ridgedale

PW3 - Non-Superuser Roles Administration

Reference: PW 3.0.111 and uikit3 based site using the Regular-Master profile.

I wonder if anyone might be able to point me in the right direction. I need to restrict the superuser role to overall administrators of a group of sites, but provide role and permission administration for the administrators of the individual sites. My searches unearthed the following thread:

However, after having already created the sitemanager role and given site administrators the user-admin permission and having then created the role-admin permission and assigned that to the sitemanager role, the users with sitemanager permissions are able to see the Roles item under the Access menu of the backend but no submenu is displayed showing the Add Role option or any of the roles that the administrator should have access to. My intention is that the individual site administrators should have access to assign the guest and sitemanager roles (but not edit them) and be able to create roles with privileges beneath that of sitemanager.

Any advice would be greatly appreciated.

 


Hi @Robin S ,

Thanks again for responding.

What I was doing was following the guidelines provided here: https://processwire.com/api/user-access/permissions/#user-admin-permissions

I had missed the following little nugget of information:

Quote

... a user must have that (user-admin-all (my addition for clarity)) permission (in addition to user-admin permission) in order to edit "all" users in the site (superusers excluded, as before)

Now that the sitemanager can add/remove users s/he still does not have any access to add/remove roles or assign permissions despite the role-admin permission having been added and assigned to sitemanager. The Role menu item is displayed but no sub-menus are available and no Permissions menu is displayed at all.

Not sure what I'm doing wrong, now. Any guidance appreciated.


Right, I understand now. You are wanting to give a role (let's call the role "manager") the ability to edit roles/permissions and add new roles/permissions.

First thing to know is that in doing this you would be going well off the map of what is documented in ProcessWire and straying into some potentially dangerous territory. Normally only superusers manage roles and permissions, and if you decide to deviate from that you'll want to do your own thorough testing. It sounds risky to me and not something to be done lightly.

But I took a look at what's needed to enable this and it seems that the steps are...

Manage roles

1. Create new permission "role-admin".

2. Give this permission to the manager role.

3. Open the "role" template at Setup > Templates (you'll need to show system templates in the filter section). On the Access tab allow the manager role to "Edit Pages" and "Add Pages".

4. Open the "admin" template, and on the Access tab allow the manager role to "Add Children".

Manage permissions

1. Create new permission "permission-admin".

2. Give this permission to the manager role.

3. Open the "permission" template at Setup > Templates (you'll need to show system templates in the filter section). On the Access tab allow the manager role to "Edit Pages" and "Add Pages".

4. Open the "admin" template, and on the Access tab allow the manager role to "Add Children". You can skip this step if you already did it.

  • Like 1
  • Thanks 1


Hi @Robin S ,

Thank you again for your reply and detailed instructions.

I am very conscious of the potential pitfalls. What I am aiming to achieve overall is that sitemanagers only have control to manage roles and assign permissions that are equal to and beneath their own assigned rights. I hope that makes sense.

The reason for not allowing sitemanagers to be superusers in this particular instance is that it is a multi-site installation where we don't want sitemanagers creating/editing/deleting templates/fields/logs and/or installing modules. All the sites are effectively run using identical templates and modules. If we allow sitemanagers that level of control it will inevitably lead to an administrative nightmare for the superusers in the long run.

I will delve deeper and look further into this.

Many thanks again for your guidance.


Update:

I can see adding the permission-admin permission to the sitemanager role gives the sitemanager access to all site permissions effectively allowing him/her to create a superuser equivalent role. That is definitely not what I am aiming for.

Is it possible to restrict the permissions the sitemanager can give/remove to those assigned to the sitemanager role?

Otherwise are there any alternative suggestions as to how to restrict sitemanager access, so s/he does not have access to modules, templates, fields and logs, but can manage users, roles and permissions at their own level or below?

 


Maybe create a Process Module (say, Manage Users) that only Superusers and Site Admins can view. Create a simple GUI >>> add foo, add bar, etc. Behind the scenes, you use the API to manage users, roles and permissions. Obviously, you restrict the roles, permissions, etc that the Site Admins can manage. It might seem like re-inventing the wheel, but you avoid the red lines/pitfalls you've mentioned (site admins seeing modules, etc). 

Just my 2p.
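
One way to enforce the restriction asked about above (a site manager passing on only permissions they hold themselves) inside the kind of custom Process module suggested in this reply. This is an added example, not code from any poster or from ProcessWire itself; `delegatedGrant()`, the read-only role list and the `role-admin` log name are assumptions, and it presumes a bootstrapped ProcessWire 3.x.

```php
<?php namespace ProcessWire;

// Added example, not from the thread. delegatedGrant() and $readOnlyRoles are
// hypothetical names; assumes it runs inside a bootstrapped ProcessWire 3.x.
function delegatedGrant(User $actor, Role $target, array $permissionNames): array {
    // Roles a site manager may assign to users but must never modify.
    $readOnlyRoles = ['superuser', 'guest', 'sitemanager'];

    if (!$actor->isSuperuser()) {
        if (!$actor->hasPermission('user-admin')) {
            throw new WireException('Actor may not administer users or roles');
        }
        if (in_array($target->name, $readOnlyRoles, true)) {
            throw new WireException("Role '{$target->name}' is read-only here");
        }
    }

    $held = $actor->getPermissions();   // permissions from all of the actor's roles
    $result = ['granted' => [], 'refused' => []];

    foreach ($permissionNames as $name) {
        $clean = wire('sanitizer')->pageName((string) $name);
        $permission = $clean === '' ? null : wire('permissions')->get($clean);
        // Subset rule: the actor can only pass on a permission they hold,
        // so the target role can never exceed the actor's own rights.
        if (!$permission || !$permission->id || !$held->has($permission)) {
            $result['refused'][] = (string) $name;
            continue;
        }
        $target->addPermission($permission);
        $result['granted'][] = $permission->name;
    }

    if ($result['granted']) {
        $target->of(false);   // save with output formatting off
        $target->save();
    }
    // Audit trail under Setup > Logs (the log name is an assumption).
    wire('log')->save('role-admin', sprintf(
        '%s -> role %s: granted [%s], refused [%s]',
        $actor->name, $target->name,
        implode(', ', $result['granted']), implode(', ', $result['refused'])
    ));
    return $result;
}
```

A Process module would call it with `wire('user')` as the actor and report the refused names back to the site manager.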


Thank you for your feedback @kongondo and insight.

I think at this stage the solution in the short-term is to only allow superusers to create/edit/remove roles and enable just the user-admin and user-admin-all permissions for sitemanagers to allow them to be able to assign the roles pre-defined by superusers. It will also keep the administration simple for future superusers.

Thanks again to both of you for your assistance.

  • Like 1
