Configuring access security


MarkE

It seems to me that access control in PW is powerful but quite complex. Does anyone know of a tutorial/blog etc. that covers these complexities? In particular, how to make sure that the end result achieves the required access control. From what I have learned so far, a number of things interact:
• Whether a page is published, unpublished or hidden
• The access given to users of a template
• Field level access – both global and as over-ridden in a template
• Whether or not a template has an associated php template file
• The output formatting of a page, set in a php script (false can disable field-level access controls)
These need to be considered in combination to determine what is the actual level of access in any situation. Is there any way of getting an overview of all this?


For example, if there is no guest access to a template then that restriction will also apply to any API invoked by a guest action which requires access to a page instance of that template. The only way I can see to allow API access but to prevent direct access is to allow guest access to the template, but not provide a template php file. Is this secure?


Also, if fields have restricted access (e.g. no guest access), then any API invoked from the front-end (including webhooks) will not be allowed to see the contents (this is achieved by blanking the contents in formatting). Over-riding this can be achieved either by setting the relevant option on the Access tab of the restricted fields, or by turning off output formatting for the affected page just before accessing it (e.g. $p->of(false); ). See discussion at

 

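An added example, not part of the original post and not ProcessWire's own code: a command-line audit that lists, per template, the guest-access factors the post enumerates (template view access, presence of a template file, field-level access in the template's context, and the API-access flag). It assumes ProcessWire 3.x and that the script is saved beside the site's `index.php`; the output wording is this example's own.

```php
<?php namespace ProcessWire;
// Added example (assumption: ProcessWire 3.x, file placed next to index.php).
// Run from the command line: php <this-file>.php
include __DIR__ . '/index.php'; // bootstraps the API without rendering a page

$guest = wire('roles')->get('guest');

foreach (wire('templates') as $template) {
    if ($template->flags & Template::flagSystem) continue; // skip system templates

    // Template-level view access. With useRoles off, access is not defined on
    // this template but inherited from the nearest ancestor page that defines it.
    if (!$template->useRoles) {
        $view = 'access inherited from parent page';
    } else {
        $view = $template->hasRole($guest) ? 'guest can view' : 'guest denied';
    }

    // A template without a PHP file gives its pages no front-end output.
    $file = $template->filenameExists() ? 'has template file' : 'no template file';

    echo "{$template->name}: $view, $file\n";

    foreach ($template->fieldgroup as $f) {
        // Read the field as configured in this template's context, so that
        // per-template overrides of the global field settings are included.
        $field = $template->fieldgroup->getFieldContext($f);
        if (!$field->useRoles) continue; // field-level access control not enabled

        $guestView = in_array($guest->id, $field->viewRoles);
        $apiFlag   = $field->hasFlag(Field::flagAccessAPI);

        if ($guestView) {
            $effect = 'guest can view';
        } elseif ($apiFlag) {
            $effect = 'guest not in view roles, but API-access flag exposes the value to code';
        } else {
            $effect = 'blank for guest while output formatting is on; raw value after of(false)';
        }
        echo "  - {$field->name}: $effect\n";
    }
}
```

Published, unpublished and hidden status is set per page, so it does not appear in this template-level listing.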