HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.


ShadowdareShadowdare r_j MVP

To define a plugin which has a settings page, we can set these two keys in the PluginInfo array:

// Define the plugin:
$PluginInfo['Example'] = array(
    'SettingsUrl' => '/settings/example',
    'SettingsPermission' => 'Garden.Settings.Manage',

SettingsUrl is used to display a "Settings" button next to the plugin Enable/Disable button in the dashboard.

Since the Plugins dashboard page is inherently only visible to those with Garden.Settings.Manage permission, it would seem that SettingsPermission is meant to be used for new pages created on the SettingsController.

However, in most examples of creating new pages on the SettingsController, I see that $sender->permission('Garden.Settings.Manage') is called anyway and I can't find any occurrences of the string SettingsPermission in the entire Vanilla Forums code other than plugins. Is it being used?

Add Pages to Vanilla with the Basic Pages app


  • Options
    R_JR_J Ex-Fanboy Munich Admin

    As far as I know this plugin info is useless, but I find it quite of good style to use it, because a) someday someone might create such a pull request, b) it is an extra info which might some day be used in the dashboard, c) it gives extra information if someone reads your code, d) it might serve as a reminder for yourself

  • Options

    Interesting. I always thought, that SettingsPermission determines whether the settings link is shown to a user. But it doesn't seem to be used in the core at all.

  • Options
    LincLinc Detroit Admin

    I really thought it was used at some point.

    My feeling is it should be removed to avoid security complacency. I've heard folks confuse it for the only needed permission check on that page, and that worries me.

Sign In or Register to comment.