adrian

Admin Restrict Branch

I'm not sure whether it's related to having this module installed or Lister/ListerPro by @ryan but I seem to be having issues displaying unpublished pages in Lister/ListerPro, and Ryan did mention to check on any other modules that modify permissions.

Is anyone else using this with custom Listers or ListerPro? If so, are users able to view their own unpublished pages OK?


@Kiwi Chris - even on a site without this module installed, I have to do this for users to see unpublished pages in ListerPro:

[screenshot]

Does that help?


@adrian I already have that option configured. In lister I get a message: 

Quote

Not all specified templates are editable. Only 'include=hidden' is allowed

I know this issue has come up before, and Ryan has asked people to check if they have anything that is hooking permissions.

With my site structure I have multiple clients who are restricted to what they can edit via this module, however they all have pages they can edit using common templates, so there will be some pages using a given template a user can edit and others they can't.

The template in question in my lister definitely is editable for the user, and published pages for the user show up fine.

I think AdminRestrictBranch is the only module I have installed that does hook permissions, so I thought it would be worth checking whether other people are using it and Lister/ListerPro together successfully. 

4 hours ago, Kiwi Chris said:

Not all specified templates are editable. Only 'include=hidden' is allowed

I see that notice with non-superusers even without this module installed. Have you tested with the module uninstalled, disabled, or with a user with no restricted branches?


@Kiwi Chris

Just looked at one of my sites and this is what I put in ready.php

// lets non superusers view unpublished and hidden pages in listers
// https://processwire.com/talk/topic/9346-not-all-specified-templates-are-editable-only-includehidden-is-allowed/?do=findComment&comment=143068
$this->wire()->addHookBefore('ProcessPageLister::getSelector', function($event) {
    $event->object->allowIncludeAll = true;
});

Does this solve your problems?

4 hours ago, adrian said:

@Kiwi Chris

Just looked at one of my sites and this is what I put in ready.php


// lets non superusers view unpublished and hidden pages in listers
// https://processwire.com/talk/topic/9346-not-all-specified-templates-are-editable-only-includehidden-is-allowed/?do=findComment&comment=143068
$this->wire()->addHookBefore('ProcessPageLister::getSelector', function($event) {
    $event->object->allowIncludeAll = true;
});

Does this solve your problems?

Thanks. This provided the result I needed. I actually added it to a custom module that added the hook, but same result.

5 hours ago, Kiwi Chris said:

Thanks. This provided the result I needed. I actually added it to a custom module that added the hook, but same result.

So just to confirm, do you agree that this module isn't having any impacts on the issue?

4 hours ago, adrian said:

So just to confirm, do you agree that this module isn't having any impacts on the issue?

Yes, I've now also confirmed on a site that doesn't have this module installed. I'll go back to @ryan and ask him about ListerPro. It has an option to include hidden + unpublished but doesn't actually do anything. Thanks for the workaround. If I get ListerPro working as expected without this module without needing a workaround, I'll recheck again with this module to confirm it has no side effects.

3 minutes ago, Kiwi Chris said:

I'll go back to @ryan and ask him about ListerPro. It has an option to include hidden + unpublished but doesn't actually do anything.

Did you read this thread? 

 

On 11/7/2019 at 8:28 AM, Kiwi Chris said:

Yes, I've now also confirmed on a site that doesn't have this module installed. I'll go back to @ryan and ask him about ListerPro. It has an option to include hidden + unpublished but doesn't actually do anything. Thanks for the workaround. If I get ListerPro working as expected without this module without needing a workaround, I'll recheck again with this module to confirm it has no side effects.

I've done some further investigation, and on a site without this module, Lister/Lister Pro will show hidden + unpublished as long as the template itself has access control set.

It won't work if only the parent has access control set. Access control must be explicitly set on the template in question, as Lister (Pro) doesn't appear to look at access control inheritance.

With AdminRestrictBranch installed, even if a template does have explicit access control, and no other modifications to access control, it does seem that the hidden + unpublished option in Lister/Lister Pro doesn't work, although using the include all hook, or doing the equivalent creating the lister via the API, setting allowIncludeAll property to true, and including include=all in initSelector property of the lister does provide the expected results.

2 hours ago, Kiwi Chris said:

Lister/Lister Pro will show hidden + unpublished as long as the template itself has access control set.

I see that too but it's weird to me that access permissions aren't inherited from the home template in this case. Why should we have to explicitly set permissions for the specific template for this to work? Do you agree or am I missing something?

2 hours ago, Kiwi Chris said:

With AdminRestrictBranch installed, even if a template does have explicit access control, and no other modifications to access control, it does seem that the hidden + unpublished option in Lister/Lister Pro doesn't work

Thanks, I can also confirm this - will see if it's fixable.


Ok, so I found the source of the problem: https://github.com/processwire/processwire/blob/4e4b3afdcbe9aef27d03170dab64dc6e8e6c5a4d/wire/modules/Process/ProcessPageLister/ProcessPageLister.module#L1100-L1106

Lister (the base version in the core) checks to see if a test page is editable but it doesn't ever set the parent:

// determine how many templates are editable
$test = $this->wire('pages')->newPage();
foreach($templates as $template) {
    $test->template = $template;
    $test->id = 999; // required (any ID number works)
    if($test->editable()) $numEditable++;
}

Without knowing the parent, when AdminRestrictBranch hooks into editable() it has to return false. If you want to test this out, add:

$test->parent = xxxx;

where xxxx is the ID of the branch parent you are restricting to - with that in place, you won't need the ProcessPageLister::getSelector hook.

I feel like that code in Lister is a bit hacky and will cause problems with lots of modules that hook into editable(). 

I am not sure this is a good way for me to work around this. Perhaps I could have an option in AdminRestrictBranch to automatically add this hook:

$this->wire()->addHookBefore('ProcessPageLister::getSelector', function($event) {
    $event->object->allowIncludeAll = true;
});

rather than having to add it manually.

But I still think it's really weird that for Lister to work as expected you can't rely on inherited template edit permissions in the first place. Although the reason for this is obviously the lack of parent for the $test page - it can't rely on inherited permissions because it doesn't have a template to inherit from.

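Added example, not part of the original thread and not ProcessWire or AdminRestrictBranch code: a standalone PHP 8 model of the probe described in the post above, showing why a parentless test page fails a branch-restricting `editable()` check and how setting a parent or `allowIncludeAll` changes the outcome. `ModelPage`, the function names, the sample branch path and the decision rule in `includeMode()` are assumptions made for illustration.

```php
<?php
// Standalone model of the check discussed above; runs without ProcessWire.
// ModelPage and all function names are hypothetical, not ProcessWire API.
final class ModelPage {
    public int $id = 0;
    public string $template = '';
    public ?ModelPage $parent = null;
    public function __construct(public string $path = '') {}

    // True when this page is the branch root or has it as an ancestor.
    public function isUnder(string $branchPath): bool {
        for ($p = $this; $p !== null; $p = $p->parent) {
            if ($p->path === $branchPath) return true;
        }
        return false;
    }
}

// Role-level check only: does the template grant this user edit access?
function templateEditable(ModelPage $page, array $editableTemplates): bool {
    return in_array($page->template, $editableTemplates, true);
}

// Branch restriction layered on top, as a hook on editable() would do.
// A page with no parent cannot be placed inside the branch, so it is denied.
function branchEditable(ModelPage $page, array $editableTemplates, string $branch): bool {
    return templateEditable($page, $editableTemplates) && $page->isUnder($branch);
}

// Lister-style probe: one throwaway page, template swapped per iteration.
function countEditable(array $templates, callable $editable, ?ModelPage $probeParent = null): int {
    $numEditable = 0;
    $test = new ModelPage();
    $test->id = 999;
    $test->parent = $probeParent; // null reproduces the behaviour in the thread
    foreach ($templates as $template) {
        $test->template = $template;
        if ($editable($test)) $numEditable++;
    }
    return $numEditable;
}

// Assumed decision rule, inferred from the notice text quoted in the thread.
function includeMode(int $numEditable, int $numTemplates, bool $allowIncludeAll = false): string {
    if ($allowIncludeAll) return 'all';
    return $numEditable === $numTemplates ? 'unpublished' : 'hidden';
}

// Constructed sample data: one client branch, one template the user may edit.
$branch     = new ModelPage('/clients/acme/');
$templates  = ['article'];
$canEdit    = ['article'];
$plain      = fn(ModelPage $p) => templateEditable($p, $canEdit);
$restricted = fn(ModelPage $p) => branchEditable($p, $canEdit, $branch->path);

$cases = [
    'no branch hook'               => includeMode(countEditable($templates, $plain), 1),
    'branch hook, no parent'       => includeMode(countEditable($templates, $restricted), 1),
    'branch hook, parent set'      => includeMode(countEditable($templates, $restricted, $branch), 1),
    'branch hook, allowIncludeAll' => includeMode(countEditable($templates, $restricted), 1, true),
];
foreach ($cases as $label => $mode) {
    printf("%-30s include=%s\n", $label, $mode);
}
```

The hook quoted in the thread sets `allowIncludeAll` on every Lister instance, so the template check is skipped for all non-superusers, not only branch-restricted ones.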

Hi Adrian,

we use your excellent module for a customer who wants to restrict access to users in exactly the way that your module provides (by role name). Now, they want to let some users act for more than one role name. This seems to be possible by activating the desired roles in user settings, but isn't working. I.e., the user always has access to the branch of the first limiting role, but not to further one(s). 

So, it looks like it is not possible to combine two or more restricted roles for one user?

Greeting, Thomas.


@xportde - hi Thomas.

Unfortunately with the way this module is built, it can only ever work for one branch.

There are other ways to achieve what you are looking for - this thread (https://processwire.com/talk/topic/1176-hiding-uneditable-pages-from-users/) contains lots of useful info, but keep in mind there are lots of hooks you'll need to implement to ensure everything is locked down - it's one thing to hide part of the page tree, but you also need to hide the pages from the top-level nav under Pages > Tree. You also need to prevent direct edit access to pages outside the allowed branches. You may also want to consider modifying the breadcrumbs (like this module allows). 

Honestly I think it's a shame that the core doesn't support this natively.

 


Hi Adrian,

thanks for clearing this up! No problem, if your module is intended for restricting to one branch, then we will suggest our client to use it that way.

Greeting, Thomas.


Will the custom PHP code option work with multiple statements? I have a tree structure like:
Members
-Member 1
 -page 1
 -page 2
-Member 2
Competitions
...

I want to restrict logins with role member to just their own member branch, and that works fine currently with: return "/members/" . ($user->name);

What I'd like to do is if a login has the role 'membership-secretary' set their branch to Members, and then any other admin roles to home, as I can use template permissions to prevent them accessing parts of the site they shouldn't, but I'm trying to make it easier on the 'membership-secretary' role so they only have to see the branch of tree they'll work with.

I understand the module doesn't support restricting to multiple branches simultaneously, but I don't think that's what I'm trying to do. I only want to grant access to a single branch to a given user, however depending on their role, they will have access at a different level in the page tree.

I had a go with 

if($user->hasRole('competition-secretary') || $user->hasRole('membership-secretary'){return "/members/";}else if($user->hasRole('member'){return "/members/" . ($user->name);}else{return "/"}

statement, but that caused a 500 error, so I'm just checking whether this kind of use case scenario is possible?

 


I think that should work, but your if statements are missing the closing ")"

You have:

if($user->hasRole('competition-secretary') || $user->hasRole('membership-secretary') {
    return "/members/";
}
else if($user->hasRole('member') {
    return "/members/" . ($user->name);
}
else {
    return "/"
}

instead of:

if($user->hasRole('competition-secretary') || $user->hasRole('membership-secretary')) {
    return "/members/";
}
else if($user->hasRole('member')) {
    return "/members/" . ($user->name);
}
else {
    return "/";
}

The error should go away if you fix the syntax.

I think you might also need a closing slash after $user->name to complete the path.

