1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Global permission check: extend the controller or just in the template?

Discussion in 'XenForo Development Discussions' started by Brogan, Nov 11, 2013.

  1. Brogan

    Brogan XenForo Moderator Staff Member

    My add-on has a global permission to view the template which is on the forum index.

    Talking to a couple of developers about this and was interested to see each had a different preferred way of doing it: extend the controller, or via a simple <xen:if is="{$visitor.permissions.(permission group ID).(permission ID}"> check in the template.

    Unless I am completely misunderstanding things (which is very likely), I can't see any benefit at all in extending the controller for the global perm.

    Doing it in the template it's a simple xen:if, e.g. <xen:if is="{$visitor.permissions.ctaFt.ctaFtViewFeaturedThreads}">

    Doing it the other way however involves creating a new ControllerPublic\Forum.php to extend XenForo\ControllerPublic\Forum.php.
    In addition, the model needs to have a new public function canViewFeaturedThreads, which also requires a corresponding <xen:if is="{$canViewFeaturedThreads}"> on the template anyway.

    So the amount of template code is more or less the same but the second way involves much more php code.

    How do others do it and why have you done it that way?
    Chris D likes this.
  2. Jeremy

    Jeremy XenForo Moderator Staff Member

    I believe the model / PHP version is meant for more complex permission checks (the amount of permissions in add-ons I've written are minimal). Such as something like the following (completely random example):
    canViewFeaturedThreads is to be set to true if (these are or statements)...
    • $visitor is a member staff
    • $visitor.permissions.ctaFt.ctaFtViewFeaturedThreads
    • $visitor.permissions.ctaFt.ctaFtViewFeaturedThreads && !$visitor.is_robot
    • $visitor.permissions.ctaFt.ctaFtViewFeaturedThreads && $visitor.user_id != 1

    Extending and adding the checks via PHP in this case is monumentally easier to read and understand than inserting them via the templates. Simple checks such as $visitor.permissions.ctaFt.ctaFtViewFeaturedThreads are understandable and easier via templates.
    Brogan likes this.
  3. Mike

    Mike XenForo Developer Staff Member

    From an add-on perspective, the difference is mostly academic. I consider the controller/PHP-based method to be more correct though. The stock XF code doesn't access $visitor.permissions in the template as far as I can tell. In this particular instance, presumably you need to extend the controller to get the featured threads, and you wouldn't do it if they couldn't view them.

    So, what's the actual difference. Well, if you just access the permission in the controller, effectively none. However, if you create a canViewFeaturedThreads() method, then accessing the permission directly ignores any behaviors that are defined there. Even if you don't define these behaviors, it's possible for another add-on to extend them and add behaviors or it's possible that you want to add them later. It focuses the "business logic" into one place.
    Brogan likes this.
  4. Brogan

    Brogan XenForo Moderator Staff Member

    Yes, I'm using the controller method for the other perms as they are node specific, so it's just for this global perm I was trying to understand the case for doing it in php.

Share This Page