Vigilante

If there are multiple roles assigned, does PW use additive or restrictive permissions?

All users on our site are given Guest role, but also other roles, for example Guest and Admin or Guest and Member, etc.

When editing access rights for a template, it lets me set permission for each role, as well as what happens if a user doesn't have access, such as redirecting to another page.

My question is about a user with two roles. They have Guest and they have Member. I also want to redirect them to the registration/login page if they try to access this template.

The easiest way to do this (I thought) is remove View access to the Guest role. This way a Guest (non member, non logged in) would redirect to the login page. However it didn't work like that. When I am logged in (Member role), it STILL redirects me to the login page.

 

So the question is, when I have multiple roles, is PW choosing the most restrictive permissions, or are the permissions additive? Why would it redirect me based on the Guest role when I am also part of a role that DOES have permission? 

Also, if I'm forced to have View permission on the Guest role, it completely makes the automatic redirection useless. If Guest users have to have View access, the redirect system can never actually work. It doesn't make sense.

I'm assuming PW is choosing the most restrictive permissions when a person has multiple roles, but that seems wrong, I've only ever seen roles/permissions as being additive, gaining the permission of all roles assigned.

I must be missing something, or perhaps the site I'm working on is wrong for having every user also be a Guest role?

I've already read the docs for permissions and roles and it doesn't answer this question. How can my users be both Guest and Member, AND use the template redirection if not logged in?


Hi. I am not sure if I got what you want correctly. But have you checked the redirect isn’t cached? Typically browsers cache 301 redirects.

Other than that, if a user has two roles assigned and one has view permission and one has not, the user itself will have permission to view that page.


I can't fully answer this question either, but I would never change the guest role. It's required, default for everyone.

Can you describe in more detail what your setup is and what you want to achieve? Which PW version do you use? There's a relatively new feature that makes role-assigning much easier. Did you check that out? https://processwire.com/blog/posts/processwire-3.0.81-upgrades-the-role-editor/

Furthermore, if you need even more fine-grained rights, there's Dynamic Roles: 

Go to page 3 of that thread to find a PW 3 compatible version.

 

11 hours ago, suntrop said:

Other than that, if a user has two roles assigned and one has view permission and one has not, the user itself will have permission to view that page.

 

This is exactly what I would have thought, but I got the opposite happening. With Guest role (view permission off) and a member role (view permission on), the user was redirected from the page.

 

I'll have to read up on the rest of the links posted here. Thanks!

On 1.1.2018 at 12:33 AM, Vigilante said:

the user was redirected from the page. 

And you are sure it is not cached? 301 are tough to get rid of. 

Do you know there is a table on the settings tab that lists permissions for that particular page?

9 hours ago, suntrop said:

And you are sure it is not cached? 301 are tough to get rid of. 

Do you know there is a table on the settings tab that lists permissions for that particular page?

Well, the 301 was wanted, but only for true guest users. These other users had multiple roles.

I ended up adding the logic to test if they are logged in from the template itself.

If this is a bug, it needs tested from a sandbox or fresh install. I don't know why it acted that way. I mainly wanted to confirm whether PW uses an additive or restrictive model for the permissions.
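
The template-level login check described in the last post could look like the following. It is an added example, not code posted in the thread; the `/login/` path, the `member` role name and the `access-debug` log name are assumptions.

```php
<?php namespace ProcessWire;

// Added example for the top of a members-only template file in /site/templates/.
// Assumption: the Guest role keeps View access on this template, so the file
// runs for every visitor and makes the access decision itself.

// Hypothetical login/registration page path and role name; adjust to the site.
$loginPage  = $pages->get('/login/');
$memberRole = 'member';

if ($config->debug) {
    // Record which of the visitor's roles grant View on this template, to
    // compare the configured access with the behaviour actually observed.
    // Only meaningful when the template manages its own access settings.
    $grants = [];
    foreach ($user->roles as $role) {
        $state = $page->template->hasRole($role) ? 'view' : 'no-view';
        $grants[] = $role->name . '=' . $state;
    }
    $log->save('access-debug', "{$user->name} on {$page->path}: " . implode(', ', $grants));
}

if (!$user->isLoggedin()) {
    // Passing false sends a 302 rather than the default 301, so the browser
    // does not keep redirecting the same visitor after they log in.
    $session->redirect($loginPage->url, false);
}

if (!$user->hasRole($memberRole) && !$user->isSuperuser()) {
    // Logged in but not a member: answer as if the page did not exist.
    throw new Wire404Exception();
}

// Regular template output for members continues below.
```

With `$config->debug` enabled, the `access-debug` log shows per request which roles the visitor holds and which of them have View on the template, which is the information needed to tell a cached redirect apart from an access-setting problem.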
