MarkE

Configuring access security


It seems to me that access control in PW is powerful but quite complex. Does anyone know of a tutorial/blog etc. that covers these complexities? In particular, how to make sure that the end result achieves the required access control. From what I have learned so far, a number of things interact:
• Whether a page is published, unpublished or hidden
• The access given to users of a template
• Field level access – both global and as overridden in a template
• Whether or not a template has an associated php template file
• The output formatting of a page, set in a php script (false can disable field-level access controls)
These need to be considered in combination to determine what the actual level of access is in any situation. Is there any way of getting an overview of all this?


For example, if there is no guest access to a template then that restriction will also apply to any API invoked by a guest action which requires access to a page instance of that template. The only way I can see to allow API access but to prevent direct access is to allow guest access to the template, but not provide a template php file. Is this secure?


Also, if fields have restricted access (e.g. no guest access), then any API invoked from the front-end (including webhooks) will not be allowed to see the contents (this is achieved by blanking the contents in formatting). Overriding this can be achieved either by setting the relevant option on the Access tab of the restricted fields, or by turning off output formatting for the affected page just before accessing it (e.g. $p->of(false); ). See discussion at

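As an added example (not code from the original post or from the ProcessWire project), the following helper reports the effective access of one user to one page by combining the factors listed above through the core API: page status, role-based template access, whether the template has a file, per-field access, and the page's current output-formatting state. It assumes a ProcessWire 3.x API context (a template file or the admin console); the helper name accessOverview and the sample page path are assumptions.

```php
<?php namespace ProcessWire;
// Added example: summarise $user's effective access to $page.
// Assumes a ProcessWire 3.x API context; helper name and the sample
// page path below are made up for illustration.

function accessOverview(Page $page, User $user): array {
    $users    = $page->wire('users');
    $previous = $users->getCurrentUser();
    $users->setCurrentUser($user); // permission checks now run as $user

    $fields = [];
    foreach ($page->template->fieldgroup as $field) {
        /** @var Field $field */
        $fields[$field->name] = [
            // field-level access control switched on for this field?
            'restricted' => (bool) $field->useRoles,
            // false means the value is blanked while output formatting is on
            'viewable'   => $page->viewable($field),
            'editable'   => $page->editable($field),
        ];
    }

    $overview = [
        'status' => [
            'unpublished' => $page->isUnpublished(),
            'hidden'      => $page->isHidden(), // affects find(), not access
        ],
        'template' => [
            'name'     => $page->template->name,
            'has_file' => $page->template->filenameExists(),
            // viewable() normally also requires a template file; passing
            // false as the second argument isolates the role-based check,
            // which is what matters for API access without direct viewing
            'viewable_direct' => $page->viewable(),
            'viewable_api'    => $page->viewable(null, false),
        ],
        'editable'          => $page->editable(),
        'output_formatting' => $page->of(),
        'fields'            => $fields,
    ];

    $users->setCurrentUser($previous); // always restore the real user
    return $overview;
}

// Usage: compare what the guest user can reach on a page (path is a placeholder)
$p     = $pages->get('/some/protected/page/');
$guest = $users->get($config->guestUserPageID);
print_r(accessOverview($p, $guest));
```

Run it once for the guest user and once for a logged-in role to see which of the interacting settings actually decides the outcome for each field.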


Similar Content

    • By Robin S
      Access By Query String
      Grant/deny access to pages according to query string.
      Allows visitors to view protected pages by accessing the page via a special URL containing an "access" GET variable. This allows you to provide a link to selected individuals while keeping the page(s) non-viewable to the public and search engines. The recipients of the link do not need to log in so it's very convenient for them.
      The view protection does not provide a high level of security so should only be used for non-critical scenarios. The purpose of the module was to prevent new websites being publicly accessible before they are officially launched, hence the default message in the module config. But it could be used for selected pages on existing websites also.
      Once a visitor has successfully accessed a protected page via the GET variable then they can view any other page protected by the same access rule without needing the GET variable for that browsing session.
      Superusers are not affected by the module.
      Usage
      Install the Access By Query String module.
      Define access rules in the format [GET variable]??[selector], one per line.
      As an example the rule...
      rumpelstiltskin??template=skills, title~=gold
      ...means that any pages using the "skills" template with the word "gold" in the title will not be viewable unless it is accessed with ?access=rumpelstiltskin in the URL. So you could provide a view link like https://domain.com/skills/spin-straw-into-gold/?access=rumpelstiltskin to selected individuals.
      Or you could limit view access to the whole frontend with a rule like...
      4fU4ns7ZWXar??template!=admin
      You can choose what happens when a protected page is visited without the required GET variable:
      • Replace the rendered markup
      • Throw a 404 exception
      If replacing the rendered markup you can define a meta title and message to be shown. Or if you want to use more advanced markup you can hook AccessByQueryString::replacementMarkup().
      $wire->addHookAfter('AccessByQueryString::replacementMarkup', function(HookEvent $event) {
          // Some info in hook arguments if needed...
          // The page that the visitor is trying to access
          $page = $event->arguments(0);
          // An array of access keys that apply to the page
          $access_keys = $event->arguments(1);
          // The title
          $title = $event->arguments(2);
          // The message
          $message = $event->arguments(3);
          // Return some markup
          $event->return = 'Your markup';
      });
      https://github.com/Toutouwai/AccessByQueryString
      https://modules.processwire.com/modules/access-by-query-string/
    • By Marcel
      Hey,
      - we made a page as admins
      - as admins each <img> tag is loaded and images are displayed
      - we tested the page as a pre-defined test user which is "guest" (Admin Theme: Reno)
      - as test user each <img> is missing and so no image is displayed
      I checked this in dev-mode on Firefox and Chrome. Does anyone have an idea or has had similar issues?
      Thank you in advance.
      Marcel
    • By Guy Incognito
      Hi all. We've created a private log-in area for a client on their site that is restricted on a roles basis. Is there a simple solution available to let them upload files to a file field and then choose individual users that can access individual files?
      Does that make sense?!... it's hard to search for answers to this as all results pertain to server file permissions.
    • By datomtom
      Being a newbie in ProcessWire I was wondering, whether I could have simple subdirectories on my webserver (serving specific self-developed php-apps) and use PW's built-in user management, to grant or deny access to those directories for specific users and groups. I was trying to wrap my head around LDAP for this, but it's not too easy to install on virtual servers running Plesk from my experience. So I thought I could possibly use PW's built in mechanisms for this purpose. Any ideas? Thanks in advance to the community!
    • By zenboy
      I used Profields: repeater Matrix to create a field. One of the repeater matrix types contains a repeater field. As a superuser I can create new entries within the nested repeater field.
      Any user that does not have superuser access cannot create new entries or expand existing entries. When a non-superadmin tries, the following jQuery error can be seen in the console: Uncaught Error: Syntax error, unrecognized expression: {"error":false,"message":"The requested process does not exist"}.
      “Repeater item visibility in editor” and “Repeater dynamic loading (AJAX) in editor” options are set to the default entries.
      I am using ProcessWire 3.0.62 and Profields Repeater Matrix 0.0.4