Add Announcement read permissions and (possibly) attach announcementCreatePermission to the CategoriesPage element #190

Open
elaine-mattos opened this issue Dec 11, 2023 · 1 comment

elaine-mattos commented Dec 11, 2023

Hi!

Thanks for the awesome plugin, as it'll save us a considerable amount of time.

However, I am missing an announcementReadPermission, a read permission to the Announcements.
This would be helpful in preventing guest users from creating/updating/deleting announcements, while still being able to view them.

Also, even if a user is not able to create new announcements, they would still be able to create categories. Would it be possible to link the announcementCreatePermission to the CategoriesPage element?
Another possible solution would be to expose the CategoriesPage so that the users of your plugin could attach any permissions they judge interesting...

Please let me know if I can help in any way! :)

jiteshy commented Jan 3, 2024

As per my understanding, a separate read permission is not required. The permissions framework allows specific features on a page to be restricted, and that's how the announcements page is built. Only the action buttons are removed/disabled if the user does not have proper access.

Create, update & delete actions can be restricted with the permissions below. Users not belonging to backstageAdminGroup can still see the announcements.

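```typescript
// Fragment of a permission policy: `request`, `user` and `this.config`
// come from the enclosing method and class.
if (
  isPermission(request.permission, announcementCreatePermission) ||
  isPermission(request.permission, announcementUpdatePermission) ||
  isPermission(request.permission, announcementDeletePermission)
) {
  // Only members of the configured admin group may create, update or delete announcements.
  if (user?.identity.ownershipEntityRefs.includes(this.config.getConfig('permission').getString('backstageAdminGroup'))) {
    return { result: AuthorizeResult.ALLOW };
  }
  return { result: AuthorizeResult.DENY };
}
```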

I do agree on the second point, though. The categories page needs to be restricted for read-only users. IMO, the categories button on the announcements page & the route itself can be restricted, as I don't see a use case where the category list will be of value to read-only users.
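
The two points of this thread as an added, self-contained sketch (not code from the plugin or from either commenter): write permissions are decided by admin-group membership, and a page with no permission attached never reaches the policy. The types are stand-ins for Backstage's, and the permission names, the group ref, the `canUse` helper and the fall-through ALLOW for other permissions are assumptions made for illustration.

```typescript
// Stand-ins for Backstage's permission types so the sketch runs on its own.
type Permission = { name: string };
type Decision = 'ALLOW' | 'DENY';
type User = { identity: { ownershipEntityRefs: string[] } } | undefined;

// Constructed permission names and group ref, not the plugin's real values.
const announcementCreate: Permission = { name: 'example.announcement.create' };
const announcementUpdate: Permission = { name: 'example.announcement.update' };
const announcementDelete: Permission = { name: 'example.announcement.delete' };
const ADMIN_GROUP = 'group:default/example-admins';
const WRITE_PERMISSIONS = [announcementCreate, announcementUpdate, announcementDelete];

// Same decision as the policy fragment in the comment: writes need admin-group
// membership. Assumption: every other permission falls through to ALLOW.
function handle(permission: Permission, user: User): Decision {
  if (WRITE_PERMISSIONS.some(p => p.name === permission.name)) {
    const refs = user?.identity.ownershipEntityRefs ?? [];
    return refs.indexOf(ADMIN_GROUP) !== -1 ? 'ALLOW' : 'DENY';
  }
  return 'ALLOW';
}

// A page or button is only gated if a permission is attached to it.
// With none attached, the policy is never consulted at all.
type Feature = { name: string; requires?: Permission };

function canUse(feature: Feature, user: User): boolean {
  if (!feature.requires) return true;
  return handle(feature.requires, user) === 'ALLOW';
}

const admin: User = { identity: { ownershipEntityRefs: ['user:default/alice', ADMIN_GROUP] } };
const reader: User = { identity: { ownershipEntityRefs: ['user:default/bob'] } };

const createAnnouncement: Feature = { name: 'create announcement', requires: announcementCreate };
const categoriesUngated: Feature = { name: 'categories page' };
const categoriesGated: Feature = { name: 'categories page', requires: announcementCreate };

function report(): Record<string, boolean> {
  return {
    adminCreates: canUse(createAnnouncement, admin),
    readerCreates: canUse(createAnnouncement, reader),
    guestCreates: canUse(createAnnouncement, undefined),
    readerCategoriesUngated: canUse(categoriesUngated, reader),
    readerCategoriesGated: canUse(categoriesGated, reader),
  };
}
console.log(report());
```
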
