Make CRUD permissions ACL based
Right now we do permissions exclusively client-side with canView, canEdit, etc.
Not only is this not easy to extend, it's also hard to apply to sets of objects, especially for objects that don't inherit from Page (which provides a bulk-check feature, as long as you haven't tweaked canView); each one needs to be checked in turn.
We should look at changing permissions to be something that can be applied in bulk - ideally on the SQL server.
SilverStripe have planned this item
Marcus Nyeholt commented
I wrote https://github.com/nyeholt/silverstripe-restrictedobjects to handle a few things:
- standard way of permission application across all data object types
- inheritance can be defined across types if desired
- allow for explicit "deny" permissions
- roles configured within the CMS, and applied in the object context; i.e. "Group A is granted the Manager role to the 'Resources' sub-tree of content". The "Manager" role would then be made up of a set of low-level permissions (i.e. Read / Write / CreateChildren etc.)
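As an added illustration of the design sketched above (not code from the restrictedobjects module or from SilverStripe, and using a constructed SQLite schema and sample tree rather than SilverStripe's tables), the following shows roles made of low-level permissions, a role granted to a group on a sub-tree and inherited by its descendants, explicit deny entries, and a single recursive SQL query that returns every object a set of groups may act on, instead of calling canView on each object in turn. The rule that a deny anywhere in the ancestor chain overrides any allow is an assumption chosen for this example.

```python
"""Bulk, SQL-side ACL check over a content tree (constructed example)."""
import sqlite3

SCHEMA = """
CREATE TABLE object (id INTEGER PRIMARY KEY, parent_id INTEGER, title TEXT);
CREATE TABLE role_perm (role TEXT, perm TEXT);       -- role -> low-level permissions
CREATE TABLE acl (object_id INTEGER, grp TEXT, role TEXT, deny INTEGER DEFAULT 0);
"""

# Constructed sample tree: Home -> Resources -> Manual -> Chapter 1, plus Home -> About.
SAMPLE = """
INSERT INTO object VALUES (1, NULL, 'Home'), (2, 1, 'Resources'),
                          (3, 2, 'Manual'), (4, 3, 'Chapter 1'), (5, 1, 'About');
INSERT INTO role_perm VALUES ('Manager', 'Read'), ('Manager', 'Write'),
                             ('Manager', 'CreateChildren'), ('Viewer', 'Read');
-- Group A is Manager on the 'Resources' sub-tree, Everyone may read from Home down,
-- and Group A's Manager role is explicitly denied on 'Chapter 1'.
INSERT INTO acl VALUES (2, 'Group A', 'Manager', 0), (1, 'Everyone', 'Viewer', 0),
                       (4, 'Group A', 'Manager', 1);
"""

# Walk each object up to the root, join every ACL entry found on the way that grants a
# role containing the requested permission to one of the caller's groups, and keep the
# object only if no such entry is a deny (assumed rule: deny anywhere in the chain wins).
BULK_QUERY = """
WITH RECURSIVE chain(obj, anc) AS (
    SELECT id, id FROM object
    UNION ALL
    SELECT chain.obj, o.parent_id FROM chain JOIN object o ON o.id = chain.anc
    WHERE o.parent_id IS NOT NULL
)
SELECT chain.obj FROM chain
JOIN acl ON acl.object_id = chain.anc
JOIN role_perm ON role_perm.role = acl.role
WHERE role_perm.perm = ? AND acl.grp IN ({marks})
GROUP BY chain.obj
HAVING MAX(acl.deny) = 0
ORDER BY chain.obj
"""

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE)
    return conn

def permitted_objects(conn, groups, perm):
    """Return the ids of all objects on which any of `groups` holds `perm`, in one query."""
    marks = ",".join("?" * len(groups))
    rows = conn.execute(BULK_QUERY.format(marks=marks), [perm, *groups]).fetchall()
    return [row[0] for row in rows]

if __name__ == "__main__":
    db = build_db()
    print("Group A Read :", permitted_objects(db, ["Group A", "Everyone"], "Read"))
    print("Group A Write:", permitted_objects(db, ["Group A", "Everyone"], "Write"))
```

Because the deny is recorded per group, a user who is only in Everyone still reads Chapter 1 through the Viewer grant on Home.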