1

A user group cannot be given access to a plugin without the plugin having hasCpSection.

I don't want to give anonymous access to the plugin's methods; is there not an option to have a plugin listed for user group permission allocation without it having an cp tab? Too many cp tabs cause a JS error - but that's another issue...

Tom
  • 135
  • 1
  • 7
  • This sounds like a bug. Whether or not a plugin has a tab should be completely irrelevant to whether a user group has permission to access it. I'd recommend reporting this bug directly to support@buildwithcraft.com – Lindsey D Aug 25 '15 at 17:13
  • Hey Tom... trying to decide if this is a bug or a feature request. Are you saying that they can't load any plugin pages in the CP? Or they can't post to a plugin's controller action? Feel free to send the plugin over to support@buildwithcraft.com along with steps to reproduce and we can update here with any results. – Brad Bell Aug 25 '15 at 18:00
  • @BradBell If a plugin does not have hasCpSection, it is not listed under the plugins section when assigning permissions. Without this, that user cannot access anything the plugin has - e.g. controllers actions (which makes sense). Tying the ability to define permissions for plugins based on hasCpSection doesn't. I've tried adding the db table row entries for a plugin for a user group - they get over-written the next time the user group permissions are saved (because they're not in the permissions plugins list, as they don't have hasCpSection...) Seems like a lot of assumptions on hasCpSection? – Tom Aug 26 '15 at 10:02

1 Answers1

2

The only point of those permissions is to determine whether the user has access to the plugins’ sections, so it would be pretty pointless to show the permissions for plugins that don’t have sections.

The confusion here is probably just in the wording of the permissions. “Access [Plugin]” isn’t very clear on which aspect of the plugin you’re granting access to. So maybe we should change that to “Access [Plugin]’s CP section” or something.

If you have a plugin that offers functionality that warrants user permissions, register your own custom user permissions using the registerUserPermissions hook, and verify that the user has those permissions using craft()->userSession->checkPermission().

Steve Holland
  • 2,485
  • 1
  • 16
  • 31
Brandon Kelly
  • 34,307
  • 2
  • 71
  • 137
  • I guess that requires giving the controller methods anonymous access, then adding auth checks inside those methods? I was hoping for some sort of built-in middle ground, to allow for user groups to be given access; such as through using a different method to determine if the plugin should be listed on the permissions screen - or perhaps just a new method of hasCPTab or similar, which is used when drawing the CP navigation options? (so 2 methods in the plugin class - one for permissions, one for having nav entry). hasCPTab could be assumed to be true, unless method exists and returning false? – Tom Aug 27 '15 at 09:26
  • But then we’d be leaving it up to the plugin developer to enforce those permissions, however they choose to. Not going to happen; I don’t want to add permissions that don’t have a specific intended purpose. – Brandon Kelly Aug 27 '15 at 13:49