Add grantFieldAccess & grantTemplateAccess options.

Author: dadish

ProcessGraphQLConfig.php

@@ -11,10 +11,36 @@ class ProcessGraphQLConfig extends Moduleconfig {
   public function getDefaults()
   {
     return array(
+      /**
+       * Sets the max for ProcessWire's limit selector field.
+       * @var integer
+       */
       'maxLimit' => 50,
+
+      /**
+       * Wheather the GraphiQL GUI should be stretched to full width or centered
+       * like other parts of the ProcessWire's admin back-end.
+       * @var boolean
+       */
       'fullWidthGraphiQL' => false,
+
+      /**
+       * An array of template names that will be concidered for schema generation.
+       * @var array
+       */
       'legalTemplates' => [],
+
+      /**
+       * An array of field names that will be considered for schema generation.
+       * @var array
+       */
       'legalFields' => [],
+
+      /**
+       * An array of built-in Page field names that will be considered for schema
+       * generation.
+       * @var array
+       */
       'legalPageFields' => [
         'created',
         'modified',
@@ -23,11 +49,29 @@ public function getDefaults()
         'name',
         'httpUrl',
         ],
+
+      /**
+       * An array of built-in PageFile field names that will be considered for
+       * schema createtion.
+       * @var array
+       */
       'legalPageFileFields' => [
         'url',
         'httpUrl',
         'description',
       ],
+
+      /**
+       * Grant access to everyone on a template level.
+       * @var boolean
+       */
+      'grantTemplatesAccess' => false,
+
+      /**
+       * Grant access to everyone on a field level.
+       * @var boolean
+       */
+      'grantFieldsAccess' => false,
     );
   }
 
@@ -133,6 +177,35 @@ public function getInputFields()
     }
     $inputfields->add($f);
 
+    $fSet = $this->modules->get('InputfieldFieldset');
+    $fSet->label = 'Advanced';
+    $fSet->collapsed = Inputfield::collapsedYes;
+
+    // templateAccessControl
+    $f = $this->modules->get('InputfieldCheckbox');
+    $f->attr('name', 'grantTemplatesAccess');
+    $f->label = 'Grant Templates Access';
+    $f->columnWidth = 50;
+    $desc = "By default only `superuser` can access pages with template that ";
+    $desc .= "does not have `Access` settings enabled. If you wish to grant ";
+    $desc .= "access to pages without `Access` settings, check this field. ";
+    $desc .= "(not recommended)";
+    $f->description = $desc;
+    $fSet->add($f);
+
+    // fieldAccessControl
+    $f = $this->modules->get('InputfieldCheckbox');
+    $f->attr('name', 'grantFieldsAccess');
+    $f->label = 'Grant Fields Access';
+    $f->columnWidth = 50;
+    $desc = "By default only `superuser` can access fields that does not have `Access` ";
+    $desc .= "settings enabled. If you wish to grant access to fields without `Access` ";
+    $desc .= "settings, check this field. (not recommended)";
+    $f->description = $desc;
+    $fSet->add($f);
+
+    $inputfields->add($fSet);
+
     return $inputfields;
   }
 

src/Config.php

@@ -32,19 +32,14 @@ public function get($key)
       case 'legalPageFileFields':
         return $this->module->$key;
       case 'legalViewTemplates':
-        if ($super) return $this->getLegalTemplates();
         return $this->getLegalTemplatesForPermission('page-view');
       case 'legalCreateTemplates':
-        if ($super) return $this->getLegalTemplates();
         return $this->getLegalTemplatesForPermission('page-create');
       case 'legalEditTemplates':
-        if ($super) return $this->getLegalTemplates();
         return $this->getLegalTemplatesForPermission('page-edit');
       case 'legalViewFields':
-        if ($super) return $this->getLegalFields();
         return $this->getLegalFieldsForPermission('view');
       case 'legalEditFields':
-        if ($super) return $this->getLegalFields();
         return $this->getLegalFieldsForPermission('edit');
       default:
         return parent::get($key);
@@ -59,12 +54,33 @@ protected function getLegalTemplates()
 
   protected function getLegalTemplatesForPermission($permission = 'page-view')
   {
-    $templates = $this->getLegalTemplates()->find("useRoles=1");
-    foreach ($templates as $template) {
-      if (!Utils::user()->hasTemplatePermission($permission, $template)) {
-        $templates->remove($template);
+    $user = Utils::user();
+    $templates = $this->getLegalTemplates();
+
+    // if superuser give access to everything
+    if ($user->isSuperuser()) return $templates;
+
+    // if access is granted then templates are accessable by default
+    // but if a template has Access settings, user should have relevant
+    // permissions
+    if (Utils::moduleConfig()->grantTemplateAccess) {
+      foreach ($templates as $template) {
+        if ($template->useRoles && !$user->hasTemplatePermission($permission, $template)) {
+          $templates->remove($template);
+        }
+      }
+
+    // if access is not granted then user can see only those templates that
+    // she has explicit access to.
+    } else {
+      $templates->filter("useRoles=1");
+      foreach ($templates as $template) {
+        if (!$user->hasTemplatePermission($permission, $template)) {
+          $templates->remove($template);
+        }
       }
     }
+
     return $templates;
   }
 
@@ -76,17 +92,27 @@ protected function getLegalFields()
 
   protected function getLegalFieldsForPermission($permission = 'view')
   {
-    $fields = $this->getLegalFields()->find("useRoles=1");
-    $rolesType = $permission . "Roles";
-    foreach ($fields as $field) {
-      if (!$this->userHasPermission($field->$rolesType)) {
-        $fields->remove($field);
+    $fields = $this->getLegalFields();
+    $roles = $permission . "Roles";
+
+    if (Utils::moduleConfig()->grantFieldAccess) {
+      foreach ($fields as $field) {
+        if ($field->useRoles && !$this->userHasRoleIn($field->$roles)) {
+          $fields->remove($field);
+        }
+      }
+    } else {
+      $fields->find("useRoles=1");
+      foreach ($fields as $field) {
+        if (!$this->userHasRoleIn($field->$roles)) {
+          $fields->remove($field);
+        }
       }
     }
     return $fields;
   }
 
-  protected function userHasPermission($rolesID)
+  protected function userHasRoleIn($rolesID)
   {
     $userRolesID = Utils::user()->roles->explode('id');
     foreach ($userRolesID as $userRoleID) {