  • Reflektera

    Customising Group permissions

    I'm looking for a way to show some groups to specific users through a ModelAdmin in the CMS. The groups shown are based on a variable added to Group through an extension.

    I've got some ideas to get it working but it all seems to fail due to row 406 in Group.php

    if(Permission::checkMember($member, "CMS_ACCESS_SecurityAdmin")) return true;

    which, if I set that permission on the user group, grants the user access to the Security tab and ALL groups.

    Is there any way around this without changing the code in Group.php?

    Thanks!

  • Reflektera

    Re: Customising Group permissions

    Ok, maybe I misunderstood how this should be working or maybe there is a bug here. It's not exactly about my post above, kind of find a way to work that out.

    So, let's see if I got this right.
    The canEdit() in Group.php is supposed to return false if the current member doesn't have admin permissions and is trying to edit a group that has admin permissions, right? That if-statement reads

          if(
             // either we have an ADMIN
             (bool)Permission::checkMember($member, "ADMIN")
             || (
                // or a privileged CMS user and a group without ADMIN permissions.
                // without this check, a user would be able to add himself to an administrators group
                // with just access to the "Security" admin interface
                Permission::checkMember($member, "CMS_ACCESS_SecurityAdmin") &&
                !DataObject::get("Permission", "GroupID = $this->ID AND Code = 'ADMIN'")
             )
          ) {
             return true;
          }

    But this could never be true since DataObject::get() always returns a DataList, right? So canEdit() on a group will always return false if currentMember doesn't have ADMIN permissions.

    So that part maybe could be rewritten to

    Permission::checkMember($member, "CMS_ACCESS_SecurityAdmin") && !Permission::get()->where("GroupID = $this->ID AND Code = 'ADMIN'")->First()

    or something similar? Thoughts?
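
The truthiness problem raised in the second post, as an added example that is not part of the thread or of SilverStripe's code. `StubList`, the permission rows and both `canEdit*` functions are hypothetical stand-ins, assuming (as the post states) that the query call returns a list object even when no row matches.

```php
<?php
// Stand-in for a query result list; NOT SilverStripe's DataList.
// It models one property only: the list object exists even when empty.
final class StubList implements Countable
{
    private $rows;

    public function __construct(array $rows) { $this->rows = array_values($rows); }

    public function count(): int { return count($this->rows); }

    // First matching row, or null when the query matched nothing.
    public function first() { return $this->rows[0] ?? null; }
}

// Constructed sample data: permission codes per group ID.
const PERMISSIONS = [
    1 => ['ADMIN', 'CMS_ACCESS_SecurityAdmin'], // administrators
    2 => ['CMS_ACCESS_CMSMain'],                // content authors
];

// Hypothetical equivalent of "GroupID = $id AND Code = 'ADMIN'".
function adminPermissions(int $groupId): StubList
{
    $codes = PERMISSIONS[$groupId] ?? [];
    return new StubList(array_filter($codes, function ($c) { return $c === 'ADMIN'; }));
}

// Shape of the quoted check: negates the list object itself.
// A PHP object always casts to true, so this branch can never pass.
function canEditAsQuoted(bool $hasSecurityAdmin, int $groupId): bool
{
    return $hasSecurityAdmin && !adminPermissions($groupId);
}

// Shape of the proposed check: negates the first row (null when none).
function canEditAsProposed(bool $hasSecurityAdmin, int $groupId): bool
{
    return $hasSecurityAdmin && !adminPermissions($groupId)->first();
}

foreach ([1 => 'administrators', 2 => 'content authors'] as $id => $name) {
    printf("%-16s quoted=%s proposed=%s\n", $name,
        var_export(canEditAsQuoted(true, $id), true),
        var_export(canEditAsProposed(true, $id), true));
}
```

The quoted form fails closed, denying every non-ADMIN editor; the same object-negation mistake in a deny rule would fail open, so authorization checks should test `first()` or `count()` rather than the list object.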
