A new feature for SilverStripe should be ...

Make CRUD permissions ACL based

Right now we do permissions exclusively client side with canView, canEdit, etc.

Not only is this not easy to extend, it's also hard to apply to sets of objects, especially for objects that don't inherit from Page (which provides a bulk-check feature, as long as you haven't tweaked canView) - each one needs to be checked in turn.

We should look at changing permissions to be something that can be applied in bulk - ideally on the SQL server.

4 votes
Hamish Friedlander shared this idea

    1 comment

      • Marcus Nyeholt commented

        I wrote https://github.com/nyeholt/silverstripe-restrictedobjects to handle a few things:

        - standard way of permission application across all data object types
        - inheritance can be defined across types if desired
        - allow for explicit "deny" permissions
        - roles configured within the CMS, and applied in the object context; i.e. "Group A is granted the Manager role to the 'Resources' sub-tree of content". The "Manager" role would then be made up of a set of low-level permissions (i.e. Read / Write / CreateChildren etc.)
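
Added example, not part of the original idea or comment and not code from SilverStripe or the silverstripe-restrictedobjects module: a bulk permission check evaluated in the database, with sub-tree inheritance and explicit deny entries, run against SQLite. The table names, ids, sample rows and the rule that a deny overrides any grant are assumptions made for this sketch.

```python
import sqlite3

# Hypothetical schema and rows, constructed for this example only.
SCHEMA = """
CREATE TABLE node (id INTEGER PRIMARY KEY, parent_id INTEGER, title TEXT);
CREATE TABLE group_member (group_id INTEGER, member_id INTEGER);
CREATE TABLE acl (node_id INTEGER, group_id INTEGER, perm TEXT, effect TEXT);
INSERT INTO node VALUES (1, NULL, 'Home'), (2, 1, 'Resources'),
    (3, 2, 'Guides'), (4, 2, 'Drafts'), (5, 1, 'News');
INSERT INTO group_member VALUES (10, 100), (10, 200), (20, 200);
INSERT INTO acl VALUES (2, 10, 'Read', 'grant'), (4, 20, 'Read', 'deny');
"""

# anc: every node paired with itself and each ancestor, so an ACL row on
# 'Resources' applies to the whole sub-tree. eff: the ACL rows that reach a
# node through any group the member belongs to.
# Assumption: an explicit deny anywhere on the path overrides any grant.
PERMITTED = """
WITH RECURSIVE anc(node_id, anc_id) AS (
    SELECT id, id FROM node
    UNION ALL
    SELECT anc.node_id, node.parent_id
    FROM anc JOIN node ON node.id = anc.anc_id
    WHERE node.parent_id IS NOT NULL
),
eff AS (
    SELECT anc.node_id, acl.effect
    FROM anc
    JOIN acl ON acl.node_id = anc.anc_id AND acl.perm = :perm
    JOIN group_member gm ON gm.group_id = acl.group_id AND gm.member_id = :member
)
SELECT n.id FROM node n
WHERE EXISTS (SELECT 1 FROM eff e WHERE e.node_id = n.id AND e.effect = 'grant')
  AND NOT EXISTS (SELECT 1 FROM eff e WHERE e.node_id = n.id AND e.effect = 'deny')
ORDER BY n.id
"""

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def permitted_ids(db, member_id, perm="Read"):
    """Return ids of every node the member holds `perm` on, in one query."""
    rows = db.execute(PERMITTED, {"member": member_id, "perm": perm})
    return [row[0] for row in rows]
```

Because the filter is a single statement, it can be joined into a listing query instead of loading each object and checking it in turn; a member with no matching grant gets an empty result.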
