winter/modules/backend/controllers/Users.php

<?php namespace Backend\Controllers;

use Backend;
use BackendMenu;
use BackendAuth;
use Backend\Models\UserGroup;
use Backend\Classes\Controller;
use System\Classes\SettingsManager;

/**
 * Backend user controller
 *
 * @package october\backend
 * @author Alexey Bobkov, Samuel Georges
 *
 */
class Users extends Controller
{
    /**
     * @var array Extensions implemented by this controller.
     */
    public $implement = [
        \Backend\Behaviors\FormController::class,
        \Backend\Behaviors\ListController::class
    ];

    /**
     * @var array `FormController` configuration.
     */
    public $formConfig = 'config_form.yaml';

    /**
     * @var array `ListController` configuration.
     */
    public $listConfig = 'config_list.yaml';

    /**
     * @var array Permissions required to view this page.
     */
    public $requiredPermissions = ['backend.manage_users'];

    /**
     * @var string HTML body tag class
     */
    public $bodyClass = 'compact-container';

    /**
     * Constructor.
     */
    public function __construct()
    {
        $this->user = BackendAuth::getUser();
        if (!$this->user->isSuperUser()) {
            // Prevent non-superusers from even seeing the is_superuser filter
            $this->listConfig = $this->makeConfig($this->listConfig);
            $this->listConfig->filter = $this->makeConfig($this->listConfig->filter);
            unset($this->listConfig->filter->scopes['is_superuser']);
        }

        parent::__construct();

        if ($this->action == 'myaccount') {
            $this->requiredPermissions = null;
        }

        BackendMenu::setContext('October.System', 'system', 'users');
        SettingsManager::setContext('October.System', 'administrators');
    }

    /**
     * Extends the list query to hide superusers if the current user is not a superuser themselves
     */
    public function listExtendQuery($query)
    {
        if (!$this->user->isSuperUser()) {
            $query->where('is_superuser', false);
        }
    }

    /**
     * Extends the form query to prevent non-superusers from accessing superusers at all
     */
    public function formExtendQuery($query)
    {
        if (!$this->user->isSuperUser()) {
            $query->where('is_superuser', false);
        }
    }

    /**
     * Update controller
     */
    public function update($recordId, $context = null)
    {
        // Users cannot edit themselves, only use My Settings
        if ($context != 'myaccount' && $recordId == $this->user->id) {
            return Backend::redirect('backend/users/myaccount');
        }

        return $this->asExtension('FormController')->update($recordId, $context);
    }

    /**
     * My Settings controller
     */
    public function myaccount()
    {
        SettingsManager::setContext('October.Backend', 'myaccount');

        $this->pageTitle = 'backend::lang.myaccount.menu_label';
        return $this->update($this->user->id, 'myaccount');
    }

    /**
     * Proxy update onSave event
     */
    public function myaccount_onSave()
    {
        $result = $this->asExtension('FormController')->update_onSave($this->user->id, 'myaccount');

        /*
         * If the password or login name has been updated, reauthenticate the user
         */
        $loginChanged = $this->user->login != post('User[login]');
        $passwordChanged = strlen(post('User[password]'));
        if ($loginChanged || $passwordChanged) {
            BackendAuth::login($this->user->reload(), true);
        }

        return $result;
    }

    /**
     * Add available permission fields to the User form.
     * Mark default groups as checked for new Users.
     */
    public function formExtendFields($form)
    {
        if ($form->getContext() == 'myaccount') {
            return;
        }

        if (!$this->user->isSuperUser()) {
            $form->removeField('is_superuser');
        }

        /*
         * Add permissions tab
         */
        $form->addTabFields($this->generatePermissionsField());

        /*
         * Mark default groups
         */
        if (!$form->model->exists) {
            $defaultGroupIds = UserGroup::where('is_new_user_default', true)->lists('id');

            $groupField = $form->getField('groups');
            $groupField->value = $defaultGroupIds;
        }
    }

    /**
     * Adds the permissions editor widget to the form.
     * @return array
     */
    protected function generatePermissionsField()
    {
        return [
            'permissions' => [
                'tab' => 'backend::lang.user.permissions',
                'type' => 'Backend\FormWidgets\PermissionEditor',
                'trigger' => [
                    'action' => 'disable',
                    'field' => 'is_superuser',
                    'condition' => 'checked'
                ]
            ]
        ];
    }
}
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00			`<?php namespace Backend\Controllers;`

			`use Backend;`
			`use BackendMenu;`
			`use BackendAuth;`
Back-end user groups can now be marked to add new administrators by default Streamline naming of backend user groups Add description field to backend user group table 2014-12-16 12:39:38 +11:00			`use Backend\Models\UserGroup;`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00			`use Backend\Classes\Controller;`
System page navigation improvements, not finished 2014-07-24 15:19:00 +11:00			`use System\Classes\SettingsManager;`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00
			`/**`
			`* Backend user controller`
			`*`
			`* @package october\backend`
			`* @author Alexey Bobkov, Samuel Georges`
			`*`
			`*/`
			`class Users extends Controller`
			`{`
Code doc improvements 2017-07-27 17:35:14 +10:00			`/**`
			`* @var array Extensions implemented by this controller.`
			`*/`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00			`public $implement = [`
Code doc improvements 2017-07-27 17:35:14 +10:00			`\Backend\Behaviors\FormController::class,`
			`\Backend\Behaviors\ListController::class`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00			`];`

Code doc improvements 2017-07-27 17:35:14 +10:00			`/**`
			* @var array `FormController` configuration.
			`*/`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00			`public $formConfig = 'config_form.yaml';`

Code doc improvements 2017-07-27 17:35:14 +10:00			`/**`
			* @var array `ListController` configuration.
			`*/`
			`public $listConfig = 'config_list.yaml';`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00
Code doc improvements 2017-07-27 17:35:14 +10:00			`/**`
			`* @var array Permissions required to view this page.`
			`*/`
Replace missing permissions 2017-07-28 00:05:35 +10:00			`public $requiredPermissions = ['backend.manage_users'];`

			`/**`
			`* @var string HTML body tag class`
			`*/`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00			`public $bodyClass = 'compact-container';`

Code doc improvements 2017-07-27 17:35:14 +10:00			`/**`
			`* Constructor.`
			`*/`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00			`public function __construct()`
			`{`
Enable superusers to actually use the is_superuser filter 2017-10-14 21:55:56 -06:00			`$this->user = BackendAuth::getUser();`
			`if (!$this->user->isSuperUser()) {`
			`// Prevent non-superusers from even seeing the is_superuser filter`
			`$this->listConfig = $this->makeConfig($this->listConfig);`
			`$this->listConfig->filter = $this->makeConfig($this->listConfig->filter);`
			`unset($this->listConfig->filter->scopes['is_superuser']);`
			`}`
Improve support for three tier user system This builds on https://github.com/octobercms/october/commit/4fd1ca824f7873b540d66d8b57c7e40b2308f172 by switching from a two tier approach to permissions (superusers and regular users), to a three tier approach (superusers (developer), second-in-command (clients with manage_users permissions), and regular users). If support for a four tier approach is necessary (Superuser, Franchise Owner, Franchise Business Manager, Franchise Staff as an example), then it can be implemented simply by adding a flag to roles that would prevent anyone except for a superuser from assigning that role. The specific changes made by this commit is to support users with the manage_users permission (but who are not superusers) to be able to assign roles to other users and improvements to the sanctity of the superuser itself. Non-superusers can no longer see or edit superusers in the backend (that was previously poorly handled as a non-superuser with manage_users could take over a superuser account since they could modify that account willy-nilly), and the is_superuser filter is accordingly removed as well. 2017-10-14 00:25:52 -06:00
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00			`parent::__construct();`

Updating backend/controllers 2014-10-10 23:26:57 +02:00			`if ($this->action == 'myaccount') {`
Ref #306 - mysettings should be unrestricted by permissions 2014-06-16 21:12:50 +10:00			`$this->requiredPermissions = null;`
Updating backend/controllers 2014-10-10 23:26:57 +02:00			`}`
Ref #306 - mysettings should be unrestricted by permissions 2014-06-16 21:12:50 +10:00
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00			`BackendMenu::setContext('October.System', 'system', 'users');`
Updated the settings pages UX 2014-07-27 15:07:22 +11:00			`SettingsManager::setContext('October.System', 'administrators');`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00			`}`

Improve support for three tier user system This builds on https://github.com/octobercms/october/commit/4fd1ca824f7873b540d66d8b57c7e40b2308f172 by switching from a two tier approach to permissions (superusers and regular users), to a three tier approach (superusers (developer), second-in-command (clients with manage_users permissions), and regular users). If support for a four tier approach is necessary (Superuser, Franchise Owner, Franchise Business Manager, Franchise Staff as an example), then it can be implemented simply by adding a flag to roles that would prevent anyone except for a superuser from assigning that role. The specific changes made by this commit is to support users with the manage_users permission (but who are not superusers) to be able to assign roles to other users and improvements to the sanctity of the superuser itself. Non-superusers can no longer see or edit superusers in the backend (that was previously poorly handled as a non-superuser with manage_users could take over a superuser account since they could modify that account willy-nilly), and the is_superuser filter is accordingly removed as well. 2017-10-14 00:25:52 -06:00			`/**`
			`* Extends the list query to hide superusers if the current user is not a superuser themselves`
			`*/`
			`public function listExtendQuery($query)`
			`{`
			`if (!$this->user->isSuperUser()) {`
			`$query->where('is_superuser', false);`
			`}`
			`}`

			`/**`
			`* Extends the form query to prevent non-superusers from accessing superusers at all`
			`*/`
			`public function formExtendQuery($query)`
			`{`
			`if (!$this->user->isSuperUser()) {`
			`$query->where('is_superuser', false);`
			`}`
			`}`

Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00			`/**`
			`* Update controller`
			`*/`
			`public function update($recordId, $context = null)`
			`{`
			`// Users cannot edit themselves, only use My Settings`
Updating backend/controllers 2014-10-10 23:26:57 +02:00			`if ($context != 'myaccount' && $recordId == $this->user->id) {`
Popup control now supports several sizes via `data-size` attribute: giant, huge, large, small, tiny. Fixes various bugs in RC version 2015-02-11 18:35:39 +11:00			`return Backend::redirect('backend/users/myaccount');`
Updating backend/controllers 2014-10-10 23:26:57 +02:00			`}`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00
getClassExtension -> asExtension (shorter syntax) 2014-08-23 09:41:48 +10:00			`return $this->asExtension('FormController')->update($recordId, $context);`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00			`}`

			`/**`
			`* My Settings controller`
			`*/`
EditorSettings -> EditorPreferences (System has settings, User has preferences, App has configuration) Create a My Settings page, now linked when clicking a User Create backend preferences form for setting locale Dropdown options now support an image or icon in their options 2014-07-01 17:17:53 +10:00			`public function myaccount()`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00			`{`
System page navigation improvements, not finished 2014-07-24 15:19:00 +11:00			`SettingsManager::setContext('October.Backend', 'myaccount');`

BackendSettings -> BrandSettings pageTitle is now translated at the end of the line Fixed unit tests so they pass SettingsModels are now cached 2014-10-15 19:53:44 +11:00			`$this->pageTitle = 'backend::lang.myaccount.menu_label';`
EditorSettings -> EditorPreferences (System has settings, User has preferences, App has configuration) Create a My Settings page, now linked when clicking a User Create backend preferences form for setting locale Dropdown options now support an image or icon in their options 2014-07-01 17:17:53 +10:00			`return $this->update($this->user->id, 'myaccount');`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00			`}`

			`/**`
			`* Proxy update onSave event`
			`*/`
EditorSettings -> EditorPreferences (System has settings, User has preferences, App has configuration) Create a My Settings page, now linked when clicking a User Create backend preferences form for setting locale Dropdown options now support an image or icon in their options 2014-07-01 17:17:53 +10:00			`public function myaccount_onSave()`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00			`{`
getClassExtension -> asExtension (shorter syntax) 2014-08-23 09:41:48 +10:00			`$result = $this->asExtension('FormController')->update_onSave($this->user->id, 'myaccount');`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00
			`/*`
			`* If the password or login name has been updated, reauthenticate the user`
			`*/`
			`$loginChanged = $this->user->login != post('User[login]');`
			`$passwordChanged = strlen(post('User[password]'));`
Updating backend/controllers 2014-10-10 23:26:57 +02:00			`if ($loginChanged \|\| $passwordChanged) {`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00			`BackendAuth::login($this->user->reload(), true);`
Updating backend/controllers 2014-10-10 23:26:57 +02:00			`}`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00
			`return $result;`
			`}`

			`/**`
			`* Add available permission fields to the User form.`
Back-end user groups can now be marked to add new administrators by default Streamline naming of backend user groups Add description field to backend user group table 2014-12-16 12:39:38 +11:00			`* Mark default groups as checked for new Users.`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00			`*/`
Fix protection level on formExtendFields Improve styling on collapsible sections 2015-09-10 20:42:24 +10:00			`public function formExtendFields($form)`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00			`{`
Updating backend/controllers 2014-10-10 23:26:57 +02:00			`if ($form->getContext() == 'myaccount') {`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00			`return;`
Updating backend/controllers 2014-10-10 23:26:57 +02:00			`}`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00
Remove superuser field for non-superusers If an admin user has permission to manage other users, they are able to set others as superuser, or even create their own superuser account. That's not really what we want. 2015-09-24 12:04:26 +01:00			`if (!$this->user->isSuperUser()) {`
Move the superuser flag out of permissions array - fixes #1503 2015-11-28 10:21:41 +11:00			`$form->removeField('is_superuser');`
Remove superuser field for non-superusers If an admin user has permission to manage other users, they are able to set others as superuser, or even create their own superuser account. That's not really what we want. 2015-09-24 12:04:26 +01:00			`}`

Restyle Administrator pages 2015-05-21 22:54:44 +10:00			`/*`
			`* Add permissions tab`
			`*/`
UI updates 2016-02-19 22:12:41 -08:00			`$form->addTabFields($this->generatePermissionsField());`
Back-end user groups can now be marked to add new administrators by default Streamline naming of backend user groups Add description field to backend user group table 2014-12-16 12:39:38 +11:00
			`/*`
			`* Mark default groups`
			`*/`
			`if (!$form->model->exists) {`
			`$defaultGroupIds = UserGroup::where('is_new_user_default', true)->lists('id');`

			`$groupField = $form->getField('groups');`
			`$groupField->value = $defaultGroupIds;`
			`}`
Welcome to the world, October :-) 2014-05-14 23:24:20 +10:00			`}`
Restyle Administrator pages 2015-05-21 22:54:44 +10:00
			`/**`
UI updates 2016-02-19 22:12:41 -08:00			`* Adds the permissions editor widget to the form.`
Restyle Administrator pages 2015-05-21 22:54:44 +10:00			`* @return array`
			`*/`
UI updates 2016-02-19 22:12:41 -08:00			`protected function generatePermissionsField()`
Restyle Administrator pages 2015-05-21 22:54:44 +10:00			`{`
UI updates 2016-02-19 22:12:41 -08:00			`return [`
			`'permissions' => [`
Restyle Administrator pages 2015-05-21 22:54:44 +10:00			`'tab' => 'backend::lang.user.permissions',`
UI updates 2016-02-19 22:12:41 -08:00			`'type' => 'Backend\FormWidgets\PermissionEditor',`
			`'trigger' => [`
			`'action' => 'disable',`
			`'field' => 'is_superuser',`
			`'condition' => 'checked'`
			`]`
			`]`
			`];`
Restyle Administrator pages 2015-05-21 22:54:44 +10:00			`}`
Updating backend/controllers 2014-10-10 23:26:57 +02:00			`}`