Will

Reputation: 4705

Permissions for ModelAdmin DataObjects

When a user is not an Admin, but his assigned group has access to a ModelAdmin, the model admin page is listed in the menu & the user can visit it; however, no records show in the index view.

To show the records, the permissions need to be set in the model. The documentation says to do it like this:

http://doc.silverstripe.org/framework/en/3.1/reference/modeladmin

    class Category extends DataObject {
        // ...
        public function canView($member = null) {
            return Permission::check('CMS_ACCESS_CMSMain', 'any', $member);
        }
        public function canEdit($member = null) {
            return Permission::check('CMS_ACCESS_CMSMain', 'any', $member);
        }
        public function canDelete($member = null) {
            return Permission::check('CMS_ACCESS_CMSMain', 'any', $member);
        }
        public function canCreate($member = null) {
            return Permission::check('CMS_ACCESS_CMSMain', 'any', $member);
        }
    }

However, this does not work as $member is null. Setting these methods to return true displays the records. Is this secure? Or does that allow anybody to edit the records? Logging in as a user whose group does not have access to that ModelAdmin seems not to allow them to get to the listing page, but it seems like the wrong thing to do.

    // Every check returns true unconditionally, as described above.
    public function canView($member = null) {
        return true;
    }
    public function canEdit($member = null) {
        return true;
    }
    public function canDelete($member = null) {
        return true;
    }
    public function canCreate($member = null) {
        return true;
    }

What is the best way to allow a group to view & edit a ModelAdmin's records?

Upvotes: 2

Views: 1268

Answers (1)

user3477804

The example is what you want to follow, though with a different permission name. The permission name in the example is if the user has access to CMSMain, which is the part of the CMS that handles pages.

To get the name of the permission, you take the class name of your ModelAdmin (say, CategoryAdmin) and prepend CMS_ACCESS_ to it (which would give CMS_ACCESS_CategoryAdmin in this example).

As for $member being null, that is only the default value. So $member is only null if no value is passed in. This doesn't actually matter though, as Permission::check specifically handles being passed a null value and uses the currently logged-in user instead.

Upvotes: 3
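The approach from the answer written out for a SilverStripe 3.1 ModelAdmin, as an added example that is not part of the question or the answer: the class names CategoryAdmin and Category are assumed, and the DataObject checks the same CMS_ACCESS_CategoryAdmin code that LeftAndMain uses to gate the menu entry, so group access to the section and to its records are granted together instead of by an unconditional `return true` that would also pass for any non-CMS code path.

```php
<?php
// Added example, not code from the original question or answer.
// Assumes SilverStripe 3.1 and the hypothetical names CategoryAdmin / Category.

class CategoryAdmin extends ModelAdmin {
    private static $managed_models = array('Category');
    private static $url_segment = 'categories';
    private static $menu_title = 'Categories';
    // LeftAndMain::canView() admits members holding "CMS_ACCESS_" . <class name>,
    // here CMS_ACCESS_CategoryAdmin. In the Security section this shows up as
    // the group checkbox "Access to 'Categories' section".
}

class Category extends DataObject {
    private static $db = array('Title' => 'Varchar(255)');

    // Single permission code shared by all four checks; tying it to the
    // ModelAdmin's class name keeps section access and record access in sync.
    const PERMISSION_CODE = 'CMS_ACCESS_CategoryAdmin';

    // $member = null makes Permission::check() use the currently logged-in
    // member, so the null default seen in the question is not a problem.
    public function canView($member = null) {
        return Permission::check(self::PERMISSION_CODE, 'any', $member);
    }
    public function canEdit($member = null) {
        return Permission::check(self::PERMISSION_CODE, 'any', $member);
    }
    public function canDelete($member = null) {
        return Permission::check(self::PERMISSION_CODE, 'any', $member);
    }
    public function canCreate($member = null) {
        return Permission::check(self::PERMISSION_CODE, 'any', $member);
    }
}
```

A member of a group without that code still sees no Category records through any path that honours canView(), which is the behaviour the unconditional `return true` variant loses.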