Skip to content

Flexible bypass Permissions and Controlled Access to Maintenance Mode Nav item#2

Open
iC00kScripts wants to merge 5 commits into
el-schneider:mainfrom
iC00kScripts:use-config-defined-bypass-permissions-list
Open

Flexible bypass Permissions and Controlled Access to Maintenance Mode Nav item#2
iC00kScripts wants to merge 5 commits into
el-schneider:mainfrom
iC00kScripts:use-config-defined-bypass-permissions-list

Conversation

@iC00kScripts
Copy link
Copy Markdown

@iC00kScripts iC00kScripts commented Apr 15, 2026

Hi, I came across your package while browsing the statamic addons and it would be perfect for a project I am working on with a few modifications.

  1. control who gets to bypass maintenance mode with config defined permissions list
  2. control who gets to see the maintenance mode CP nav item.

I am building an app where thousands of users will have the "access cp" permissions but just a few super users. By changing the maintenance mode bypass from hardcoded "access cp" to a defined array of permissions in config/maintenance-mode we are able to fine-tune the bypass.

The same applies to the maintenance mode control panel view as well. we would obviously not want ALL users with "access cp" to be able to take the website down. Depending on the scenario, we are able to open it up to supers only or all users with "access cp".

PS: array_filter is used instead of array_any for backward compatibility with Statamic 5.

@greptile-apps
Copy link
Copy Markdown

greptile-apps Bot commented Apr 15, 2026

Greptile Summary

This PR adds two config-driven features: a configurable list of permissions that allow bypassing maintenance mode (allow_bypass_for_perms), and the option to restrict the Maintenance CP nav item to super users only (show_menu_for_supers_only). The bypass-permission refactor in the middleware and status controller is correct and backward-compatible. However, the nav-restriction feature has a boot-time evaluation bug that renders it non-functional.

  • P1 — show_menu_for_supers_only is completely broken: the if (! $canDisplayforSupersOnly || User::current()?->isSuper()) guard in ServiceProvider::registerUtility() is evaluated at provider boot time, before any auth middleware has run. User::current() is always null, so when show_menu_for_supers_only = true the utility (and its routes) are never registered for any user. The check must be moved inside the UtilityFacade::extend() callback.

Confidence Score: 4/5

Safe to merge only after the boot-time user-check bug in ServiceProvider is fixed; the bypass-permission changes are correct.

One P1 defect: the show_menu_for_supers_only feature is non-functional as written because User::current() is always null at service-provider boot. Merging as-is would ship a silent regression where enabling that config option removes the utility for everyone. The bypass-permission changes are well-implemented and backward-compatible.

src/ServiceProvider.php — the boot-time user check must be moved inside the extend callback.

Important Files Changed

Filename Overview
src/ServiceProvider.php Adds conditional utility registration based on show_menu_for_supers_only config, but the user check runs at boot time (before auth middleware), so User::current() is always null, making the nav-restriction feature completely non-functional when enabled.
src/Http/Middleware/PreventRequestsDuringMaintenance.php Replaces hardcoded 'access cp' permission check with a configurable allow_bypass_for_perms list using array_filter; logic is correct and default preserves prior behaviour.
src/Http/Controllers/MaintenanceStatusController.php Same permission-check refactor as middleware; mirrors the middleware change correctly.
config/maintenance-mode.php Adds two new config keys (show_menu_for_supers_only, allow_bypass_for_perms) with sensible defaults that preserve backward compatibility.
README.md Documentation updated to reflect the new configurable bypass permission behaviour.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Incoming Request] --> B{App in maintenance?}
    B -- No --> C[Pass through]
    B -- Yes --> D{CP route?}
    D -- Yes --> C
    D -- No --> E{Maintenance status route?}
    E -- Yes --> C
    E -- No --> F{Authenticated CP user?}
    F -- Yes --> G{isSuper?}
    G -- Yes --> C
    G -- No --> H{has any perm in allow_bypass_for_perms?}
    H -- Yes --> C
    H -- No --> I{Whitelisted page?}
    F -- No --> I
    I -- Yes --> C
    I -- No --> J[Laravel maintenance handler]
    J -- 503 --> K[Custom maintenance response]

    subgraph CP_Nav [CP Nav Registration - ServiceProvider boot]
        L{show_menu_for_supers_only?}
        L -- false --> M[Register utility for all]
        L -- true --> N[User::current check - always null at boot]
        N --> O[Utility never registered]
    end
Loading

Reviews (1): Last reviewed commit: "update readme to show that users with at..." | Re-trigger Greptile

greptile-apps[bot]
greptile-apps Bot reviewed Apr 15, 2026
View reviewed changes
Comment thread src/ServiceProvider.php Outdated
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@iC00kScripts