sheadawson / silverstripe-shortcodable

Provides a GUI for CMS users to insert Shortcodes into the HTMLEditorField + an API for developers to define Shortcodable DataObjects and Views.
MIT License

Too strict permission handling: Content Editors cannot add or edit a shortcode #66

Closed wernerkrauss closed 6 years ago

wernerkrauss commented 6 years ago

Only Admins are allowed to access ShortcodableController's actions; wouldn't it be better to handle this with an explicit permission?

TODO:

- [ ] implement PermissionProvider interface
- [ ] Update allowed actions to reflect add / edit permission
- [ ] set $required_permission_roles
- [ ] Update docs and CHANGELOG
- [ ] show shortcodable icon in TinyMCE only when user has permission to use it

wernerkrauss commented 6 years ago

Quick fix: Overwrite settings in a config.yml to allow other permissions, see https://docs.silverstripe.org/en/3/developer_guides/controllers/access_control/

As ShortcodableController also subclasses LeftAndMain, we also need to consider required_permission_codes:

```yaml
ShortcodableController:
  allowed_actions:
    ShortcodeForm: CMS_ACCESS_CMSMain
    index: CMS_ACCESS_CMSMain
    handleEdit: CMS_ACCESS_CMSMain
    shortcodePlaceHolder: CMS_ACCESS_CMSMain
  required_permission_codes:
    - CMS_ACCESS_CMSMain
```