Concrete 5 comes with a brilliant permission system, for both advanced sites and complex workflow and simple sites too. These two are catered for by toggling between two markedly different modes dubbed; simple and advanced permission mode. Developers can switch on (but not off, this is a one way journey!) advanced permissions for you using a simple configuration setting in site.php:
define('PERMISSIONS_MODEL', 'advanced');
If you're a programmer and diving deep into Concrete 5, you're going to want to control these programatically, say on the event handling framework after a user adds a page you might want to follow it up with a set of automated restrictions. The code below was our trial and error with comments of how to get there....
//Okay we need to set the permissions of this page so it's only seen
//by selected organisations.
$p = Page::getByPath('/my-secrets');
//Set the page to manual permission mode
$p->setPermissionsToManualOverride();
//Set the child pages to inherit these permissions (rather than default)
$p->setPermissionsInheritanceToOverride();
//We're changing the view permission, there's a handle for all the others
//if you are after, say, approve_versions just change the argument
$pk = PagePermissionKey::getByHandle("view_page");
//set the current page against the permission object we're scaffolding
$pk->setPermissionObject($p);
//Return the access object (the abstraction here is long winded, but
//you don't get anything this powerful for free!). Don't edit this without
//the line below, or you'll edit all pages!
$paGlobal = PermissionAccess::getByID($pk->getPermissionAccessID(), $pk);
//Duplicate the above access object so we can make our own bespoke permission
//modifications
$pa = $paGlobal->duplicate();
//Get your groups you wish to add to the view_page permission key
$addTheseGroups = array(
Group::getByName("Clever Users"),
Group::getByName("Beautiful Users")
);
//Assign your groups to our newly created permission access object
foreach ($addTheseGroups as $addMe)
{
$pe = GroupPermissionAccessEntity::getOrCreate($addMe);
$pa->addListItem($pe, false, 10);
}
//Get the groups you explicitly wish to remove from the permissions
$removeTheseGroups = array(
Group::getByName("Lawyers"),
Group::getByName("Politicians")
);
//And remove them from our newly created permissions access object
foreach ($removeTheseGroups as $removeMe)
{
$pe = GroupPermissionAccessEntity::getOrCreate(Group::getByName($removeMe));
$pa->removeListItem($pe);
}
//Save our newly created Permission Configuration
$pa->save(array('paID' => $pa->getPermissionAccessID()));
//Get the permission reference for our page
$pt = $pk->getPermissionAssignmentObject();
//And give it our new configuration
$pt->assignPermissionAccess($pa);
//and again, elevating the privileges for account holders of those organisations
$pae = GroupCombinationPermissionAccessEntity::getOrCreate(array_merge($groups, array(Group::getByName('Account Holders'))));
//And we're done!
We hope this saves you a few hours and at least one backup recovery of the permissions tables to get rolling your own advanced permissions out in your own sites!