Permissions on single Tailor entry

Hi! Is it possible to restrict backend access to specific Tailor entries instead of whole ‘models’?
What I’m trying to achieve is to have
Create (or publish) - only admin
Read - admin and backend users assigned to the entry
Update - admin and backend users assigned to the entry
Delete (or unpublish) - only admin

The simplified idea is to have a blog where only the admin can create a post and allow a specific author to write it, without allowing him to see (or change) posts written by other authors.

I’ve managed to do so in Voyager by adding a simple rule to the BREAD (their version of CRUD) controller:

if(Auth::user()->role_id != 1)
{
    $query->where('owner_email', '=', Auth::user()->email);
}

and I’m looking to replicate this behaviour in October, ideally using Tailor.

Hi and welcome @Marcino,

This is a concept we are calling “Content Owners” that should arrive in a version of October CMS soon. It covers the scenario where admins who create records can only manage their own records and not records created by other users.

For now, you could add a field called owner_email and automatically populate it with this code, added to the boot() method of the app/Provider.php file. The following example targets a blueprint with handle Blog\Post.

// Automatically set the owner_email attribute on Blog\Post blueprints
\Tailor\Models\EntryRecord::extendInSection('Blog\Post', function($model) {
    $model->bindEvent('model.beforeSave', function () use ($model) {
        if ($owner = \BackendAuth::getUser()) {
            $model->owner_email = $owner->email;
        }
    });
});

Then extend the list query to only display entries that belong to the owner, if they are not a “super user”.

// Filter the entries list on Blog\Post blueprints by the owner email if the
// logged in user is not a super user
\Event::listen('backend.list.extendQuery', function ($listWidget, $query) {
    $owner = \BackendAuth::getUser();
    if (!$owner || $owner->is_superuser) {
        return;
    }

    $model = $query->getModel();
    if ($model instanceof \Tailor\Models\EntryRecord) {
        $blueprint = $model->getBlueprintDefinition();
        if ($blueprint->handle === 'Blog\Post') {
            $query->where('owner_email', $owner->email);
        }
    }
});
2 Likes
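
Added example, not part of the original reply and not October CMS's own code: the list filter above only changes what the list widget queries, so this example applies the same ownership rule when a Blog\Post record is created, updated or deleted. It reuses `extendInSection`, `bindEvent` and the `owner_email` field from the reply; the `$restricted` helper and the error messages are hypothetical, and it assumes drafts are not enabled on the blueprint.

```php
// Added example: goes in boot() of app/Provider.php, next to the snippets above.
// Assumes the Blog\Post blueprint has an owner_email field, as in the reply.
\Tailor\Models\EntryRecord::extendInSection('Blog\Post', function ($model) {
    // Hypothetical helper: returns the logged-in backend user only when the rule
    // applies to them; null for super users and when nobody is logged in (console).
    $restricted = function () {
        $user = \BackendAuth::getUser();
        return ($user && !$user->is_superuser) ? $user : null;
    };

    // Create: super users only
    $model->bindEvent('model.beforeCreate', function () use ($restricted) {
        if ($restricted()) {
            throw new \ApplicationException('Only super users can create posts.');
        }
    });

    // Update: the stored owner only. getOriginal() reads the value loaded from
    // the database, so a changed or overwritten owner_email cannot pass the check.
    $model->bindEvent('model.beforeUpdate', function () use ($model, $restricted) {
        $user = $restricted();
        if ($user && $model->getOriginal('owner_email') !== $user->email) {
            throw new \ApplicationException('You are not assigned to this post.');
        }
    });

    // Delete: super users only
    $model->bindEvent('model.beforeDelete', function () use ($restricted) {
        if ($restricted()) {
            throw new \ApplicationException('Only super users can delete posts.');
        }
    });
});
```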