Global permission check: extend the controller or just in the template?


XenForo moderator
Staff member
My add-on has a global permission to view the template which is on the forum index.

Talking to a couple of developers about this and was interested to see each had a different preferred way of doing it: extend the controller, or via a simple <xen:if is="{$visitor.permissions.(permission group ID).(permission ID}"> check in the template.

Unless I am completely misunderstanding things (which is very likely), I can't see any benefit at all in extending the controller for the global perm.

Doing it in the template it's a simple xen:if, e.g. <xen:if is="{$visitor.permissions.ctaFt.ctaFtViewFeaturedThreads}">

Doing it the other way however involves creating a new ControllerPublic\Forum.php to extend XenForo\ControllerPublic\Forum.php.
In addition, the model needs to have a new public function canViewFeaturedThreads, which also requires a corresponding <xen:if is="{$canViewFeaturedThreads}"> on the template anyway.

So the amount of template code is more or less the same but the second way involves much more php code.

How do others do it and why have you done it that way?


Well-known member
I believe the model / PHP version is meant for more complex permission checks (the amount of permissions in add-ons I've written are minimal). Such as something like the following (completely random example):
canViewFeaturedThreads is to be set to true if (these are or statements)...
  • $visitor is a member staff
  • $visitor.permissions.ctaFt.ctaFtViewFeaturedThreads
  • $visitor.permissions.ctaFt.ctaFtViewFeaturedThreads && !$visitor.is_robot
  • $visitor.permissions.ctaFt.ctaFtViewFeaturedThreads && $visitor.user_id != 1
Extending and adding the checks via PHP in this case is monumentally easier to read and understand than inserting them via the templates. Simple checks such as $visitor.permissions.ctaFt.ctaFtViewFeaturedThreads are understandable and easier via templates.


XenForo developer
Staff member
From an add-on perspective, the difference is mostly academic. I consider the controller/PHP-based method to be more correct though. The stock XF code doesn't access $visitor.permissions in the template as far as I can tell. In this particular instance, presumably you need to extend the controller to get the featured threads, and you wouldn't do it if they couldn't view them.

So, what's the actual difference. Well, if you just access the permission in the controller, effectively none. However, if you create a canViewFeaturedThreads() method, then accessing the permission directly ignores any behaviors that are defined there. Even if you don't define these behaviors, it's possible for another add-on to extend them and add behaviors or it's possible that you want to add them later. It focuses the "business logic" into one place.


XenForo moderator
Staff member
Yes, I'm using the controller method for the other perms as they are node specific, so it's just for this global perm I was trying to understand the case for doing it in php.

Brad Padgett

Well-known member
Hey @Brogan I have a simple question. How can I do this in a template for Xenforo 2? I've tried a few things but none of them worked. Appreciate the help if you can. I'm releasing a Most Users Ever Online free add-on soon but I need to check for permissions for a phrase and since I'm doing it from a php file I'd need to run a check via the template since it won't let me insert the phrase as a string. Let me know if you know. Thanks.