MarkE

Configuring access security


It seems to me that access control in PW is powerful but quite complex. Does anyone know of a tutorial/blog etc. that covers these complexities? In particular, how to make sure that the end result achieves the required access control. From what I have learned so far, a number of things interact:
•    Whether a page is published, unpublished or hidden
•    The access given to users of a template
•    Field level access – both global and as over-ridden in a template
•    Whether or not a template has an associated php template file
•    The output formatting of a page, set in a php script (false can disable field-level access controls)
These need to be considered in combination to determine what is the actual level of access in any situation. Is there any way of getting an overview of all this?


For example, if there is no guest access to a template then that restriction will also apply to any API invoked by a guest action which requires access to a page instance of that template. The only way I can see to allow API access but to prevent direct access is to allow guest access to the template, but not provide a template php file. Is this secure?


Also, if fields have restricted access (e.g. no guest access), then any API invoked from the front-end (including webhooks) will not be allowed to see the contents (this is achieved by blanking the contents in formatting). Over-riding this can be achieved either by setting the relevant option on the Access tab of the restricted fields, or by turning off output formatting for the affected page just before accessing it (e.g. $p->of(false); ). See discussion at
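
As a starting point for the overview asked about above, here is an added example (not part of the original post, and not ProcessWire's own code): a read-only CLI script that prints, per template, whether guests have view access and whether a template file exists, and, per access-controlled field, whether guests may view it and whether the API-access option is set. The `index.php` path is a placeholder and the report labels are this example's own.

```php
<?php namespace ProcessWire;
// Added example: read-only audit of guest access per template and per field.
// Assumption: run from the CLI; the path is a placeholder for the index.php
// in your ProcessWire web root, which bootstraps the API.
include '/path/to/webroot/index.php';

$guest = wire('roles')->get('guest');

foreach (wire('templates') as $template) {
    if ($template->flags & Template::flagSystem) continue; // skip system templates

    // Template-level view access. With useRoles off, the template defines no
    // access of its own and pages inherit it from the closest parent that does.
    if ($template->useRoles) {
        $guestView = $template->hasRole($guest, 'view') ? 'yes' : 'no';
    } else {
        $guestView = 'inherited';
    }

    // "Guest access but no template file" is the combination asked about in
    // the post: such pages have no direct front-end output of their own.
    $hasFile = $template->filenameExists() ? 'yes' : 'no';
    echo "{$template->name}: guest-view=$guestView template-file=$hasFile\n";

    foreach ($template->fieldgroup as $f) {
        // Field as configured in the context of this template, so that
        // per-template overrides are taken into account.
        $field = $template->fieldgroup->getFieldContext($f);
        if (!$field->useRoles) continue; // field-level access control is off

        $guestField = in_array($guest->id, $field->viewRoles) ? 'yes' : 'no';
        // flagAccessAPI: value stays readable from the API even when the
        // current user cannot view the field (the Access tab option).
        $api = $field->hasFlag(Field::flagAccessAPI) ? 'yes' : 'no';
        echo "  {$field->name}: guest-view=$guestField api-access=$api\n";
    }
}
```

Rows that combine `guest-view=no` on a field with `api-access=yes`, or `guest-view=yes` on a template with `template-file=no`, are the ones to review by hand, together with any script that calls `$p->of(false)` before reading a restricted field.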

 
