Skip to content
Snippets Groups Projects
Select Git revision
  • refctorHTTPCLient
  • fix-zero
  • issue2721
  • master default protected
  • psr2
  • fixNoticesCLI
  • issue2665
  • issue2517
  • rmdir
  • old-stable
  • stable
  • extcli
  • HTTPClientAgent
  • issue2366
  • betterDeprecationComment
  • issue1569
  • fixGetVersion
  • testfixes
  • psr2-plugin
  • renameParam
  • release_stable_2017-02-19f
  • release_stable_2018-04-22b
  • release_stable_2018-04-22a
  • release_stable_2018-04-22
  • release_stable_2016-06-26e
  • release_stable_2017-02-19e
  • release_stable_2016-06-26d
  • release_stable_2017-02-19d
  • release_stable_2016-06-26c
  • release_stable_2017-02-19c
  • release_stable_2016-06-26b
  • release_stable_2017-02-19b
  • release_stable_2017-02-19a
  • release_stable_2017-02-19
  • release_stable_2016-06-26a
  • release_stable_2016-06-26
  • release_stable_2015-08-10a
  • release_stable_2015-08-10
  • release_stable_2014_05_05e
  • release_stable_2014_09_29d
40 results
Blame Permalink
  • Andreas Gohr's avatar
    64cdf779
    add event to check access to admin plugins · 64cdf779
    Andreas Gohr authored 
    This adds a new method that capsulates the access check that has to be
done to decide if an admin plugin's page should be shown to the user.
The default implementation is the same as before, relying only on the
forAdminOnly() method and the users' isadmin or ismanager status.

Admin plugins themselves can override the method to do additional
checks. In this patch, I added that to the usermanager plugin which will
only return true if the current auth backend can list users.

However the real idea behind this change is that the new method emits a
new event called ADMINPLUGIN_ACCESS_CHECK which would allow plugins to
overwrite it. This way it could be possible to give certain user groups
access to certain admin plugins without giving them admin or manager
permissions.

Note: this does not change how the "Admin" link is shown, it still
depends on ismanager or isadmin. A plugin as mentioned above would need
to influence the display via the MENU_ITEMS_ASSEMBLY event.

Note: this only covers the basic access check. Admin plugins may need
further adjustments for access to other parts of the plugin (like AJAX
components). An additional commit will update this for the bundled
plugins.
    64cdf779
    History
    add event to check access to admin plugins
    Andreas Gohr authored 
    This adds a new method that capsulates the access check that has to be
done to decide if an admin plugin's page should be shown to the user.
The default implementation is the same as before, relying only on the
forAdminOnly() method and the users' isadmin or ismanager status.

Admin plugins themselves can override the method to do additional
checks. In this patch, I added that to the usermanager plugin which will
only return true if the current auth backend can list users.

However the real idea behind this change is that the new method emits a
new event called ADMINPLUGIN_ACCESS_CHECK which would allow plugins to
overwrite it. This way it could be possible to give certain user groups
access to certain admin plugins without giving them admin or manager
permissions.

Note: this does not change how the "Admin" link is shown, it still
depends on ismanager or isadmin. A plugin as mentioned above would need
to influence the display via the MENU_ITEMS_ASSEMBLY event.

Note: this only covers the basic access check. Admin plugins may need
further adjustments for access to other parts of the plugin (like AJAX
components). An additional commit will update this for the bundled
plugins.
Code owners
Assign users and groups as approvers for specific file changes. Learn more.
admin.php 39.31 KiB