Merge pull request #559 from andrewandante/ENH/add_dev_permission

ENH add canInit method and CAN_DEV_GRAPHQL permissions
silverstripe · Nov 10, 2023 · 4192aa4 · 4192aa4
2 parents d6f0cec + b47487d
commit 4192aa4
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 14 deletions.
diff --git a/composer.json b/composer.json
@@ -5,7 +5,7 @@
     "license": "BSD-3-Clause",
     "require": {
         "php": "^8.1",
-        "silverstripe/framework": "^5",
+        "silverstripe/framework": "^5.2",
         "silverstripe/vendor-plugin": "^2",
         "webonyx/graphql-php": "^15.0.1",
         "silverstripe/event-dispatcher": "^1",

diff --git a/src/Dev/DevelopmentAdmin.php b/src/Dev/DevelopmentAdmin.php
@@ -8,14 +8,16 @@
 use SilverStripe\Control\HTTPRequest;
 use SilverStripe\Core\Config\Config;
 use SilverStripe\Dev\DebugView;
+use SilverStripe\Dev\DevelopmentAdmin as RootDevelopmentAdmin;
 use SilverStripe\Security\Permission;
+use SilverStripe\Security\PermissionProvider;
 use SilverStripe\Security\Security;
 use Exception;
 use Psr\Log\LoggerInterface;
 use SilverStripe\Core\Injector\Injector;
 use SilverStripe\GraphQL\Schema\Logger;
 
-class DevelopmentAdmin extends Controller
+class DevelopmentAdmin extends Controller implements PermissionProvider
 {
     private static $allowed_actions = [
         'runRegisteredController'
@@ -26,25 +28,22 @@ class DevelopmentAdmin extends Controller
         '$Action' => 'runRegisteredController',
     ];
 
+    private static $init_permissions = [
+        'ADMIN',
+        'ALL_DEV_ADMIN',
+        'CAN_DEV_GRAPHQL',
+    ];
+
     protected function init()
     {
         parent::init();
 
-        if (DevelopmentAdmin::config()->get('deny_non_cli') && !Director::is_cli()) {
+        if (RootDevelopmentAdmin::config()->get('deny_non_cli') && !Director::is_cli()) {
             return $this->httpError(404);
         }
-        // We allow access to this controller regardless of live-status or ADMIN permission only
-        // if on CLI.  Access to this controller is always allowed in "dev-mode", or of the user is ADMIN.
-        $allowAllCLI = DevelopmentAdmin::config()->get('allow_all_cli');
-        $canAccess = (
-            Director::isDev()
-            || (Director::is_cli() && $allowAllCLI)
-            // Its important that we don't run this check if dev/build was requested
-            || Permission::check("ADMIN")
-        );
-        if (!$canAccess) {
+
+        if (!$this->canInit()) {
             Security::permissionFailure($this);
-            return;
         }
 
         // Define custom logger
@@ -104,6 +103,29 @@ public function runRegisteredController(HTTPRequest $request)
         }
     }
 
+    public function canInit(): bool
+    {
+        return (
+            Director::isDev()
+            // We need to ensure that DevelopmentAdminTest can simulate permission failures when running
+            // "dev/tasks" from CLI.
+            || (Director::is_cli() && RootDevelopmentAdmin::config()->get('allow_all_cli'))
+            || Permission::check(static::config()->get('init_permissions'))
+        );
+    }
+
+    public function providePermissions(): array
+    {
+        return [
+            'CAN_DEV_GRAPHQL' => [
+                'name' => _t(__CLASS__ . '.CAN_DEV_GRAPHQL_DESCRIPTION', 'Can view and execute /dev/graphql'),
+                'help' => _t(__CLASS__ . '.CAN_DEV_GRAPHQL_HELP', 'Can view and execute GraphQL development tools (/dev/graphql).'),
+                'category' => RootDevelopmentAdmin::permissionsCategory(),
+                'sort' => 80
+            ],
+        ];
+    }
+
     /**
      * @return array of url => description
      */