Checking Permissions: Basic Examples

It's easy to check permissions programmatically in Concrete CMS.

Against Current Page

One of the most common actions a Concrete developer undertakes is the checking of permissions against the current page. For example, if you're in a theme's page template, and you wish to show some explanatory text to a user, but only if the user can edit the current page, you'll need to know what permissions that user has access to.

In a Concrete theme's page template, the $c object is already in scope (it stands for the Current page.) Want to see whether this user has the ability to edit the page's contents?

$cp = new Permissions($c);
if ($cp->canEditPageContents()) {
    // They do!

That's it! If the $c variable isn't available (for example, if you're in certain block templates this may be the case), you'll need to grab it from the current request. This is easy to accomplish:

$c = \Page::getCurrentPage();
if ($cp->canEditPageProperties()) {
    // The user has the ability to edit the metadata about the page.


From within a block template, the $b object is automatically in scope. Simply pass it to the Permissions constructor and call a block permission on it:

$bp = new Permissions($b);
if ($bp->canViewBlock()) {
    // The current user can view the block

Add Files

Can the current user add files to the site? Let's check. First, we retrieve the global file set for all files:

$fs = \Concrete\Core\File\Set\Set::getGlobal();
$fsp = new Permissions($fs);
if ($fsp->canAddFiles()) {
    // yep!

Delete Files

What about a specific file. Can the file be deleted?

$f = \File::getByID(10);
$fp = new Permissions($f);
if ($fp->canDeleteFile()) {
    // Yes, the user has permission to delete the file.

The basics of permissions should start to be fairly clear at this point. In general, the global, generic Permissions checker class receives an object. Then, depending on which object was passed, the permissions checker gains a different set of methods based on that object's class of permissions, and the permission response that that object receives. There's a lot that happens behind the scenes, however; read on for detailed information as to how the permission request functions.