
Customising Group permissions



2 Posts   438 Views

Reflektera

17 October 2012 at 5:21am 49 Posts

I'm looking for a way to show some groups to specific users through a ModelAdmin in the CMS. The groups shown are based on a variable added to Group through an extension.

I've got some ideas to get it working but it all seems to fail due to row 406 in Group.php

if(Permission::checkMember($member, "CMS_ACCESS_SecurityAdmin")) return true;

which, if I set that permission on the user group, grants the user access to the Security tab and ALL groups.

Is there any way around this without changing the code in Group.php?

Thanks!

Reflektera

18 October 2012 at 7:27am (Last edited: 18 October 2012 7:27am), 49 Posts

Ok, maybe I misunderstood how this should be working, or maybe there is a bug here. It's not exactly about my post above; I kind of found a way to work that out.

So, let's see if I got this right.
The canEdit() in Group.php is supposed to return false if the current member doesn't have admin permissions and is trying to edit a group that has admin permissions, right? That if-statement reads

      if(
         // either we have an ADMIN
         (bool)Permission::checkMember($member, "ADMIN")
         || (
            // or a privileged CMS user and a group without ADMIN permissions.
            // without this check, a user would be able to add himself to an administrators group
            // with just access to the "Security" admin interface
            Permission::checkMember($member, "CMS_ACCESS_SecurityAdmin") &&
            !DataObject::get("Permission", "GroupID = $this->ID AND Code = 'ADMIN'")
         )
      ) {
         return true;
      }

But this could never be true since DataObject::get() always returns a DataList, right? So canEdit() on a group will always return false if currentMember doesn't have ADMIN permissions.

So that part maybe could be rewritten to

Permission::checkMember($member, "CMS_ACCESS_SecurityAdmin") && !Permission::get()->where("GroupID = $this->ID AND Code = 'ADMIN'")->First()

or something alike? Thoughts?
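
The truthiness question raised in the post above, as an added example that is not part of the original thread and is not SilverStripe's code: `StubList`, `adminRowsFor()` and the sample permission table are constructed stand-ins, and the two functions compare negating the list object itself with negating its first row.

```php
<?php
// Constructed stand-in for a lazy ORM result list (hypothetical class, not
// SilverStripe's DataList): it is an object whether or not it holds rows.
class StubList
{
    private $rows;
    public function __construct(array $rows) { $this->rows = $rows; }
    public function first() { return $this->rows ? $this->rows[0] : null; }
}

// Constructed sample data: group ID => permission codes held by that group.
$permissions = array(
    1 => array('ADMIN'),
    2 => array('CMS_ACCESS_SecurityAdmin'),
);

// Hypothetical helper: returns the ADMIN rows of a group as a list object.
function adminRowsFor($groupID, array $permissions)
{
    $codes = isset($permissions[$groupID]) ? $permissions[$groupID] : array();
    return new StubList(array_values(array_filter($codes, function ($code) {
        return $code === 'ADMIN';
    })));
}

// Shape of the quoted check: negates the list object. A PHP object is
// truthy even when the list is empty, so the second branch never passes.
function canEditAsQuoted($isAdmin, $hasSecurityAdmin, $groupID, array $p)
{
    return $isAdmin || ($hasSecurityAdmin && !adminRowsFor($groupID, $p));
}

// Shape of the proposed check: negates the first row, which is null when
// the group has no ADMIN code.
function canEditProposed($isAdmin, $hasSecurityAdmin, $groupID, array $p)
{
    return $isAdmin || ($hasSecurityAdmin && !adminRowsFor($groupID, $p)->first());
}

// A non-ADMIN member holding CMS_ACCESS_SecurityAdmin:
var_dump(canEditAsQuoted(false, true, 2, $permissions)); // group without ADMIN
var_dump(canEditProposed(false, true, 2, $permissions)); // group without ADMIN
var_dump(canEditProposed(false, true, 1, $permissions)); // group with ADMIN
// A full ADMIN member editing the admin group:
var_dump(canEditProposed(true, false, 1, $permissions));
```

With the proposed form the escalation guard described in the quoted comment still holds: the SecurityAdmin-only member is refused on the group that carries ADMIN, and only the group without it becomes editable.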