Commit
- Loading branch information
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -32,12 +32,26 @@ class SiteConfig extends DataObject implements PermissionProvider, TemplateGloba | |
| "EditorGroups" => "Group", | ||
| "CreateTopLevelGroups" => "Group" | ||
| ); | ||
|
|
||
| private static $defaults = array( | ||
| "CanViewType" => "Anyone", | ||
| "CanEditType" => "LoggedInUsers", | ||
| "CanCreateTopLevelType" => "LoggedInUsers", | ||
| ); | ||
|
|
||
| /** | ||
| * @config | ||
| * @var array | ||
| */ | ||
| private static $disabled_themes = array(); | ||
|
|
||
| /** | ||
| * Default permission to check for 'LoggedInUsers' to create or edit pages | ||
| * | ||
| * @var array | ||
| * @config | ||
| */ | ||
| private static $required_permission = array('CMS_ACCESS_CMSMain', 'CMS_ACCESS_LeftAndMain'); | ||
This comment has been minimized.
Sorry, something went wrong.
This comment has been minimized.
Sorry, something went wrong. 
tractorcow
Contributor
|
||
|
|
||
| /** | ||
| * @deprecated 3.2 Use the "SiteConfig.disabled_themes" config setting instead | ||
|
|
@@ -230,48 +244,70 @@ static public function make_site_config() { | |
| * called if a page is set to Inherit, but there is nothing | ||
| * to inherit from. | ||
| * | ||
| * @param Member $member | ||
| * @return boolean | ||
| */ | ||
| public function canViewPages($member = null) { | ||
| if(!$member) $member = Member::currentUserID(); | ||
| if($member && is_numeric($member)) $member = DataObject::get_by_id('Member', $member); | ||
|
|
||
| if ($member && Permission::checkMember($member, "ADMIN")) return true; | ||
|
|
||
| $extended = $this->extendedCan('canViewPages', $member); | ||
| if($extended !== null) return $extended; | ||
|
|
||
| if (!$this->CanViewType || $this->CanViewType == 'Anyone') return true; | ||
|
|
||
| // check for any logged-in users | ||
| if($this->CanViewType === 'LoggedInUsers' && $member) return true; | ||
|
|
||
| // check for specific groups | ||
| if($this->CanViewType === 'OnlyTheseUsers' && $member && $member->inGroups($this->ViewerGroups())) return true; | ||
|
|
||
| return false; | ||
| } | ||
|
|
||
| /** | ||
| * Can a user edit pages on this site? This method is only | ||
| * called if a page is set to Inherit, but there is nothing | ||
| * to inherit from, or on new records without a parent. | ||
| * | ||
| * @param Member $member | ||
| * @return boolean | ||
| */ | ||
| public function canEditPages($member = null) { | ||
| if(!$member) $member = Member::currentUserID(); | ||
| if($member && is_numeric($member)) $member = DataObject::get_by_id('Member', $member); | ||
|
|
||
| if ($member && Permission::checkMember($member, "ADMIN")) return true; | ||
|
|
||
| $extended = $this->extendedCan('canEditPages', $member); | ||
| if($extended !== null) return $extended; | ||
|
|
||
| // check for any logged-in users with CMS access | ||
| if( $this->CanEditType === 'LoggedInUsers' | ||
| && Permission::checkMember($member, $this->config()->required_permission) | ||
| ) { | ||
| return true; | ||
| } | ||
|
|
||
| // check for specific groups | ||
| if($this->CanEditType === 'OnlyTheseUsers' && $member && $member->inGroups($this->EditorGroups())) { | ||
| return true; | ||
| } | ||
|
|
||
| return false; | ||
| } | ||
|
|
||
| public function canEdit($member = null) { | ||
| if(!$member) $member = Member::currentUserID(); | ||
| if($member && is_numeric($member)) $member = DataObject::get_by_id('Member', $member); | ||
|
|
||
| $extended = $this->extendedCan('canEdit', $member); | ||
| if($extended !== null) return $extended; | ||
|
|
||
| return Permission::checkMember($member, "EDIT_SITECONFIG"); | ||
| } | ||
|
|
||
| public function providePermissions() { | ||
| return array( | ||
|
|
@@ -287,25 +323,32 @@ public function providePermissions() { | |
| /** | ||
| * Can a user create pages in the root of this site? | ||
| * | ||
| * @param Member $member | ||
| * @return boolean | ||
| */ | ||
| public function canCreateTopLevel($member = null) { | ||
| if(!$member) $member = Member::currentUserID(); | ||
| if($member && is_numeric($member)) $member = DataObject::get_by_id('Member', $member); | ||
|
|
||
| if ($member && Permission::checkMember($member, "ADMIN")) return true; | ||
|
|
||
| $extended = $this->extendedCan('canCreateTopLevel', $member); | ||
| if($extended !== null) return $extended; | ||
|
|
||
| // check for any logged-in users with CMS permission | ||
| if( $this->CanCreateTopLevelType === 'LoggedInUsers' | ||
| && Permission::checkMember($member, $this->config()->required_permission) | ||
| ) { | ||
| return true; | ||
| } | ||
|
|
||
| // check for specific groups | ||
| if( $this->CanCreateTopLevelType === 'OnlyTheseUsers' | ||
| && $member | ||
| && $member->inGroups($this->CreateTopLevelGroups()) | ||
| ) { | ||
| return true; | ||
| } | ||
|
|
||
| return false; | ||
| } | ||
|
|
||
I'm wondering if the default permissions for this are correct.
We are now allowing people to create or edit pages based on their permission to "Access to 'Pages' section" - access doesn't imply creation or editing ability.
Instead, should this not be based on the content permission "Edit any page" (
SITETREEEDITALL) instead, which makes more sense as its related to the editing of page, rather than the ability to view a section of the CMS.ping @tractorcow