ridgedale

PW3 - Non-Superuser Roles Administration

Reference: PW 3.0.111 and uikit3 based site using the Regular-Master profile.

I wonder if anyone might be able to point me in the right direction. I need to restrict the superuser role to overall administrators of a group of sites, but provide role and permission administration for the administrators of the individual sites. My searches unearthed the following thread:

However, after having already created the sitemanager role and given site administrators the user-admin permission and having then created the role-admin permission and assigned that to the sitemanager role, the users with sitemanager permissions are able to see the Roles item under the Access menu of the backend but no submenu is displayed showing the Add Role option or any of the roles that the administrator should have access to. My intention is that the individual site administrators should have access to assign the guest and sitemanager roles (but not edit them) and be able to create roles with privileges beneath that of sitemanager.

Any advice would be greatly appreciated.

 


Hi @Robin S ,

Thanks again for responding.

What I was doing was following the guidelines provided here: https://processwire.com/api/user-access/permissions/#user-admin-permissions

I had missed the following little nugget of information:

Quote

... a user must have that (user-admin-all (my addition for clarity)) permission (in addition to user-admin permission) in order to edit "all" users in the site (superusers excluded, as before)

Now that the sitemanager can add/remove users s/he still does not have any access to add/remove roles or assign permissions despite the role-admin permission having been added and assigned to sitemanager. The Role menu item is displayed but no sub-menus are available and no Permissions menu is displayed at all.

Not sure what I'm doing wrong, now. Any guidance appreciated.


Right, I understand now. You are wanting to give a role (let's call the role "manager") the ability to edit roles/permissions and add new roles/permissions.

First thing to know is that in doing this you would be going well off the map of what is documented in ProcessWire and straying into some potentially dangerous territory. Normally only superusers manage roles and permissions, and if you decide to deviate from that you'll want to do your own thorough testing. It sounds risky to me and not something to be done lightly.

But I took a look at what's needed to enable this and it seems that the steps are...

Manage roles

1. Create new permission "role-admin".

2. Give this permission to the manager role.

3. Open the "role" template at Setup > Templates (you'll need to show system templates in the filter section). On the Access tab allow the manager role to "Edit Pages" and "Add Pages".

4. Open the "admin" template, and on the Access tab allow the manager role to "Add Children".

Manage permissions

1. Create new permission "permission-admin".

2. Give this permission to the manager role.

3. Open the "permission" template at Setup > Templates (you'll need to show system templates in the filter section). On the Access tab allow the manager role to "Edit Pages" and "Add Pages".

4. Open the "admin" template, and on the Access tab allow the manager role to "Add Children". You can skip this step if you already did it.


Hi @Robin S ,

Thank you again for your reply and detailed instructions.

I am very conscious of the potential pitfalls. What I am aiming to achieve overall is that sitemanagers only have control to manage roles and assign permissions that are equal to and beneath their own assigned rights. I hope that makes sense.

The reason for not allowing sitemanagers to be superusers in this particular instance is that it is a multi-site installation where we don't want sitemanagers creating/editing/deleting templates/fields/logs and/or installing modules. All the sites are effectively run using identical templates and modules. If we allow sitemanagers that level of control it will inevitably lead to an administrative nightmare for the superusers in the long run.

I will delve deeper and look further into this.

Many thanks again for your guidance.


Update:

I can see adding the permission-admin permission to the sitemanager role gives the sitemanager access to all site permissions effectively allowing him/her to create a superuser equivalent role. That is definitely not what I am aiming for.

Is it possible to restrict the permissions the sitemanager can give/remove to those assigned to the sitemanager role?

Otherwise are there any alternative suggestions as to how to restrict sitemanager access, so s/he does not have access to modules, templates, fields and logs, but can manage users, roles and permissions at their own level or below?

 


Maybe create a Process Module (say, Manage Users) that only Superusers and Site Admins can view. Create a simple GUI >>> add foo, add bar, etc. Behind the scenes, you use the API to manage users, roles and permissions. Obviously, you restrict the roles, permissions, etc that the Site Admins can manage. It might seem like re-inventing the wheel, but you avoid the red lines/pitfalls you've mentioned (site admins seeing modules, etc). 

Just my 2p.
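
The delegated approach suggested in the post above, sketched as an added example (not written by anyone in this thread and not ProcessWire core code): helper functions that a custom Process module could call so that a site manager can only assign or create roles whose permissions are a subset of their own. The function names and the `delegated-roles` log name are hypothetical; it assumes site managers hold user-admin but not role-admin or permission-admin.

```php
<?php namespace ProcessWire;

// Added example, not ProcessWire core code. Function names are hypothetical.

/** True when $role grants nothing the acting user does not already hold. */
function roleWithinActorRights(Role $role, User $actor): bool {
    // Refuse superuser by name: its rights are implicit, not listed permissions.
    if($role->name === 'superuser') return false;
    foreach($role->permissions as $permission) {
        if(!$actor->hasPermission($permission)) return false;
    }
    return true;
}

/** Assign an existing role to a user on behalf of $actor. Returns false when refused. */
function delegatedAssignRole(User $actor, string $targetName, string $roleName): bool {
    $sanitizer = wire('sanitizer');
    $target = wire('users')->get('name=' . $sanitizer->pageName($targetName));
    $role = wire('roles')->get('name=' . $sanitizer->pageName($roleName));
    if(!$target->id || !$role->id) return false;
    if(!$actor->hasPermission('user-admin')) return false;
    // Never touch superusers, and never let managers change their own roles.
    if($target->isSuperuser() || $target->id === $actor->id) return false;
    if(!roleWithinActorRights($role, $actor)) {
        wire('log')->save('delegated-roles', "DENIED {$actor->name}: {$role->name} -> {$target->name}");
        return false;
    }
    $target->of(false);
    $target->addRole($role);
    $target->save();
    wire('log')->save('delegated-roles', "{$actor->name} assigned {$role->name} to {$target->name}");
    return true;
}

/** Create a role holding only those requested permissions that $actor holds too; null when refused. */
function delegatedCreateRole(User $actor, string $roleName, array $permissionNames) {
    $roleName = wire('sanitizer')->pageName($roleName);
    if(!$roleName || !$actor->hasPermission('user-admin')) return null;
    if(wire('roles')->get("name=$roleName")->id) return null; // never overwrite an existing role
    $role = wire('roles')->add($roleName);
    if(!$role->id) return null;
    foreach($permissionNames as $name) {
        $permission = wire('permissions')->get('name=' . wire('sanitizer')->pageName($name));
        if($permission->id && $actor->hasPermission($permission)) $role->addPermission($permission);
    }
    $role->save();
    return $role;
}
```

Because the module performs the writes through the API, the role and permission system templates can stay closed to the manager role, and the log gives superusers a record of every grant and refusal.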


Thank you for your feedback @kongondo and insight.

I think at this stage the solution in the short-term is to only allow superusers to create/edit/remove roles and enable just the user-admin and user-admin-all permissions for sitemanagers to allow them to be able to assign the roles pre-defined by superusers. It will also keep the administration simple for future superusers.

Thanks again to both of you for your assistance.
