Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ENH add canInit method and CAN_DEV_GRAPHQL permissions #559

Merged
merged 2 commits into from
Nov 10, 2023
Merged

ENH add canInit method and CAN_DEV_GRAPHQL permissions #559

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
addf529
add canInit method and CAN_DEV_GRAPHQL permissions
andrewandante Oct 19, 2023
b47487d
ENH use init_permissions to match core PR
andrewandante Oct 31, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion composer.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@
"license": "BSD-3-Clause",
"require": {
"php": "^8.1",
"silverstripe/framework": "^5",
"silverstripe/framework": "^5.2",
"silverstripe/vendor-plugin": "^2",
"webonyx/graphql-php": "^15.0.1",
"silverstripe/event-dispatcher": "^1",
Expand Down
48 changes: 35 additions & 13 deletions src/Dev/DevelopmentAdmin.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,14 +8,16 @@
use SilverStripe\Control\HTTPRequest;
use SilverStripe\Core\Config\Config;
use SilverStripe\Dev\DebugView;
use SilverStripe\Dev\DevelopmentAdmin as RootDevelopmentAdmin;
use SilverStripe\Security\Permission;
use SilverStripe\Security\PermissionProvider;
use SilverStripe\Security\Security;
use Exception;
use Psr\Log\LoggerInterface;
use SilverStripe\Core\Injector\Injector;
use SilverStripe\GraphQL\Schema\Logger;

class DevelopmentAdmin extends Controller
class DevelopmentAdmin extends Controller implements PermissionProvider
{
private static $allowed_actions = [
'runRegisteredController'
Expand All @@ -26,25 +28,22 @@ class DevelopmentAdmin extends Controller
'$Action' => 'runRegisteredController',
];

private static $init_permissions = [
'ADMIN',
'ALL_DEV_ADMIN',
'CAN_DEV_GRAPHQL',
];

protected function init()
{
parent::init();

if (DevelopmentAdmin::config()->get('deny_non_cli') && !Director::is_cli()) {
if (RootDevelopmentAdmin::config()->get('deny_non_cli') && !Director::is_cli()) {
return $this->httpError(404);
}
// We allow access to this controller regardless of live-status or ADMIN permission only
// if on CLI. Access to this controller is always allowed in "dev-mode", or of the user is ADMIN.
$allowAllCLI = DevelopmentAdmin::config()->get('allow_all_cli');
$canAccess = (
Director::isDev()
|| (Director::is_cli() && $allowAllCLI)
// Its important that we don't run this check if dev/build was requested
|| Permission::check("ADMIN")
);
if (!$canAccess) {

if (!$this->canInit()) {
Security::permissionFailure($this);
return;
}

// Define custom logger
Expand Down Expand Up @@ -104,6 +103,29 @@ public function runRegisteredController(HTTPRequest $request)
}
}

public function canInit(): bool
{
return (
Director::isDev()
// We need to ensure that DevelopmentAdminTest can simulate permission failures when running
// "dev/tasks" from CLI.
|| (Director::is_cli() && RootDevelopmentAdmin::config()->get('allow_all_cli'))
|| Permission::check(static::config()->get('init_permissions'))
);
}

public function providePermissions(): array
{
return [
'CAN_DEV_GRAPHQL' => [
'name' => _t(__CLASS__ . '.CAN_DEV_GRAPHQL_DESCRIPTION', 'Can view and execute /dev/graphql'),
'help' => _t(__CLASS__ . '.CAN_DEV_GRAPHQL_HELP', 'Can view and execute GraphQL development tools (/dev/graphql).'),
'category' => RootDevelopmentAdmin::permissionsCategory(),
'sort' => 80
],
];
}

/**
* @return array of url => description
*/
Expand Down