Problem with user permissions

[Slav]

Hey Guys, 

I found a problem with user permissions of a PW site that Im working on. Im new to PW and not sure if there is a problem in setting permissions or is it some bug.

It is difficult to explain properly but I will try... The problem is that I have a role called "exponent" and this role has permissions like page-edit, page-add, page-create etc... Now if I create a user and give that user a role of "exponent" and set permission to only edit a particular page (lets say the name of the page is "Test") then if I understand correctly, that user should have all the "exponent" role permissions only for "Test" and all the other pages are only viewable (considering that "Test" page template access is defined as well). Now if I log in as that user and look at the pages tree, then at first it looks that permissions work properly, but for some reason that I don't understand the user has permission to add new pages to the 2nd level child pages, everywhere. 

Here we see the only page that the user is allowed to edit.

Here is how the user sees other pages (he can only view).

And here is the problem. User has permission to add page to 2nd level child pages and he can do this everywhere. So my question is how is this possible or what should I do to fix this? Has anyone else had similar situation?

 

Thanks!

[BitPoet]

You could either remove the page-add permission from the role completely or remove the "add children" permission in the page's template for the exponent role.

[Robin S]

@Slav, you might find this module useful for understanding user permissions across your templates: https://modules.processwire.com/modules/process-access-overview/

[Slav]

@BitPoet, So basically there's no actual solution? Only work around? What if I want to create a user who has permission to edit a particular page and add child page's to that page and not any other page? And have many users with same permissions (particular that users page)?

@Robin S, oh thanks that module looks useful!

 

[Robin S]

2 hours ago, Slav said:

So basically there's no actual solution?

There's always a solution

First thing to understand is that the access control that is built into the PW core is based around templates, not around pages. So if you have given a role permission to add children for a template then a user with that role can add children to any page with that template. Or if you have allowed permissions to be inherited then a role might inherit the add children permission from the template of a parent page you have granted it on. Same goes for any other access permission.

But that is only the PW core - you can modify the way permissions work with your own hooks or by using existing modules.

A couple of modules that might suit your needs:

AdminRestrictBranch: If your users only have permission to work with a particular page and children of that page then this module might be ideal because it can hide everything outside of that branch.

UserGroups: Another module that implements page-based permissions. I haven't used this module but apparently it is pretty stable despite the "alpha" label in the support thread. You might need to tweak a couple of things to get it working smoothly in PW3 - see this and this.

And a third option...

You don't make this clear in your original post but I take it you have installed the PageEditPerUser module. This module allows you to define individual pages that a user may edit but it doesn't get involved with the permission to add children. However you could edit the module to include a hook to Page::addable

public function init() {
    $this->addHookAfter('Page::editable', $this, 'hookPageEditable'); 
    $this->addHookAfter('Page::viewable', $this, 'hookPageViewable'); // fixing a long-standing typo in the module
    $this->addHookAfter('Page::addable', $this, 'hookPageAddable'); //  the new addable hook
}

// ...

public function hookPageAddable($event) {
    if($event->return) return;
    $event->return = $this->onMyBranch($event->object);
}

Now child pages may only be added to pages that the user has been given edit access for in their user profile.

[szabesz]

Also: Dynamic Roles Module might me of interest here. I have not used it, to tell the truth, but Ryan has updated it recently so that it is installable on PW3, that is why I guess it works too, see: https://github.com/ryancramerdesign/DynamicRoles

more: 

 

 

[Slav]

1 hour ago, Robin S said:

AdminRestrictBranch: If your users only have permission to work with a particular page and children of that page then this module might be ideal because it can hide everything outside of that branch.

Oh this sounds exactly what I need! I will try this and see how it works! Cheers!

[Gideon So]

Hi,

This module is the best solution for user based access control. I highly recommend it.

Gideon