
Customising Group permissions


Reflektera

49 Posts

17 October 2012 at 5:21am

I'm looking for a way to show some groups to specific users through a ModelAdmin in the CMS. The groups shown are based on a variable added to Group through an extension.

I've got some ideas to get it working but it all seems to fail due to row 406 in Group.php

if(Permission::checkMember($member, "CMS_ACCESS_SecurityAdmin")) return true;

which, if I set that permission on the user group, grants the user access to the Security tab and ALL groups.

Is there any way around this without changing the code in Group.php?

Thanks!

Reflektera

49 Posts

18 October 2012 at 7:27am

Edited: 18/10/2012 7:27am

OK, maybe I misunderstood how this should be working, or maybe there is a bug here. It's not exactly about my post above; I kind of found a way to work that out.

So, let's see if I got this right.
The canEdit() in Group.php is supposed to return false if the current member doesn't have admin permissions and is trying to edit a group that has admin permissions, right? That if-statement reads

 		if(
			// either we have an ADMIN
			(bool)Permission::checkMember($member, "ADMIN")
			|| (
				// or a privileged CMS user and a group without ADMIN permissions.
				// without this check, a user would be able to add himself to an administrators group
				// with just access to the "Security" admin interface
				Permission::checkMember($member, "CMS_ACCESS_SecurityAdmin") && 
				!DataObject::get("Permission", "GroupID = $this->ID AND Code = 'ADMIN'")
			)
		) {
			return true;
		}

But this could never be true since DataObject::get() always returns a DataList, right? So canEdit() on a group will always return false if currentMember doesn't have ADMIN permissions.

So that part maybe could be rewritten to

Permission::checkMember($member, "CMS_ACCESS_SecurityAdmin") && !Permission::get()->where("GroupID = $this->ID AND Code = 'ADMIN'")->First()

or something alike? Thoughts?
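
Added example, not part of the posts above and not SilverStripe code: a stand-alone PHP sketch of the behaviour the second post describes, assuming the query always returns a list object. `StubList`, `adminPermissionsFor()` and the two `canEdit...` functions are hypothetical stand-ins, and the permission rows are constructed sample data.

```php
<?php
// StubList is a hypothetical stand-in for a lazy ORM result list; it is not DataList.
final class StubList implements Countable
{
    private $rows;
    public function __construct(array $rows) { $this->rows = $rows; }
    public function first() { return $this->rows ? $this->rows[0] : null; }
    public function count(): int { return count($this->rows); }
}

// Constructed sample data: group 1 holds ADMIN, group 2 does not.
const PERMISSIONS = [
    ['GroupID' => 1, 'Code' => 'ADMIN'],
    ['GroupID' => 2, 'Code' => 'CMS_ACCESS_SecurityAdmin'],
];

// Returns a list object even when no row matches, as the post assumes.
function adminPermissionsFor(int $groupId): StubList
{
    $rows = array_filter(PERMISSIONS, function ($p) use ($groupId) {
        return $p['GroupID'] === $groupId && $p['Code'] === 'ADMIN';
    });
    return new StubList(array_values($rows));
}

// Shape of the quoted check: negates the list object itself.
// A userland PHP object is always truthy, so the right-hand side is always false.
function canEditNegatingList(bool $isAdmin, bool $hasSecurityAdmin, int $groupId): bool
{
    return $isAdmin || ($hasSecurityAdmin && !adminPermissionsFor($groupId));
}

// Shape of the proposed rewrite: negates the first matching row (null when empty).
function canEditNegatingFirst(bool $isAdmin, bool $hasSecurityAdmin, int $groupId): bool
{
    return $isAdmin || ($hasSecurityAdmin && !adminPermissionsFor($groupId)->first());
}

// Non-ADMIN member who holds CMS_ACCESS_SecurityAdmin, checked against both groups.
foreach ([1, 2] as $groupId) {
    printf(
        "group %d: negating list=%s, negating first()=%s\n",
        $groupId,
        var_export(canEditNegatingList(false, true, $groupId), true),
        var_export(canEditNegatingFirst(false, true, $groupId), true)
    );
}
```

In this sketch the first form denies the edit for both groups, so it fails closed, while the second form still denies the group that holds ADMIN and allows the one that does not.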