Search the Community
Showing results for tags 'Access'.
-
Template Access A Process module that provides an editable overview of roles that can access each template. The module makes it quick and easy to see which templates have access control enabled (personally I like to ensure I've enabled it for every template) and to set the appropriate access per template. Usage The Template Access page under the Access menu shows access information for all non-system templates in a table. You can filter the table rows by template name if needed. Click an icon in the table to toggle its state. The changes are applied once you click the "Save" button. Sometimes icons cannot be toggled because of logical rules described below. When an icon cannot be toggled the cursor changes to "not-allowed" when the icon is hovered and if the icon is clicked an explanatory alert appears. A role must have edit access before it can be granted create access. If the guest role has view access for a template then all roles have view access for that template. https://github.com/Toutouwai/ProcessTemplateAccess https://processwire.com/modules/process-template-access/
-
Hi there! And thanks for Processwire! I've got an interesting case concerning access to current user page. It appears that PW somehow limits access to the frontend page of current user. I'm speaking about a specific PW configuration. We have two kind of users: 'regular' users with native user template and member users with specific member template and specific members parent page (by the way, it's so cool that PW allows to use custom user templates and custom parent for certain user pages!). So a member with name Joe has a page with member template and url like /members/joe . The members template has some access limitations: only member users can see pages with member template. It works like a charm in most situations. For example, user Bill (who has member template and is logged in) can browse a page with url /members/ann which also is a member page with member template. And now, meet the glitch! The above-mentioned Bill cannot get to his own page /members/bill ! PW generates 404 page instead. I see no reason for this behavior. From my point of view any member should have access to any member page in this situation. What am i doing wrong? Any advice is welcome!
-
Access By Query String Grant/deny access to pages according to query string. Allows visitors to view protected pages by accessing the page via a special URL containing an "access" GET variable. This allows you to provide a link to selected individuals while keeping the page(s) non-viewable to the public and search engines. The recipients of the link do not need to log in so it's very convenient for them. The view protection does not provide a high level of security so should only be used for non-critical scenarios. The purpose of the module was to prevent new websites being publicly accessible before they are officially launched, hence the default message in the module config. But it could be used for selected pages on existing websites also. Once a visitor has successfully accessed a protected page via the GET variable then they can view any other page protected by the same access rule without needing the GET variable for that browsing session. Superusers are not affected by the module. Usage Install the Access By Query String module. Define access rules in the format [GET variable]??[selector], one per line. As an example the rule... rumpelstiltskin??template=skills, title~=gold ...means that any pages using the "skills" template with the word "gold" in the title will not be viewable unless it is accessed with ?access=rumpelstiltskin in the URL. So you could provide a view link like https://domain.com/skills/spin-straw-into-gold/?access=rumpelstiltskin to selected individuals. Or you could limit view access to the whole frontend with a rule like... 4fU4ns7ZWXar??template!=admin You can choose what happens when a protected page is visited without the required GET variable: Replace the rendered markup Throw a 404 exception If replacing the rendered markup you can define a meta title and message to be shown. Or if you want to use more advanced markup you can hook AccessByQueryString::replacementMarkup(). $wire->addHookAfter('AccessByQueryString::replacementMarkup', function(HookEvent $event) { // Some info in hook arguments if needed... // The page that the visitor is trying to access $page = $event->arguments(0); // An array of access keys that apply to the page $access_keys = $event->arguments(1); // The title $title = $event->arguments(2); // The message $message = $event->arguments(3); // Return some markup $event->return = 'Your markup'; }); Screenshot https://github.com/Toutouwai/AccessByQueryString https://modules.processwire.com/modules/access-by-query-string/
- 11 replies
-
- 16
-
-
-
Some context: I want to use PHP variables in my CSS (more info below) and found a solution on CSS-tricks that looks fairly elegant and somewhat solid to me. It's pretty simple, I created a file style.css.php inside the site/templates/ directory and load that in my page head. In style.css.php is the following: <?php header("Content-type: text/css; charset: UTF-8"); header("Charset:utf-8"); if ($homepage->hero_image) { echo <<<CSS .hero { background: url($homepage->hero_image->url) no-repeat; } CSS; } ?> Because of the following RewriteCond (line 373) in the htaccess file the server sends a 403 error back when the file is requested: # Block access to any PHP or markup files in /site/templates/ or /site-*/templates/ RewriteCond %{REQUEST_URI} (^|/)(site|site-[^/]+)/templates($|/|/.*\.(php|html?|tpl|inc))($|/) [NC,OR] (My htaccess file is @version 3.0 and @htaccessVersion 301) This is how I thought I could fix that (based on these answers on stack overflow) but it does not work: # Block access to any PHP or markup files in /site/templates/ or /site-*/templates/ RewriteCond %{REQUEST_URI} (^|/)(site|site-[^/]+)/templates($|/|/((?!style\.css).)*\.(php|html?|tpl|inc))($|/) [NC,OR] I tested the rule with htacess tester and htaccess check and both worked for me, but on my site I still get a 403 instead of the file. I'm working on localhost, using MAMP (not sure if that's relevant). A bit more about what I want to do achieve specifically: I want to use an image as a background-image for an element, not place it as an image. This image is provided by the user via a field and can therefore change. I know I can achieve this like this: echo "<section class='hero' style='background-image: url($page->hero_image->url)'></section>"; But I would prefer a method other than inlining because of scalability and cleanliness. (I admit the extra link in the page head is not ideal either) P.s. this is my first post here, I hope it's submitted in the right forum and my explanation is clear. -
Hi guys and ladies! And thanks for Processwire! It appears i've got an interesting issue concerning the template-settings-based PW redirects dealing with access control. Any PW template has some access control options i.e. "Login redirect URL or page ID to render". If this option is used for a page having a template with this option filled, a redirect will occur if user is not logged in and/or has insufficient access rights. I like to hook PW events. In one of my current projects i decided to write an addHookBefore('Session::redirect', ...) which should store the page we are being redirected from. With "regular" redirects like $session->redirect('/somewhere/') this hook works like a charm. But it was strange to see that it doesn't work with the template-settings-based redirect. I'm too dumb to dive deep inside PW and to examine the whole PW session mechanism. But it could be rather logical if ANY redirect ( no matter template-settings-based or using $session->redirect() ) could be hooked in the same manner. Okay okay i can forget about template-settings-based redirect and write my own. Just a couple of lines of code, and it works. But it's less elegant than hooking the template-settings-based redirects. So am i missing something? It this behavior a bug, or is it intended by PW team? Thanks in advance for any comment! -
Hi. I'm currently stuck at the login page in my project. Once I enter my admin username and my password and press login, nothing happens. The page just reloads. However, the URL changes from http://myipaddress/processwire to http://myipaddress/processwire/?login=1. I've checked all of my server settings, and to my knowledge, all seems to be fine there. I don't know where to go from here.. Thanks in advance!
-
Hi, this is the first we are trying to make a page that has only one type of user that has access to every page. The other users should only have a given access to specific pages, not to the whole template. My structure -Field -Organisation -Project -Report I want that the "measurer" role only has access to "project x" and it's children, but no view access to every project, organisation or field. I've tried to do this with https://modules.processwire.com/modules/page-edit-per-user/ but it still needs a view access to the whole tree to see the "project x" page. Or is there something I haven't figured out? Maybe I have to make it via the API: a select field in the "organisation" template where the admins could add the users and then I use hook to update the privileges? Have you done something like this and how did you accomplish it? Any help would be appreciated.
-
It seems to me that access control in PW is powerful but quite complex. Does anyone know of a tutorial/blog etc. that covers these complexities. I particular, how to make sure that the end result achieves the required access control. From what I have learned so far, a number of things interact: • Whether a page is published, unpublished or hidden • The access given to users of a template • Field level access – both global and as over-ridden in a template • Whether or not a template has an associated php template file • The output formatting of a page, set in a php script (false can disable field-level access controls) These need to be considered in combination to determine what is the actual level of access in any situation. Is there any way of getting an overview of all this? For example, if there is no guest access to a template then that restriction will also apply to any API invoked by a guest action which requires access to a page instance of that template. The only way I can see to allow API access but to prevent direct access is to allow guest access to the template, but not provide a template php file. Is this secure? Also, if fields have restricted access (e.g. no guest access), then any API invoked from the front-end (including webhooks) will not be allowed to see the contents (this is achieved by blanking the contents in formatting). Over-riding this can be achieved either by setting the relevant option on the Access tab of the restricted fields, or by turning off output formatting for the affected page just before accessing it (e.g. $p->of(false); ). See discussion at
-
Hey, - we made a page as admins - as admins each <img> tag is loaded and images are displayed - we tested the page as a pre-definded test user which is "guest" (Admin Theme: Reno) - as test user each <img> is missing and so no image is displayed I checked this in dev-mode on firefox and chrome. Does anyone have an idea or has had similar issues? Thank you in advance. Marcel
-
Hi all. We've created a private log-in area for a client on their site that is restricted on a roles basis. Is there a simple solution available to let them upload files to a file field and then choose individual users that can access individual files? Does that make sense?!... it's hard to search for answers to this as all results pertain to server file permissions.
-
Note - I've not set this up, I'm not experienced, I'm probably omitting much relevant information as a result so this post will be a bit of a work in progress. The answer may be on the forum here - If it is I can't tell for lack of experience (I've looked). I cannot for the life of me get an install to work and I've tried a lot, and I've asked others who're also struggling but I'll try posting here before another CMS as I've heard it's nice. Info about the server : https://gist.github.com/65086fbc7b5dd03abd0f0461b9c0ec8b I'm using the `stable` version of Processwire. My `htaccess` file is working - you can test here http://rightangle.space/ and click on the admin page to see the internal server error. Here is the htaccess file https://gist.github.com/3b805b8ab3c7978aca90a6e39773da00 Here is the /etc/apache2/apache2.conf file https://gist.github.com/2b2f2518ce7df4af4739413bc967cf56 Here is the /etc/apache2/sites-enabled/000-default.conf file https://gist.github.com/400cc958ff32dfb6df80693fd8531f08 Here's the output of tree -fa /var/www/ https://gist.github.com/a3569becd9889b4b05c4f0d0a8a561d7
-
Being a newbie in ProcessWire I was wondering, whether I could have simple subdirectories on my webserver (serving specific self-developed php-apps) and use PW's built-in user management, to grant or deny access to those directories for specific users and groups. I was trying to wrap my head around LDAP for this, but it's not too easy to install on virtual servers running Plesk from my experience. So I thought I could possibly use PW's built in mechanisms for this purpose. Any ideas? Thanks in advance to the community!
-
I used Profields: repeater Matrix to create a field. One of the repeater matrix types contains a repeater field. As a superuser I can create new entries within the nested repeater field. Any user that does not have superuser access cannot create new entries or expand existing entries. When a non-superadmin tries, the following JQuery error can be seen in the console: Uncaught Error: Syntax error, unrecognized expression: {"error":false,"message":"The requested process does not exist"}. “Repeater item visibility in editor” and “Repeater dynamic loading (AJAX) in editor” options are set to the default entries. I am using ProcessWire 3.0.62 and Profields Repeater Matrix 0.0.4
-
Hi there, I'm trying to imitate an application built on Microsoft Access, so far I have been able to create most of the functionality, I only lack a part destined to enter records that depend on a parent. I am attaching an image from Microsoft Access, where you can see the functionality that I need to create. I would like to be able to add each of those child records on the same template form for the Parent, then when I list the records of the Parent, I can get all the reports per client and in each of those reports the children records. It would be possible to build this with Processwire? Thank you!
-
Hi, I know this may be trivial question but please forgive newbie. I would like to implement a set of pages that each collect email address from the target audience and in exchange sends small pdf attachment to the customer with perhaps WireMailMailgun?
-
I'm working on a production site from 2012, running Processwire 2.3. We have an image field called 'main_teaser_image' that's used by various teasers/widgets across the site. When the image field is used in a standard widget, both Superusers and Editors can edit/crop the image. However, when the image is inside a Repeater field (used to create slider/carousel widgets), only Superusers can edit/crop the image. Editors receive the error: 'Not Editable' (see screenshot). I have tried to adjust the main role permissions, the page permissions and template (widget) permissions, all to no avail Any help would be greatly appreciated... I'm gonna get a coffee...
-
I hid/set aside the old /wire/, index.php, and .htaccess, as well as /site/config.php. Debug=1. $config->urls->admin = /pw/, as it's set as. I'm finding that others are encountering a similar issue but haven't found any solution yet, at least none that works for me. Please help, thanks much -
I'm not sure that I really follow this page; http://imgur.com/a/hCxqg I've created a database when setting up the server, so I'm presuming that this is what's being asked for here? The page linked for getting setup http://webdesign.tutsplus.com/tutorials/how-to-install-and-setup-processwire-cms--cms-25509 doesn't really mention anything about these fields. After trying to use the user name on the server, and the password that I entered when setting up the mySQL to start with I got the following error (so I had filled in "DB Name"={some name that I thought up }, "DB user" = {name of user on server}, "DB pass" = {pass i set up for mySQL}); http://imgur.com/a/cgFKq After this i tried using db name; {whatever} db user; {name of user on server} db pass; {password for user on server} This didn't work either, so I'm not sure what I'm meant to put here.
-
Hey! I just finished working on a website for a client. To restrict the use of PW for the client (so he can't brake the website), I created a new User and asigned some permissions. The problem is, that the link to the page tree is missing, when I login with the new user (see screenshot). Only the "Add New" shortcut works. When Iam logged in as admin, everything works fine. I never had this problem before. Iam using PW 3.0.25 Any Ideas? THX!
-
I have a template that is used for one page, "tracks" (tpl & pg name). Under the Access tab the "uploader" role is checked for View Pages, Edit Pages, and Add Children. I even added a page-edit-tracks_upload permission via Page Edit Field Permission module which is enabled for "uploader" and yet when I try to edit the tracks page as a regular uploader, I get "ProcessWire: You don't have access to edit", "The process returned no content." The uploader in question did not create the page but I want any uploader to be able to edit this one field of the page (none others exist besides the title and settings fields). How can I achieve that?
-
Short question: Is it possible? Longer explanation: I have a rather big product cataloque which is viewable for registered users only. We now want to open it to the public. In the valued spirit of "I'd rather take 30 minutes to script something than 20 minutes to do it manually" I am looking for a way to change the access of 50 or so templates to "viewable for guest" but I can't find an API method. Can anyone help? Thanks, thomas
-
I'm trying to hide some of the pages on my website from users that are not logged in. I'm trying to achieve this by changing the settings of the page's template like so: This hides the page from my navigation which is good, but it doesn't block the user from surfing to the page directly which I think should be happening if I interpret the settings correctly? When I first encountered this issue I was running PW 2.6 but I've since updated to 2.6.8 alas to no avail. I hope someone will be able to help me out and I will be happy to provide more information about this issue if need be. I'm currently working around this issue by adding a $user->isLoggedin() include to my pages but this isn't as clean as setting the permissions directly from the CMS imo.
-
I have a system set up in processwire whereas I have an Editor role that can edit content of pages. On my site I have pages like the Home Page, Contact Us, etc, whereas I want them to be able to edit the page content. On the other hand, I have a page set up with children for a product gallery that I want them to be able to add, edit and delete categories and products within each category. For example: (edit only) Home [edit] Contact Us [edit] Product Categories ..... Celing Fans [edit] [add] [delete] ............ ceiling fan #1 [edit] [add] [delete] ..... Lamps [edit] [add] [delete] ............. lap #1 [edit][add][delete] And so on. In my Editor role I enabled page-delete, however, I want page-delete not to show up on the home page, contact us, only in the product category and product pages. Any help is appreciated. thanks,
-
We have an internal company site that we use to document specifications for software development. Currently, we use Adrian's ProtectedMode module to restrict the site to logged-in users, but one of the engineers just noted that uploaded files are (naturally, given the scope of the module) visible without authentication. While this isn't a huge risk (you have to know the URL to view an uploaded file), it is technically a security issue since we have lots of proprietary things attached to pages on the site. Any ideas on how I could lock down these files so you have to be logged in to view them?
-
Hello together, this is my first post in this forum. I like to do the following: I have some users, let’s say 20-30 people that should only be able to edit their own pages. By using the "Page Edit Per User" module it’s mostly working in this way, that the user can edit his own page, okay. The problem is, that the user must be given the rights to add children pages, edit and sort them in the page tree inside "his" main page and it seems that the "Page Edit Per User" module is just limited. Let me give you an example. I have the following tree: Home Page 1 - Children 1.1 - Children 1.2 - Children 1.3 Page 2 - Children 2.1 - Children 2.2 - Children 2.3 . . . So, I also have two users: User 1 and User 2. User 1 needs to be the following rights: Edit, Delete, Move all children pages for Page 1 all other actions are not allowed. So, User 1 can NOT delete his main page, Page 1 or any other page "outside" Page 1. Any ideas on how to solve that? Thanks so much in advance for your ideas. -Thomas
