
Customising Group permissions


Reflektera


17 October 2012 at 5:21am

I'm looking for a way to show some groups to specific users through a ModelAdmin in the CMS. The groups shown are based on a variable added to Group through an extension.

I've got some ideas to get it working but it all seems to fail due to row 406 in Group.php

if(Permission::checkMember($member, "CMS_ACCESS_SecurityAdmin")) return true;

which, if I set that permission on the user group, grants the user access to the Security tab and ALL groups.

Is there any way around this without changing the code in Group.php?

Thanks!

Reflektera


18 October 2012 at 7:27am

Edited: 18/10/2012 7:27am

OK, maybe I misunderstood how this should be working, or maybe there is a bug here. It's not exactly about my post above; I kind of found a way to work that out.

So, let's see if I got this right.
The canEdit() in Group.php is supposed to return false if the current member doesn't have admin permissions and is trying to edit a group that has admin permissions, right? That if-statement reads

      if(
         // either we have an ADMIN
         (bool)Permission::checkMember($member, "ADMIN")
         || (
            // or a privileged CMS user and a group without ADMIN permissions.
            // without this check, a user would be able to add himself to an administrators group
            // with just access to the "Security" admin interface
            Permission::checkMember($member, "CMS_ACCESS_SecurityAdmin") &&
            !DataObject::get("Permission", "GroupID = $this->ID AND Code = 'ADMIN'")
         )
      ) {
         return true;
      }

But this could never be true, since DataObject::get() always returns a DataList, right? So canEdit() on a group will always return false if currentMember doesn't have ADMIN permissions.

So that part maybe could be rewritten to

Permission::checkMember($member, "CMS_ACCESS_SecurityAdmin") && !Permission::get()->where("GroupID = $this->ID AND Code = 'ADMIN'")->First()

or something alike? Thoughts?
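
The truthiness behaviour discussed in the post above, as an added example that is not part of the original thread or of SilverStripe's code. `FakeList` is a hypothetical stand-in for a lazy ORM result list, and the permission rows are constructed sample data; the caller is assumed to hold CMS_ACCESS_SecurityAdmin but not ADMIN.

```php
<?php
// Hypothetical stand-in for a lazy ORM result list (not SilverStripe's DataList).
final class FakeList
{
    private array $rows;

    public function __construct(array $rows) { $this->rows = $rows; }

    public function where(callable $pred): self
    {
        return new self(array_values(array_filter($this->rows, $pred)));
    }

    // Returns the first matching row, or null when the list is empty.
    public function first(): ?array { return $this->rows[0] ?? null; }
}

// Constructed sample rows: group 1 holds ADMIN, group 2 does not.
$permissions = new FakeList([
    ['GroupID' => 1, 'Code' => 'ADMIN'],
    ['GroupID' => 2, 'Code' => 'CMS_ACCESS_SecurityAdmin'],
]);

function adminRows(FakeList $all, int $groupId): FakeList
{
    return $all->where(fn(array $r) => $r['GroupID'] === $groupId && $r['Code'] === 'ADMIN');
}

function canEditNegatingList(FakeList $all, int $groupId): bool
{
    // A PHP object is truthy even when the list it wraps is empty,
    // so this negation is false for every group.
    return !adminRows($all, $groupId);
}

function canEditNegatingFirst(FakeList $all, int $groupId): bool
{
    // first() yields null when no ADMIN row exists, so the negation
    // distinguishes admin groups from non-admin groups.
    return !adminRows($all, $groupId)->first();
}

foreach ([1, 2] as $groupId) {
    printf("group %d: negating list=%s, negating first()=%s\n",
        $groupId,
        var_export(canEditNegatingList($permissions, $groupId), true),
        var_export(canEditNegatingFirst($permissions, $groupId), true));
}
```

Negating the list object denies editing for both groups, so the check fails closed rather than granting extra access; negating `first()` denies only the group that carries ADMIN.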