
Permission per user/page


norboo

Hi!

I've been trying to put together the bits I found on the forums about permissions/users/login etc. but still can't figure it out.

I want to have a simple Network application that will list the students from a certain University involved in some common projects.

Projects:

-Project1

--Student1

--Student2

--StudentX

-Project2

--Student3

--Student4

--StudentY

StudentX is a page where UserX can write updates for his assignment. How can I create permissions for UserX to be able to edit only his page, StudentX? StudentX can't edit/create any other page.

If you can point me in the right direction, I'd really appreciate it.

Norboo

Link to comment
Share on other sites

StudentX is a page where UserX can write updates for his assignment.

This will happen in the backend or frontend?

edit: I think I can deduce from your other post that you want to do it on the backend :)

Link to comment
Share on other sites

Hi!

I don't really know. Which way will be better?

Probably backend, because I'll not have to create another login form and another admin template. Right?

Can you explain to me a bit what it will imply for each solution (backend/frontend)? It may be helpful for other newbies like me. :o)

Thanks!

Paul

Link to comment
Share on other sites

If you do it on the backend, I'm not sure how to.

If, on the frontend, you can easily put on your template some logic that only allows the user with the same name as the page to see it:

if($user->name === $page->name){
 echo "you are allowed ";
}else{
 echo "you are NOT allowed ";
}
Link to comment
Share on other sites

PW's admin is built with the intention of administrative users, so doesn't do what you are asking out of the box unless you give each user their own template to edit. However, you may code your front end (site template files) to provide access to any page fields that you want to, and that's the recommended way to give non-administrative users access to manipulate data in your site. From that standpoint, you can do nearly anything, but it does take a little code. The option Diogo mentioned is a nice simple way of handling this kind of stuff. If you can go into more detail about what fields on a page a student might edit, we may be able to get a rough example going in this thread. Also wanted to mention that you can achieve this on the back-end with a custom module, and it's not that hard to do. But since you mentioned students, I was thinking that sounds more like a front-end scenario.

Link to comment
Share on other sites

Ryan, Diogo,

Thank you very much for your replies.

The structure of my website will be:

-------------

Project

-------------

-project name

-project description ->textarea field

-list of students involved in this project

-simple login form so students involved can edit their Profile or Student page.

<<Join this Project>> (a link to a registration form for students who want to join this project)

------------

Student

------------

Here I want to have three tabs easily outputted on frontpage with jqueryUI and on backend with "jquery wire tabs"

[1]About Tab

----Profile Image->image field (retrieved from the Registration Form)

----Student bio->textarea field (each student can write a bit about him/herself/ also retrieved from the Registration Form)

[2]Project Updates

----Repeater

---------Update Image->image field

---------Update details->textarea field

[3]Contact

---a very simple contact for sending direct messages to each student (email retrieved from the Registration Form)

----------------------

Registration Form

----------------------

---Student Name (all the users will be students. No other type of users will be allowed)

---Bio (used on the About Tab)

---Profile Image (used on the About Tab)

---Email (used on the Contact Tab form, hidden for the public)

---Project (a dropdown list of existing Projects. Field already populated if sent from <<Join Project link>> displayed on each Project page)

I don't know if it will be possible to create automatically a StudentX page on UserX registration using the above form under the Project they choose from the dropdown menu.

Thanks a lot! I'd really appreciate your help. I've been trying to accomplish this with other CMS/ CMF but none supports the user/page permission I want and also the automation of Student page.

Link to comment
Share on other sites

I'm not sure that I understand the question, but I think I get roughly what you are trying to do here. Because you're building something pretty custom, I think you'll be using ProcessWire as a framework more than a CMS here. Though the work involved may be less than if you were using just a framework, though many of the tasks are likely to be similar. I think it would be best to build all of your student-editor needs on the front-end using old fashioned HTML forms rather than PW's admin. Then use PW's API to perform the creating and/or modifying of pages, which you would populate from your forms. That way you've got full control over everything, and are not trying to repurpose the PW admin as something it wasn't designed for. Though you certainly could use the PW admin, but I would be shy about any system that lets someone register and then have admin access (even if limited). Security will be a major consideration here as you build this out.

Link to comment
Share on other sites

Hi Ryan,

Thank you very much for your reply. I bet you are an extremely busy man and I appreciate taking time to answer my questions.

Yes, you are right, I'm looking for a framework and as I mentioned in my previous post, I tried several CMFs and even though they are extremely flexible, when it comes to very customized applications only you realize their limitations.

Just looking through the PW's API documentation, it seems to be able to do most of the things I want, but I only have to find the right flow.

I want to strip down the structure I posted before and have the following scenarios:

1. StudentX is a simple page with the following fields:

--title

--author (a hidden field to show the relationship with UserX)

--content->a textarea field

UserX is already registered and he logs in to edit his page. He has permission only to edit his own page and nothing else.

What will be the security concerns in this case if we allow the UserX to edit StudentX page in the Backend?

2. UserY is not registered yet.

He accesses the Registration form and StudentY page is created and he's redirected to that page and he will be able to add the content of the page.

Probably the Registration Form is not that difficult to create. Just create a template and add the right Processes to it. Right?

The biggest problem is the Editing. How can I accomplish that in the Frontend?

Diogo posted this chunk of code

if($user->name === $page->name){
 echo "you are allowed ";
}else{
 echo "you are NOT allowed ";
}

Can you elaborate a bit? What should I add in the "you are allowed case"?

And I was thinking that the condition should be in my case

if($user->name === $page->author){
 echo "you are allowed ";
}else{
 echo "you are NOT allowed ";
}

because I don't see the logic in user and page name to be the same.

Thanks again! And I hope you'll have time to help me with more advice concerning this application.

Link to comment
Share on other sites

if($user->name === $page->author){
 echo "you are allowed ";
}else{
 echo "you are NOT allowed ";
}

Of course you can do it, given that the user creates the page. The code I posted would allow you to do what you asked even if the page wouldn't be created by this user.

He accesses the Registration form and StudentY page is created

You can create a page on the fly like this

$p = new Page();
$p->template = $templates->get("person");
$p->parent = $pages->get(1015); // whatever page you want to be the parent; get() returns one Page, find() returns a PageArray
$p->name = $user->name; // I insist on this, like this you don't need the hidden field that you mentioned
$p->title = $user->name . "'s personal page";
$p->content = "write here something";
$p->save();

creating the form on the front end is not that difficult, in your case you can do something like this:

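<?php
// get() returns a single Page; find() returns a PageArray, which has no content field to set
$myPage = $pages->get("name=$user->name");
// start from the stored text so the form is pre-filled and $value is always defined
$value = (string) $myPage->getUnformatted('content');

if ($myPage->id && $input->post->content){
 $value = $sanitizer->textarea($input->post->content);
 $myPage->setOutputFormatting(false); // turn off output formatting before changing values
 $myPage->content = $value;
 $myPage->save();
}?>

<form name="form" method="post" action="<?php echo $page->url ?>">
 <label for="content">Content</label>
 <!-- entity-encode the value so submitted text cannot break out of the textarea -->
 <textarea name="content" id="content"><?php echo $sanitizer->entities($value) ?></textarea>
 <input type="submit" value="Submit" />
</form>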
Link to comment
Share on other sites
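
An added example, not part of the original thread or of ProcessWire's own code: the front-end edit handler from the post above, written as a student template file that checks login and ownership on the server, requires a CSRF token, and encodes the stored text on output. It assumes the convention used in this thread (page name equals the owner's user name) and a textarea field named content; the file name student.php and the submit button name submit_update are hypothetical.

```php
<?php
// student.php: template file for one student page (added example).
// Assumptions: page name == owner's user name, textarea field "content".

// The guest user is never the owner, even if a page happens to be named "guest".
$isOwner = $user->isLoggedin() && $user->name === $page->name;

if($input->post->submit_update) {
    // Authorize on the server for every write; hiding the form is not enough.
    if(!$isOwner) throw new Wire404Exception();
    // Reject submissions forged from another site.
    if(!$session->CSRF->hasValidToken()) {
        throw new WireException('Invalid or expired form token');
    }
    $page->of(false); // output formatting off before changing values
    $page->content = $sanitizer->textarea($input->post->content);
    $page->save('content'); // write only the field the owner may change
    $session->redirect($page->url, false); // 302, so a reload does not re-post
}

// Encode once and reuse for display and for the edit box.
$text = $sanitizer->entities((string) $page->getUnformatted('content'));
?>
<div class="student-content"><?php echo nl2br($text); ?></div>

<?php if($isOwner): ?>
<form method="post" action="<?php echo $page->url; ?>">
  <?php echo $session->CSRF->renderInput(); ?>
  <label for="content">Content</label>
  <textarea name="content" id="content"><?php echo $text; ?></textarea>
  <input type="submit" name="submit_update" value="Save" />
</form>
<?php endif; ?>
```

Because the handler only ever writes to $page, and only when the logged-in user's name matches that page's name, a student cannot change another student's page by altering the request.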

Wooow!

Thanks Diogo! I did something similar, but my solution wasn't as clean and clear as yours!

This forum is amazing!

I have two more questions, and probably more after those two will be answered :)

1. The registration form must contain the User creation also and I don't know the API for that, and after User and Student are created I have to redirect the User to the newly created Student page in order to add real content to it.

2. One reason I still have doubts about the Frontend solution is because I wanted to have a Repeater field as content, where users could post only "chunks" containing an image and some text. Is it possible to create a Module to do the same as above, but in the Backend? In this way all the fields would be already styled.

Thanks again! Really appreciate your help!

Link to comment
Share on other sites

1.

True, I didn't find it on the API or on the cheatsheet... but to get the creation timestamp of page you use $page->created, so I tried $user->created, and it worked :)

You can use it like this:

$created = date('Y-m-d H:i:s', $user->created);

edit: forgot the second part of 1.

you can use

$session->redirect($myPage->url);

after the page creation code (this must be done before any markup output)

2.

I guess it's possible to create the module, or maybe it's even easier to reproduce the repeaters on the frontend. But I will let others help you with that...

Link to comment
Share on other sites

1. The registration form must contain the User creation also and I don't know the API for that, and after User and Student are created I have to redirect the User to the newly created Student page in order to add real content to it.
$student = $users->add('norboo'); 
$student->pass = 'some password';
$student->save();

$studentPage  = new Page();
$studentPage->parent = '/path/to/student/pages/';
$studentPage->template = 'student';
$studentPage->name = 'norboo';
$studentPage->title = "Norboo's Student page";
$studentPage->save();

$session->redirect($studentPage->url); 

2. One reason I still have doubts about the Frontend solution is because I wanted to have a Repeater field as content, where users could post only "chunks" containing an image and some text. Is it possible to create a Module to do the same as above, but in the Backend? In this way all the fields would be already styled.

If you need something to hold an image and some text, this is what the Image fieldtype already does. No reason to use repeaters when the Image fieldtype can already do this more efficiently. The fieldtype's settings will let you specify how many images you want to allow and how big of a text field should be provided with each image.

Link to comment
Share on other sites
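
An added example, not part of the original thread or of ProcessWire's own code: the user and page creation from the post above, driven by a registration form instead of hard-coded values, with the input validated and the new account given only a non-administrative role. The role name student, the form field names and the file name register.php are hypothetical; the parent path is the placeholder from the post above.

```php
<?php
// register.php: template file for the registration form (added example).
// Hypothetical: role "student" with no admin permissions, template "student",
// form fields username / email / pass / submit_register.
$error = '';

if($input->post->submit_register) {
    if(!$session->CSRF->hasValidToken()) {
        throw new WireException('Invalid or expired form token');
    }
    $name  = $sanitizer->pageName($input->post->username); // safe in names and selectors
    $email = $sanitizer->email($input->post->email);       // blank when not a valid address
    $pass  = (string) $input->post->pass;

    if(!$name || !$email || strlen($pass) < 10) {
        $error = 'Enter a user name, a valid e-mail address and a password of at least 10 characters.';
    } else if($users->get("name=$name")->id) {
        // Also covers existing accounts such as the guest and admin users.
        $error = 'That user name is not available.';
    } else {
        $student = $users->add($name);
        $student->of(false);
        $student->pass = $pass;       // stored hashed by ProcessWire
        $student->email = $email;
        $student->addRole('student'); // never an admin-capable role
        $student->save();

        $studentPage = new Page();
        $studentPage->template = 'student';
        $studentPage->parent = $pages->get('/path/to/student/pages/');
        $studentPage->name = $name;   // ties the page to its owner
        $studentPage->title = "$name's Student page";
        $studentPage->save();

        $session->login($name, $pass);
        $session->redirect($studentPage->url, false);
    }
}
?>
<?php if($error): ?><p class="error"><?php echo $sanitizer->entities($error); ?></p><?php endif; ?>
<form method="post" action="<?php echo $page->url; ?>">
  <?php echo $session->CSRF->renderInput(); ?>
  <input type="text" name="username" /> <input type="email" name="email" />
  <input type="password" name="pass" />
  <input type="submit" name="submit_register" value="Register" />
</form>
```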
