Hi Isabel,
Allowing other user groups to be able to add and edit functions has proven much more complex than I had hoped, unfortunately. So far nothing I've tried has worked, but I'll give you a summary in case you want to experiment yourself in a local test instance like the Vagrant box.
First, in the 2.7 documentation I've added a new section on a little known feature that can be used to extend permissions to groups in a few modules and places that don't have settings in the user interface's Permissions module. You can find this section in the Admin manual, here:
Essentially, several modules in Symfony have security configuration files in YAML, that a system administrator can edit to add or remove user groups, including custom groups. The documentation outlines a few examples, and some of the limitations of this approach.
There is a security config YAML file for the Functions module, but... I didn't include it in the new documentation, because it seems that it is being overridden by something else, and editing it to add other groups hasn't been working for me. However, you can find the file here:
Things I tried with this file:
- Removing all lines, and just adding is_secure: false
- Adding authenticated to the existing permission blocks
- Adding additional blocks for add, create, etc
- Combinations of the above
None of them worked, unfortunately. I'm not sure exactly why, but it seems to me like some other ACL check code is overriding this file.
Additionally, by default, an authenticated user does not have access to the Add menu. This I was able to solve by editing the following:
By adding in a new line for QubitAclGroup::AUTHENTICATED_ID, I was able to get the Add menu to show for my test authenticated user. However, clicking any of the Add menu's options generally still led to a Permission denied page - including Add > Functions, despite the YAML file changes made above.
Curiously, I then tried testing with the Contributor group. Even though the Functions security YAML file lists the contributor group in its existing permissions, my test Contributor could not add a new Function. It worked as expected for the Editor group, however.
I then started looking into other parts of the code to see if I could find where permissions were being checked. I found the following:
However, any attempts to comment out the permissions check here broke AtoM, so I don't recommend doing that :). I[m not well-versed enough in PHP to be able to suggest code edits that might work.
There are also further files
in the ISDF plugin, but I'm not a developer and wasn't able to find anything that seemed obviously related to the permissions checks that are happening elsewhere.
I will see if any of our developers have some time to look into this a bit, but for now, I don't have a good solution for you. If your users need to be adding and editing functions, it's best to make them part of the Editor group for now.
Cheers,