From addf529b5c26affd35a787529fc776d04d3dc15c Mon Sep 17 00:00:00 2001 From: Andrew Paxley Date: Thu, 19 Oct 2023 14:16:36 +1300 Subject: [PATCH] add canInit method and CAN_DEV_GRAPHQL permissions --- composer.json | 2 +- src/Dev/DevelopmentAdmin.php | 42 +++++++++++++++++++++++++----------- 2 files changed, 30 insertions(+), 14 deletions(-) diff --git a/composer.json b/composer.json index 3352de9a..ca91d4e2 100755 --- a/composer.json +++ b/composer.json @@ -5,7 +5,7 @@ "license": "BSD-3-Clause", "require": { "php": "^8.1", - "silverstripe/framework": "^5", + "silverstripe/framework": "^5.2", "silverstripe/vendor-plugin": "^2", "webonyx/graphql-php": "^15.0.1", "silverstripe/event-dispatcher": "^1", diff --git a/src/Dev/DevelopmentAdmin.php b/src/Dev/DevelopmentAdmin.php index f9a2f7d2..ccee22a6 100644 --- a/src/Dev/DevelopmentAdmin.php +++ b/src/Dev/DevelopmentAdmin.php @@ -8,14 +8,16 @@ use SilverStripe\Control\HTTPRequest; use SilverStripe\Core\Config\Config; use SilverStripe\Dev\DebugView; +use SilverStripe\Dev\DevelopmentAdmin as RootDevelopmentAdmin; use SilverStripe\Security\Permission; +use SilverStripe\Security\PermissionProvider; use SilverStripe\Security\Security; use Exception; use Psr\Log\LoggerInterface; use SilverStripe\Core\Injector\Injector; use SilverStripe\GraphQL\Schema\Logger; -class DevelopmentAdmin extends Controller +class DevelopmentAdmin extends Controller implements PermissionProvider { private static $allowed_actions = [ 'runRegisteredController' @@ -30,21 +32,12 @@ protected function init() { parent::init(); - if (DevelopmentAdmin::config()->get('deny_non_cli') && !Director::is_cli()) { + if (RootDevelopmentAdmin::config()->get('deny_non_cli') && !Director::is_cli()) { return $this->httpError(404); } - // We allow access to this controller regardless of live-status or ADMIN permission only - // if on CLI. Access to this controller is always allowed in "dev-mode", or of the user is ADMIN. - $allowAllCLI = DevelopmentAdmin::config()->get('allow_all_cli'); - $canAccess = ( - Director::isDev() - || (Director::is_cli() && $allowAllCLI) - // Its important that we don't run this check if dev/build was requested - || Permission::check("ADMIN") - ); - if (!$canAccess) { + + if (!$this->canInit()) { Security::permissionFailure($this); - return; } // Define custom logger @@ -104,6 +97,29 @@ public function runRegisteredController(HTTPRequest $request) } } + public function canInit(): bool + { + return ( + Director::isDev() + // We need to ensure that DevelopmentAdminTest can simulate permission failures when running + // "dev/tasks" from CLI. + || (Director::is_cli() && RootDevelopmentAdmin::config()->get('allow_all_cli')) + || Permission::check(['ADMIN', 'ALL_DEV_ADMIN', 'CAN_DEV_GRAPHQL']) + ); + } + + public function providePermissions(): array + { + return [ + 'CAN_DEV_GRAPHQL' => [ + 'name' => _t(__CLASS__ . '.CAN_DEV_GRAPHQL_DESCRIPTION', 'Can view and execute /dev/graphql'), + 'help' => _t(__CLASS__ . '.CAN_DEV_GRAPHQL_HELP', 'Can view and execute GraphQL development tools (/dev/graphql).'), + 'category' => RootDevelopmentAdmin::permissionsCategory(), + 'sort' => 80 + ], + ]; + } + /** * @return array of url => description */