DOC Document new dev admin permissions (#399)

en/02_Developer_Guides/02_Controllers/06_Builtin_Middlewares.md

@@ -6,20 +6,21 @@ summary: Middleware components that come with Silverstripe CMS
 # Built-in Middleware
 
 Silverstripe CMS has a number of Middleware components. Some of them are listed here.
-Many of them are in the [SilverStripe\Control\Middleware](api:SilverStripe\Control\Middleware) namespace.
+Many of them are in the [`SilverStripe\Control\Middleware`](api:SilverStripe\Control\Middleware) namespace.
 
 | Name | Description |
 | ---- | ----------- |
-| [AllowedHostsMiddleware](api:SilverStripe\Control\Middleware\AllowedHostsMiddleware) | Secures requests by only allowing a whitelist of Host values |
-| [AuthenticationMiddleware](api:SilverStripe\Security\AuthenticationMiddleware) | Handles authentication for the request |
-| [CanonicalURLMiddleware](api:SilverStripe\Control\Middleware\CanonicalURLMiddleware) | URL normalisation and redirection |
-| [ChangeDetectionMiddleware](api:SilverStripe\Control\Middleware\ChangeDetectionMiddleware) | Change detection via Etag / IfModifiedSince headers, conditionally sending a 304 not modified if possible. |
-| [ConfirmationMiddleware](api:SilverStripe\Control\Middleware\ConfirmationMiddleware) | Checks whether user manual confirmation is required for HTTPRequest |
-| [ExecMetricMiddleware](api:SilverStripe\Control\Middleware\ExecMetricMiddleware) | Display execution metrics in DEV mode |
-| [FlushMiddleware](api:SilverStripe\Control\Middleware\FlushMiddleware) | Triggers a call to flush() on all [Flushable](api:SilverStripe\Core\Flushable) implementors |
-| [HTTPCacheControlMiddleware](api:SilverStripe\Control\Middleware\HTTPCacheControlMiddleware) | Controls HTTP response cache headers |
-| [PasswordExpirationMiddleware](api:SilverStripe\Security\PasswordExpirationMiddleware) | Check if authenticated user has password expired |
-| [RateLimitMiddleware](api:SilverStripe\Control\Middleware\RateLimitMiddleware) | Access throttling, controls HTTP Retry-After header |
-| [SessionMiddleware](api:SilverStripe\Control\Middleware\SessionMiddleware) | PHP Session initialisation |
-| [TrustedProxyMiddleware](api:SilverStripe\Control\Middleware\TrustedProxyMiddleware) | Rewrites headers that provide IP and host details from upstream proxies |
-| [URLSpecialsMiddleware](api:SilverStripe\Control\Middleware\URLSpecialsMiddleware) | Controls some of the [URL special variables](../debugging/url_variable_tools) |
+| [`AllowedHostsMiddleware`](api:SilverStripe\Control\Middleware\AllowedHostsMiddleware) | Secures requests by only allowing a whitelist of Host values |
+| [`AuthenticationMiddleware`](api:SilverStripe\Security\AuthenticationMiddleware) | Handles authentication for the request |
+| [`CanonicalURLMiddleware`](api:SilverStripe\Control\Middleware\CanonicalURLMiddleware) | URL normalisation and redirection |
+| [`ChangeDetectionMiddleware`](api:SilverStripe\Control\Middleware\ChangeDetectionMiddleware) | Change detection via Etag / IfModifiedSince headers, conditionally sending a 304 not modified if possible. |
+| [`ConfirmationMiddleware`](api:SilverStripe\Control\Middleware\ConfirmationMiddleware) | Checks whether user manual confirmation is required for HTTPRequest |
+| [`DevelopmentAdminConfirmationMiddleware`](api:SilverStripe\Control\Middleware\DevelopmentAdminConfirmationMiddleware) | A specific subclass of `ConfirmationMiddleware` which handles the `/dev/*` routes. |
+| [`ExecMetricMiddleware`](api:SilverStripe\Control\Middleware\ExecMetricMiddleware) | Display execution metrics in DEV mode |
+| [`FlushMiddleware`](api:SilverStripe\Control\Middleware\FlushMiddleware) | Triggers a call to flush() on all [Flushable](api:SilverStripe\Core\Flushable) implementors |
+| [`HTTPCacheControlMiddleware`](api:SilverStripe\Control\Middleware\HTTPCacheControlMiddleware) | Controls HTTP response cache headers |
+| [`PasswordExpirationMiddleware`](api:SilverStripe\Security\PasswordExpirationMiddleware) | Check if authenticated user has password expired |
+| [`RateLimitMiddleware`](api:SilverStripe\Control\Middleware\RateLimitMiddleware) | Access throttling, controls HTTP Retry-After header |
+| [`SessionMiddleware`](api:SilverStripe\Control\Middleware\SessionMiddleware) | PHP Session initialisation |
+| [`TrustedProxyMiddleware`](api:SilverStripe\Control\Middleware\TrustedProxyMiddleware) | Rewrites headers that provide IP and host details from upstream proxies |
+| [`URLSpecialsMiddleware`](api:SilverStripe\Control\Middleware\URLSpecialsMiddleware) | Controls some of the [URL special variables](../debugging/url_variable_tools) |

en/04_Changelogs/5.2.0.md

@@ -11,6 +11,7 @@ title: 5.2.0 (unreleased)
   - [ErrorPage allowed codes configuration](#errorpage-allowed-codes-configuration)
   - [Create random passwords for new users](#create-random-passwords-for-new-users)
   - [Buttons to select all files and deselect all files](#bulk-action-buttons)
+  - [More nuanced permissions for `/dev/*` routes](#dev-route-permissions)
   - [Other new features](#other-new-features)
 - [API changes](#api-changes)
 - [Bug fixes](#bug-fixes)
@@ -103,6 +104,14 @@ The files section of the CMS now has buttons to select and deselect all files an
 
 ![](../_images/asset-admin-select-all.png)
 
+### More nuanced permissions for `/dev/*` routes {#dev-route-permissions}
+
+Previously, all `/dev/*` routes registered with [`DevelopmentAdmin`](api:SilverStripe\Dev\DevelopmentAdmin) (for example `/dev/tasks/MyBuildTask`) could only be access by administrator users, and this couldn't be configured.
+
+Now, all of the controllers which handle these routes that come packaged in a core or supported module have a new `init_permissions` configuration property (e.g. [`TaskRunner.init_permissions`](api:SilverStripe\Dev\TaskRunner->init_permissions)). This new configuration can be used to grant non-administrative users access to these routes.
+
+You can also now optionally implement a `canView()` method on your `BuildTask` implementations to restrict accessed for specific tasks even further. This means you can grant access to _some_ tasks to specific users or groups without granting access to _all_ tasks.
+
 ### Other new features
 
 - A new [`SiteTree.hide_pagetypes`](api:SilverStripe\CMS\Model\SiteTree->hide_pagetypes) configuration property has been added. Unlike [`SiteTree.hide_ancestor`](api:SilverStripe\CMS\Model\SiteTree->hide_ancestor) (which has [now been deprecated](#api-silverstripe-cms)), this is an array. This allows you to define all page types that should be hidden in a single configuration property in your yaml configuration.