winter/modules/backend/classes/AuthManager.php

<?php namespace Backend\Classes;

use System\Classes\PluginManager;
use October\Rain\Auth\Manager as RainAuthManager;

/**
 * Back-end authentication manager.
 *
 * @package october\backend
 * @author Alexey Bobkov, Samuel Georges
 */
class AuthManager extends RainAuthManager
{
    protected static $instance;

    protected $sessionKey = 'admin_auth';

    protected $userModel = 'Backend\Models\User';

    protected $groupModel = 'Backend\Models\UserGroup';

    protected $throttleModel = 'Backend\Models\UserThrottle';

    protected $requireActivation = false;

    //
    // Permission management
    //

    protected static $permissionDefaults = [
        'code'    => null,
        'label'   => null,
        'comment' => null,
        'roles'   => null,
        'order'   => 500
    ];

    /**
     * @var array Cache of registration callbacks.
     */
    protected $callbacks = [];

    /**
     * @var array List of registered permissions.
     */
    protected $permissions = [];

    /**
     * @var array List of registered permission roles.
     */
    protected $permissionRoles = false;

    /**
     * @var array Cache of registered permissions.
     */
    protected $permissionCache = false;

    /**
     * Registers a callback function that defines authentication permissions.
     * The callback function should register permissions by calling the manager's
     * registerPermissions() function. The manager instance is passed to the
     * callback function as an argument. Usage:
     *
     *     BackendAuth::registerCallback(function($manager){
     *         $manager->registerPermissions([...]);
     *     });
     *
     * @param callable $callback A callable function.
     */
    public function registerCallback(callable $callback)
    {
        $this->callbacks[] = $callback;
    }

    /**
     * Registers the back-end permission items.
     * The argument is an array of the permissions. The array keys represent the
     * permission codes, specific for the plugin/module. Each element in the
     * array should be an associative array with the following keys:
     * - label - specifies the menu label localization string key, required.
     * - order - a position of the item in the menu, optional.
     * - comment - a brief comment that describes the permission, optional.
     * - tab - assign this permission to a tabbed group, optional.
     * @param string $owner Specifies the menu items owner plugin or module in the format Vendor/Module.
     * @param array $definitions An array of the menu item definitions.
     */
    public function registerPermissions($owner, array $definitions)
    {
        foreach ($definitions as $code => $definition) {
            $permission = (object)array_merge(self::$permissionDefaults, array_merge($definition, [
                'code' => $code,
                'owner' => $owner
            ]));

            $this->permissions[] = $permission;
        }
    }

    /**
     * Returns a list of the registered permissions items.
     * @return array
     */
    public function listPermissions()
    {
        if ($this->permissionCache !== false) {
            return $this->permissionCache;
        }

        /*
         * Load module items
         */
        foreach ($this->callbacks as $callback) {
            $callback($this);
        }

        /*
         * Load plugin items
         */
        $plugins = PluginManager::instance()->getPlugins();

        foreach ($plugins as $id => $plugin) {
            $items = $plugin->registerPermissions();
            if (!is_array($items)) {
                continue;
            }

            $this->registerPermissions($id, $items);
        }

        /*
         * Sort permission items
         */
        usort($this->permissions, function ($a, $b) {
            if ($a->order == $b->order) {
                return 0;
            }

            return $a->order > $b->order ? 1 : -1;
        });

        return $this->permissionCache = $this->permissions;
    }

    /**
     * Returns an array of registered permissions, grouped by tabs.
     * @return array
     */
    public function listTabbedPermissions()
    {
        $tabs = [];

        foreach ($this->listPermissions() as $permission) {
            $tab = $permission->tab ?? 'backend::lang.form.undefined_tab';

            if (!array_key_exists($tab, $tabs)) {
                $tabs[$tab] = [];
            }

            $tabs[$tab][] = $permission;
        }

        return $tabs;
    }

    /**
     * {@inheritdoc}
     */
    protected function createUserModelQuery()
    {
        return parent::createUserModelQuery()->withTrashed();
    }


    /**
     * {@inheritdoc}
     */
    protected function validateUserModel($user)
    {
        if ( ! $user instanceof $this->userModel) {
            return false;
        }

        // Perform the deleted_at check manually since the relevant migrations
        // might not have been run yet during the update to build 444.
        // @see https://github.com/octobercms/october/issues/3999
        if (array_key_exists('deleted_at', $user->getAttributes()) && $user->deleted_at !== null) {
            return false;
        }

        return $user;
    }

    /**
     * Returns an array of registered permissions belonging to a given role code
     * @param string $role
     * @param bool $includeOrphans
     * @return array
     */
    public function listPermissionsForRole($role, $includeOrphans = true)
    {
        if ($this->permissionRoles === false) {
            $this->permissionRoles = [];

            foreach ($this->listPermissions() as $permission) {
                if ($permission->roles) {
                    foreach ((array) $permission->roles as $_role) {
                        $this->permissionRoles[$_role][$permission->code] = 1;
                    }
                }
                else {
                    $this->permissionRoles['*'][$permission->code] = 1;
                }
            }
        }

        $result = $this->permissionRoles[$role] ?? [];

        if ($includeOrphans) {
            $result += $this->permissionRoles['*'] ?? [];
        }

        return $result;
    }

    public function hasPermissionsForRole($role)
    {
        return !!$this->listPermissionsForRole($role, false);
    }
}
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00			`<?php namespace Backend\Classes;`

Oops, now plugins can register permissions :-) 2014-05-19 22:42:16 +10:00			`use System\Classes\PluginManager;`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00			`use October\Rain\Auth\Manager as RainAuthManager;`

			`/**`
			`* Back-end authentication manager.`
			`*`
			`* @package october\backend`
			`* @author Alexey Bobkov, Samuel Georges`
			`*/`
			`class AuthManager extends RainAuthManager`
			`{`
			`protected static $instance;`

			`protected $sessionKey = 'admin_auth';`

			`protected $userModel = 'Backend\Models\User';`

			`protected $groupModel = 'Backend\Models\UserGroup';`

			`protected $throttleModel = 'Backend\Models\UserThrottle';`

			`protected $requireActivation = false;`

			`//`
			`// Permission management`
			`//`

Refs #679 - Fixed Visibility must be declared on property issues 2014-10-11 12:27:21 +11:00			`protected static $permissionDefaults = [`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00			`'code' => null,`
			`'label' => null,`
			`'comment' => null,`
Introduce concept of system roles These are roles defined by a special API code, once a system role code is detected, the role becomes locked and its permissions are sourced from the AuthManager. All permissions are granted to system roles by default, unless otherwise specified. This should make it easier to create client accounts as "Publishers", hiding developer tools like the CMS and Builder plugins by default. 2017-07-13 19:29:50 +10:00			`'roles' => null,`
Restyle Administrator pages 2015-05-21 22:54:44 +10:00			`'order' => 500`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00			`];`

			`/**`
			`* @var array Cache of registration callbacks.`
			`*/`
private -> protected 2014-08-01 18:20:55 +10:00			`protected $callbacks = [];`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00
			`/**`
			`* @var array List of registered permissions.`
			`*/`
private -> protected 2014-08-01 18:20:55 +10:00			`protected $permissions = [];`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00
Introduce concept of system roles These are roles defined by a special API code, once a system role code is detected, the role becomes locked and its permissions are sourced from the AuthManager. All permissions are granted to system roles by default, unless otherwise specified. This should make it easier to create client accounts as "Publishers", hiding developer tools like the CMS and Builder plugins by default. 2017-07-13 19:29:50 +10:00			`/**`
			`* @var array List of registered permission roles.`
			`*/`
			`protected $permissionRoles = false;`

Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00			`/**`
			`* @var array Cache of registered permissions.`
			`*/`
private -> protected 2014-08-01 18:20:55 +10:00			`protected $permissionCache = false;`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00
			`/**`
			`* Registers a callback function that defines authentication permissions.`
			`* The callback function should register permissions by calling the manager's`
			`* registerPermissions() function. The manager instance is passed to the`
			`* callback function as an argument. Usage:`
API docs progress Controller -> SystemController for consistency 2017-03-16 17:08:20 +11:00			`*`
			`* BackendAuth::registerCallback(function($manager){`
			`* $manager->registerPermissions([...]);`
			`* });`
			`*`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00			`* @param callable $callback A callable function.`
			`*/`
			`public function registerCallback(callable $callback)`
			`{`
			`$this->callbacks[] = $callback;`
			`}`

			`/**`
			`* Registers the back-end permission items.`
Code dusting (#2826) Code cleaning according to PSR-2 w/ exemptions (mostly dust). 2017-04-24 13:38:19 +02:00			`* The argument is an array of the permissions. The array keys represent the`
			`* permission codes, specific for the plugin/module. Each element in the`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00			`* array should be an associative array with the following keys:`
			`* - label - specifies the menu label localization string key, required.`
			`* - order - a position of the item in the menu, optional.`
			`* - comment - a brief comment that describes the permission, optional.`
			`* - tab - assign this permission to a tabbed group, optional.`
			`* @param string $owner Specifies the menu items owner plugin or module in the format Vendor/Module.`
			`* @param array $definitions An array of the menu item definitions.`
			`*/`
Updating backend/classes 2014-10-10 23:12:50 +02:00			`public function registerPermissions($owner, array $definitions)`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00			`{`
Updating backend/classes 2014-10-10 23:12:50 +02:00			`foreach ($definitions as $code => $definition) {`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00			`$permission = (object)array_merge(self::$permissionDefaults, array_merge($definition, [`
Updating backend/classes 2014-10-10 23:12:50 +02:00			`'code' => $code,`
			`'owner' => $owner`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00			`]));`

			`$this->permissions[] = $permission;`
			`}`
			`}`

			`/**`
Restyle Administrator pages 2015-05-21 22:54:44 +10:00			`* Returns a list of the registered permissions items.`
Code dusting (#2826) Code cleaning according to PSR-2 w/ exemptions (mostly dust). 2017-04-24 13:38:19 +02:00			`* @return array`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00			`*/`
			`public function listPermissions()`
			`{`
Updating backend/classes 2014-10-10 23:12:50 +02:00			`if ($this->permissionCache !== false) {`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00			`return $this->permissionCache;`
Updating backend/classes 2014-10-10 23:12:50 +02:00			`}`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00
Oops, now plugins can register permissions :-) 2014-05-19 22:42:16 +10:00			`/*`
			`* Load module items`
			`*/`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00			`foreach ($this->callbacks as $callback) {`
			`$callback($this);`
			`}`

Oops, now plugins can register permissions :-) 2014-05-19 22:42:16 +10:00			`/*`
			`* Load plugin items`
			`*/`
			`$plugins = PluginManager::instance()->getPlugins();`

			`foreach ($plugins as $id => $plugin) {`
			`$items = $plugin->registerPermissions();`
Updating backend/classes 2014-10-10 23:12:50 +02:00			`if (!is_array($items)) {`
Oops, now plugins can register permissions :-) 2014-05-19 22:42:16 +10:00			`continue;`
Updating backend/classes 2014-10-10 23:12:50 +02:00			`}`
Oops, now plugins can register permissions :-) 2014-05-19 22:42:16 +10:00
			`$this->registerPermissions($id, $items);`
			`}`

			`/*`
			`* Sort permission items`
			`*/`
Updating backend/classes 2014-10-10 23:12:50 +02:00			`usort($this->permissions, function ($a, $b) {`
			`if ($a->order == $b->order) {`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00			`return 0;`
Updating backend/classes 2014-10-10 23:12:50 +02:00			`}`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00
			`return $a->order > $b->order ? 1 : -1;`
			`});`

			`return $this->permissionCache = $this->permissions;`
			`}`
Restyle Administrator pages 2015-05-21 22:54:44 +10:00
			`/**`
			`* Returns an array of registered permissions, grouped by tabs.`
			`* @return array`
			`*/`
			`public function listTabbedPermissions()`
			`{`
			`$tabs = [];`

			`foreach ($this->listPermissions() as $permission) {`
Refactor ternary operators to null coalescing operators 2018-08-15 19:15:13 +02:00			`$tab = $permission->tab ?? 'backend::lang.form.undefined_tab';`
Make sure a tab is defined always - Refs #1397 2015-08-29 16:45:01 +10:00
Restyle Administrator pages 2015-05-21 22:54:44 +10:00			`if (!array_key_exists($tab, $tabs)) {`
			`$tabs[$tab] = [];`
			`}`

			`$tabs[$tab][] = $permission;`
			`}`

			`return $tabs;`
			`}`
Introduce concept of system roles These are roles defined by a special API code, once a system role code is detected, the role becomes locked and its permissions are sourced from the AuthManager. All permissions are granted to system roles by default, unless otherwise specified. This should make it easier to create client accounts as "Publishers", hiding developer tools like the CMS and Builder plugins by default. 2017-07-13 19:29:50 +10:00
Added manual deleted_at checks (#4051) Fixes #4046 It is possible that the user model gets fetched using the SoftDelete trait before the relevant migrations were applied during an update. To fix this edge case the user model is always fetched using the withTrashed scope and the deleted_at check is done manually afterwards. @see https://github.com/octobercms/october/issues/3999 2019-01-18 21:42:25 +01:00			`/**`
			`* {@inheritdoc}`
			`*/`
			`protected function createUserModelQuery()`
			`{`
			`return parent::createUserModelQuery()->withTrashed();`
			`}`


			`/**`
			`* {@inheritdoc}`
			`*/`
			`protected function validateUserModel($user)`
			`{`
			`if ( ! $user instanceof $this->userModel) {`
			`return false;`
			`}`

			`// Perform the deleted_at check manually since the relevant migrations`
			`// might not have been run yet during the update to build 444.`
			`// @see https://github.com/octobercms/october/issues/3999`
			`if (array_key_exists('deleted_at', $user->getAttributes()) && $user->deleted_at !== null) {`
			`return false;`
			`}`

			`return $user;`
			`}`

Introduce concept of system roles These are roles defined by a special API code, once a system role code is detected, the role becomes locked and its permissions are sourced from the AuthManager. All permissions are granted to system roles by default, unless otherwise specified. This should make it easier to create client accounts as "Publishers", hiding developer tools like the CMS and Builder plugins by default. 2017-07-13 19:29:50 +10:00			`/**`
			`* Returns an array of registered permissions belonging to a given role code`
			`* @param string $role`
Compiled assets, minor docblock update 2019-01-03 16:26:30 -06:00			`* @param bool $includeOrphans`
Introduce concept of system roles These are roles defined by a special API code, once a system role code is detected, the role becomes locked and its permissions are sourced from the AuthManager. All permissions are granted to system roles by default, unless otherwise specified. This should make it easier to create client accounts as "Publishers", hiding developer tools like the CMS and Builder plugins by default. 2017-07-13 19:29:50 +10:00			`* @return array`
			`*/`
			`public function listPermissionsForRole($role, $includeOrphans = true)`
			`{`
			`if ($this->permissionRoles === false) {`
			`$this->permissionRoles = [];`

			`foreach ($this->listPermissions() as $permission) {`
			`if ($permission->roles) {`
			`foreach ((array) $permission->roles as $_role) {`
			`$this->permissionRoles[$_role][$permission->code] = 1;`
			`}`
			`}`
			`else {`
			`$this->permissionRoles['*'][$permission->code] = 1;`
			`}`
			`}`
			`}`

			`$result = $this->permissionRoles[$role] ?? [];`

			`if ($includeOrphans) {`
			`$result += $this->permissionRoles['*'] ?? [];`
			`}`

			`return $result;`
			`}`

			`public function hasPermissionsForRole($role)`
			`{`
			`return !!$this->listPermissionsForRole($role, false);`
			`}`
Updating backend/classes 2014-10-10 23:12:50 +02:00			`}`