Building a Craft CMS Dashboard Widget
Not every widget should be available to every control panel user. Let's restrict the widget to only those who have access to the deprecation errors area of Utilities.
Sometimes our widgets will display data or information that isn’t appropriate for all control panel users. Just because someone has access to the Control Panel doesn’t mean they are necessarily an admin user.
Let’s look at our sample project again, where we have our deprecation widget we created in this course.
As it stands right now, anyone with control panel access will be able to select and enable the DeprecWidget on their dashboard.
I have a new user group I created for the content team and a new user added to that team for testing our permissions.
The permissions of the Content Team user group are such that they can access the control panel and the content sections. However, if I try to access the Utilities section via the widget, I get a 403 Forbidden response because accessing that part of the Control Panel is forbidden per the user group permissions.
So, I want to manage better who can see this widget based on permissions. For now, let’s make it so only admin users have access to the DeprecWidget.
To do this, we’ll use the static method isSelectable() in the base Widget class that checks whether the user making the request should see the widget in the drop-down of available widgets.
isSelectable() returns a boolean, so we need to return true if we want the user to be able to select and use the widget, or false if we do not.
The isSelectable() method returns true by default, so any widget you create that doesn’t implement the isSelectable() method will be available to anyone with control panel access.
The criteria for how we do this are up to us. Who should have access to the widget? Let’s start by restricting based on whether or not the control panel user is an admin user.
We add the static method to our widget file (DeprecWidget.php). I will add it near the top because it’s more straightforward when reading the code if we see this restriction early on in the file.
public static function isSelectable(): bool
{
    // The permission check that returns true or false goes here.
}
Now we need to find out if the current user, the one making this request, is an admin user. Craft makes that easy for us via the Craft::$app object and the getIsAdmin() method in the User class.
We just return whatever getIsAdmin() returns, since it also returns a boolean and that’s what isSelectable() is required to return, too:
public static function isSelectable(): bool
{
    return Craft::$app->getUser()->getIsAdmin();
}
This new permission check will only work for new instances of the widget. If the user already has the widget installed, then it will continue to function.
Now the widget is no longer returned. But if we look at an account that has admin rights, then the widget is still available and selectable via the drop-down list on the dashboard.
However, checking only for admin status is perhaps a bit too heavy-handed. A user might not be an admin but still have access to the deprecation notices in the control panel’s Utilities section. This is because Craft has the different sections of Utilities broken out as their own permissions.
So this is nice because it allows us to be a bit more precise with our implementation. Instead of just requiring admin permissions, we can check that this current user has permissions to the Deprecation Warnings section of the Utilities. If they do, then we can make the DeprecWidget isSelectable() static method return true.
And, any user group could have this permission selected, so we’ll remove our check for getIsAdmin() and replace it with a check for that particular permission.
public static function isSelectable(): bool
{
    return Craft::$app->getUser()->checkPermission('utility:deprecation-errors');
}
You can find the user permissions via the Craft documentation or invoke this class method to return all available user permissions.
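Because isSelectable() only filters the drop-down and a widget that is already installed keeps working, the same permission check can be repeated when the widget renders. The following is an added example, not the course's code: it assumes Craft 3, where getBodyHtml() may return false to hide a widget, and the namespace, display name and renderBody() helper are hypothetical.

```php
<?php
// Added example, not the course's code.
// Assumptions: Craft 3; the namespace and renderBody() are hypothetical.
namespace modules\deprec\widgets;

use Craft;
use craft\base\Widget;

class DeprecWidget extends Widget
{
    // Permission named on this page: Utilities > Deprecation Warnings.
    const PERMISSION = 'utility:deprecation-errors';

    public static function displayName(): string
    {
        return 'Deprecation Warnings';
    }

    // Only controls whether the widget is offered in the drop-down of
    // available widgets. Instances already on a dashboard never reach this.
    public static function isSelectable(): bool
    {
        return self::currentUserAllowed();
    }

    // Runs each time the dashboard renders an existing instance, so a user
    // who added the widget before losing the permission sees nothing.
    // Craft 3 signature; on Craft 4 declare `: ?string` and return null.
    public function getBodyHtml()
    {
        if (!self::currentUserAllowed()) {
            return false; // Craft 3: false means "do not show this widget"
        }
        return $this->renderBody();
    }

    // Single place for the check so both entry points stay in sync.
    private static function currentUserAllowed(): bool
    {
        return Craft::$app->getUser()->checkPermission(self::PERMISSION);
    }

    private function renderBody(): string
    {
        // Placeholder for the widget's real markup.
        return '<p>Deprecation warnings go here.</p>';
    }
}
```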