hi there,

just playing arround wiht permissions ... I have a group "Testgroup". Users in testgroup can just login to the CMS and have
access to page content (minimal rights to login to backend).

page.php

class Page_Controller extends ContentController implements PermissionProvider {
{

// I dont add group checking, just disallow for all for testing

    function canView() {
	return false;
    }

    function canEdit(){
	return false;
    }

    function canCreate(){
	return false;
    }

//....

Now, if I login with a user of the "Testgroup" I see all pages and can edit them. But I cant create pages.
Why I can view Pages and can edit them with this settings?

How should I do if I want this:

User should can create pages, and can only view and edit HIS pages, the pages he created.

thx

Permissions should be tied to your model record (e.g Page) not the controller as the controller is only used on the front end to handle the requests.

In your example - if you're dealing with pages only, you can set the permissions via the backend 'Access' tab rather than needed to hard code everything if thats easier. You'll also need to make sure your override can* methods call parent::can... as well so that the built in permission checking still works (unless you want to fully override them)

One thing to note that has caught me out today is the CMS will check for canView() as well as canEdit() in the backend so all users who can edit an object need to be able to view that object as well.