Skip to main content

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

We've moved the forum!

Please use forum.silverstripe.org for any new questions (announcement).
The forum archive will stick around, but will be read only.

You can also use our Slack channel or StackOverflow to ask for help.
Check out our community overview for more options to contribute.

General Questions /

General questions about getting started with SilverStripe that don't fit in any of the categories above.

Moderators: martimiz, Sean, Ed, biapar, Willr, Ingo, swaiba

Forbid an action on a class using allowed_actions


Go to End


2 Posts   2544 Views

Avatar
paradigmincarnate

Community Member, 2 Posts

12 October 2010 at 3:14pm

Using this example setup:

Page_Controller::$allowed_actions = array('index', 'tag');

class SubPage_Controller extends Page_Controller {
}

How can I ensure the action "date" isn't allowed on SubPage?

/my-subpage/date

I'm looking in RequestHandler::checkAccessAction() and it looks like - because SubPage_Controller doesn't explicitly define any allowed_actions, and because there's no method for this non-existent "date" action, that the date action is allowed.

Oddly, I can avoid that by declaring another unrelated allowed action, or by re-declaring the ones from the parent.
e.g.
SubPage_Controller::$allowed_actions = array('index');
or
SubPage_Controller::$allowed_action = array('apple');

This is a little confusing to me. Surely if an action isn't in $allowed_actions, it's not allowed? The inline comment is "Return true so that a template can handle this action", but my only response to that is "wtf".

Thanks in advance for any help or explanation.

Avatar
Willr

Forum Moderator, 5523 Posts

12 October 2010 at 4:21pm

Edited: 12/10/2010 4:22pm

I believe this is coming from a legacy issue - because a lot of projects never had allowed_actions it broke applications left, right and center when it was added to the core, so to prevent apps from breaking if no allowed actions are defined on a controller then it doesn't check the action permissions. Haven't played around with checking if it respects the parent controller allowed action though so that could still be a bug.