When a user is not an Admin, but his assigned group has access to a ModelAdmin, the model admin page is listed in the menu & the user can visit it; however, no records show in the index view.
To show the records, the permissions need to be set in the model. The documentation says to do it like this:
http://doc.silverstripe.org/framework/en/3.1/reference/modeladmin
    class Category extends DataObject {
        // ...
        public function canView($member = null) {
            return Permission::check('CMS_ACCESS_CMSMain', 'any', $member);
        }
        public function canEdit($member = null) {
            return Permission::check('CMS_ACCESS_CMSMain', 'any', $member);
        }
        public function canDelete($member = null) {
            return Permission::check('CMS_ACCESS_CMSMain', 'any', $member);
        }
        public function canCreate($member = null) {
            return Permission::check('CMS_ACCESS_CMSMain', 'any', $member);
        }
    }
However, this does not work as $member is Null. Setting these methods to return true displays the records. Is this secure? Or does that set anybody to be able to edit the records? Logging in as a user whose group does not have access to that model admin seems to not allow them to get to the listing page, but it seems like the wrong thing to do.
    public function canView($member = null) {
        return null;
    }
    public function canEdit($member = null) {
        return true;
    }
    public function canDelete($member = null) {
        return true;
    }
    public function canCreate($member = null) {
        return true;
    }
What is the best way to allow a group to view & edit a ModelAdmin's records?
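An added example, not part of the original post or the SilverStripe documentation: one way to tie the record permissions to the ModelAdmin's own access code instead of returning true. The admin class name `CategoryAdmin` and the helper `canManage()` are hypothetical; the sketch assumes SilverStripe 3.1, where each LeftAndMain subclass gets a `CMS_ACCESS_<ClassName>` permission code.

```php
<?php
// Added example. Assumption: the ModelAdmin that manages Category is a
// class named CategoryAdmin (hypothetical), so the permission code that
// groups are granted in the Security admin is 'CMS_ACCESS_CategoryAdmin'.
class Category extends DataObject {

    // One place that decides who may manage Category records.
    // When $member is null, Permission::check() evaluates the currently
    // logged-in member, so callers do not have to pass one in.
    protected function canManage($member = null) {
        return (bool) Permission::check(
            'CMS_ACCESS_CategoryAdmin', // hypothetical code, see above
            'any',
            $member
        );
    }

    // can*() methods are consulted by any code that asks about this
    // record, not only by the ModelAdmin listing. Returning a plain
    // `true` here would answer "yes" for every member, including
    // anonymous visitors, wherever those checks are used.
    public function canView($member = null) {
        return $this->canManage($member);
    }

    public function canEdit($member = null) {
        return $this->canManage($member);
    }

    public function canDelete($member = null) {
        return $this->canManage($member);
    }

    public function canCreate($member = null) {
        return $this->canManage($member);
    }
}
```

With this in place, a group that has been granted access to the (hypothetical) `CategoryAdmin` section sees and edits the records, while members without that code are refused by the model itself rather than only by the admin menu.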