Datamanager Admin Permissions to select data in ajax requests form controls

Description

I need to block access to the Data manager UI for some admin users. However, those users should still be able to use other parts of the admin, including selecting data from various dropdowns.
Use case: Meeting types defined in Data manager, Meetings defined in custom UI. The user needs to be able to create a meeting and select a meeting type there - but not have access to the Datamanager listing.

I thought it should be possible with using presideobject.* and datamanager.read permissions.
However, this is not sufficient (getting access denied on the ajax requests). It only works if also having 'datamanager.navigate'. This is due to some additional stuff done in the general DataManager 'preHandler' method ('_loadCommonVariables' seems to check for the 'navigate' permission).

I wonder if other things in the `preHandler` method are not needed as well, e.g. if I understand it correct, it will also load the common breadcrumbs and top right buttons in case of a call of `getObjectRecordsForAjaxSelectControl` - which seems superfluous if this is the case.

Environment

None

Activity

Show:
Dominic Watson
May 3, 2018, 1:47 PM

Will be released in next 10.9.0 snapshot (10.9.0-snapshot117)

Dominic Watson
May 3, 2018, 1:46 PM

Awesome, thanks Nelson

Nelson Chuah
May 3, 2018, 10:19 AM

Hi Dom,

PR created for this
https://github.com/pixl8/Preside-CMS/pull/485

Thank you
Nelson

Dominic Watson
May 2, 2018, 8:39 AM

If making a feature branch - branch FROM 10.9 and target coming back to 10.9.

Fixed

Assignee

Nelson Chuah

Reporter

Jan Jannek

Accepted

Yes