Using Custom Layouts in PimCore to restrict the visibility of editing tabs for selected users or user groups
Anyone who has worked with product data knows that not all parameters assigned to an object should be visible and available for editing to every user. When creating a custom view that includes selected parameters for a given user or user group, an error occurs in PimCore, showing tabs that are not available for those users.
Read below how we fixed it and what caused it.
One of the tools that PimCore offers is the option of defining more than one editing form layout for a data object. This can be done at the PimCore class editor level – by opening the class you want to edit, selecting the Configure Custom Layouts option, and then composing a custom object edit view based on existing data elements.
This mechanism simply allows you to create views that will later facilitate working on data objects to specific users or user groups. However, there is a use case in which we need to restrict the visibility of selected fields and the option of editing them to selected user groups.
Imagine that we have a product object displayed on a website. This object has basic parameters (such as a name and its translations), technical parameters, financial data and SEO parameters. The latter-most are related to the search engine optimization of the object page and are processed on the object page. Meanwhile, the financial parameters are filled in by accounting and sent to the ERP system, while the technical parameters define the properties of the product itself.
It is immediately clear that not every user of the system should have access to all tabs. For example, accounting staff should not be able to edit SEO and technical parameters, and those responsible for SEO should not be able to change financial parameters. In addition, too many tabs can make it difficult for the system’s users to navigate the editing form.
Thus, let’s create a custom view, showing only the tabs related to the object’s basic parameters and its financial parameters. After this has been created, it still needs to be assigned to a specific group and path: to do this, go to “Users/Groups” / “Groups,” then in the “Areas” tab, enter the path where the products are located and go to “Custom settings” / “Custom layouts” next to the path entered. Here, select the custom view you have created.
From now on, accounting staff will only see the financial and basic parameters of the product they are editing. However, there is a bug in PimCore version 5.8.4 and earlier that causes the product form to load with all tabs after refreshing the browser, including the tabs that should be hidden, if the product was open for editing before the refresh. The error is caused by the fact that the object data request sent by PimCore’s frontend after a page refresh contains an empty layoutId parameter. This makes the system load the default view of the object instead of the view set for the user/user group.
To fix this, just edit line 428 of the class Pimcore\Bundle\AdminBundle\Controller\Admin\DataObject\DataObjectController and replace the existing condition:
if (is_null($currentLayoutId) && !empty($validLayouts))
if ((is_null($currentLayoutId) || !strlen($currentLayoutId)) && !empty($validLayouts))
This will make PimCore properly refresh the custom object view when the page is reloaded.
Our team has already prepared a patch for the core mechanisms in PimCore, which has already been approved. It is available at https://github.com/pimcore/pimcore/pull/4479.