From addf529b5c26affd35a787529fc776d04d3dc15c Mon Sep 17 00:00:00 2001
From: Andrew Paxley <andrewandante@gmail.com>
Date: Thu, 19 Oct 2023 14:16:36 +1300
Subject: [PATCH 1/2] add canInit method and CAN_DEV_GRAPHQL permissions

---
 composer.json                |  2 +-
 src/Dev/DevelopmentAdmin.php | 42 +++++++++++++++++++++++++-----------
 2 files changed, 30 insertions(+), 14 deletions(-)

diff --git a/composer.json b/composer.json
index 3352de9a..ca91d4e2 100755
--- a/composer.json
+++ b/composer.json
@@ -5,7 +5,7 @@
     "license": "BSD-3-Clause",
     "require": {
         "php": "^8.1",
-        "silverstripe/framework": "^5",
+        "silverstripe/framework": "^5.2",
         "silverstripe/vendor-plugin": "^2",
         "webonyx/graphql-php": "^15.0.1",
         "silverstripe/event-dispatcher": "^1",
diff --git a/src/Dev/DevelopmentAdmin.php b/src/Dev/DevelopmentAdmin.php
index f9a2f7d2..ccee22a6 100644
--- a/src/Dev/DevelopmentAdmin.php
+++ b/src/Dev/DevelopmentAdmin.php
@@ -8,14 +8,16 @@
 use SilverStripe\Control\HTTPRequest;
 use SilverStripe\Core\Config\Config;
 use SilverStripe\Dev\DebugView;
+use SilverStripe\Dev\DevelopmentAdmin as RootDevelopmentAdmin;
 use SilverStripe\Security\Permission;
+use SilverStripe\Security\PermissionProvider;
 use SilverStripe\Security\Security;
 use Exception;
 use Psr\Log\LoggerInterface;
 use SilverStripe\Core\Injector\Injector;
 use SilverStripe\GraphQL\Schema\Logger;
 
-class DevelopmentAdmin extends Controller
+class DevelopmentAdmin extends Controller implements PermissionProvider
 {
     private static $allowed_actions = [
         'runRegisteredController'
@@ -30,21 +32,12 @@ protected function init()
     {
         parent::init();
 
-        if (DevelopmentAdmin::config()->get('deny_non_cli') && !Director::is_cli()) {
+        if (RootDevelopmentAdmin::config()->get('deny_non_cli') && !Director::is_cli()) {
             return $this->httpError(404);
         }
-        // We allow access to this controller regardless of live-status or ADMIN permission only
-        // if on CLI.  Access to this controller is always allowed in "dev-mode", or of the user is ADMIN.
-        $allowAllCLI = DevelopmentAdmin::config()->get('allow_all_cli');
-        $canAccess = (
-            Director::isDev()
-            || (Director::is_cli() && $allowAllCLI)
-            // Its important that we don't run this check if dev/build was requested
-            || Permission::check("ADMIN")
-        );
-        if (!$canAccess) {
+
+        if (!$this->canInit()) {
             Security::permissionFailure($this);
-            return;
         }
 
         // Define custom logger
@@ -104,6 +97,29 @@ public function runRegisteredController(HTTPRequest $request)
         }
     }
 
+    public function canInit(): bool
+    {
+        return (
+            Director::isDev()
+            // We need to ensure that DevelopmentAdminTest can simulate permission failures when running
+            // "dev/tasks" from CLI.
+            || (Director::is_cli() && RootDevelopmentAdmin::config()->get('allow_all_cli'))
+            || Permission::check(['ADMIN', 'ALL_DEV_ADMIN', 'CAN_DEV_GRAPHQL'])
+        );
+    }
+
+    public function providePermissions(): array
+    {
+        return [
+            'CAN_DEV_GRAPHQL' => [
+                'name' => _t(__CLASS__ . '.CAN_DEV_GRAPHQL_DESCRIPTION', 'Can view and execute /dev/graphql'),
+                'help' => _t(__CLASS__ . '.CAN_DEV_GRAPHQL_HELP', 'Can view and execute GraphQL development tools (/dev/graphql).'),
+                'category' => RootDevelopmentAdmin::permissionsCategory(),
+                'sort' => 80
+            ],
+        ];
+    }
+
     /**
      * @return array of url => description
      */

From b47487df198180f8ac9a37ebfacd0987953fb4ff Mon Sep 17 00:00:00 2001
From: Andrew Paxley <andrewandante@gmail.com>
Date: Wed, 1 Nov 2023 08:48:05 +1300
Subject: [PATCH 2/2] ENH use init_permissions to match core PR

---
 src/Dev/DevelopmentAdmin.php | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/Dev/DevelopmentAdmin.php b/src/Dev/DevelopmentAdmin.php
index ccee22a6..14ae689b 100644
--- a/src/Dev/DevelopmentAdmin.php
+++ b/src/Dev/DevelopmentAdmin.php
@@ -28,6 +28,12 @@ class DevelopmentAdmin extends Controller implements PermissionProvider
         '$Action' => 'runRegisteredController',
     ];
 
+    private static $init_permissions = [
+        'ADMIN',
+        'ALL_DEV_ADMIN',
+        'CAN_DEV_GRAPHQL',
+    ];
+
     protected function init()
     {
         parent::init();
@@ -104,7 +110,7 @@ public function canInit(): bool
             // We need to ensure that DevelopmentAdminTest can simulate permission failures when running
             // "dev/tasks" from CLI.
             || (Director::is_cli() && RootDevelopmentAdmin::config()->get('allow_all_cli'))
-            || Permission::check(['ADMIN', 'ALL_DEV_ADMIN', 'CAN_DEV_GRAPHQL'])
+            || Permission::check(static::config()->get('init_permissions'))
         );
     }