member $member | ||
* @return boolean | ||
*/ | ||
public function canCreateTopLevel($member = null) { | ||
if(!$member || !(is_a($member, 'Member')) || is_numeric($member)) { | ||
$member = Member::currentUserID(); | ||
} | ||
|
||
if (Permission::check('ADMIN')) return true; | ||
if(!$member) $member = Member::currentUserID(); | ||
if($member && is_numeric($member)) $member = DataObject::get_by_id('Member', $member); | ||
|
||
if ($member && Permission::checkMember($member, "ADMIN")) return true; | ||
|
||
$extended = $this->extendedCan('canCreateTopLevel', $member); | ||
if($extended !== null) return $extended; | ||
|
||
// check for any logged-in users | ||
if($this->CanCreateTopLevelType == 'LoggedInUsers' && $member) return true; | ||
// check for any logged-in users with CMS permission | ||
if( $this->CanCreateTopLevelType === 'LoggedInUsers' | ||
&& Permission::checkMember($member, $this->config()->required_permission) | ||
) { | ||
return true; | ||
} | ||
|
||
// check for specific groups | ||
if($member && is_numeric($member)) $member = DataObject::get_by_id('Member', $member); | ||
if($this->CanCreateTopLevelType == 'OnlyTheseUsers' && $member && $member->inGroups($this->CreateTopLevelGroups())) return true; | ||
|
||
if( $this->CanCreateTopLevelType === 'OnlyTheseUsers' | ||
&& $member | ||
&& $member->inGroups($this->CreateTopLevelGroups()) | ||
) { | ||
return true; | ||
} | ||
|
||
return false; | ||
} | ||
|
I'm wondering if the default permissions for this are correct.
We are now allowing people to create or edit pages based on their permission to "Access to 'Pages' section" - access doesn't imply creation or editing ability.
Instead, should this not be based on the content permission "Edit any page" (
SITETREEEDITALL
) instead, which makes more sense as its related to the editing of page, rather than the ability to view a section of the CMS.ping @tractorcow