Permissions Check Request Details

So, what happens in the following call? How does it work?

$permissions = new Permissions($page);
if ($permissions->canEditPageContents()) {


Checker Object

A permissions check always begins the same way: with an instance of the Permissions object. (Note: the Permissions class with no namespace aliases to the Concrete\Core\Permission\Checker) class. Typically, the Permissions class also receives an argument:

$permissions = new Permissions($page);


$permissions = new Permissions($file);

In these examples, $page and $file are Permissions Objects. Permission Objects are the items that will be checked when methods are run against the Checker object.

Permission Category

Once the Checker receives a Permissions Object, it retrieves the Permission Category for the type of object in question. For example, all permissions that affect Concrete\Core\Page\Page objects belong to the "Page" permission category.

Permission Response

Once we have the permission category for a particular permission object, we can retrieve the Permission Response for this particular object. For example, the \Concrete\Core\Page\Page object is part of the "Page" permission Category, and permissions requests made of Page objects return the \Concrete\Core\Permission\Response\PageResponse Permission Response. The response object is checked for the existence of a method named canEditPageContents. If it exists, the method is run and true or false is returned.

Permission Key

If the response object doesn't contain this particular method, the method run is turned into a handle for a Permission Key. In this example


is translated into


Which is a permission that exists in the PermissionKeys database table. Each Permission Key represents a specific, discreet permission in Concrete CMS. Once the Permission Key object is retrieved, the Concrete\Core\Permission\Key\Key::validate() method is run against that Permission Key object.


The validate() method of the Permission Key object is responsible for retrieving the current Permission Assignment.

From this object, the Permission Access object is retrieved.


Once we have the Permission Access Object, we can determine which access entities are allowed to perform this permission. validate() is called on the Permission Access object. This takes care of retrieving the access entities from the current users session, and determining whether they have access to this specific permission assignment. A boolean value is returned all the way up the chain to the original Checker object.