
Admin Restrict Branch


adrian


Thanks @tpr - I did think about the breadcrumbs issue, but wasn't actually sure if it should be modified or not - perhaps it is actually useful for editors to know where their branch fits in the site (even though they don't have access to the rest of it). Perhaps this could be an optional change?

I am curious about your comment about setting up the roles and permissions being a huge amount of work - do you feel like it was extra work because of this module, or just because of the way PW roles and permissions work? In my experience with this module so far, it actually reduces the complexity of the setup, because I can actually give all roles full editing privileges inherited down from the "home" template, knowing that they can't actually mess with any pages that aren't in their restricted branch, but I can see situations where you still might want to restrict what they can do within templates within the branch, but for that I am finding the new "Additional edit permissions and overrides" setting in the template access tab incredibly useful.


  • 1 month later...

I guess you're aware that inserting links using the autocomplete field in the CKEditor lists pages outside the restricted branch. Is there anything that can be done here? For me it's OK to only hide the autocomplete field for now.


I guess you're aware that inserting links using the autocomplete field in the CKEditor lists pages outside the restricted branch. Is there anything that can be done here? For me it's OK to only hide the autocomplete field for now.

Actually I hadn't noticed that - thanks for pointing it out.

Sorry it's taken so long to get to, but the latest version of the module now has a new config setting to optionally exclude pages outside the restricted branch from the search results of pages. 

Please test and let me know if you find any problems.


This is great, thanks!

Also seems to honor "Branch edit exclusions" so it's even better.

Just a side note: my current setup has identical page names so a few pages come up twice, but that's because of my custom path hook. However, this is only a cosmetic issue as those paths are the same, selecting any of those is OK.


Hello Adrian,

Sorry to bother you.

References :

https://processwire.com/talk/topic/2074-module-page-edit-field-permission/?p=110862

https://processwire.com/talk/topic/2074-module-page-edit-field-permission/?p=111223

All of a sudden, almost everything seems restricted for this user.

"How to match user to branch" is set to "Specified Branch Parent".

"Branch parent to restrict access to" is (still) set to nothing for this user.

(Could it be that an old test setting has reappeared?)

Perhaps I should reinstall it and see what happens.

Edit: I've rapidly uninstalled it and then reinstalled it (without removing the folder via ftp).

I've set it to "Specified Branch Parent".

I've only restricted the access (to the "Membres" section of the tree) for 3 users (with the "membres" role).

But the user (with the simpleuser role) that I haven't restricted to anything is restricted to almost everything now. It wasn't the case before.


Hello,

Do you mean the number of branches that are restricted?

There was only one.

I've just restricted the user (who has/had the issue) to the homepage and now it works.

Edit: perhaps it is what should always be done if the user doesn't have the superuser role...(?)

But I wonder why this happened, as, if I remember well, I had not changed anything for this user before I noticed this problem.

(I'm a little bit "worried" something like that could reappear. But now it shouldn't.)


@Christophe - sorry you are having trouble - I am curious about "all of a sudden" - I feel like something must have changed. I did add some new functionality yesterday, but this shouldn't be an issue - what version of the module are you running?

Did you update PW or anything else between when it was working as expected and now?

But the user (with the simpleuser role) that I haven't restricted to anything is restricted to almost everything now.

I don't really understand this - "restricted to everything" - does that mean the user is restricted from access to everything or that they can see everything when they shouldn't?

I see in one of the threads you linked to that you are also using code in your ready.php - is the problem still there if you remove that code?

does it support multiple branches ?

@adrianmak - no it doesn't support multiple branches - it would have to be re-written completely for that and there are some core PW issues that would currently prevent this from working perfectly. It is also not really the goal of this module - it was designed for sites that have user specific parent branches - it is not really for hiding or restricting to a variety of sections. You might look at: https://processwire.com/talk/topic/1176-hiding-uneditable-pages-from-users/?p=84916 as a usable but not ideal solution.


Hello,

Do you mean the number of branches that are restricted?

There was only one.

Now, I have restricted the user (who has/had the issue) to the homepage and now it works.

But I wonder why this happened, as, if I remember well, I had not changed anything for this user before I noticed this problem.

I'm a little bit "worried" something like that could reappear.

I still don't fully understand what is going on - does restricting to the homepage mean they now have access to everything, but before they weren't getting access to anything?

I wonder if maybe there are some config settings being left in the system that are conflicting? Can you post the contents of the data field for the module's settings - you'll need to get this via PHPMyAdmin or similar - modules table - grab the entry for this module - maybe there will be a clue in there?


Hello,

Version 0.1.9. Now 0.2.0.

I don't remember updating something.

I've done what is here: https://processwire.com/talk/topic/2074-module-page-edit-field-permission/?p=110990

ready.php doesn't seem to change anything now.

"Restricting to the homepage means they now have access to everything, but before they weren't getting access to anything" -> Yes (it's just one user account involved). It was only getting access to this:

https://processwire.com/talk/topic/2074-module-page-edit-field-permission/?p=111223 (first two images attached).

Coming back with "the contents of the data field for module's settings".

Is this what you want?:

{"matchType":"specified_parent","branchesParent":null,"phpCode":"","restrictType":"editing_and_view","branchExclusions":[]}

Going to bed (it's very late/early). Perhaps going to eat before :).


Thanks for those settings - everything looks normal for using the "specified_parent" option. 

I wonder if the "Branch parent to restrict access to" setting on the user's setting page was set to something unexpected before you changed it to "home". Can you try resetting it to the desired branch to see if the problem returns?

If it does return I wonder if you'd consider giving me access to the PW so I could investigate if there is some strange conflict?


Just popped in to say that the module works pretty well. I've set up roles and permissions (which was a huge work), and I could achieve a state where everything is working as it should on the site.

The only glitch I see is that when editing a page (with a restricted branch user), the breadcrumb on the top shows items above the restricted branch too:

Home -> Page1 ->  Page2 (ARB top level) -> Page3 (-> Page4 under edit)

"Home" and "Page1" should not be visible as they are above the restricted branch. Fortunately clicking on them goes to the restricted branch top, so no harm is made. On the top level the breadcrumb is OK.

@tpr - I have just added an option to modify the breadcrumbs to remove pages that are outside the restricted branch. It seems to be working well here, but please let me know if you notice any problems.

It's a new config setting option that needs to be checked.

This example is for a user restricted to "Branch One"

Modified Breadcrumb:

[screenshot]

Full / Unmodified Breadcrumb:

[screenshot]


  • 1 month later...

Hello,

I can't get this module to work - perhaps you can help me.

I have a very simple page tree:

[screenshot]
All of the first level pages (under "home") have the same template. So it is not possible to restrict a branch via user roles. But AdminRestrictBranch should do this... - but how?

Let's say I would like to restrict the user "test" to the branch "projekte".
So in the module under "how to match user to branch" I choose "Role Name":
[screenshot]

Then I add a new role "projekte":
[screenshot]
Which boxes do I need to check there?
Then I add this role to the user "test":
[screenshot]

What do I have to set in the template options?
[screenshot]

Are there other permissions the user should get in order to get this module to work?
Whatever I tried - the result is: The users have same permissions to all the first level pages in the tree.

Would be great if you can give me some help ...!
 

Hi @planmacher - it looks to me like your setup should work. The one obvious thing to check is that the "name" of the Projekte page is actually "projekte" - I assume it is, but it might be different. Can you confirm that first before we investigate further?

EDIT: I just realized - you also need to make sure that projekte role has edit permissions on the home template that inherit down, or on the template of the Projekte page.


Hello and thanks for reply!

So again...

Module:

[screenshot]

User:

[screenshot]

Hometemplate:

[screenshot]

And the name of the "projekte" page is really "projekte".

[screenshot]

Tried it even with another role and template name. Always the same: The permissions to the user are the same for all the pages.

Any ideas??


  • 1 month later...

FYI, just tried this in 3.0.10 using PHP to say what the branch is:

return ($user->hasRole('editor')) ? '/data/' : '';

   Edit: I see it wants a name, not a path. Made that change but no difference, still repeats.

The odd thing is that the page tree now shows up like this (note repetition):

Data

  Alpha

  Bravo

  Charlie

  Alpha

  Bravo

  Charlie


Hi @SteveB, I just tested using that approach (with "data" instead of "/data/") and it looks to be working just fine here.

You have me thinking though that maybe the custom PHP code approach should be path, not name. I'll need to think about this more. 

In the meantime, is there any chance I can get access to this PW install to see if I can figure out why you are getting that repetition? I am sure it won't be hard to fix once I know why.


Still waiting to hear from you @SteveB!

But in the meantime I thought a little more about name vs path matching and I have made some additions in this area.

You can now either return a name or a path in the custom PHP code option. Path is the recommended option. This change doesn't affect the other two matching modes, but it should make this mode more efficient.


Sorry about the delay. If I pick a different branch I don't get repetition.

Thought maybe it's some conflict with something I've done but the only thing I'm doing with permissions is in a modified ProcessPageAdd where I changed ___executeNavJSON() and ___execute() so I can allow certain roles to add pages in certain places. It can override allowed parent and allowed template for a page add request but that's the extent of it.

What would make whatever builds the Page tree cycle through twice?

Edit...

Further tests:

Works fine if I specify the name of a child of the branch that repeats.

Tested without my modified ProcessPageAdd and it made no difference.


Sorry about the delay. If I pick a different branch I don't get repetition.

Thought maybe it's some conflict with something I've done but the only thing I'm doing with permissions is in a modified ProcessPageAdd where I changed ___executeNavJSON() and ___execute() so I can allow certain roles to add pages in certain places. It can override allowed parent and allowed template for a page add request but that's the extent of it.

What would make whatever builds the Page tree cycle through twice?

It would be a good start to temporarily revert to the default core version of ProcessPageAdd to see if that fixes the repetition. 

This module does hook into Page::addable() and Page::editable() to prevent editing and adding to pages outside the restricted branch. We're getting off topic, but perhaps you should use those hooks rather than editing the core ProcessPageAdd - at least I think you should be able to achieve what you want with those hooks - btw, these are not listed in Captain Hook which is why you may not know about them.
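
The two hooks named in the reply above, as an added example for site/ready.php that is not part of the original post and is not the module's own code. The role name "editor" and the branch path "/data/" are taken from the earlier post in this thread; the helper name isInsideBranch() is hypothetical.

```php
<?php namespace ProcessWire;

// site/ready.php - added illustration, not the AdminRestrictBranch source.
// Assumptions: role "editor" and branch "/data/" come from the post above;
// isInsideBranch() is a hypothetical helper name.

/**
 * True when $page is the branch root itself or one of its descendants.
 * The check walks the parent chain and compares page objects, not page
 * names, so two pages sharing a name in different places are not confused.
 */
function isInsideBranch(Page $page, Page $branchRoot) {
    if(!$branchRoot->id) return false;            // branch not found: fail closed
    if($page->id == $branchRoot->id) return true;
    return $page->parents()->has($branchRoot);
}

$restrict = function(HookEvent $event) {
    if(!$event->return) return;                   // core already denied: keep it denied
    $user = $event->wire('user');
    if($user->isSuperuser() || !$user->hasRole('editor')) return;

    // Resolve the branch by path, which is unique, rather than by name
    $branchRoot = $event->wire('pages')->get('/data/');
    if(!isInsideBranch($event->object, $branchRoot)) {
        $event->return = false;                   // outside the branch: deny
    }
};

// Page::editable() and Page::addable() are added by the core PagePermissions
// module. Hooking after them means this code can only narrow what core allowed.
$wire->addHookAfter('Page::editable', $restrict);
$wire->addHookAfter('Page::addable', $restrict);
```

This narrows editing and adding only; it does not remove pages from the page tree, the breadcrumbs or the link autocomplete discussed earlier in the thread.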
