Flexible bypass Permissions and Controlled Access to Maintenance Mode Nav item

[iC00kScripts]

Hi, I came across your package while browsing the statamic addons and it would be perfect for a project I am working on with a few modifications.

1. control who gets to bypass maintenance mode with config defined permissions list
2. control who gets to see the maintenance mode CP nav item.

I am building an app where thousands of users will have the "access cp" permissions but just a few super users. By changing the maintenance mode bypass from hardcoded "access cp" to a defined array of permissions in config/maintenance-mode we are able to fine-tune the bypass.

The same applies to the maintenance mode control panel view as well. we would obviously not want ALL users with "access cp" to be able to take the website down. Depending on the scenario, we are able to open it up to supers only or all users with "access cp".

PS: array_filter is used instead of array_any for backward compatibility with Statamic 5.

[greptile-apps]

Greptile Summary

This PR adds two config-driven features: a configurable list of permissions that allow bypassing maintenance mode (allow_bypass_for_perms), and the option to restrict the Maintenance CP nav item to super users only (show_menu_for_supers_only). The bypass-permission refactor in the middleware and status controller is correct and backward-compatible. However, the nav-restriction feature has a boot-time evaluation bug that renders it non-functional.

• P1 — show_menu_for_supers_only is completely broken: the if (! $canDisplayforSupersOnly || User::current()?->isSuper()) guard in ServiceProvider::registerUtility() is evaluated at provider boot time, before any auth middleware has run. User::current() is always null, so when show_menu_for_supers_only = true the utility (and its routes) are never registered for any user. The check must be moved inside the UtilityFacade::extend() callback.

Confidence Score: 4/5

Safe to merge only after the boot-time user-check bug in ServiceProvider is fixed; the bypass-permission changes are correct.

One P1 defect: the show_menu_for_supers_only feature is non-functional as written because User::current() is always null at service-provider boot. Merging as-is would ship a silent regression where enabling that config option removes the utility for everyone. The bypass-permission changes are well-implemented and backward-compatible.

src/ServiceProvider.php — the boot-time user check must be moved inside the extend callback.

Important Files Changed

Filename	Overview
src/ServiceProvider.php	Adds conditional utility registration based on show_menu_for_supers_only config, but the user check runs at boot time (before auth middleware), so User::current() is always null, making the nav-restriction feature completely non-functional when enabled.
src/Http/Middleware/PreventRequestsDuringMaintenance.php	Replaces hardcoded 'access cp' permission check with a configurable allow_bypass_for_perms list using array_filter; logic is correct and default preserves prior behaviour.
src/Http/Controllers/MaintenanceStatusController.php	Same permission-check refactor as middleware; mirrors the middleware change correctly.
config/maintenance-mode.php	Adds two new config keys (show_menu_for_supers_only, allow_bypass_for_perms) with sensible defaults that preserve backward compatibility.
README.md	Documentation updated to reflect the new configurable bypass permission behaviour.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Incoming Request] --> B{App in maintenance?}
    B -- No --> C[Pass through]
    B -- Yes --> D{CP route?}
    D -- Yes --> C
    D -- No --> E{Maintenance status route?}
    E -- Yes --> C
    E -- No --> F{Authenticated CP user?}
    F -- Yes --> G{isSuper?}
    G -- Yes --> C
    G -- No --> H{has any perm in allow_bypass_for_perms?}
    H -- Yes --> C
    H -- No --> I{Whitelisted page?}
    F -- No --> I
    I -- Yes --> C
    I -- No --> J[Laravel maintenance handler]
    J -- 503 --> K[Custom maintenance response]

    subgraph CP_Nav [CP Nav Registration - ServiceProvider boot]
        L{show_menu_for_supers_only?}
        L -- false --> M[Register utility for all]
        L -- true --> N[User::current check - always null at boot]
        N --> O[Utility never registered]
    end

Loading

_{Reviews (1): Last reviewed commit: "update readme to show that users with at..." | Re-trigger Greptile}