If there are multiple roles assigned, does PW use additive or restrictive permissions?


Vigilante

All users on our site are given Guest role, but also other roles, for example Guest and Admin or Guest and Member, etc.

When editing access rights for a template, it lets me set permission for each role, as well as what happens if a user doesn't have access, such as redirecting to another page.

My question is about a user with two roles. They have Guest and they have Member. I also want to redirect them to the registration/login page if they try to access this template.

The easiest way to do this (I thought) is remove View access to the Guest role. This way a Guest (non member, non logged in) would redirect to the login page. However it didn't work like that. When I am logged in (Member role), it STILL redirects me to the login page.

 

So the question is, when I have multiple roles, is PW choosing the most restrictive permissions, or are the permissions additive? Why would it redirect me based on the Guest role when I am also part of a role that DOES have permission? 

Also, if I'm forced to have View permission on the Guest role, it completely makes the automatic redirection useless. If Guest users have to have View access, the redirect system can never actually work. It doesn't make sense.

I'm assuming PW is choosing the most restrictive permissions when a person has multiple roles, but that seems wrong, I've only ever seen roles/permissions as being additive, gaining the permission of all roles assigned.

I must be missing something, or perhaps the site I'm working on is wrong for having every user also be a Guest role?

I've already read the docs for permissions and roles and it doesn't answer this question. How can my users be both Guest and Member, AND use the template redirection if not logged in?


Hi. I am not sure if I got what you want correctly. But have you checked the redirect isn’t cached? Typically browsers cache 301 redirects.

Other than that, if a user has two roles assigned and one has view permission and one has not, the user itself will have permission to view that page.


I can't fully answer this question either, but I would never change the guest role. It's required, default for everyone.

Can you describe in more detail what your setup is and what you want to achieve? Which PW version do you use? There's a relatively new feature that makes role-assigning much easier. Did you check that out? https://processwire.com/blog/posts/processwire-3.0.81-upgrades-the-role-editor/

Furthermore, if you need even more fine-grained rights, there's Dynamic Roles: 

Go to page 3 of that thread to find a PW 3 compatible version.

 


4 hours ago, dragan said:

I can't fully answer this question either, but I would never change the guest role. It's required, default for everyone

I too wouldn’t change it nor use it for anything, but I believe guest role is not that important 

https://github.com/ryancramerdesign/ProcessWire/issues/588#issuecomment-52206316


11 hours ago, suntrop said:

Other than that, if a user has two roles assigned and one has view permission and one has not, the user itself will have permission to view that page.

 

This is exactly what I would have thought, but I got the opposite happening. With Guest role (view permission off) and a member role (view permission on), the user was redirected from the page.

 

I'll have to read up on the rest of the links posted here. Thanks!


On 1.1.2018 at 12:33 AM, Vigilante said:

the user was redirected from the page. 

And you are sure it is not cached? 301 are tough to get rid of. 

Do you know there is a table on the settings tab that lists permissions for that particular page?


9 hours ago, suntrop said:

And you are sure it is not cached? 301 are tough to get rid of. 

Do you know there is a table on the settings tab that lists permissions for that particular page?

Well, the 301 was wanted, but only for true guest users. These other users had multiple roles.

I ended up adding the logic to test if they are logged in from the template itself.

If this is a bug, it needs tested from a sandbox or fresh install. I don't know why it acted that way. I mainly wanted to confirm whether PW uses an additive or restrictive model for the permissions.
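
The template-level check described in the last post, as an added example that is not part of the original thread or ProcessWire's own code. It assumes a role named `member` and a login page at `/login/` (both hypothetical for this site), and it sends a 302 so browsers do not cache the redirect the way they cache the 301 discussed above.

```php
<?php namespace ProcessWire;

// Added example; place at the top of the protected template file.
// Assumptions (not from the thread): role name "member", login page "/login/".
// The guest role keeps View access on the template, so this code is reached.

/**
 * Additive role check: access is granted when the user is logged in and
 * holds at least one of the allowed roles, whatever other roles they have.
 */
function hasAnyRole(User $user, array $allowedRoles): bool {
    if (!$user->isLoggedin()) {
        return false; // a true guest holds only the guest role
    }
    foreach ($allowedRoles as $roleName) {
        if ($user->hasRole($roleName)) {
            return true;
        }
    }
    return false;
}

if (!hasAnyRole($user, ['member', 'superuser'])) {
    // Record the denial with the role list, so an unexpected redirect for a
    // multi-role user can be traced in the log afterwards.
    $log->save('access-denied', sprintf(
        'page=%s user=%s roles=%s',
        $page->path,
        $user->name,
        $user->roles->implode(',', 'name')
    ));

    // Second argument false sends a 302 instead of the default 301.
    $session->redirect($pages->get('/login/')->url, false);
}
```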
