@@ -21,4 +21,5 @@ $GLOBALS['BE_MOD']['content']['modals'] = array

 $GLOBALS['TL_MODELS']['tl_vr_modal'] = ModalModel::class;

 // Add permissions

+$GLOBALS['TL_PERMISSIONS'][] = 'modals';

 $GLOBALS['TL_PERMISSIONS'][] = 'modalp';

@@ -15,12 +15,20 @@ use Contao\CoreBundle\DataContainer\PaletteManipulator;

 // Extend the default palette

 PaletteManipulator::create()

     ->addLegend('modal_legend', 'amg_legend', PaletteManipulator::POSITION_BEFORE)

-    ->addField(array('modalp'), 'modal_legend', PaletteManipulator::POSITION_APPEND)

+    ->addField(array('modals','modalp'), 'modal_legend', PaletteManipulator::POSITION_APPEND)

     ->applyToPalette('extend', 'tl_user')

     ->applyToPalette('custom', 'tl_user')

 ;

 // Add fields to tl_user_group

+$GLOBALS['TL_DCA']['tl_user']['fields']['modals'] = array

+(

+    'inputType'               => 'checkbox',

+    'foreignKey'              => 'tl_vr_modal.title',

+    'eval'                    => array('multiple'=>true),

+    'sql'                     => "blob NULL"

+);

+

 $GLOBALS['TL_DCA']['tl_user']['fields']['modalp'] = array

 (

     'exclude'                 => true,

@@ -15,11 +15,19 @@ use Contao\CoreBundle\DataContainer\PaletteManipulator;

 // Extend the default palette

 PaletteManipulator::create()

     ->addLegend('modal_legend', 'amg_legend', PaletteManipulator::POSITION_BEFORE)

-    ->addField(array('modalp'), 'modal_legend', PaletteManipulator::POSITION_APPEND)

+    ->addField(array('modals','modalp'), 'modal_legend', PaletteManipulator::POSITION_APPEND)

     ->applyToPalette('default', 'tl_user_group')

 ;

 // Add fields to tl_user_group

+$GLOBALS['TL_DCA']['tl_user_group']['fields']['modals'] = array

+(

+    'inputType'               => 'checkbox',

+    'foreignKey'              => 'tl_vr_modal.title',

+    'eval'                    => array('multiple'=>true),

+    'sql'                     => "blob NULL"

+);

+

 $GLOBALS['TL_DCA']['tl_user_group']['fields']['modalp'] = array

 (

     'exclude'                 => true,

@@ -13,6 +13,8 @@ declare(strict_types=1);

 use Contao\DC_Table;

 use Contao\DataContainer;

+$GLOBALS['TL_LANG']['tl_user']['modals'][0] = 'PopUps';

+$GLOBALS['TL_LANG']['tl_user']['modals'][1] = 'Hier können Sie den Zugriff auf ein oder mehrere PopUps erlauben.';

 $GLOBALS['TL_LANG']['tl_user']['modalp'][0] = 'PopUp-Rechte';

 $GLOBALS['TL_LANG']['tl_user']['modalp'][1] = 'Hier können Sie PopUp-Rechte festlegen.';

@@ -13,6 +13,8 @@ declare(strict_types=1);

 use Contao\DC_Table;

 use Contao\DataContainer;

+$GLOBALS['TL_LANG']['tl_user_group']['modals'][0] = 'PopUps';

+$GLOBALS['TL_LANG']['tl_user_group']['modals'][1] = 'Hier können Sie den Zugriff auf ein oder mehrere PopUps erlauben.';

 $GLOBALS['TL_LANG']['tl_user_group']['modalp'][0] = 'PopUp-Rechte';

 $GLOBALS['TL_LANG']['tl_user_group']['modalp'][1] = 'Hier können Sie PopUp-Rechte festlegen.';

@@ -20,6 +20,8 @@ use Contao\DataContainer;

 use Contao\Image;

 use Contao\Input;

 use Contao\StringUtil;

+use Contao\System;

+use Doctrine\DBAL\Connection;

 use Symfony\Component\HttpFoundation\Session\SessionInterface;

 use Symfony\Component\Security\Core\Security;

 use vonRotenberg\ModalBundle\Security\ModalPermissions;

@@ -43,11 +45,64 @@ class ModalDataContainerListener

         $user = $this->security->getUser();

         $userId = $user instanceof BackendUser ? (int)$user->id : 0;

+        $objSession = System::getContainer()->get('session');

+        $session = $objSession->all();

+

         if ($user->isAdmin)

         {

             return;

         }

+        // Set root IDs

+        if (empty($user->modals) || !is_array($user->modals))

+        {

+            $root = array(0);

+        }

+        else

+        {

+            $root = $user->modals;

+        }

+

+        if (is_array($session['CURRENT']['IDS'] ?? null))

+        {

+            $edit_all = array();

+            $delete_all = array();

+

+            foreach ($session['CURRENT']['IDS'] as $id)

+            {

+                if ($this->security->isGranted(ModalPermissions::USER_CAN_EDIT_MODALS, $id))

+                {

+                    $edit_all[] = $id;

+                }

+

+                if ($this->security->isGranted(ModalPermissions::USER_CAN_DELETE_MODALS, $id))

+                {

+                    $delete_all[] = $id;

+                }

+            }

+

+            $session['CURRENT']['IDS'] = (Input::get('act') == 'deleteAll') ? $delete_all : $edit_all;

+        }

+

+        // Set allowed clipboard IDs

+        if (!empty($session['CLIPBOARD']['tl_vr_modal']['id']) && is_array($session['CLIPBOARD']['tl_vr_modal']['id']))

+        {

+            $clipboard = array();

+

+            foreach ($session['CLIPBOARD']['tl_vr_modal']['id'] as $id)

+            {

+                if ($this->security->isGranted(ModalPermissions::USER_CAN_EDIT_MODALS, $id))

+                {

+                    $clipboard[] = $id;

+                }

+            }

+

+            $session['CLIPBOARD']['tl_article']['id'] = $clipboard;

+        }

+

+        // Overwrite the session

+        $objSession->replace($session);

+

         // Check permissions to add modals

         if (!$this->security->isGranted(ModalPermissions::USER_CAN_CREATE_MODALS))

         {

@@ -65,14 +120,27 @@ class ModalDataContainerListener

         // Check current action

         switch (Input::get('act'))

         {

-            case 'overrideAll':

-            case 'editAll':

-            case 'show':

-            case 'edit':

             case 'select':

                 // Allow

                 break;

+            case 'edit':

+            case 'show':

+                if (!in_array(Input::get('id'), $root))

+                {

+                    throw new AccessDeniedException('Not enough permissions to ' . Input::get('act') . ' form ID ' . Input::get('id') . '.');

+                }

+                break;

+

+            case 'editAll':

+            case 'overrideAll':

+                $session = $objSession->all();

+

+                $session['CURRENT']['IDS'] = array_intersect((array) $session['CURRENT']['IDS'], $root);

+

+                $objSession->replace($session);

+                break;

+

             case 'copy':

             case 'create':

                 if (!$this->security->isGranted(ModalPermissions::USER_CAN_CREATE_MODALS))

@@ -115,6 +183,95 @@ class ModalDataContainerListener

     }

     /**

+     * @Callback(table="tl_vr_modal", target="config.oncreate")

+     * @Callback(table="tl_vr_modal", target="config.oncopy")

+     */

+    public function adjustPermissions($insertId)

+    {

+        $user = $this->security->getUser();

+        $userId = $user instanceof BackendUser ? (int)$user->id : 0;

+

+        // The oncreate_callback passes $insertId as second argument

+        if (func_num_args() == 4)

+        {

+            $insertId = func_get_arg(1);

+        }

+

+        if ($user->isAdmin)

+        {

+            return;

+        }

+

+        // Set root IDs

+        if (empty($user->modals) || !is_array($user->modals))

+        {

+            $root = array(0);

+        }

+        else

+        {

+            $root = $user->modals;

+        }

+

+        // The form is enabled already

+        if (in_array($insertId, $root))

+        {

+            return;

+        }

+

+        /** @var AttributeBagInterface $objSessionBag */

+        $objSessionBag = System::getContainer()->get('session')->getBag('contao_backend');

+        $arrNew = $objSessionBag->get('new_records');

+

+        if (is_array($arrNew['tl_vr_modal']) && in_array($insertId, $arrNew['tl_vr_modal']))

+        {

+            /** @var Connection $db */

+            $db = System::getContainer()->get('database_connection');

+

+            // Add the permissions on group level

+            if ($user->inherit != 'custom')

+            {

+                $objGroup = $db->executeQuery("SELECT id, modals, modalp FROM tl_user_group WHERE id IN(" . implode(',', array_map('\intval', $user->groups)) . ")");

+

+                foreach ($objGroup->fetchAllAssociative() as $group)

+                {

+                    $arrModalp = StringUtil::deserialize($group['modalp']);

+

+                    if (is_array($arrModalp) && in_array('create', $arrModalp))

+                    {

+                        $arrModals = StringUtil::deserialize($group['modals'], true);

+                        $arrModals[] = $insertId;

+

+                        $db->prepare("UPDATE tl_user_group SET modals=? WHERE id=?")

+                            ->executeQuery([serialize($arrModals), $group['id']]);

+                    }

+                }

+            }

+

+            // Add the permissions on user level

+            if ($user->inherit != 'group')

+            {

+                $objUser = $db->prepare("SELECT modals, modalp FROM tl_user WHERE id=? LIMIT 1")

+                    ->executeQuery([$user->id]);

+

+                $arrModalp = StringUtil::deserialize($objUser->fetchOne());

+

+                if (is_array($arrModalp) && in_array('create', $arrModalp))

+                {

+                    $arrModals = StringUtil::deserialize($objUser->modals, true);

+                    $arrModals[] = $insertId;

+

+                    $db->prepare("UPDATE tl_user SET modals=? WHERE id=?")

+                        ->executeQuery([serialize($arrModals), $user->id]);

+                }

+            }

+

+            // Add the new element to the user object

+            $root[] = $insertId;

+            $user->forms = $root;

+        }

+    }

+

+    /**

      * @Callback(table="tl_vr_modal", target="list.operations.copy.button")

      */

     public function copyModal($row, $href, $label, $title, $icon, $attributes): string

@@ -129,4 +286,20 @@ class ModalDataContainerListener

     {

         return $this->security->isGranted(ModalPermissions::USER_CAN_DELETE_MODALS) ? '<a href="' . Backend::addToUrl($href . '&amp;id=' . $row['id']) . '" title="' . StringUtil::specialchars($title) . '"' . $attributes . '>' . Image::getHtml($icon, $label) . '</a> ' : Image::getHtml(preg_replace('/\.svg$/i', '_.svg', $icon)) . ' ';

     }

+

+    /**

+     * @Callback(table="tl_vr_modal", target="list.operations.edit.button")

+     */

+    public function editModal($row, $href, $label, $title, $icon, $attributes): string

+    {

+        return $this->security->isGranted(ModalPermissions::USER_CAN_EDIT_MODALS, $row['id']) ? '<a href="' . Backend::addToUrl($href . '&amp;id=' . $row['id']) . '" title="' . StringUtil::specialchars($title) . '"' . $attributes . '>' . Image::getHtml($icon, $label) . '</a> ' : Image::getHtml(preg_replace('/\.svg$/i', '_.svg', $icon)) . ' ';

+    }

+

+    /**

+     * @Callback(table="tl_vr_modal", target="list.operations.editheader.button")

+     */

+    public function editHeaderModal($row, $href, $label, $title, $icon, $attributes): string

+    {

+        return $this->security->isGranted(ModalPermissions::USER_CAN_EDIT_MODALS, $row['id']) ? '<a href="' . Backend::addToUrl($href . '&amp;id=' . $row['id']) . '" title="' . StringUtil::specialchars($title) . '"' . $attributes . '>' . Image::getHtml($icon, $label) . '</a> ' : Image::getHtml(preg_replace('/\.svg$/i', '_.svg', $icon)) . ' ';

+    }

 }

@@ -14,6 +14,7 @@ namespace vonRotenberg\ModalBundle\Security;

 final class ModalPermissions

 {

+    public const USER_CAN_EDIT_MODALS = 'contao_user.modals';

     public const USER_CAN_CREATE_MODALS = 'contao_user.modalp.create';

     public const USER_CAN_DELETE_MODALS = 'contao_user.modalp.delete';

 }