Allow Preview Access to Backend List & Records only

Hi,

I would like to have two different permissions for my backend list: one which allows view access (my.plugin.model) and one which allows full create/update permissions (my.plugin.model.full).

The names of the permissions are just exemplary.

Within the controller, I’ve set the required permission to the basic one:

    public $requiredPermissions = ['my.plugin.model'];

But this way, everybody with the view permission can also create/update records.

So I modified the update() and create() methods within the controller:

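    // Requires `use Flash;` and `use Backend;` at the top of the controller file
    public function update($recordId)
    {
        // Only users with the full permission may open the update form
        if (!$this->user->hasPermission(['my.plugin.model.full'])) {
            Flash::error("No permission");
            return Backend::redirect('my/plugin/modellist');
        }
        // Pass through whatever the parent action returns
        return parent::update($recordId);
    }

    public function create()
    {
        // Only users with the full permission may open the create form
        if (!$this->user->hasPermission(['my.plugin.model.full'])) {
            Flash::error("No permission");
            return Backend::redirect('my/plugin/modellist');
        }
        // Pass through whatever the parent action returns
        return parent::create();
    }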

In order to redirect from the list to the preview form if you have reduced rights and the update form if you have full rights, I did the following:

Within the config_list.yaml, I set the preview path as recordUrl as default:

    recordUrl: 'mch/heads/skinfileblacklist/preview/:id'

And now I used the listOverride in the controller if the user has full permissions:

    public function listOverrideRecordUrl($record)
    {
        if ($this->user->hasPermission(['my.plugin.model.full'])) {
            return 'my/plugin/model/update/' . $record->id;
        }
    }

Basically this works and users with the reduced rights are redirected to the backend list if they try to access the create or update path directly.

However, is this the easiest way to do this, or did I miss something?

I got a lot of info from older threads like this one:
https://octobercms.com/forum/post/important-how-to-set-permission-for-single-route-action-in-backend-controller-action-based-permission-check-in-backend-routing?page=1

But in the first place, I expected something like an option in the config_form.yaml:

    create:
        redirect: 'my/plugin/list/update/:id'
        redirectClose: my/plugin/list
        permission: my.plugin.model.full  # <= this here...
    update:
        redirect: my/plugin/list
        redirectClose: my/plugin/list
        permission: my.plugin.model.full

So you can easily set a permission in order to enter the create and update form in general, and if you don’t have the update permission and click a record in the list (clickable: true), you go to the preview form automatically.

Did I miss this or does this feature not exist? If not, I would like to suggest it.

1 Like
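An added example, not part of the original post and not October CMS's own code: the same two-tier rule enforced once in the controller's `run()` method, which is the entry point for both page loads and AJAX handler requests (such as the form's save handler), so the check does not depend on the `update()`/`create()` action methods being invoked. The namespace, the class name `Models` and the `$fullAccessActions` property are hypothetical; the permission codes are the placeholders from the post.

```php
<?php namespace My\Plugin\Controllers;

use View;
use Response;
use Backend\Classes\Controller;

// Hypothetical controller; adjust namespace, class name and config files to the plugin.
class Models extends Controller
{
    public $implement = [
        \Backend\Behaviors\ListController::class,
        \Backend\Behaviors\FormController::class,
    ];

    public $listConfig = 'config_list.yaml';
    public $formConfig = 'config_form.yaml';

    // Baseline permission: enough for the list and the preview form.
    public $requiredPermissions = ['my.plugin.model'];

    // Hypothetical property: actions that additionally need the full permission.
    protected $fullAccessActions = ['create', 'update'];

    public function run($action = null, $params = [])
    {
        // PHP method names are case-insensitive, so normalise before comparing.
        $normalized = strtolower((string) $action);

        // $this->user is null for unauthenticated requests; parent::run()
        // handles those (sign-in redirect) and the baseline permission check.
        if ($this->user
            && in_array($normalized, $this->fullAccessActions, true)
            && !$this->user->hasAccess('my.plugin.model.full')
        ) {
            // The backend's stock access-denied view, returned with HTTP 403.
            return Response::make(View::make('backend::access_denied'), 403);
        }

        return parent::run($action, $params);
    }
}
```

With this in place, `listOverrideRecordUrl()` only decides where a list click leads; the permission decision itself lives in one spot.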

Good solution and suggestion, and yes we could add something for this. Thanks!

1 Like

Ok glad I found a good solution so far.

Great you also say you would implement such a feature. Could I expect it in the near future or the far?