ENH Add more nuanced permissions to Dev Task runner

[andrewandante]

Affected Version

CMS All

Description

Currently the ability to view and run a BuildTask from the browser is restricted to ADMINs via a hard-coded check in TaskRunner.php: https://github.com/silverstripe/silverstripe-framework/blob/5/src/Dev/TaskRunner.php#L42-L57. A more fine-grained permission scheme would allow a subset of users to be able to trigger a specific task, for example.

Proposal

• Implement proper permissions schemes on the tasks and the runner.
• Allow anyone that can see at least one task to visit /dev/tasks and have the list rendered.
• Allow per-task configuration
• Extra for experts - perhaps a CMS admin area to configure DevTasks? Then permissions could be managed in the same way as pages, for example. Could be fun 😉

PRs

• Add buildtask and dev URL permissions #10979
• ENH add canInit method and CAN_DEV_GRAPHQL permissions silverstripe-graphql#559
• ENH add CAN_DEV_BUILD to non_live_permissions silverstripe-versioned#426
• DOC Document new dev admin permissions developer-docs#399

[andrewandante]

I've had a cursory play-around with this - the most jarring thing is that we get to dev/tasks via the DevelopmentAdmin controller, which also has a strict isAdmin() check. So this would also need to add a sort of "can see at least one dev-admin area" check to that init() method as well - which is fine, and lovely and granular, but a little more work 😄

[GuySartorelli]

@andrewandante I've added a docs PR to call out this change in the changelog. Can you please take a look and suggest any changes you think should be made?
Note that the lack of detail is mostly because I was feeling a little lazy lol so if you think there should be more detail please don't hesitate to say so (and preferably suggest specific wording)

[emteknetnz]

Linked PRs have all been merged