This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

We've moved the forum!

Please use forum.silverstripe.org for any new questions (announcement).
The forum archive will stick around, but will be read only.

You can also use our Slack channel or StackOverflow to ask for help.
Check out our community overview for more options to contribute.

General Questions /

General questions about getting started with SilverStripe that don't fit in any of the categories above.

Moderators: martimiz, Sean, Ed, biapar, Willr, Ingo, swaiba

Restrict access to DataObject, even if user knows URL

983 Views

old bluffer

Community Member, 2 Posts

11 July 2017 at 1:51am

Hi,
I have to add an additional security check for some of our uploaded documents.
We are already using User Roles to restrict access, which works fine.
But, I now need to also restrict access to some docs using a new custom boolean field I've added called "Restricted" and a corresponding Member custom boolean field called "CanViewRestrictedDocs"

I'm not sure how to prevent access to the URL of the document though?

As a test, I added:

    
class MembersDocument extends DataObject{
[...]
public function canView($member = false) {
        if(!$member) $member = Member::currentUser();
        return false; // deny any user access, just as a test
    }

...but this doesn't prevent logged in users from downloading the doc if they know the URL.

Thanks!

Return to top