Skip to main content

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

We're retiring the forums!

The SilverStripe forums have passed their heyday. They'll stick around, but will be read only. We'd encourage you to get involved in the community via the following channels instead:

General Questions /

General questions about getting started with SilverStripe that don't fit in any of the categories above.

Moderators: martimiz, Sean, Ed, biapar, Willr, Ingo, swaiba

Permissions - canView, canEdit, ...

Go to End

2 Posts   3930 Views


Community Member, 175 Posts

13 May 2011 at 9:56am

hi there,

just playing arround wiht permissions ... I have a group "Testgroup". Users in testgroup can just login to the CMS and have
access to page content (minimal rights to login to backend).


class Page_Controller extends ContentController implements PermissionProvider {

// I dont add group checking, just disallow for all for testing

    function canView() {
	return false;

    function canEdit(){
	return false;

    function canCreate(){
	return false;


Now, if I login with a user of the "Testgroup" I see all pages and can edit them. But I cant create pages.
Why I can view Pages and can edit them with this settings?

How should I do if I want this:

User should can create pages, and can only view and edit HIS pages, the pages he created.



Forum Moderator, 5523 Posts

14 May 2011 at 1:23pm

Permissions should be tied to your model record (e.g Page) not the controller as the controller is only used on the front end to handle the requests.

In your example - if you're dealing with pages only, you can set the permissions via the backend 'Access' tab rather than needed to hard code everything if thats easier. You'll also need to make sure your override can* methods call parent::can... as well so that the built in permission checking still works (unless you want to fully override them)

One thing to note that has caught me out today is the CMS will check for canView() as well as canEdit() in the backend so all users who can edit an object need to be able to view that object as well.