1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Route Prefix Permissions

Discussion in 'XenForo Development Discussions' started by Sim, Jun 22, 2015.

  1. Sim

    Sim Well-Known Member

    I wrote an addon which provides an integration point for my (multiple) forums with my helpdesk system - essentially a simply API I can call remotely and perform user lookups against a forum based on things like the email address that the helpdesk request came from.

    The way I implemented this addon in XenForo was using a route prefix which called a public controller and then responded using a public view which returned the data as JSON.

    Now this works perfectly for most of my sites - but I have one private site I run for a client of mine, and the permissions on that site are such that unregistered users are explicitly denied access to pretty much everything.

    So now I get permission errors when trying to access my route prefix for my private site.

    What permissions would be required for an unregistered user to access the site via my route prefix? "View"?

    Is there a way to bypass the permissions on a single route?
     
  2. Chris D

    Chris D XenForo Developer Staff Member

    You would do this at the Controller level (not the route level).

    The Abstract public controller asserts viewing permissions in this way:
    PHP:
        protected function _assertViewingPermissions($action)
        {
            if (!
    XenForo_Visitor::getInstance()->hasPermission('general''view'))
            {
                throw 
    $this->getNoPermissionResponseException();
            }
        }
    What you would need to do is add that function to your own Controller and change it to something like:

    PHP:
        protected function _assertViewingPermissions($action)
        {
            if (
    $action == 'your-action')
            {
                return;
            }

            
    parent::_assertViewingPermissions($action);
        }
    That would override the default behaviour in your controller so that actionYourAction does not do the normal permission check.

    You can make it so that your controller completely bypasses the permission check for all actions in your controller (use with caution!) like this:

    PHP:
        protected function _assertViewingPermissions($action)
        {

        }
     
  3. Sim

    Sim Well-Known Member

    Thanks @Chris D - this is exactly what I was looking for.
     

Share This Page