
Add permission: `View other authors' entries`

Open AtmoFX opened this issue 8 months ago • 0 comments

Right now for collections, there are, among others, permissions to:

  • View all entries (i.e. the collection is not visible if not granted to the user).
    This will always give access to list and see entries from other authors.
  • Edit other authors' entries (i.e. there is a way to restrict a site's contributors to only editing their own entries).

Strangely enough, there is no way to specifically prevent contributors from seeing entries created by other authors. On our site, there is a circumstance where a contributor may not be able to see some entries in the front end, but they currently are able to see them all in the CP, and of course they are not allowed to edit one another's entries, only their own. Not necessarily a big one but it opens a door to plagiarism.

I would like to create a PR to add that missing `View other authors' entries` permission on collections:

  1. Add the corresponding core permission for every collection (see first child of View Test entries) [image]
  2. Remove entries from the collection listing (path: /cp/collections/{collection}), if the user has no right to see them.
    Optionally, the entry count should be updated (path: /cp/collections) to match.
  3. Change the EntryPolicy's view method to prevent users from opening an entry they are not supposed to see or edit (see below).
    This is necessary as e.g. assets can sometimes give away an entry uuid from the front end.

I can more or less do 1. and 3. by myself and create a pull request for that. Concerning 2.:

  • The only way I managed to hide entries in a collection listing is by creating an entry index query hook, though I am not sure if that is the correct approach for the core code, nor where it should be put if installed directly into Statamic
  • Not that it is critical but I have no idea how to adjust the entry count for a collection. For instance, if a collection has 100 entries but 60 of them are from a different author and I am not allowed to see them, then I do not know how to show this count as 40 (i.e. the entries I authored myself).
  • Judging from the existing code, the view method in the EntryPolicy class checks if the current user has the Edit other authors' entries permission.
    My little test code is built in such a way that if a user is granted Edit other authors' entries but NOT View other authors' entries, then entries from other authors won't be shown to them in the listing, but they can still edit them if they are given (or manage to reverse-engineer) the URL.
    To me, this is a more sensible approach compared to showing all the entries in the listing with only Edit other authors' entries but I would like to know what you think about this particular point.
    Maybe the solution would be to make Edit other authors' entries a child of View other authors' entries instead of Edit entries.

PS: the only languages I can provide for the interface are English and French.

PPS: Since I have more or less already developed the function, I'd be more than happy to go through a quick screen-sharing session if you think that can help understand my points.

AtmoFX avatar May 08 '25 09:05 AtmoFX
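The following is an added, stand-alone model of the permission logic discussed in the issue above. It is not Statamic's EntryPolicy or index-query code, and the `Entry`/`User` classes, the helper names and the sample data are assumptions made for illustration; only the permission-string shape (`view other authors' blog entries`, `edit other authors' blog entries`) mirrors the pattern Statamic uses. It separates the listing filter (step 2) from the single-entry view check (step 3), and shows both hierarchies raised in the last bullet: the default one, where `Edit other authors' entries` alone still lets a user open an entry whose uuid leaked via the front end, and the alternative where `Edit other authors' entries` is treated as a child of `View other authors' entries`.

```python
"""Model of a "view other authors' entries" permission next to the existing
"edit other authors' entries" one. Added example; not Statamic code.
Data model, function names and sample data are assumptions for illustration."""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Entry:
    id: str            # stands in for the entry uuid
    collection: str    # collection handle, e.g. "blog"
    author_id: str


@dataclass(frozen=True)
class User:
    id: str
    permissions: frozenset

    def has(self, permission: str) -> bool:
        return permission in self.permissions


def _perm(action: str, collection: str) -> str:
    # e.g. _perm("view other authors'", "blog") -> "view other authors' blog entries"
    return f"{action} {collection} entries"


def can_edit(user: User, entry: Entry, edit_requires_view_others: bool = False) -> bool:
    """Edit check. With edit_requires_view_others=True, "edit other authors'"
    only counts if "view other authors'" is also held (edit as a child of view)."""
    c = entry.collection
    if not user.has(_perm("edit", c)):
        return False
    if entry.author_id == user.id:
        return True
    if not user.has(_perm("edit other authors'", c)):
        return False
    if edit_requires_view_others and not user.has(_perm("view other authors'", c)):
        return False
    return True


def is_listed(user: User, entry: Entry) -> bool:
    """Listing filter (step 2): own entries, or every entry with "view other authors'"."""
    c = entry.collection
    if not user.has(_perm("view", c)):
        return False
    return entry.author_id == user.id or user.has(_perm("view other authors'", c))


def can_view(user: User, entry: Entry, edit_requires_view_others: bool = False) -> bool:
    """Single-entry view check (step 3): anything listed, plus anything editable.
    Under the default hierarchy this reproduces the gap described in the issue:
    "edit other authors'" without "view other authors'" hides the entry from the
    listing but still lets the user open it by URL."""
    return is_listed(user, entry) or can_edit(user, entry, edit_requires_view_others)


def visible_entries(user: User, entries: Iterable[Entry], collection: str) -> List[Entry]:
    """What the collection listing should contain for this user."""
    return [e for e in entries if e.collection == collection and is_listed(user, e)]


def visible_count(user: User, entries: Iterable[Entry], collection: str) -> int:
    """The per-collection count shown on the collections overview."""
    return len(visible_entries(user, entries, collection))


def open_entry(user: User, entries: Iterable[Entry], entry_id: str,
               edit_requires_view_others: bool = False) -> Optional[Entry]:
    """Direct access by id (the leaked-uuid path): the listing filter is bypassed,
    so only the policy's view check stands between the user and the entry."""
    for e in entries:
        if e.id == entry_id:
            return e if can_view(user, e, edit_requires_view_others) else None
    return None


# Constructed sample data: two collections, four users with different grants.
ENTRIES = [
    Entry("e1", "blog", "alice"),
    Entry("e2", "blog", "bob"),
    Entry("e3", "blog", "alice"),
    Entry("e4", "news", "alice"),
]
BASE = {"view blog entries", "edit blog entries"}
ALICE = User("alice", frozenset(BASE))
BOB = User("bob", frozenset(BASE))
CAROL = User("carol", frozenset(BASE | {"edit other authors' blog entries"}))
DAVE = User("dave", frozenset(BASE | {"view other authors' blog entries"}))


if __name__ == "__main__":
    for u in (ALICE, BOB, CAROL, DAVE):
        print(u.id, "sees", visible_count(u, ENTRIES, "blog"), "blog entries;",
              "can open e1:", open_entry(u, ENTRIES, "e1") is not None,
              "| with edit-under-view:", open_entry(u, ENTRIES, "e1", True) is not None)
```

Running the block prints one line per user. The interesting row is `carol`: she sees 0 blog entries in the listing, yet `open_entry` still returns `e1` under the default hierarchy because her edit right implies view; with `edit_requires_view_others=True` the same call returns `None`, which is the behaviour the last bullet of the issue argues for.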