Deny Control Panel

[Thor]

Is there a way I can restrict the admin backend only to administrators? I changed it to a random name so users can't access it by mistake but there certainly should be a better way. I noticed that if I'm logged as a user, I can access the admin side and change profile, view pages, etc. I don't want this, even without permissions, they can still view it, and while I do want users to be able to change their username and password in the future, I think I would be better off creating a template page just for those functions rather than allowing them to access the admin side.

[Robin S]

1 hour ago, Thor said:

I noticed that if I'm logged as a user, I can access the admin side and change profile, view pages, etc. I don't want this, even without permissions, they can still view it

If the role doesn't have page-edit permission and doesn't have profile-edit permission then they cannot see the page list or edit their profile. They just see this:

But to prevent them from seeing the admin interface at all you can add this at the top of /site/templates/admin.php...

if($user->isLoggedin() && !$user->hasPermission('page-edit')) {
    // Uncomment whichever you prefer
    // $session->redirect('/');
    // throw new Wire404Exception();
}

 

[Thor]

Yes, they only see the Continue page as now, but I don't like them to see anything at all, not even that its ProcessWire.

I guess editing the admin page would be the quickest way, thank you. 

I see you used the page-edit as a variable check before redirection. Isn't it better to test the role group? Like if not super admin or administrator, then redirect?

[Robin S]

6 minutes ago, Thor said:

I see you used the page-edit as a variable check before redirection. Isn't it better to test the role group? Like if not super admin or administrator, then redirect?

Depends how many roles you have, whether any of those non-superuser roles need admin access, whether you will be adding new roles in the future, etc. But in general if a role has no permission to edit pages then you could say they have no business accessing the admin, and that way you don't have to maintain some list of authorised/non-authorised roles.

[Thor]

Well, only me will have access to the admin side. 

And since there is a superuser role built into PW (which you can't delete) would it not better to instruct it by role instead of page edit? Like, "superuser" allow, everyone else deny redirecting to another page. Just asking because maybe in the future, you want a user role that has page-edit permissions for another page (not admin.php).

[szabesz]

6 hours ago, Thor said:

Like, "superuser" allow, everyone else deny redirecting to another page.

Sure. You can always tweak it later on if necessary.