Block media manager entirely if user lacks access

2017-04-11 08:40:39 +10:00 · 2017-04-11 08:40:39 +10:00 · 015b34fe88
parent 433cf1d504
commit 015b34fe88
1 changed files with 10 additions and 4 deletions
--- a/modules/backend/classes/Controller.php
+++ b/modules/backend/classes/Controller.php
@ -148,12 +148,21 @@ class Controller extends Extendable
        $this->layoutPath[] = '~/modules/' . $relativePath . '/layouts';
        $this->layoutPath[] = '~/plugins/' . $relativePath . '/layouts';

+        /*
+         * Create a new instance of the admin user
+         */
+        $this->user = BackendAuth::getUser();
+
        parent::__construct();

        /*
         * Media Manager widget is available on all back-end pages
         */
-        if (class_exists('Cms\Widgets\MediaManager')) {
+        if (
+            class_exists('Cms\Widgets\MediaManager') &&
+            $this->user &&
+            $this->user->hasAccess('media.*')
+        ) {
            $manager = new MediaManager($this, 'ocmediamanager');
            $manager->bindToController();
        }
@ -196,9 +205,6 @@ class Controller extends Extendable
         */
        $isPublicAction = in_array($action, $this->publicActions);

-        // Create a new instance of the admin user
-        $this->user = BackendAuth::getUser();
-
        /*
         * Check that user is logged in and has permission to view this page
         */