
Best method for restricting page access?


Lance O.

My client has a need to create a new PW admin user and assign permissions that restrict access to only one assigned page of the site on the frontend.

Each user only has access to the single page that is assigned to them. Example:

User #1 -> Page #1 -> Access
User #1 -> Page #2 -> No Access
User #1 -> Page #3 -> No Access

User #2 -> Page #1 -> No Access
User #2 -> Page #2 -> Access
User #2 -> Page #3 -> No Access

User #3 -> Page #1 -> No Access
User #3 -> Page #2 -> No Access
User #3 -> Page #3 -> Access
etc.

There may be 100 different users that all need access to just their page. Without having to create 100 templates and manage access through the template, what is currently considered the best method for restricting page access? All of these pages should use the same template.


  On 1/13/2017 at 7:21 PM, Lance O. said:

adrian, are you suggesting that the username and the page names should be the same? 


Just seems like it would be an easy way to check access. You could of course do a partial match, or match a custom field on the user template for each user against the page name. Lots of options - just depends what suits your needs the best and is easiest to maintain depending on how the users are added to the system.


Let's throw in one more... 

How about using created_users_id/createdUser? It depends on your workflow though. Who creates the users? How are they created? Same for their respective pages. Doing it manually would mean your client heading over to settings tab when editing a page and changing the created user there (would have to be first enabled in the template). This may not be ideal. You could automatically change the created user ID using the API via an autoload module, but that depends on how the users are created since you want to synchronise the two actions. The advantage of this approach is that you can give your user pages whatever name you want to give them. You would use it like:

if($page->createdUser->id != $user->id) {// @note: here you'd also need to add logic to let superadmin and some editor to have access :-)
// don't allow access
}

// in a selector
$userPage = $pages->get("template=members, created_users_id={$user->id}");

 

Edited by kongondo
Typo in code
  • 3 years later...
  On 1/14/2017 at 5:24 PM, kongondo said:

Let's throw in one more... 

How about using created_users_id/createdUser? It depends on your workflow though. Who creates the users? How are they created? Same for their respective pages. Doing it manually would mean your client heading over to settings tab when editing a page and changing the created user there (would have to be first enabled in the template). This may not be ideal. You could automatically change the created user ID using the API via an autoload module, but that depends on how the users are created since you want to synchronise the two actions. The advantage of this approach is that you can give your user pages whatever name you want to give them. You would use it like:

if($page->createdUser->id != $user->id) {// @note: here you'd also need to add logic to let superadmin and some editor to have access :-)
// don't allow access
}

// in a selector
$userPage = $pages->get("template=members, created_users_id={$user->id}");

 


@kongondo, is this also useable for pages in the admin? 

If you did not create that page, you can not see or edit it.

I tried this, but it only works on the frontend and does not block the edit page.

// redirect users from pages that are not theirs
$this->addHookBefore('Page::render', function ($event) {
    $page = $event->object;
 
    if ($page->template == 'admin') {
        if (wire('input')->post->id) {
            $id = wire('input')->post->id;
            //$notices = $id;
            if ($id != wire('user')->id) {
                wire('session')->redirect(wire('config')->urls->admin . "dashboard/");
            }
        }
    }
 
    if ($page->template == 'basic-page') {
        if ($page->created_users_id != wire('user')->id) {
            wire('session')->redirect(wire('config')->urls->admin . "dashboard/");
        }
    }
});

I am trying to block the smart ones that try to access other pages through the get variable.

 

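One way to enforce the ownership rule discussed in this thread on both the frontend and in the admin, shown as an added example that is not code from any of the posters: instead of redirecting inside Page::render, it tightens ProcessWire's own permission checks, so a page id supplied in the request is judged by the same rule as a normal page view. Assumptions: the code lives in site/ready.php, the per-user pages use the 'basic-page' template named in the post above, ownership is stored in created_users_id as kongondo suggests, and ownsPage() is a hypothetical helper name.

```php
<?php namespace ProcessWire;
// site/ready.php (added example, not code from the thread)
// Assumptions: per-user pages use the 'basic-page' template and the owner
// is recorded in created_users_id. ownsPage() is a hypothetical helper.

/**
 * True when $user may access $page under the one-owner-per-page rule.
 * Pages on other templates are left to ProcessWire's normal access control.
 */
function ownsPage(Page $page, User $user): bool {
    // Template casts to its name; a missing template casts to ''.
    if ((string) $page->template !== 'basic-page') return true;
    // Superusers keep full access (extend here for an editor role).
    if ($user->isSuperuser()) return true;
    // Compare as integers so '41' and 41 are treated as the same owner.
    return (int) $page->created_users_id === (int) $user->id;
}

// Page::viewable gates front-end delivery, Page::editable gates the page
// editor, Page::listable gates the admin page tree. Hooking *after* the
// core check means this code can only turn an "allowed" into a "denied".
foreach (['viewable', 'editable', 'listable'] as $check) {
    $wire->addHookAfter("Page::$check", function (HookEvent $event) {
        if (!$event->return) return;      // core rules already denied it
        $page = $event->object;           // the page being checked
        $user = $event->wire('user');     // the current user
        if (!ownsPage($page, $user)) {
            $event->return = false;       // deny: not the owner
        }
    });
}
```

With this in place, what a non-owner sees on the frontend (404 or login redirect) follows the template's own access settings, and the page editor refuses the request because editable() returns false.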
