ridgedale

PW3 - Non-Superuser Roles Administration


Reference: PW 3.0.111 and uikit3 based site using the Regular-Master profile.

I wonder if anyone might be able to point me in the right direction. I need to restrict the superuser role to overall administrators of a group of sites, but provide role and permission administration for the administrators of the individual sites. My searches unearthed the following thread:

However, after having already created the sitemanager role and given site administrators the user-admin permission and having then created the role-admin permission and assigned that to the sitemanager role, the users with sitemanager permissions are able to see the Roles item under the Access menu of the backend but no submenu is displayed showing the Add Role option or any of the roles that the administrator should have access to. My intention is that the individual site administrators should have access to assign the guest and sitemanager roles (but not edit them) and be able to create roles with privileges beneath that of sitemanager.

Any advice would be greatly appreciated.

 


Hi @Robin S ,

Thanks again for responding.

What I was doing was following the guidelines provided here: https://processwire.com/api/user-access/permissions/#user-admin-permissions

I had missed the following little nugget of information:

Quote

... a user must have that (user-admin-all (my addition for clarity)) permission (in addition to user-admin permission) in order to edit "all" users in the site (superusers excluded, as before)

Now that the sitemanager can add/remove users s/he still does not have any access to add/remove roles or assign permissions despite the role-admin permission having been added and assigned to sitemanager. The Role menu item is displayed but no sub-menus are available and no Permissions menu is displayed at all.

Not sure what I'm doing wrong, now. Any guidance appreciated.


Right, I understand now. You are wanting to give a role (let's call the role "manager") the ability to edit roles/permissions and add new roles/permissions.

First thing to know is that in doing this you would be going well off the map of what is documented in ProcessWire and straying into some potentially dangerous territory. Normally only superusers manage roles and permissions, and if you decide to deviate from that you'll want to do your own thorough testing. It sounds risky to me and not something to be done lightly.

But I took a look at what's needed to enable this and it seems that the steps are...

Manage roles

1. Create new permission "role-admin".

2. Give this permission to the manager role.

3. Open the "role" template at Setup > Templates (you'll need to show system templates in the filter section). On the Access tab allow the manager role to "Edit Pages" and "Add Pages".

4. Open the "admin" template, and on the Access tab allow the manager role to "Add Children".

Manage permissions

1. Create new permission "permission-admin".

2. Give this permission to the manager role.

3. Open the "permission" template at Setup > Templates (you'll need to show system templates in the filter section). On the Access tab allow the manager role to "Edit Pages" and "Add Pages".

4. Open the "admin" template, and on the Access tab allow the manager role to "Add Children". You can skip this step if you already did it.


Hi @Robin S ,

Thank you again for your reply and detailed instructions.

I am very conscious of the potential pitfalls. What I am aiming to achieve overall is that sitemanagers only have control to manage roles and assign permissions that are equal to and beneath their own assigned rights. I hope that makes sense.

The reason for not allowing sitemanagers to be superusers in this particular instance is that it is a multi-site installation where we don't want sitemanagers creating/editing/deleting templates/fields/logs and/or installing modules. All the sites are effectively run using identical templates and modules. If we allow sitemanagers that level of control it will inevitably lead to an administrative nightmare for the superusers in the long run.

I will delve deeper and look further into this.

Many thanks again for your guidance.


Update:

I can see adding the permission-admin permission to the sitemanager role gives the sitemanager access to all site permissions effectively allowing him/her to create a superuser equivalent role. That is definitely not what I am aiming for.

Is it possible to restrict the permissions the sitemanager can give/remove to those assigned to the sitemanager role?

Otherwise are there any alternative suggestions as to how to restrict sitemanager access, so s/he does not have access to modules, templates, fields and logs, but can manage users, roles and permissions at their own level or below?

 


Maybe create a Process Module (say, Manage Users) that only Superusers and Site Admins can view. Create a simple GUI >>> add foo, add bar, etc. Behind the scenes, you use the API to manage users, roles and permissions. Obviously, you restrict the roles, permissions, etc that the Site Admins can manage. It might seem like re-inventing the wheel, but you avoid the red lines/pitfalls you've mentioned (site admins seeing modules, etc). 

Just my 2p.

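One way the API-side restriction suggested above could enforce "equal to and beneath their own assigned rights", as an added example that is not code from the thread or from ProcessWire itself. The function name `assignRoleWithinOwnRights()` and the log name `role-assignments` are hypothetical, and the code assumes it is called from a custom Process module or template file where the ProcessWire API is already loaded.

```php
<?php namespace ProcessWire;

/**
 * Added example (hypothetical helper, not ProcessWire core code).
 * Lets a non-superuser manager assign an existing role to a user only when
 * every permission in that role is one the manager already holds.
 */
function assignRoleWithinOwnRights(User $actor, User $target, $roleName) {
    // The actor needs the documented user-admin permission to manage users at all.
    if(!$actor->hasPermission('user-admin')) {
        throw new WirePermissionException('You may not administer users.');
    }
    // Superuser accounts stay out of reach of non-superusers.
    if($target->isSuperuser() && !$actor->isSuperuser()) {
        throw new WirePermissionException('Superuser accounts cannot be modified.');
    }
    // Resolve the role from a sanitized name; an unknown name yields a NullPage (id 0).
    $role = wire('roles')->get(wire('sanitizer')->pageName($roleName));
    if(!$role->id) {
        throw new WireException('Unknown role.');
    }
    if(!$actor->isSuperuser()) {
        // ProcessWire grants superusers everything regardless of the permissions
        // listed on the role, so the subset check alone must not be relied on here.
        if($role->name === 'superuser') {
            throw new WirePermissionException('The superuser role cannot be assigned.');
        }
        // Subset check: refuse the role if it carries any permission the actor lacks.
        foreach($role->permissions as $permission) {
            if(!$actor->hasPermission($permission->name)) {
                throw new WirePermissionException(
                    "Role '{$role->name}' exceeds your rights ({$permission->name})."
                );
            }
        }
    }
    $target->of(false);       // turn off output formatting before modifying and saving
    $target->addRole($role);
    $target->save();
    // Audit trail so superusers can review what managers assigned.
    wire('log')->save('role-assignments',
        "{$actor->name} assigned role {$role->name} to {$target->name}");
    return true;
}
```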

Thank you for your feedback @kongondo and insight.

I think at this stage the solution in the short-term is to only allow superusers to create/edit/remove roles and enable just the user-admin and user-admin-all permissions for sitemanagers to allow them to be able to assign the roles pre-defined by superusers. It will also keep the administration simple for future superusers.

Thanks again to both of you for your assistance.
