MarkE

Getting into a tangle with access

The access mechanisms for PW seem pretty powerful, but a bit complicated. I'm struggling to do something that I thought would be quite simple but I keep tripping up.

The pages in my site include a large number which are not rendered - essentially a database - but they are outside the "admin" section. I have a number of roles to which I need to provide access to selected groups of these pages in the back end. It is easy enough to limit the "edit" access by template. Because it would be confusing for the users to see a tree with a load of pages not relevant to their roles, I would also like for them not to see the pages to which they don't have edit access. So I removed their "view" access to these templates. However, they can still see them in the back end, because of inherited rights from the "guest" role.

Now, I needed the "guest" role to be able to view many of the pages because that is the role used by webhooks and batch runs invoked by LazyCron. So I thought perhaps I could set up separate roles for them and add those roles to their guest role in the API when they run - that way I could reduce the default "guest" access to just renderable pages and give enhanced access to other roles as needed. However, this does not seem to work. The role is shown as being added, but doesn't actually seem to provide the additional access rights to the "guest" user.

What is wrong with my approach and is there a better way of doing this?

Yes I have, thanks - but that limits users to just one branch. In my case, I need them to access more than one branch. I tried the "role-based" approach, thinking I could set up a role for each of the relevant branches and then assign those, but I couldn't get it working. In any case it wouldn't really meet my requirement which is to just display pages of the relevant templates - restricting page-view for the templates does this, but with the consequences I described.

1 hour ago, MarkE said:

I would also like for them not to see the pages to which they don't have edit access. So I removed their "view" access to these templates.

The view permission controls viewing on the front-end, it doesn't relate to pages being listed in Page List.

For more advanced control over page permissions try hooking after the following Page methods, returning true/false as needed. $page->listable() is the one related to which pages appear in Page List.

 

$page->listable()
bool Returns true if the page is listable by the current user, false if not. 
Can also be used as property: $page->listable
 
$page->moveable()
bool Returns true if the current user can move this page. Optionally specify the new parent to check if the page is moveable to that parent. 
Can also be used as property: $page->moveable
 
$page->publishable()
bool Returns true if the page is publishable by the current user, false if not. 
Can also be used as property: $page->publishable
 
$page->restorable()
bool Returns true if page is in the trash and is capable of being restored to its original location. @since 3.0.107

$page->sortable()
bool Returns true if the current user can change the sort order of the current page (within the same parent). 
Can also be used as property: $page->sortable
 
$page->trashable()
bool Returns true if the page is trashable by the current user, false if not. 
Can also be used as property: $page->trashable
 
$page->viewable()
bool Returns true if the page (and optionally field) is viewable by the current user, false if not. 
Can also be used as property: $page->viewable

  

An example of a Page::listable hook - note that such hooks do not restrict the superuser role:

$wire->addHookAfter('Page::listable', function(HookEvent $event) {
	$page = $event->object;
	if($this->wire()->user->hasRole('editor') && $page->template == 'basic_page') $event->return = false;
});

 

  • Like 4

That's 5

Here's my code (slightly generalized)

//Restrict page-list view in back-end
wire()->addHookAfter('Page::listable', function(HookEvent $event) {
    $page = $event->object;
    $allowedViews = [
        'membership-secretary' => ['home', 'template_1', 'template_2'],
        'treasurer' => ['home', 'template_3', 'template_4'],
        // etc.
        'site-content-editor' => ['home', 'basic-page']
    ];
    $event->return = false;
    foreach ($allowedViews as $role => $templates) {
        if ($this->wire()->user->hasRole($role) and in_array($page->template->name, $templates)) $event->return = true;
    }
    if ($this->wire()->user->hasRole('webmaster')) $event->return = true;
});

 

@MarkE - just be aware that hook doesn't prevent a user getting access to the pages via Pages > Find and also via the Live Search in the menu bar. There are some hooks in the Admin Restrict Branch module that will help you with that though.

  • Like 2

Ta @adrian. I'll look into that where there are privacy issues - my first concern was to make things easier to use, but I need to think about privacy also.

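A variant of the Page::listable hook discussed in this thread, added here as an example (not code from any poster or from ProcessWire itself). It keeps the role-to-template allowlist in one pure function and only ever narrows the result the core permission check already produced, so a page the core marked as not listable stays hidden. The role and template names are the placeholders from the post above; `templateAllowed()` and `restrictByTemplate()` are hypothetical helper names.

```php
<?php namespace ProcessWire;
// Added example for site/ready.php. Role and template names are the
// placeholders used in the post above, not real site values.
const ALLOWED_VIEWS = [
    'membership-secretary' => ['home', 'template_1', 'template_2'],
    'treasurer'            => ['home', 'template_3', 'template_4'],
    'site-content-editor'  => ['home', 'basic-page'],
];

// Pure decision: deny by default, allow if ANY of the user's roles lists the
// template. 'webmaster' sees everything, as in the post above.
function templateAllowed(array $roleNames, string $template, array $map = ALLOWED_VIEWS): bool {
    if (in_array('webmaster', $roleNames, true)) return true;
    foreach ($roleNames as $role) {
        if (in_array($template, $map[$role] ?? [], true)) return true;
    }
    return false;
}

// Hypothetical helper: attach the allowlist to one hookable Page method.
function restrictByTemplate(string $method): void {
    wire()->addHookAfter($method, function (HookEvent $event) {
        // Keep a "no" from the core permission check; this hook only narrows.
        if (!$event->return) return;
        $roles = wire('user')->roles->explode('name');
        $page = $event->object;
        if (!templateAllowed($roles, $page->template->name)) $event->return = false;
    });
}

if (function_exists(__NAMESPACE__ . '\wire')) {
    restrictByTemplate('Page::listable');
} else {
    // Outside ProcessWire: exercise the decision on constructed inputs.
    $cases = [
        [['guest', 'treasurer'], 'template_3'],                // one role lists it
        [['guest', 'treasurer'], 'template_1'],                // no role lists it
        [['treasurer', 'membership-secretary'], 'template_1'], // union of two roles
        [['guest'], 'home'],                                   // role has no entry
    ];
    foreach ($cases as [$roles, $tpl]) {
        printf("%-40s %-12s %s\n", implode(',', $roles), $tpl,
            templateAllowed($roles, $tpl) ? 'list' : 'hide');
    }
}
```

This only changes what Page List shows; as noted above, Pages > Find and the Live Search are separate paths and are not covered by a Page::listable hook.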
