silverstripe-framework/docs/en/02_Developer_Guides/09_Security/01_Access_Control.md

# Access Control and Page Security

There is a fairly comprehensive security mechanism in place for SilverStripe. If you want to add premium content to your
site you have to figure this stuff out, and it's not entirely obvious. 

## Ways to restrict access

There are a number of ways to restrict access in SilverStripe.  In the security tab in the CMS you can create groups
that have access to certain parts.  The options can be found on the [permissions](/developer_guides/security/permissions) documentation. 

Once you have groups, you can set access for each page for a particular group.  This can be:
* anyone;
* any person who is logged in;
* a specific group.

It is unclear how this works for data-objects that are not pages.

## The Security Groups in SilverStripe

In the security tab you can make groups for security.  The way this was intended was as follows (this may be a counter
intuitive):

	* employees
		* marketing
			* marketing executive

Thus, the further up the hierarchy you go the MORE privileges you can get.  Similarly, you could have:

	* members
		* coordinators
			* admins

Where members have some privileges, coordinators slightly more and administrators the most; having each group inheriting
privileges from its parent group.     

## Permission checking is at class level

SilverStripe provides a security mechanism via the *Permission::check* method (see [LeftAndMain](api:SilverStripe\Admin\LeftAndMain) for examples on how
the admin screens work).

(next step -- go from *Permission::checkMember*...)

### Nuts and bolts -- figuring it out

Here are my notes trying to figure this stuff out. Not really useful unless you're VERY interested in how exactly SS
works.


### Loading the admin page: looking at security

If you go to [your site]/admin *Director.php* maps the 'admin' URL request through a [Director](api:SilverStripe\Control\Director) rule to the
[CMSMain](api:SilverStripe\CMS\Controllers\CMSMain) controller (see [CMSMain](api:SilverStripe\CMS\Controllers\CMSMain), with no arguments). 

*CMSMain.init()* calls its parent which, of all things is called [LeftAndMain](api:SilverStripe\Admin\LeftAndMain). It's in [LeftAndMain](api:SilverStripe\Admin\LeftAndMain) that the
important security checks are made by calling *Permission::check*. 

[Security::permissionFailure()](api:SilverStripe\Security\Security::permissionFailure()) is the next utility function you can use to redirect to the login form. 

### Customizing Access Checks in CMS Classes

see [LeftAndMain](api:SilverStripe\Admin\LeftAndMain)
ENHANCEMENT Added sapphire/docs (migrated from https://github.com/chillu/silverstripe-doc-restructuring) 2011-02-07 07:48:44 +01:00			`# Access Control and Page Security`

			`There is a fairly comprehensive security mechanism in place for SilverStripe. If you want to add premium content to your`
			`site you have to figure this stuff out, and it's not entirely obvious.`

			`## Ways to restrict access`

			`There are a number of ways to restrict access in SilverStripe. In the security tab in the CMS you can create groups`
DOCS 3.1 - fixes broken internal links 2016-01-14 11:59:53 +01:00			`that have access to certain parts. The options can be found on the [permissions](/developer_guides/security/permissions) documentation.`
ENHANCEMENT Added sapphire/docs (migrated from https://github.com/chillu/silverstripe-doc-restructuring) 2011-02-07 07:48:44 +01:00
Update access-control.md small typo 2014-11-26 21:25:43 +01:00			`Once you have groups, you can set access for each page for a particular group. This can be:`
Typography review 2013-12-05 21:20:49 +01:00			`* anyone;`
			`* any person who is logged in;`
			`* a specific group.`
ENHANCEMENT Added sapphire/docs (migrated from https://github.com/chillu/silverstripe-doc-restructuring) 2011-02-07 07:48:44 +01:00
			`It is unclear how this works for data-objects that are not pages.`

			`## The Security Groups in SilverStripe`

			`In the security tab you can make groups for security. The way this was intended was as follows (this may be a counter`
			`intuitive):`
Small text changes, added api links, cont. updating images for tutorials, fixed tutorials from member feedback 2011-03-08 22:05:51 +01:00
Typography review 2013-12-05 21:20:49 +01:00			`* employees`
			`* marketing`
			`* marketing executive`
Small text changes, added api links, cont. updating images for tutorials, fixed tutorials from member feedback 2011-03-08 22:05:51 +01:00
ENHANCEMENT Added sapphire/docs (migrated from https://github.com/chillu/silverstripe-doc-restructuring) 2011-02-07 07:48:44 +01:00			`Thus, the further up the hierarchy you go the MORE privileges you can get. Similarly, you could have:`
Small text changes, added api links, cont. updating images for tutorials, fixed tutorials from member feedback 2011-03-08 22:05:51 +01:00
Typography review 2013-12-05 21:20:49 +01:00			`* members`
			`* coordinators`
			`* admins`
Small text changes, added api links, cont. updating images for tutorials, fixed tutorials from member feedback 2011-03-08 22:05:51 +01:00
ENHANCEMENT Added sapphire/docs (migrated from https://github.com/chillu/silverstripe-doc-restructuring) 2011-02-07 07:48:44 +01:00			`Where members have some privileges, coordinators slightly more and administrators the most; having each group inheriting`
			`privileges from its parent group.`

			`## Permission checking is at class level`

FIX Add namespaces in markdown docs (#7088) * FIX Add namespaces in markdown docs * FIX Convert doc [link] to [link-text](link-uri) 2017-07-03 03:22:12 +02:00			`SilverStripe provides a security mechanism via the Permission::check method (see [LeftAndMain](api:SilverStripe\Admin\LeftAndMain) for examples on how`
Typography review 2013-12-05 21:20:49 +01:00			`the admin screens work).`
ENHANCEMENT Added sapphire/docs (migrated from https://github.com/chillu/silverstripe-doc-restructuring) 2011-02-07 07:48:44 +01:00
Small text changes, added api links, cont. updating images for tutorials, fixed tutorials from member feedback 2011-03-08 22:05:51 +01:00			`(next step -- go from Permission::checkMember...)`
ENHANCEMENT Added sapphire/docs (migrated from https://github.com/chillu/silverstripe-doc-restructuring) 2011-02-07 07:48:44 +01:00
			`### Nuts and bolts -- figuring it out`

			`Here are my notes trying to figure this stuff out. Not really useful unless you're VERY interested in how exactly SS`
			`works.`


			`### Loading the admin page: looking at security`

FIX Add namespaces in markdown docs (#7088) * FIX Add namespaces in markdown docs * FIX Convert doc [link] to [link-text](link-uri) 2017-07-03 03:22:12 +02:00			`If you go to [your site]/admin Director.php maps the 'admin' URL request through a [Director](api:SilverStripe\Control\Director) rule to the`
			`[CMSMain](api:SilverStripe\CMS\Controllers\CMSMain) controller (see [CMSMain](api:SilverStripe\CMS\Controllers\CMSMain), with no arguments).`
ENHANCEMENT Added sapphire/docs (migrated from https://github.com/chillu/silverstripe-doc-restructuring) 2011-02-07 07:48:44 +01:00
FIX Add namespaces in markdown docs (#7088) * FIX Add namespaces in markdown docs * FIX Convert doc [link] to [link-text](link-uri) 2017-07-03 03:22:12 +02:00			`CMSMain.init() calls its parent which, of all things is called [LeftAndMain](api:SilverStripe\Admin\LeftAndMain). It's in [LeftAndMain](api:SilverStripe\Admin\LeftAndMain) that the`
ENHANCEMENT Added sapphire/docs (migrated from https://github.com/chillu/silverstripe-doc-restructuring) 2011-02-07 07:48:44 +01:00			`important security checks are made by calling Permission::check.`

FIX Add namespaces in markdown docs (#7088) * FIX Add namespaces in markdown docs * FIX Convert doc [link] to [link-text](link-uri) 2017-07-03 03:22:12 +02:00			`[Security::permissionFailure()](api:SilverStripe\Security\Security::permissionFailure()) is the next utility function you can use to redirect to the login form.`
ENHANCEMENT Added sapphire/docs (migrated from https://github.com/chillu/silverstripe-doc-restructuring) 2011-02-07 07:48:44 +01:00
			`### Customizing Access Checks in CMS Classes`

FIX Add namespaces in markdown docs (#7088) * FIX Add namespaces in markdown docs * FIX Convert doc [link] to [link-text](link-uri) 2017-07-03 03:22:12 +02:00			`see [LeftAndMain](api:SilverStripe\Admin\LeftAndMain)`