I am using arckinteractive's Roles plugin (https://github.com/arckinteractive/Roles/tree/master). I want to restrict the role CUSTOMER from adding and editing groups, and below is my code:
// mytheme/start.php
.....
function my_theme_roles_config($hook_name, $entity_type, $return_value, $params)
{
    $roles = [
        CUSTOMER => [
            'title' => 'Core Customer',
            'extends' => [],
            'permissions' => [
                'actions' => [
                    'groups/save' => [
                        'rule' => 'deny',
                        'forward' => 'groups/all'
                    ],
                    'groups/add' => [
                        'rule' => 'deny',
                        'forward' => 'groups/all'
                    ]
                ],
                'menus' => [
                    'site::members' => ['rule' => 'deny']
                ],
                'pages' => [
                    'groups/add/{$self_guid}' => array(
                        'rule' => 'deny',
                        'forward' => 'groups/all',
                    )
                ]
            ],
        ],
    ];
    if (!is_array($return_value)) {
        return $roles;
    } else {
        return array_merge($return_value, $roles);
    }
}
The create group button is successfully not showing and the member menu is also not showing, so this function should be working without doubt. However, as a customer role user, I can still access the add group form and create a group by going to the URL: http://mysite.com/groups/add. Can anyone point out to me why the actions deny rule is not working here? Thanks
ihayredinov:
With /add subresources, if container guid segment is not provided, it is assumed to be the current user guid. You could either add a rule for a route without a container guid, or use a route:rewrite hook to explicitly set the container guid if one is missing.

damieneskimo:
It makes sense. Thank you.
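
The second option from the reply above (a route:rewrite hook that fills in a missing container GUID so that /groups/add has the shape the 'groups/add/{$self_guid}' page rule is written for), as an added example that is not code from the original post or from the Roles plugin. The my_theme_* function names and the sample GUID 42 are hypothetical, and the hook value is assumed to be an array with 'identifier' and 'segments' keys, as in Elgg 2.x.

```php
<?php
// Added example: my_theme_* names are hypothetical, not part of Roles or Elgg.

/**
 * Append the acting user's GUID when /groups/add is requested without a
 * container GUID, so one page rule covers both forms of the URL.
 *
 * @param array $route     ['identifier' => string, 'segments' => string[]]
 * @param int   $user_guid GUID of the logged-in user (0 when logged out)
 * @return array the route, rewritten only when the GUID segment is missing
 */
function my_theme_fill_container_guid(array $route, $user_guid) {
    $segments = isset($route['segments']) ? array_values($route['segments']) : [];
    $is_add = isset($route['identifier']) && $route['identifier'] === 'groups'
        && isset($segments[0]) && $segments[0] === 'add';
    // Rewrite only /groups/add with nothing (or an empty segment) after it.
    if ($is_add && $user_guid > 0 && (!isset($segments[1]) || $segments[1] === '')) {
        $segments[1] = (string) $user_guid;
        $route['segments'] = $segments;
    }
    return $route;
}

// Handler for the 'route:rewrite', 'groups' hook (assumed value shape, see above).
function my_theme_groups_route_rewrite($hook, $type, $return_value, $params) {
    return my_theme_fill_container_guid($return_value, elgg_get_logged_in_user_guid());
}

if (function_exists('elgg_register_plugin_hook_handler')) {
    // Inside Elgg; in a real plugin this call belongs in the init handler.
    elgg_register_plugin_hook_handler('route:rewrite', 'groups', 'my_theme_groups_route_rewrite');
} else {
    // Outside Elgg (php CLI): constructed requests, user GUID 42 is made up.
    $samples = [
        ['identifier' => 'groups', 'segments' => ['add']],       // /groups/add
        ['identifier' => 'groups', 'segments' => ['add', '42']], // /groups/add/42
        ['identifier' => 'groups', 'segments' => ['all']],       // /groups/all
    ];
    foreach ($samples as $route) {
        $out = my_theme_fill_container_guid($route, 42);
        echo 'groups/' . implode('/', $route['segments']) . ' -> groups/'
            . implode('/', $out['segments']) . PHP_EOL;
    }
}
```

To verify the restriction after deploying it, request /groups/add and /groups/add/<own guid> as a CUSTOMER user and confirm that both forward to groups/all.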