sonata-project · jordisala1991 · Sep 5, 2021 · Aug 31, 2021 · Aug 31, 2021 · core23
diff --git a/UPGRADE-4.0.md b/UPGRADE-4.0.md
@@ -259,3 +259,9 @@ protected function configureListFields(ListMapper $listMapper)
 }
 ```
 but the best is to use the constant `ListMapper::NAME_ACTIONS`.
+
+## History actions
+
+Instead of relying on the `ROLE_MYADMIN_EDIT` role, a new `ROLE_MYADMIN_HISTORY`
+role was introduced to get access to the history actions. If you use the
+revisions be sure to add this role to your users.
diff --git a/docs/reference/configuration.rst b/docs/reference/configuration.rst
@@ -61,6 +61,7 @@ Full Configuration Options
                     # Defaults:
                     - VIEW
                     - EDIT
+                    - HISTORY
                     - DELETE
                     - UNDELETE
                     - OPERATOR

diff --git a/docs/reference/security.rst b/docs/reference/security.rst
@@ -90,7 +90,7 @@ Using ACL:
                 # acl security information
                 information:
                     GUEST:    [VIEW, LIST]
-                    STAFF:    [EDIT, LIST, CREATE]
+                    STAFF:    [EDIT, HISTORY, LIST, CREATE]
                     EDITOR:   [OPERATOR, EXPORT]
                     ADMIN:    [MASTER]
 
@@ -99,7 +99,7 @@ Using ACL:
                 admin_permissions: [CREATE, LIST, DELETE, UNDELETE, EXPORT, OPERATOR, MASTER]
 
                 # permission related to the objects
-                object_permissions: [VIEW, EDIT, DELETE, UNDELETE, OPERATOR, MASTER, OWNER]
+                object_permissions: [VIEW, EDIT, HISTORY, DELETE, UNDELETE, OPERATOR, MASTER, OWNER]
 
 Later, we will explain how to set up ACL with the ``FriendsOfSymfony/UserBundle``.
 
@@ -126,6 +126,7 @@ LIST         view the list of objects
 VIEW         view the detail of one object
 CREATE       create a new object
 EDIT         update an existing object
+HISTORY      access to the history of edition of an object
 DELETE       delete an existing object
 EXPORT       (for the native Sonata export links)
 **ALL**      **grants LIST, VIEW, CREATE, EDIT, DELETE and EXPORT**

diff --git a/src/Admin/AbstractAdmin.php b/src/Admin/AbstractAdmin.php
@@ -137,13 +137,6 @@ abstract class AbstractAdmin extends AbstractTaggedAdmin implements AdminInterfa
      */
     protected $searchResultActions = ['edit', 'show'];
 
-    /**
-     * The Access mapping.
-     *
-     * @var array<string, string|string[]> [action1 => requiredRole1, action2 => [requiredRole2, requiredRole3]]
-     */
-    protected $accessMapping = [];
-
     /**
      * The list FieldDescription constructed from the configureListField method.
      *
@@ -1731,11 +1724,6 @@ final public function getListMode(): string
         return $this->getRequest()->getSession()->get(sprintf('%s.list_mode', $this->getCode()), 'list');
     }
 
-    final public function getAccessMapping(): array
-    {
-        return $this->accessMapping;
-    }
-
     final public function checkAccess(string $action, ?object $object = null): void
     {
         $access = $this->getAccess();
@@ -2206,9 +2194,9 @@ final protected function getAccess(): array
         $access = array_merge([
             'acl' => AdminPermissionMap::PERMISSION_MASTER,
             'export' => AdminPermissionMap::PERMISSION_EXPORT,
-            'historyCompareRevisions' => AdminPermissionMap::PERMISSION_EDIT,
-            'historyViewRevision' => AdminPermissionMap::PERMISSION_EDIT,
-            'history' => AdminPermissionMap::PERMISSION_EDIT,
+            'historyCompareRevisions' => AdminPermissionMap::PERMISSION_HISTORY,
+            'historyViewRevision' => AdminPermissionMap::PERMISSION_HISTORY,
+            'history' => AdminPermissionMap::PERMISSION_HISTORY,
             'edit' => AdminPermissionMap::PERMISSION_EDIT,
             'show' => AdminPermissionMap::PERMISSION_VIEW,
             'create' => AdminPermissionMap::PERMISSION_CREATE,
@@ -2224,6 +2212,14 @@ final protected function getAccess(): array
         return $access;
     }
 
+    /**
+     * @return array<string, string|string[]> [action1 => requiredRole1, action2 => [requiredRole2, requiredRole3]]
+     */
+    protected function getAccessMapping(): array
+    {
+        return [];
+    }
+
     /**
      * Return the list of permissions the user should have in order to display the admin.
      *

diff --git a/src/Admin/AccessRegistryInterface.php b/src/Admin/AccessRegistryInterface.php
@@ -22,13 +22,6 @@
  */
 interface AccessRegistryInterface
 {
-    /**
-     * Return the controller access mapping.
-     *
-     * @return array<string, string[]|string>
-     */
-    public function getAccessMapping(): array;
-
     /**
      * Hook to handle access authorization.
      *

diff --git a/src/DependencyInjection/Configuration.php b/src/DependencyInjection/Configuration.php
@@ -88,6 +88,7 @@ public function getConfigTreeBuilder(): TreeBuilder
                             ->defaultValue([
                                 AdminPermissionMap::PERMISSION_VIEW,
                                 AdminPermissionMap::PERMISSION_EDIT,
+                                AdminPermissionMap::PERMISSION_HISTORY,
                                 AdminPermissionMap::PERMISSION_DELETE,
                                 AdminPermissionMap::PERMISSION_UNDELETE,
                                 AdminPermissionMap::PERMISSION_OPERATOR,

diff --git a/src/Security/Acl/Permission/AdminPermissionMap.php b/src/Security/Acl/Permission/AdminPermissionMap.php
@@ -26,6 +26,7 @@ final class AdminPermissionMap implements PermissionMapInterface
 {
     public const PERMISSION_VIEW = 'VIEW';
     public const PERMISSION_EDIT = 'EDIT';
+    public const PERMISSION_HISTORY = 'HISTORY';
     public const PERMISSION_CREATE = 'CREATE';
     public const PERMISSION_DELETE = 'DELETE';
     public const PERMISSION_UNDELETE = 'UNDELETE';
@@ -58,6 +59,13 @@ final class AdminPermissionMap implements PermissionMapInterface
             MaskBuilder::MASK_OWNER,
         ],
 
+        self::PERMISSION_HISTORY => [
+            MaskBuilder::MASK_HISTORY,
+            MaskBuilder::MASK_OPERATOR,
+            MaskBuilder::MASK_MASTER,
+            MaskBuilder::MASK_OWNER,
+        ],
+
         self::PERMISSION_CREATE => [
             MaskBuilder::MASK_CREATE,
             MaskBuilder::MASK_OPERATOR,

diff --git a/src/Security/Acl/Permission/MaskBuilder.php b/src/Security/Acl/Permission/MaskBuilder.php
@@ -18,12 +18,16 @@
 /**
  * {@inheritdoc}
  * - LIST: the SID is allowed to view a list of the domain objects / fields.
+ * - EXPORT: the SID is allowed to export the list of the domain objects / fields.
+ * - HISTORY: the SID is allowed to see the history of edition of a domain objects / fields.
  */
 final class MaskBuilder extends BaseMaskBuilder
 {
     public const MASK_LIST = 4096;       // 1 << 12
-    public const MASK_EXPORT = 8192;       // 1 << 13
+    public const MASK_EXPORT = 8192;     // 1 << 13
+    public const MASK_HISTORY = 16384;   // 1 << 14
 
     public const CODE_LIST = 'L';
     public const CODE_EXPORT = 'E';
+    public const CODE_HISTORY = 'H';
 }
diff --git a/tests/Controller/CRUDControllerTest.php b/tests/Controller/CRUDControllerTest.php
@@ -255,7 +255,6 @@ protected function setUp(): void
         ]);
 
         $this->admin->method('getIdParameter')->willReturn('id');
-        $this->admin->method('getAccessMapping')->willReturn([]);
         $this->admin->method('getCode')->willReturn('foo.admin');
         $this->admin->method('hasTemplateRegistry')->willReturn(true);
         $this->admin->method('getTemplateRegistry')->willReturn($this->templateRegistry);

diff --git a/tests/Security/Acl/Permission/AdminPermissionMapTest.php b/tests/Security/Acl/Permission/AdminPermissionMapTest.php
@@ -62,6 +62,7 @@ public function permissionProvider(): array
         return [
             [true, AdminPermissionMap::PERMISSION_VIEW],
             [true, AdminPermissionMap::PERMISSION_EDIT],
+            [true, AdminPermissionMap::PERMISSION_HISTORY],
             [true, AdminPermissionMap::PERMISSION_CREATE],
             [true, AdminPermissionMap::PERMISSION_DELETE],
             [true, AdminPermissionMap::PERMISSION_UNDELETE],

diff --git a/tests/Util/AdminObjectAclDataTest.php b/tests/Util/AdminObjectAclDataTest.php
@@ -15,11 +15,11 @@
 
 use PHPUnit\Framework\TestCase;
 use Sonata\AdminBundle\Admin\AdminInterface;
+use Sonata\AdminBundle\Security\Acl\Permission\MaskBuilder;
 use Sonata\AdminBundle\Security\Handler\AclSecurityHandlerInterface;
 use Sonata\AdminBundle\Util\AdminObjectAclData;
 use Symfony\Component\Form\Form;
 use Symfony\Component\Security\Acl\Domain\Acl;
-use Symfony\Component\Security\Acl\Permission\MaskBuilder;
 
 /**
  * @author Kévin Dunglas <[email protected]>
@@ -223,7 +223,7 @@ protected function createAdmin(bool $isOwner = true, bool $isAclEnabled = true):
 
         $securityHandler
             ->method('getObjectPermissions')
-            ->willReturn(['VIEW', 'EDIT', 'DELETE', 'UNDELETE', 'OPERATOR', 'MASTER', 'OWNER']);
+            ->willReturn(['VIEW', 'EDIT', 'HISTORY', 'DELETE', 'UNDELETE', 'OPERATOR', 'MASTER', 'OWNER']);
 
         $securityHandler
             ->method('buildSecurityInformation')
-Original file line number
+Diff line change
@@ Expand Up / @@ -61,6 +61,7 @@ Full Configuration Options @@
                         # Defaults:
                         - VIEW
                         - EDIT
+                        - HISTORY
                         - DELETE
                         - UNDELETE
                         - OPERATOR
@@ Expand Down @@