contao
Add security voter example
This adds a simple voter example where you can restrict admin access to the "Maintenance" back end section.
Ah, this does not actually work as I intended. @aschempp what do you think would be the best practise to expand voting on a certain privilige? Injecting the original voter? Decorating it?
I have updated the example in af95f9e04a7256198b6d3e28ebafb13472bbaa5d - though I noticed that this works without manually setting the priority higher. @aschempp wdyt?
I don't like the current approach since I have to retrieve the user in the supports method via the Security helper. Too bad the abstract Voter class does not pass the token there too. I might change it to not using the abstract class.
I have added an example for Contao 5 with which you can restrict editing/deleting of news articles to the original author of the news article.
@aschempp one issue I keep having with implementing your own Voters for Contao permissions is that we basically have to check for everything in the supports method (when using the AbstractVoter) as we want to abstain if the specific conditions are not met - so that Contao's own permissions still apply. And the supports method unfortunately does not pass the token, which makes it a little more inconvenient to abstain based on user properties.
I don't think you are meant to abstain on the user token in the supports method! The supports method tells whether you support the specific attribute and subject, not any other condition of the application.
But that means I cannot abstain on isAdmin for example - or other arbitrary user properties.