Skip to content

Commit

Permalink
DOC Document new dev admin permissions
Browse files Browse the repository at this point in the history
  • Loading branch information
GuySartorelli committed Nov 12, 2023
1 parent a25f9a0 commit 9de4607
Show file tree
Hide file tree
Showing 2 changed files with 24 additions and 14 deletions.
29 changes: 15 additions & 14 deletions en/02_Developer_Guides/02_Controllers/06_Builtin_Middlewares.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,20 +6,21 @@ summary: Middleware components that come with Silverstripe CMS
# Built-in Middleware

Silverstripe CMS has a number of Middleware components. Some of them are listed here.
Many of them are in the [SilverStripe\Control\Middleware](api:SilverStripe\Control\Middleware) namespace.
Many of them are in the [`SilverStripe\Control\Middleware`](api:SilverStripe\Control\Middleware) namespace.

| Name | Description |
| ---- | ----------- |
| [AllowedHostsMiddleware](api:SilverStripe\Control\Middleware\AllowedHostsMiddleware) | Secures requests by only allowing a whitelist of Host values |
| [AuthenticationMiddleware](api:SilverStripe\Security\AuthenticationMiddleware) | Handles authentication for the request |
| [CanonicalURLMiddleware](api:SilverStripe\Control\Middleware\CanonicalURLMiddleware) | URL normalisation and redirection |
| [ChangeDetectionMiddleware](api:SilverStripe\Control\Middleware\ChangeDetectionMiddleware) | Change detection via Etag / IfModifiedSince headers, conditionally sending a 304 not modified if possible. |
| [ConfirmationMiddleware](api:SilverStripe\Control\Middleware\ConfirmationMiddleware) | Checks whether user manual confirmation is required for HTTPRequest |
| [ExecMetricMiddleware](api:SilverStripe\Control\Middleware\ExecMetricMiddleware) | Display execution metrics in DEV mode |
| [FlushMiddleware](api:SilverStripe\Control\Middleware\FlushMiddleware) | Triggers a call to flush() on all [Flushable](api:SilverStripe\Core\Flushable) implementors |
| [HTTPCacheControlMiddleware](api:SilverStripe\Control\Middleware\HTTPCacheControlMiddleware) | Controls HTTP response cache headers |
| [PasswordExpirationMiddleware](api:SilverStripe\Security\PasswordExpirationMiddleware) | Check if authenticated user has password expired |
| [RateLimitMiddleware](api:SilverStripe\Control\Middleware\RateLimitMiddleware) | Access throttling, controls HTTP Retry-After header |
| [SessionMiddleware](api:SilverStripe\Control\Middleware\SessionMiddleware) | PHP Session initialisation |
| [TrustedProxyMiddleware](api:SilverStripe\Control\Middleware\TrustedProxyMiddleware) | Rewrites headers that provide IP and host details from upstream proxies |
| [URLSpecialsMiddleware](api:SilverStripe\Control\Middleware\URLSpecialsMiddleware) | Controls some of the [URL special variables](../debugging/url_variable_tools) |
| [`AllowedHostsMiddleware`](api:SilverStripe\Control\Middleware\AllowedHostsMiddleware) | Secures requests by only allowing a whitelist of Host values |
| [`AuthenticationMiddleware`](api:SilverStripe\Security\AuthenticationMiddleware) | Handles authentication for the request |
| [`CanonicalURLMiddleware`](api:SilverStripe\Control\Middleware\CanonicalURLMiddleware) | URL normalisation and redirection |
| [`ChangeDetectionMiddleware`](api:SilverStripe\Control\Middleware\ChangeDetectionMiddleware) | Change detection via Etag / IfModifiedSince headers, conditionally sending a 304 not modified if possible. |
| [`ConfirmationMiddleware`](api:SilverStripe\Control\Middleware\ConfirmationMiddleware) | Checks whether user manual confirmation is required for HTTPRequest |
| [`DevelopmentAdminConfirmationMiddleware`](api:SilverStripe\Control\Middleware\DevelopmentAdminConfirmationMiddleware) | A specific subclass of `ConfirmationMiddleware` which handles the `/dev/*` routes. |
| [`ExecMetricMiddleware`](api:SilverStripe\Control\Middleware\ExecMetricMiddleware) | Display execution metrics in DEV mode |
| [`FlushMiddleware`](api:SilverStripe\Control\Middleware\FlushMiddleware) | Triggers a call to flush() on all [Flushable](api:SilverStripe\Core\Flushable) implementors |
| [`HTTPCacheControlMiddleware`](api:SilverStripe\Control\Middleware\HTTPCacheControlMiddleware) | Controls HTTP response cache headers |
| [`PasswordExpirationMiddleware`](api:SilverStripe\Security\PasswordExpirationMiddleware) | Check if authenticated user has password expired |
| [`RateLimitMiddleware`](api:SilverStripe\Control\Middleware\RateLimitMiddleware) | Access throttling, controls HTTP Retry-After header |
| [`SessionMiddleware`](api:SilverStripe\Control\Middleware\SessionMiddleware) | PHP Session initialisation |
| [`TrustedProxyMiddleware`](api:SilverStripe\Control\Middleware\TrustedProxyMiddleware) | Rewrites headers that provide IP and host details from upstream proxies |
| [`URLSpecialsMiddleware`](api:SilverStripe\Control\Middleware\URLSpecialsMiddleware) | Controls some of the [URL special variables](../debugging/url_variable_tools) |
9 changes: 9 additions & 0 deletions en/04_Changelogs/5.2.0.md
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ title: 5.2.0 (unreleased)
- [ErrorPage allowed codes configuration](#errorpage-allowed-codes-configuration)
- [Create random passwords for new users](#create-random-passwords-for-new-users)
- [Buttons to select all files and deselect all files](#bulk-action-buttons)
- [More nuanced permissions for `/dev/*` routes](#dev-route-permissions)
- [Other new features](#other-new-features)
- [API changes](#api-changes)
- [Bug fixes](#bug-fixes)
Expand Down Expand Up @@ -103,6 +104,14 @@ The files section of the CMS now has buttons to select and deselect all files an
![](../_images/asset-admin-select-all.png)
### More nuanced permissions for `/dev/*` routes {#dev-route-permissions}

Previously, all `/dev/*` routes registered with [`DevelopmentAdmin`](api:SilverStripe\Dev\DevelopmentAdmin) (for example `/dev/tasks/MyBuildTask`) could only be access by administrator users, and this couldn't be configured.

Now, all of the controllers which handle these routes that come packaged in a core or supported module have a new `init_permissions` configuration property (e.g. [`TaskRunner.init_permissions`](api:SilverStripe\Dev\TaskRunner->init_permissions)). This new configuration can be used to grant non-administrative users access to these routes.

You can also now optionally implement a `canView()` method on your `BuildTask` implementations to restrict accessed for specific tasks even further. This means you can grant access to _some_ tasks to specific users or groups without granting access to _all_ tasks.

### Other new features

- A new [`SiteTree.hide_pagetypes`](api:SilverStripe\CMS\Model\SiteTree->hide_pagetypes) configuration property has been added. Unlike [`SiteTree.hide_ancestor`](api:SilverStripe\CMS\Model\SiteTree->hide_ancestor) (which has [now been deprecated](#api-silverstripe-cms)), this is an array. This allows you to define all page types that should be hidden in a single configuration property in your yaml configuration.
Expand Down

0 comments on commit 9de4607

Please sign in to comment.