Adding new group permissions

Adding and using new permissions

Adding new permissions

The group a user belongs to defines what he or she is allowed to do within the CMS. It all depends on which permissions are enabled for that group. Within SilverStripe a series of permissions are predefined, but it is not hard to add new custom permissions.

Any class that implements the PermissionProvider interface can (theoretically) create new permissions within the Security admin. So you can use the Page class, or the Page_Controller class - or any class at all - it doesn't really matter.

Add a new permission

The PermissionProvider interface lets you define a method providePermissions() like this:

class Page extends SiteTree implements PermissionProvider {

	...

	// Add a new permission: the array key is the permission code, the value the label shown in the CMS
	public function providePermissions() {
		return array('NEW_PERMISSION' => 'A new permission');
	}

	...
}

This will add a new checkbox 'A new permission' to the Permissions tab in the Security section of the CMS. You will find it in the 'Other' category.

Database - After you first save a user group with this new permission, a new record is created in the Permissions table, linking the code NEW_PERMISSION to the group ID.

Beware: removing this permission from the providePermissions() method will not remove the actual record from the database! The checkbox will still appear in the Permissions tab, in the 'Others' category and now called 'NEW_PERMISSION' - unless you remove it from the table by hand, which you should only do if you're very sure...

Customize your permissions

To customize your new Checkbox entry in the Permission tab, there are a couple of extra parameters you might add - and do the internationalization while you're at it:

function providePermissions(){
	return array(
		'NEW_PERMISSION' => array(
			'name' => _t(
				'Permission.ANEWPERMISSION',
				'A new permission'
			),
			'category' => _t(
				'Permission.MYPERMISSIONS',
				'My permissions'
			),
			'help' => _t(
				'Permission.ANEWPERMISSION_HELP',
				'Allow the user to do all kinds of special things'
			),
			'sort' => 100
		)
	);
}

  • name - the permission title
  • category - the name of the category in which it will be displayed
  • help - some extra information (that doesn't seem to be used anywhere...)
  • sort - defines the sort order of permissions within a certain category (1 = top)

Check the user, based on your new permission

To check whether or not the user has the right permission, from anywhere in your code:

if(Permission::check("NEW_PERMISSION")) { 
	// do your stuff
}
else {
	Security::permissionFailure();

	// or do some other stuff
}

Security::permissionFailure($controller = null, $messageSet = null)
This function will redirect the user to the login page. If no parameters are given, default messages are displayed, but you can personalize them if you wish. More information on this topic can be found in the Security API, or in the file sapphire/security/Security.php somewhere around line 127. Of course you can define any handling you might wish to perform instead of letting the user log in...

'can' functions

SilverStripe provides 5 basic checks for pages you can use, override or subclass (in the Page class). Having any of them return false will restrict the user in some way:

  • canCreate() false means the user cannot create pages of this type (in the CMS), so the type is removed from the dropdown. Existing pages can still be saved correctly, but once you change the behaviour to another sitemap, you cannot change it back!
  • canDelete() false means the user cannot remove existing pages of this type from the Concept Site. Be careful: it means the user can still create pages, but he can never remove them!
  • canPublish() false means the user can neither publish nor unpublish a site. So an author might add/edit new content, but not publish it. This should probably be combined with a check whether the author 'owns' the page he's editing...
  • canEdit() false means the user can create a new page and then publish/unpublish it right away. He can't, however, edit the page nor delete it, which would make this sort of useless...
  • canView() false means the user cannot view the page - neither in the CMS nor on the frontend

Naming conventions
SilverStripe encourages the 'can' naming convention for any custom handler you create for checking users - like in canDoSomeSpecialThing()
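The pieces above (a PermissionProvider, the 'can' checks and the 'can' naming convention) put together in one page type, as an added example that is not code from the original post. The class names RestrictedPage and RestrictedPage_Controller, the permission code RESTRICTEDPAGE_PUBLISH and the special() action are assumptions made up for this example; the API calls are the SilverStripe 2.x ones the post uses.

```php
<?php
// Added example (not from the original post). RestrictedPage, RESTRICTEDPAGE_PUBLISH
// and the special() action are hypothetical names chosen for illustration.
class RestrictedPage extends Page implements PermissionProvider {

	// Declare the custom permission so it shows up in the Security admin
	public function providePermissions() {
		return array(
			'RESTRICTEDPAGE_PUBLISH' => array(
				'name'     => _t('RestrictedPage.PUBLISH', 'Publish restricted pages'),
				'category' => _t('Permission.MYPERMISSIONS', 'My permissions'),
				'help'     => _t('RestrictedPage.PUBLISH_HELP', 'Publish or unpublish pages of the restricted type'),
				'sort'     => 10
			)
		);
	}

	// The member to check: the one passed in, otherwise the logged-in user (may be null)
	protected function memberToCheck($member = null) {
		return $member ? $member : Member::currentUser();
	}

	// Admins keep everything; everyone else needs the custom permission on top of
	// the normal SiteTree checks (which canPublish() on the parent still applies).
	public function canPublish($member = null) {
		$member = $this->memberToCheck($member);
		if(!$member) return false;
		if(Permission::checkMember($member, 'ADMIN')) return true;
		return Permission::checkMember($member, 'RESTRICTEDPAGE_PUBLISH')
			&& parent::canPublish($member);
	}

	// Deleting is at least as sensitive as publishing here, so reuse the same rule
	public function canDelete($member = null) {
		return $this->canPublish($member);
	}

	// A custom check following the 'can' naming convention from the post
	public function canDoSomeSpecialThing($member = null) {
		$member = $this->memberToCheck($member);
		return $member && Permission::checkMember($member, 'RESTRICTEDPAGE_PUBLISH');
	}
}

class RestrictedPage_Controller extends Page_Controller {
	public static $allowed_actions = array('special');

	// Deny with the standard login redirect instead of a blank page
	public function special() {
		if(!$this->canDoSomeSpecialThing()) return Security::permissionFailure($this);
		return $this->renderWith(array('RestrictedPage', 'Page'));
	}
}
```

Note that the check is done on the server in the action itself; removing a button from the template is not a substitute for it.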

Comments

  • I guess you're right, I'll have to switch to this module. Now I have a built in registration based on the Multiform.
    Thanks for any answers.

    Once again, congratulations on a blog (a few times already helped me):)

    Posted by Lobek, 15/12/2011 4:42pm (6 years ago)

  • I still think you should post this on the forums, where others may benefit as well.

    I'm there quite often, and if I can help, I will. But there are others that have far more experience with this topic than I.

    Also: read this topic about the member profile module, that seems to have all you're asking for, and is maintained by one of the best SilverStripe coders: http://groups.google.com/group/silverstripe-dev/browse_thread/thread/4d3c3003f47ef67

    Posted by Martine, 15/12/2011 12:30pm (6 years ago)

  • Thanks for the quick reply
    I searched the forum but found nothing; with my knowledge of English I doubt that anyone understood me (I admire you :)).

    I do not want to use the module because it solved a little differently.
    Most likely I'll have to make concessions and just hide the fields that I do not want edited.

    Or maybe I'll do two pages: one that will not allow a field to edit and the other ones that can - do not know if that makes sense.

    By the way, I have one more question.
    How can I do to redirect the page Prohibited example:

    http://www.samplesite.pl/developers/developer/2/view - the user can watch, but when it enters http://www.samplesite.pl/developers/developer/2/edit - because it is forbidden pages white page pops up with the code (which returns the header <! DOCTYPE html> <head> <title> GET / tour / Users / User / add </ title> <style type="text/css"> body {background-color: # eee; margin: 0; padding: 0; font-family: Helvetica, Arial, sans-serif;}. info, etc. ....)
    Is there any possibility of automatic redirection?

    I'm sorry that your games but I thought that on the occasion of the podpytam:)

    Sorry for my bad English (I used a translator)

    Posted by Lobek, 14/12/2011 2:41pm (6 years ago)

  • Hi lobek,

    Thanks :-)

    >> Is there any possibility to default users can edit specific fields?

    Not out of the box... I feel it would be better to post this question at the SilverStripe forums (http://www.silverstripe.org/forums/), as others might have some ideas about this...

    Or maybe the Member Profiles module could set you on track (https://github.com/ajshort/silverstripe-memberprofiles)...

    Posted by Martine, 14/12/2011 11:22am (6 years ago)

  • Hi,
    Very cool blog that I read regularly.
    I have a question.
    As a registered user, in your profile you can see such information:
    email, password, company name, zip code, city, street, nip.
    When you give permission in such a way

    public function canView($member = null) { return true; }
    public function canCreate($member = null) { return true; }
    public function canEdit($member = null) {
        if(!$member) $member = Member::currentUser();
        if(!$member) return false;
        return (
            Permission::checkMember($member, 'ADMIN')
            || ($member && $member->ID == $this->ID)
        );
    }
    public function canDelete($member = null) {
        return $this->canEdit($member);
    }

    Then you can edit everything, but I would like to be able to edit my own profile and only the specific fields, e.g.:
    email, password, company name
    The rest of the fields I do not want to be editable.

    When I give it rights by a group in such a way, it can still edit all items with this code

    public function canView($member = null) {
        return true;
    }
    public function canCreate($member = null) {
        return true;
    }
    public function canEdit($member = false) {
        if(!$member) $member = Member::currentUser();
        if(!$member) return false;
        return (
            Permission::checkMember($member, 'ADMIN')
            || Permission::checkMember($member, 'FAKTURY_EDIT')
            || $member->ID == $this->UzytkownikID
        );
    }
    public function canDelete($member = null) {
        return $this->canEdit($member);
    }
    public function providePermissions() {
        return array(
            'FAKTURY_EDIT' => 'Edytowanie faktur'
        );
    }

    Is there any possibility to default users can edit specific fields?

    Sorry for my bad english

    Posted by Lobek, 14/12/2011 7:13am (6 years ago)
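The approach Lobek mentions in the thread above (keeping the profile record editable by its owner but only for a few fields), worked through as an added example that is not code from the post or from the commenters. The Developer class, its Member relation and the DEVELOPER_EDITALL permission are hypothetical names for this example; the field handling uses the SilverStripe 2.x FieldSet API. The restriction is applied on the server by turning the other fields read-only, because merely hiding an input in the template still lets a posted value through.

```php
<?php
// Added example (not from the post or the comments). Developer, its Member relation
// and DEVELOPER_EDITALL are hypothetical names chosen for illustration.
class Developer extends DataObject implements PermissionProvider {

	static $db = array(
		'Email'   => 'Varchar(255)',
		'Company' => 'Varchar(255)',
		'City'    => 'Varchar(100)',
		'NIP'     => 'Varchar(20)'
	);
	static $has_one = array('Member' => 'Member'); // the owner of this profile

	// Fields the owner may change himself; everything else needs DEVELOPER_EDITALL (or ADMIN)
	static $owner_editable_fields = array('Email', 'Company');

	public function providePermissions() {
		return array('DEVELOPER_EDITALL' => 'Edit all fields of developer profiles');
	}

	protected function memberToCheck($member = null) {
		return $member ? $member : Member::currentUser();
	}

	// Admins, holders of the custom permission and the owner may open the edit form
	public function canEdit($member = null) {
		$member = $this->memberToCheck($member);
		if(!$member) return false;
		return $this->canEditAllFields($member) || $member->ID == $this->MemberID;
	}

	public function canEditAllFields($member = null) {
		$member = $this->memberToCheck($member);
		return $member && (Permission::checkMember($member, 'ADMIN')
			|| Permission::checkMember($member, 'DEVELOPER_EDITALL'));
	}

	// Frontend form fields: without the extra permission, only the whitelisted fields stay
	// editable; the rest are replaced by their read-only version, which the stock
	// Form::saveInto() does not write back to the record.
	public function getFrontEndFields($params = null) {
		$fields = parent::getFrontEndFields($params);
		if($this->canEditAllFields()) return $fields;
		foreach($fields->dataFields() as $field) {
			$name = $field->Name();
			if(in_array($name, self::$owner_editable_fields)) continue;
			$fields->replaceField($name, $field->performReadonlyTransformation());
		}
		return $fields;
	}
}
```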
