Skip to content

[6.x] Forms 2: Permissions#14957

Merged
jasonvarga merged 15 commits into
forms-2from
forms-2-permissions
Jul 10, 2026
Merged

[6.x] Forms 2: Permissions#14957
jasonvarga merged 15 commits into
forms-2from
forms-2-permissions

Conversation

@duncanmcclean

@duncanmcclean duncanmcclean commented Jul 8, 2026

Copy link
Copy Markdown
Member

This pull request reworks form permissions as part of Forms 2.

New permissions

The Forms permission group now looks like this:

  • Configure forms
  • Edit forms
    • Create forms
    • Delete forms
  • View submissions
    • Delete submissions
  • Edit [form] form
  • View [form] submissions
    • Delete [form] submissions

Configure forms remains the "super permission" for forms — users with it can do anything form related.

Edit forms grants access to everything about every form (fields, logic, connect, configure), except submissions. Edit [form] form is the per-form equivalent.

View submissions grants read-only access to submissions across all forms, including exporting. Deleting them is behind the Delete submissions child permission. The per-form equivalents behave the same way, scoped to a single form.

Configure form fields

The configure form fields permission has been deprecated and is no longer registered, so it won't show in the roles UI. However, it's still supported: users with it may access the form builder and logic pages, but nothing else. These are the equivalent pages now that forms don't have blueprints.

It also no longer grants access to the blueprints area of the Control Panel.

Control Panel

  • The form section tabs (Edit/Logic/Connect/Results/Configure) only show when the user has the relevant ability. When only one page is accessible, the tabs are hidden entirely.
  • Clicking a form on the listing takes the user to the form builder or the submissions listing, depending on their permissions and how many submissions exist.
  • The submissions column and badges are hidden on the forms listing when the user can't view any submissions.

Closes statamic/ideas#1469

duncanmcclean and others added 4 commits July 8, 2026 12:08
Permissions can declare a broader permission that supersedes them. The
roles UI hides superseded permissions while the superseder is checked.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Adds "edit forms" (with create/delete children), global "view/delete
form submissions", and per-form "edit [form] form" permissions. The
form and submission policies now grant abilities from these instead of
everything hanging off "configure forms". The deprecated "configure
form fields" permission is no longer registered, but continues to
grant access to the form builder and logic pages.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The form section tabs, submissions badge, and header actions now only
show when the user has the relevant ability.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
jasonvarga and others added 5 commits July 9, 2026 16:47
# Conflicts:
#	resources/js/components/roles/PermissionTree.vue
#	src/Auth/CorePermissions.php
#	src/Auth/Permission.php
#	tests/Permissions/PermissionTest.php
#	tests/Permissions/PermissionsTest.php
FormsController::index() was computing the submission count for every
form the user could view, regardless of viewSubmissions permission.
The count was hidden client-side but still present in the Inertia
page props. Now the count is only computed and returned when the user
can actually view submissions.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The wrapping div now carries the v-if that was previously only on the
nav element, so the trigger button doesn't render pointing at a
popover that no longer exists.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…ortController

Cover the edit and viewSubmissions ability boundaries introduced by the
forms permissions rework: FormConnectController now requires edit forms
or per-form edit, and FormExportController requires viewSubmissions
rather than view.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
jasonvarga and others added 4 commits July 10, 2026 14:33
The generate-fake endpoint and DeleteFakeSubmissions cleanup action
were authorized on viewSubmissions/deleteSubmissions, which are
ordinary content-editor permissions. Since the feature is developer-
only, add a generateFakeSubmissions ability to FormPolicy that only
super users and configure-forms users satisfy (via before()), and use
it for both the generate endpoint and the cleanup action. Fold the
same ability into canGenerateFakeSubmissions so the UI hides all
generate/cleanup controls for unauthorized users.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Super access is guaranteed by FormPolicy::before() for every ability;
asserting it per-ability tests the framework, not this feature. The
configure-forms allow case and the denial cases carry the coverage.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Same reasoning: super is handled by FormPolicy::before() for every
ability, so a per-ability super test adds no coverage over the
permission-specific allow/deny cases.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@jasonvarga jasonvarga merged commit 4df166b into forms-2 Jul 10, 2026
19 checks passed
@jasonvarga jasonvarga deleted the forms-2-permissions branch July 10, 2026 21:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants