Skip to content

v4.4.4 - Shield gating for the registration settings page

Choose a tag to compare

View all tags
@tallcms tallcms released this 30 Apr 09:55
· 30 commits to main since this release
v4.4.4
23111a1

Summary

Patch release that closes a Shield-gating gap on the registration settings page. The `tallcms/filament-registration` package ships its `RegistrationSettings` page intentionally without Shield (so the package stays Shield-optional). Without further wiring, that page sat on the admin panel accessible to anyone who could log in — `View:RegistrationSettings` permission rows in the DB were unread.

Same shape as the v1.8.2 ProSettings fix in tallcms/pro.

What changed

  • `composer.json` requires tallcms/filament-registration ^1.2 (1.2.0 added the `settingsPage()` setter for swapping in a Shield-gated subclass).

  • New `App\Filament\Pages\RegistrationSettings` subclass adds `HasPageShield`.

  • `AdminPanelProvider` wires it via the bridge plugin's new `settingsPage()` forwarder:

    ```php
    TallcmsRegistrationBridge::make()
    ->settingsPage(\App\Filament\Pages\RegistrationSettings::class)
    ```

Required: bridge plugin upgrade to 2.1.0

The host wiring assumes the bridge plugin (`tallcms/registration`) at v2.1.0+ because that's where `RegistrationPlugin::settingsPage()` was added. Older bridge versions (2.0.0) will throw `BadMethodCallException` on panel boot.

If you have the bridge plugin installed:

  1. Upgrade it to v2.1.0 via the admin's Plugin Manager (uploading the new zip), or pull the new version from the marketplace.
  2. After upgrade, run `php artisan shield:generate` to seed the `View:RegistrationSettings` permission for existing roles.
  3. Audit role assignments — site_owner / site_user / similar roles need `View:RegistrationSettings` granted explicitly if they should keep access.

If you don't have the bridge plugin installed (e.g. plugin-mode users, fresh CI checkouts), the `class_exists` guard in `AdminPanelProvider` skips the bridge cleanly — no boot failure.

Companion release

Same fix shipped to push.sg (`tallcms/push-tallcms`) in commit `eb51940` — push.sg uses `FilamentRegistrationPlugin` directly without the bridge plugin, so its wiring is one-call:

```php
FilamentRegistrationPlugin::make()
->defaultRole('site_owner')
->settingsPage(\App\Filament\Pages\RegistrationSettings::class)
```

Pull request

  • #79 — Shield-gate the RegistrationSettings page

Note on cms package contents

The cms package (`packages/tallcms/cms/`) itself has no functional changes between v4.4.3 and v4.4.4 — all changes ride on the standalone skeleton (`app/Filament/Pages/`, `app/Providers/Filament/AdminPanelProvider.php`, `composer.json`). The version bump exists so the standalone bundle ships via the standard release flow.

Assets 2
Loading