silverstripe-framework/docs/en/02_Developer_Guides/09_Security/01_Access_Control.md
Aaron Carlino 6888901468
NEW: Update docs to be compliant with Gatsby site (#9314)
* First cut

* Temporarily disable composer.json for netlify build

* POC

* New recursive directory query, various refinements

* Fix flexbox

* new styled components plugin

* Apply frontmatter delimiters

* Mobile styles, animation

* Search

* Redesign, clean up

* Nuke the cache, try again

* fix file casing

* Remove production env file

* ID headers

* Move app to new repo

* Add frontmatter universally

* Hide children changelogs

* Add how to title

* New callout tags

* Revert inline code block change

* Replace note callouts

* Fix icons

* Replace images

* Fix icon

* Fix image links

* Use proper SQL icon
2019-11-18 17:58:33 +13:00


---
title: Access Control
summary: Restrict CMS access to specific groups of users
icon: user-lock
---

# Access Control and Page Security

SilverStripe ships with a fairly comprehensive security mechanism. If you want to add premium content to your site you have to figure this mechanism out, and it is not entirely obvious.

## Ways to restrict access

There are a number of ways to restrict access in SilverStripe. In the Security tab of the CMS you can create groups that have access to certain parts of the site. The available options are described in the permissions documentation.

Once you have groups, you can set access for each page for a particular group. This can be:

* anyone;
* any person who is logged in;
* a specific group.

It is unclear how this works for DataObjects that are not pages.

## The Security Groups in SilverStripe

In the Security tab you can create groups. The way this was intended is as follows (this may be counter-intuitive):

* employees
	* marketing
		* marketing executive

Thus, the deeper you go into the hierarchy (towards the child groups), the MORE privileges you accumulate. Similarly, you could have:

* members
	* coordinators
		* admins

Here members have some privileges, coordinators slightly more and admins the most, with each group inheriting the privileges of its parent group.

## Permission checking is at class level

SilverStripe provides its security mechanism via the `Permission::check()` method (see `LeftAndMain` for examples of how the admin screens use it).
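As an added example (this is not code from the SilverStripe documentation or framework), the snippet below applies `Permission::check()` to a DataObject that is not a page, which is the case the section above leaves open. It assumes SilverStripe 4 namespaces, the standard `canView()`/`canEdit()`/`canCreate()`/`canDelete()` hooks on `DataObject`, and a hypothetical permission code `VIEW_PREMIUM_CONTENT` that the class registers itself through `PermissionProvider`, so it can be granted to a group in the Security tab like any built-in code.

```php
<?php
// Added example, not part of the SilverStripe docs. Assumes SilverStripe 4.
// The permission code VIEW_PREMIUM_CONTENT is hypothetical; registering it via
// PermissionProvider makes it selectable on a group in the Security tab, so the
// group hierarchy described earlier (children inherit from parents) applies.

namespace App\Model;

use SilverStripe\ORM\DataObject;
use SilverStripe\Security\Permission;
use SilverStripe\Security\PermissionProvider;

class PremiumArticle extends DataObject implements PermissionProvider
{
    private static $table_name = 'PremiumArticle';

    private static $db = [
        'Title' => 'Varchar(255)',
        'Body'  => 'HTMLText',
    ];

    // Expose the custom code in the CMS permission list for groups.
    public function providePermissions()
    {
        return [
            'VIEW_PREMIUM_CONTENT' => 'View premium articles',
        ];
    }

    // Deny by default: only members whose group (or an ancestor group)
    // carries the code may read the record. $member defaults to the
    // currently logged-in member when null.
    public function canView($member = null)
    {
        return Permission::check('VIEW_PREMIUM_CONTENT', 'any', $member);
    }

    // Writing stays restricted to site administrators.
    public function canEdit($member = null)
    {
        return Permission::check('ADMIN', 'any', $member);
    }

    public function canCreate($member = null, $context = [])
    {
        return $this->canEdit($member);
    }

    public function canDelete($member = null)
    {
        return $this->canEdit($member);
    }
}
```

Two practical points follow from this. First, the CMS (ModelAdmin, GridField) and templates consult these hooks, but a plain `PremiumArticle::get()` query does not: when you list records on the front end you must filter them yourself, for example with `->filterByCallback(function ($article) { return $article->canView(); })`, or the access check is silently bypassed. Second, with the default `Permission.admin_implies_all` configuration, a member of the Administrators group passes `Permission::check()` for any code, so testing the rule requires a member who is not an administrator.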

(next step -- go from Permission::checkMember...)

## Nuts and bolts -- figuring it out

Here are my notes from trying to figure this stuff out. They are not really useful unless you are VERY interested in exactly how SilverStripe works.

### Loading the admin page: looking at security

If you go to `[your site]/admin`, Director.php maps the `admin` URL request through a Director rule to the `CMSMain` controller (see `CMSMain`, called with no arguments).

`CMSMain::init()` calls its parent's `init()` which, of all things, lives in a class called `LeftAndMain`. It is in `LeftAndMain` that the important security checks are made by calling `Permission::check()`.

`Security::permissionFailure()` is the next utility function of interest: it is what you call to redirect the visitor to the login form when a check fails.
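To make the `LeftAndMain` pattern concrete, here is an added example (not the framework's own code) of a front-end controller that performs the same check-then-redirect sequence in its `init()`. It assumes SilverStripe 4, the hypothetical permission code `VIEW_PREMIUM_CONTENT`, and a hypothetical `premium` Director rule shown in the comment; `Security::permissionFailure()` sets the redirect on the controller's response, which ends the request before any action runs.

```php
<?php
// Added example, not part of the SilverStripe docs. Assumes SilverStripe 4.
// Route it with a Director rule in a YAML config file (path is hypothetical):
//
//   SilverStripe\Control\Director:
//     rules:
//       'premium//$Action': 'App\Control\PremiumAreaController'

namespace App\Control;

use SilverStripe\Control\Controller;
use SilverStripe\Security\Permission;
use SilverStripe\Security\Security;

class PremiumAreaController extends Controller
{
    private static $allowed_actions = ['index'];

    protected function init()
    {
        parent::init();

        // Same sequence LeftAndMain uses for the admin area: check the code
        // for the current member, and on failure hand off to
        // Security::permissionFailure(). Anonymous visitors are redirected to
        // the login form with the message below; members who are logged in
        // but lack the code get a permission-denied message instead.
        if (!Permission::check('VIEW_PREMIUM_CONTENT')) {
            Security::permissionFailure(
                $this,
                'You need a premium membership to view this area.'
            );
        }
    }

    // Only reached when the check in init() passed.
    public function index()
    {
        return 'Premium content';
    }
}
```

Putting the check in `init()` rather than in each action is the important design choice: every action on the controller, including ones added later, is covered, and an omitted check in a single action cannot open a hole. Actions that need a stricter rule can still run their own `Permission::check()` on top.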

## Customizing Access Checks in CMS Classes

See `LeftAndMain`.