winter/modules/backend/controllers/Users.php

<?php namespace Backend\Controllers;

use Lang;
use Flash;
use Backend;
use Redirect;
use BackendMenu;
use BackendAuth;
use Backend\Models\UserGroup;
use Backend\Classes\Controller;
use System\Classes\SettingsManager;

/**
 * Backend user controller
 *
 * @package october\backend
 * @author Alexey Bobkov, Samuel Georges
 *
 */
class Users extends Controller
{
    /**
     * @var array Extensions implemented by this controller.
     */
    public $implement = [
        \Backend\Behaviors\FormController::class,
        \Backend\Behaviors\ListController::class
    ];

    /**
     * @var array `FormController` configuration.
     */
    public $formConfig = 'config_form.yaml';

    /**
     * @var array `ListController` configuration.
     */
    public $listConfig = 'config_list.yaml';

    /**
     * @var array Permissions required to view this page.
     */
    public $requiredPermissions = ['backend.manage_users'];

    /**
     * @var string HTML body tag class
     */
    public $bodyClass = 'compact-container';

    /**
     * Constructor.
     */
    public function __construct()
    {
        parent::__construct();

        if ($this->action == 'myaccount') {
            $this->requiredPermissions = null;
        }

        BackendMenu::setContext('October.System', 'system', 'users');
        SettingsManager::setContext('October.System', 'administrators');
    }

    /**
     * Extends the list query to hide superusers if the current user is not a superuser themselves
     */
    public function listExtendQuery($query)
    {
        if (!$this->user->isSuperUser()) {
            $query->where('is_superuser', false);
        }
    }

    /**
     * Prevents non-superusers from even seeing the is_superuser filter
     */
    public function listFilterExtendScopes($filterWidget)
    {
        if (!$this->user->isSuperUser()) {
            $filterWidget->removeScope('is_superuser');
        }
    }

    /**
     * Strike out deleted records
     */
    public function listInjectRowClass($record, $definition = null)
    {
        if ($record->trashed()) {
            return 'strike';
        }
    }

    /**
     * Extends the form query to prevent non-superusers from accessing superusers at all
     */
    public function formExtendQuery($query)
    {
        if (!$this->user->isSuperUser()) {
            $query->where('is_superuser', false);
        }

        // Ensure soft-deleted records can still be managed
        $query->withTrashed();
    }

    /**
     * Update controller
     */
    public function update($recordId, $context = null)
    {
        // Users cannot edit themselves, only use My Settings
        if ($context != 'myaccount' && $recordId == $this->user->id) {
            return Backend::redirect('backend/users/myaccount');
        }

        return $this->asExtension('FormController')->update($recordId, $context);
    }

    /**
     * Handle restoring users
     */
    public function update_onRestore($recordId)
    {
        $this->formFindModelObject($recordId)->restore();

        Flash::success(Lang::get('backend::lang.form.restore_success', ['name' => Lang::get('backend::lang.user.name')]));

        return Redirect::refresh();
    }

    /**
     * Impersonate this user
     */
    public function update_onImpersonateUser($recordId)
    {
        if (!$this->user->hasAccess('backend.impersonate_users')) {
            return Response::make(Lang::get('backend::lang.page.access_denied.label'), 403);
        }

        $model = $this->formFindModelObject($recordId);

        BackendAuth::impersonate($model);

        Flash::success(Lang::get('backend::lang.account.impersonate_success'));

        return Backend::redirect('backend/users/myaccount');
    }

    /**
     * Unsuspend this user
     */
    public function update_onUnsuspendUser($recordId)
    {
        $model = $this->formFindModelObject($recordId);

        $model->unsuspend();

        Flash::success(Lang::get('backend::lang.account.unsuspend_success'));

        return Redirect::refresh();
    }

    /**
     * My Settings controller
     */
    public function myaccount()
    {
        SettingsManager::setContext('October.Backend', 'myaccount');

        $this->pageTitle = 'backend::lang.myaccount.menu_label';
        return $this->update($this->user->id, 'myaccount');
    }

    /**
     * Proxy update onSave event
     */
    public function myaccount_onSave()
    {
        $result = $this->asExtension('FormController')->update_onSave($this->user->id, 'myaccount');

        /*
         * If the password or login name has been updated, reauthenticate the user
         */
        $loginChanged = $this->user->login != post('User[login]');
        $passwordChanged = strlen(post('User[password]'));
        if ($loginChanged || $passwordChanged) {
            BackendAuth::login($this->user->reload(), true);
        }

        return $result;
    }

    /**
     * Add available permission fields to the User form.
     * Mark default groups as checked for new Users.
     */
    public function formExtendFields($form)
    {
        if ($form->getContext() == 'myaccount') {
            return;
        }

        if (!$this->user->isSuperUser()) {
            $form->removeField('is_superuser');
        }

        /*
         * Add permissions tab
         */
        $form->addTabFields($this->generatePermissionsField());

        /*
         * Mark default groups
         */
        if (!$form->model->exists) {
            $defaultGroupIds = UserGroup::where('is_new_user_default', true)->lists('id');

            $groupField = $form->getField('groups');
            if ($groupField) {
                $groupField->value = $defaultGroupIds;
            }
        }
    }

    /**
     * Adds the permissions editor widget to the form.
     * @return array
     */
    protected function generatePermissionsField()
    {
        return [
            'permissions' => [
                'tab' => 'backend::lang.user.permissions',
                'type' => 'Backend\FormWidgets\PermissionEditor',
                'trigger' => [
                    'action' => 'disable',
                    'field' => 'is_superuser',
                    'condition' => 'checked'
                ]
            ]
        ];
    }
}
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00			`<?php namespace Backend\Controllers;`

Implemented soft deleting for backend users 2018-12-17 23:09:17 -06:00			`use Lang;`
			`use Flash;`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00			`use Backend;`
Implemented soft deleting for backend users 2018-12-17 23:09:17 -06:00			`use Redirect;`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00			`use BackendMenu;`
			`use BackendAuth;`
Back-end user groups can now be marked to add new administrators by default Streamline naming of backend user groups Add description field to backend user group table 2014-12-16 12:39:38 +11:00			`use Backend\Models\UserGroup;`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00			`use Backend\Classes\Controller;`
System page navigation improvements, not finished 2014-07-24 15:19:00 +11:00			`use System\Classes\SettingsManager;`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00
			`/**`
			`* Backend user controller`
			`*`
			`* @package october\backend`
			`* @author Alexey Bobkov, Samuel Georges`
			`*`
			`*/`
			`class Users extends Controller`
			`{`
Code doc improvements 2017-07-27 17:35:14 +10:00			`/**`
			`* @var array Extensions implemented by this controller.`
			`*/`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00			`public $implement = [`
Code doc improvements 2017-07-27 17:35:14 +10:00			`\Backend\Behaviors\FormController::class,`
			`\Backend\Behaviors\ListController::class`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00			`];`

Code doc improvements 2017-07-27 17:35:14 +10:00			`/**`
			* @var array `FormController` configuration.
			`*/`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00			`public $formConfig = 'config_form.yaml';`

Code doc improvements 2017-07-27 17:35:14 +10:00			`/**`
			* @var array `ListController` configuration.
			`*/`
			`public $listConfig = 'config_list.yaml';`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00
Code doc improvements 2017-07-27 17:35:14 +10:00			`/**`
			`* @var array Permissions required to view this page.`
			`*/`
Replace missing permissions 2017-07-28 00:05:35 +10:00			`public $requiredPermissions = ['backend.manage_users'];`

			`/**`
			`* @var string HTML body tag class`
			`*/`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00			`public $bodyClass = 'compact-container';`

Code doc improvements 2017-07-27 17:35:14 +10:00			`/**`
			`* Constructor.`
			`*/`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00			`public function __construct()`
			`{`
			`parent::__construct();`

Updating backend/controllers 2014-10-10 23:26:57 +02:00			`if ($this->action == 'myaccount') {`
Ref #306 - mysettings should be unrestricted by permissions 2014-06-16 21:12:50 +10:00			`$this->requiredPermissions = null;`
Updating backend/controllers 2014-10-10 23:26:57 +02:00			`}`
Ref #306 - mysettings should be unrestricted by permissions 2014-06-16 21:12:50 +10:00
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00			`BackendMenu::setContext('October.System', 'system', 'users');`
Updated the settings pages UX 2014-07-27 15:07:22 +11:00			`SettingsManager::setContext('October.System', 'administrators');`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00			`}`

Improve support for three tier user system This builds on https://github.com/octobercms/october/commit/4fd1ca824f7873b540d66d8b57c7e40b2308f172 by switching from a two tier approach to permissions (superusers and regular users), to a three tier approach (superusers (developer), second-in-command (clients with manage_users permissions), and regular users). If support for a four tier approach is necessary (Superuser, Franchise Owner, Franchise Business Manager, Franchise Staff as an example), then it can be implemented simply by adding a flag to roles that would prevent anyone except for a superuser from assigning that role. The specific changes made by this commit is to support users with the manage_users permission (but who are not superusers) to be able to assign roles to other users and improvements to the sanctity of the superuser itself. Non-superusers can no longer see or edit superusers in the backend (that was previously poorly handled as a non-superuser with manage_users could take over a superuser account since they could modify that account willy-nilly), and the is_superuser filter is accordingly removed as well. 2017-10-14 00:25:52 -06:00			`/**`
			`* Extends the list query to hide superusers if the current user is not a superuser themselves`
			`*/`
			`public function listExtendQuery($query)`
			`{`
			`if (!$this->user->isSuperUser()) {`
			`$query->where('is_superuser', false);`
			`}`
			`}`
Implemented soft deleting for backend users 2018-12-17 23:09:17 -06:00
Fixes #3315 Fixes #3315 by moving the manipulation of the filter widget scopes to the controller event method instead of before any part of the controller constructor method is run. 2017-12-28 13:21:00 -06:00			`/**`
			`* Prevents non-superusers from even seeing the is_superuser filter`
			`*/`
			`public function listFilterExtendScopes($filterWidget)`
			`{`
			`if (!$this->user->isSuperUser()) {`
			`$filterWidget->removeScope('is_superuser');`
			`}`
			`}`
Improve support for three tier user system This builds on https://github.com/octobercms/october/commit/4fd1ca824f7873b540d66d8b57c7e40b2308f172 by switching from a two tier approach to permissions (superusers and regular users), to a three tier approach (superusers (developer), second-in-command (clients with manage_users permissions), and regular users). If support for a four tier approach is necessary (Superuser, Franchise Owner, Franchise Business Manager, Franchise Staff as an example), then it can be implemented simply by adding a flag to roles that would prevent anyone except for a superuser from assigning that role. The specific changes made by this commit is to support users with the manage_users permission (but who are not superusers) to be able to assign roles to other users and improvements to the sanctity of the superuser itself. Non-superusers can no longer see or edit superusers in the backend (that was previously poorly handled as a non-superuser with manage_users could take over a superuser account since they could modify that account willy-nilly), and the is_superuser filter is accordingly removed as well. 2017-10-14 00:25:52 -06:00
Implemented soft deleting for backend users 2018-12-17 23:09:17 -06:00			`/**`
			`* Strike out deleted records`
			`*/`
			`public function listInjectRowClass($record, $definition = null)`
			`{`
			`if ($record->trashed()) {`
			`return 'strike';`
			`}`
			`}`

Improve support for three tier user system This builds on https://github.com/octobercms/october/commit/4fd1ca824f7873b540d66d8b57c7e40b2308f172 by switching from a two tier approach to permissions (superusers and regular users), to a three tier approach (superusers (developer), second-in-command (clients with manage_users permissions), and regular users). If support for a four tier approach is necessary (Superuser, Franchise Owner, Franchise Business Manager, Franchise Staff as an example), then it can be implemented simply by adding a flag to roles that would prevent anyone except for a superuser from assigning that role. The specific changes made by this commit is to support users with the manage_users permission (but who are not superusers) to be able to assign roles to other users and improvements to the sanctity of the superuser itself. Non-superusers can no longer see or edit superusers in the backend (that was previously poorly handled as a non-superuser with manage_users could take over a superuser account since they could modify that account willy-nilly), and the is_superuser filter is accordingly removed as well. 2017-10-14 00:25:52 -06:00			`/**`
			`* Extends the form query to prevent non-superusers from accessing superusers at all`
			`*/`
			`public function formExtendQuery($query)`
			`{`
			`if (!$this->user->isSuperUser()) {`
			`$query->where('is_superuser', false);`
			`}`
Implemented soft deleting for backend users 2018-12-17 23:09:17 -06:00
			`// Ensure soft-deleted records can still be managed`
			`$query->withTrashed();`
Improve support for three tier user system This builds on https://github.com/octobercms/october/commit/4fd1ca824f7873b540d66d8b57c7e40b2308f172 by switching from a two tier approach to permissions (superusers and regular users), to a three tier approach (superusers (developer), second-in-command (clients with manage_users permissions), and regular users). If support for a four tier approach is necessary (Superuser, Franchise Owner, Franchise Business Manager, Franchise Staff as an example), then it can be implemented simply by adding a flag to roles that would prevent anyone except for a superuser from assigning that role. The specific changes made by this commit is to support users with the manage_users permission (but who are not superusers) to be able to assign roles to other users and improvements to the sanctity of the superuser itself. Non-superusers can no longer see or edit superusers in the backend (that was previously poorly handled as a non-superuser with manage_users could take over a superuser account since they could modify that account willy-nilly), and the is_superuser filter is accordingly removed as well. 2017-10-14 00:25:52 -06:00			`}`

Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00			`/**`
			`* Update controller`
			`*/`
			`public function update($recordId, $context = null)`
			`{`
			`// Users cannot edit themselves, only use My Settings`
Updating backend/controllers 2014-10-10 23:26:57 +02:00			`if ($context != 'myaccount' && $recordId == $this->user->id) {`
Popup control now supports several sizes via `data-size` attribute: giant, huge, large, small, tiny. Fixes various bugs in RC version 2015-02-11 18:35:39 +11:00			`return Backend::redirect('backend/users/myaccount');`
Updating backend/controllers 2014-10-10 23:26:57 +02:00			`}`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00
getClassExtension -> asExtension (shorter syntax) 2014-08-23 09:41:48 +10:00			`return $this->asExtension('FormController')->update($recordId, $context);`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00			`}`

Implemented soft deleting for backend users 2018-12-17 23:09:17 -06:00			`/**`
			`* Handle restoring users`
			`*/`
			`public function update_onRestore($recordId)`
			`{`
			`$this->formFindModelObject($recordId)->restore();`

			`Flash::success(Lang::get('backend::lang.form.restore_success', ['name' => Lang::get('backend::lang.user.name')]));`

			`return Redirect::refresh();`
			`}`

Implemented easy impersonation of backend users controlled by the backend.impersonate_users permission 2019-05-09 10:36:46 -06:00			`/**`
			`* Impersonate this user`
			`*/`
			`public function update_onImpersonateUser($recordId)`
			`{`
			`if (!$this->user->hasAccess('backend.impersonate_users')) {`
			`return Response::make(Lang::get('backend::lang.page.access_denied.label'), 403);`
			`}`

			`$model = $this->formFindModelObject($recordId);`

			`BackendAuth::impersonate($model);`

			`Flash::success(Lang::get('backend::lang.account.impersonate_success'));`

			`return Backend::redirect('backend/users/myaccount');`
			`}`

Unsuspend a backend user from user update screen (#5032) 2020-04-07 20:22:41 +01:00			`/**`
			`* Unsuspend this user`
			`*/`
			`public function update_onUnsuspendUser($recordId)`
			`{`
			`$model = $this->formFindModelObject($recordId);`

			`$model->unsuspend();`

			`Flash::success(Lang::get('backend::lang.account.unsuspend_success'));`

			`return Redirect::refresh();`
			`}`

Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00			`/**`
			`* My Settings controller`
			`*/`
EditorSettings -> EditorPreferences (System has settings, User has preferences, App has configuration) Create a My Settings page, now linked when clicking a User Create backend preferences form for setting locale Dropdown options now support an image or icon in their options 2014-07-01 17:17:53 +10:00			`public function myaccount()`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00			`{`
System page navigation improvements, not finished 2014-07-24 15:19:00 +11:00			`SettingsManager::setContext('October.Backend', 'myaccount');`

BackendSettings -> BrandSettings pageTitle is now translated at the end of the line Fixed unit tests so they pass SettingsModels are now cached 2014-10-15 19:53:44 +11:00			`$this->pageTitle = 'backend::lang.myaccount.menu_label';`
EditorSettings -> EditorPreferences (System has settings, User has preferences, App has configuration) Create a My Settings page, now linked when clicking a User Create backend preferences form for setting locale Dropdown options now support an image or icon in their options 2014-07-01 17:17:53 +10:00			`return $this->update($this->user->id, 'myaccount');`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00			`}`

			`/**`
			`* Proxy update onSave event`
			`*/`
EditorSettings -> EditorPreferences (System has settings, User has preferences, App has configuration) Create a My Settings page, now linked when clicking a User Create backend preferences form for setting locale Dropdown options now support an image or icon in their options 2014-07-01 17:17:53 +10:00			`public function myaccount_onSave()`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00			`{`
getClassExtension -> asExtension (shorter syntax) 2014-08-23 09:41:48 +10:00			`$result = $this->asExtension('FormController')->update_onSave($this->user->id, 'myaccount');`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00
			`/*`
			`* If the password or login name has been updated, reauthenticate the user`
			`*/`
			`$loginChanged = $this->user->login != post('User[login]');`
			`$passwordChanged = strlen(post('User[password]'));`
Updating backend/controllers 2014-10-10 23:26:57 +02:00			`if ($loginChanged \|\| $passwordChanged) {`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00			`BackendAuth::login($this->user->reload(), true);`
Updating backend/controllers 2014-10-10 23:26:57 +02:00			`}`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00
			`return $result;`
			`}`

			`/**`
			`* Add available permission fields to the User form.`
Back-end user groups can now be marked to add new administrators by default Streamline naming of backend user groups Add description field to backend user group table 2014-12-16 12:39:38 +11:00			`* Mark default groups as checked for new Users.`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00			`*/`
Fix protection level on formExtendFields Improve styling on collapsible sections 2015-09-10 20:42:24 +10:00			`public function formExtendFields($form)`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00			`{`
Updating backend/controllers 2014-10-10 23:26:57 +02:00			`if ($form->getContext() == 'myaccount') {`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00			`return;`
Updating backend/controllers 2014-10-10 23:26:57 +02:00			`}`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00
Remove superuser field for non-superusers If an admin user has permission to manage other users, they are able to set others as superuser, or even create their own superuser account. That's not really what we want. 2015-09-24 12:04:26 +01:00			`if (!$this->user->isSuperUser()) {`
Move the superuser flag out of permissions array - fixes #1503 2015-11-28 10:21:41 +11:00			`$form->removeField('is_superuser');`
Remove superuser field for non-superusers If an admin user has permission to manage other users, they are able to set others as superuser, or even create their own superuser account. That's not really what we want. 2015-09-24 12:04:26 +01:00			`}`

Restyle Administrator pages 2015-05-21 22:54:44 +10:00			`/*`
			`* Add permissions tab`
			`*/`
UI updates 2016-02-19 22:12:41 -08:00			`$form->addTabFields($this->generatePermissionsField());`
Back-end user groups can now be marked to add new administrators by default Streamline naming of backend user groups Add description field to backend user group table 2014-12-16 12:39:38 +11:00
			`/*`
			`* Mark default groups`
			`*/`
			`if (!$form->model->exists) {`
			`$defaultGroupIds = UserGroup::where('is_new_user_default', true)->lists('id');`

			`$groupField = $form->getField('groups');`
Support groups field being removed 2019-02-25 13:21:33 -06:00			`if ($groupField) {`
			`$groupField->value = $defaultGroupIds;`
			`}`
Back-end user groups can now be marked to add new administrators by default Streamline naming of backend user groups Add description field to backend user group table 2014-12-16 12:39:38 +11:00			`}`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00			`}`
Restyle Administrator pages 2015-05-21 22:54:44 +10:00
			`/**`
UI updates 2016-02-19 22:12:41 -08:00			`* Adds the permissions editor widget to the form.`
Restyle Administrator pages 2015-05-21 22:54:44 +10:00			`* @return array`
			`*/`
UI updates 2016-02-19 22:12:41 -08:00			`protected function generatePermissionsField()`
Restyle Administrator pages 2015-05-21 22:54:44 +10:00			`{`
UI updates 2016-02-19 22:12:41 -08:00			`return [`
			`'permissions' => [`
Restyle Administrator pages 2015-05-21 22:54:44 +10:00			`'tab' => 'backend::lang.user.permissions',`
UI updates 2016-02-19 22:12:41 -08:00			`'type' => 'Backend\FormWidgets\PermissionEditor',`
			`'trigger' => [`
			`'action' => 'disable',`
			`'field' => 'is_superuser',`
			`'condition' => 'checked'`
			`]`
			`]`
			`];`
Restyle Administrator pages 2015-05-21 22:54:44 +10:00			`}`
Updating backend/controllers 2014-10-10 23:26:57 +02:00			`}`