  • BobBrown
    Community Member
    5 Posts

    [SOLVED] canView requires ADMIN permission? I'm obviously missing something...

    Hi all,

    I'm new to SilverStripe and am working with someone else's code. I have news items that are visible in the tree (they are a custom type called NewsItemPage which extends Page with a bunch of additional fields). These news items are configured to be visible by different groups of users. This all works fine. I can set visibility permissions in the admin and the visibility for each user is correct as configured in the admin.

    However, they've also developed an API that lets these news items be returned as JSON. The code behind this request is simply:

    $allItems = Versioned::get_by_stage('NewsItemPage', 'Live');

    which is then JSON encoded and sent back.

    This appears to return all news items regardless of the currently logged on user. I am trying to check whether the current user can view the items returned, so I've adjusted the code as follows:

    $visibleItems = array();
    foreach ($allItems as $item) {
        if ($item->canView()) {
            $visibleItems[] = $item;
        }
    }

    (I also tried $item->can('view') as suggested here http://doc.silverstripe.org/framework/en/reference/permission and that failed with "Uncaught Exception: Object->__call(): the method 'can' does not exist on HelpLink".)

    What happens here is that I get all items back if I'm logged on as an administrator and no items back if I'm logged on as a regular user. I found that the definition for canView() is simply return Permission::check('ADMIN', 'any', $member); which (I think) means allow for admins only.

    What is the right way to determine whether the news items can be accessed by the currently logged on user? It feels like there's a better method to call other than Versioned::get_by_stage()?

    Cheers,

    - Bob -

  • BobBrown
    Community Member
    5 Posts

    Re: [SOLVED] canView requires ADMIN permission? I'm obviously missing something...

    Actually, sorry, the above code works fine in the case of anything which extends the Page class. What it doesn't work for is DataObjects that are attached to the pages themselves (they're fetched via HelpLink::get() - they're associated with the HelpItem). I'm not sure how to describe this, but they appear as additional items that can be added to a page and that can be dragged and dropped to determine their sort order.

    I think therefore my problem is more along the lines of how do I resolve View permissions on these data objects, to which I think the answer is to find the associated page for it and check the permissions on that, as there doesn't appear to be individual permissions for the data objects themselves - as in you can't set it via the admin. I can work on this.

    Does this sound right to anyone? I will report back with what I find.

    Cheers,

    - Bob -

  • camfindlay
    Forum Moderator
    148 Posts

    Re: [SOLVED] canView requires ADMIN permission? I'm obviously missing something...

    Hey Bob,

    You'll want to simply implement the canView, canEdit etc. methods on your DataObjects - then in those methods perform an appropriate permission check and return a boolean (true or false). The Page class and any class that inherits from it already has these set (and permissions for these can to some degree be set in the 'access' settings in the CMS). DataObjects, being a lower-level building block of SilverStripe, don't make assumptions as to permissions, so you need to explicitly set what you need.

    What you could actually do, if you have set the data relationships reciprocally (something like MyPage has_many MyObjects and MyObject has_one MyPage) and you simply want a DataObject to inherit the permissions of the Page it is attached to, is something like this:

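    class MyObject extends DataObject {
        private static $has_one = array(
            "MyPage" => "MyPage"
        );

        // Inherit view permission from the page this object is attached to.
        public function canView($member = null) {
            // Pass $member through so the check is made for the member being asked about.
            return $this->MyPage()->canView($member);
        }
    }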

    There is some more info around DataObject permissions at http://doc.silverstripe.org/framework/en/reference/dataobject#permissions

    Hope that helps.

  • BobBrown
    Community Member
    5 Posts

    Re: [SOLVED] canView requires ADMIN permission? I'm obviously missing something...

    Awesome, that sounds pretty good. I'll look at doing exactly this and see how it goes. Thanks for the response.

  • BobBrown
    Community Member
    5 Posts

    Re: [SOLVED] canView requires ADMIN permission? I'm obviously missing something...

    Hey Cam,

    The HelpLink (extends DataObject) class already had a getParent() method on it which returned the associated page so the answer - as you pointed out - was simply to do this:

    public function canView($member = NULL) {
        // Forward $member so the parent page is checked for the same member.
        return $this->getParent()->canView($member);
    }


    Thanks again for your response.

    Cheers,

    - Bob -

  • BobBrown
    Community Member
    5 Posts

    Re: [SOLVED] canView requires ADMIN permission? I'm obviously missing something...

    And not surprisingly this is what was in getParent:

    public function getParent() {
       return $this->MyPage();
    }


    Cheers,

    - Bob -

  • camfindlay
    Forum Moderator
    148 Posts

    Re: [SOLVED] canView requires ADMIN permission? I'm obviously missing something...

    Good to hear. I think also, because the method is a 'getter' method, you could make it even simpler by just using $this->Parent()->canView().

    Let's mark this one as solved then. Please edit your initial post and add a [solved] to the front of your topic.
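
The approach worked out in this thread, put together as an added example that is not code from any of the posters or from the SilverStripe project: a DataObject that inherits view permission from its page and denies access when no page is linked, and a JSON endpoint that filters by canView() before encoding. It assumes SilverStripe 3.x; the relation name MyPage, the controller NewsApiController, its items action and the viewable() helper are hypothetical.

```php
<?php
// Added example. Relation, controller, action and helper names are hypothetical.
class HelpLink extends DataObject {
    private static $has_one = array('MyPage' => 'Page');

    public function canView($member = null) {
        $page = $this->MyPage();
        // A has_one accessor returns an empty, unsaved record when nothing is
        // linked, so an orphaned link is denied rather than exposed.
        if (!$page || !$page->exists()) {
            return false;
        }
        // Check the parent page for the same member we were asked about.
        return $page->canView($member);
    }
}

class NewsApiController extends Controller {
    private static $allowed_actions = array('items');

    // Keep only the records the given member is allowed to view.
    private function viewable($list, $member) {
        $out = array();
        foreach ($list as $record) {
            if ($record->canView($member)) {
                // Emit chosen fields only, not every column of the record.
                $out[] = array('ID' => $record->ID, 'Title' => $record->Title);
            }
        }
        return $out;
    }

    public function items() {
        $member = Member::currentUser(); // null for anonymous visitors
        $payload = array(
            'news'  => $this->viewable(Versioned::get_by_stage('NewsItemPage', 'Live'), $member),
            'links' => $this->viewable(HelpLink::get(), $member),
        );
        $response = new SS_HTTPResponse(json_encode($payload));
        $response->addHeader('Content-Type', 'application/json');
        return $response;
    }
}
```

Because the filter runs on the server before json_encode(), records the member cannot view never reach the response body.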
