Getting into a tangle with access

[MarkE]

The access mechanisms for PW seem pretty powerful, but a bit complicated. I'm struggling to do something that i thought would be quite simple but I keep tripping up.

The pages in my site include a large number which are not rendered - essentially a database - but they are outside the "admin" section. I have a number of roles to which I need to provide access to selected groups of these pages in the back end. It is easy enough to limit the "edit" access by template. Because it would be confusing for the users to see a tree with a load of pages not relevant to their roles, I would also like for them not to see the pages to which they don't have edit access. So I removed their "view" access to these templates. However, they can still see them in the back end, because of inherited rights from the "guest" role.

Now, I needed the "guest" role to be able to view many of the pages because that is the role used by webhooks and batch runs invoked by LazyCron. So I thought perhaps I could set up separate roles for them and add those roles to their guest role in the API when they run - that way I could reduce the default "guest" access to just renderable pages and give enhanced access to other roles as needed. However, this does not seem to work. The role is shown as being added, but doesn't actually seem to provide the additional access rights to the "guest" user.

What is wrong with my approach and is there a better way of doing this?

[louisstephens]

Have you looked into Admin Restrict Branch: https://modules.processwire.com/modules/admin-restrict-branch/ ? This should allow you to achieve the first part of your post. 

[MarkE]

Yes I have, thanks - but that limits users to just one branch. In my case, I need them to access more than one branch. I tried the "role-based" approach, thinking I could set up a role for each of the relevant branches and then assign those, but I couldn't get it working. In any case it wouldn't really meet my requirement which is to just display pages of the relevant templates - restricting page-view for the templates does this, but with the consequences I described.

[Robin S]

1 hour ago, MarkE said:

I would also like for them not to see the pages to which they don't have edit access. So I removed their "view" access to these templates.

The view permission controls viewing on the front-end, it doesn't relate to pages being listed in Page List.

For more advanced control over page permissions try hooking after the following Page methods, returning true/false as needed. $page->listable() is the one related to which pages appear in Page List.

 

$page->listable()	bool	Returns true if the page is listable by the current user, false if not.  Can also be used as property: $page->listable
$page->moveable()	bool	Returns true if the current user can move this page. Optionally specify the new parent to check if the page is moveable to that parent.  Can also be used as property: $page->moveable
$page->publishable()	bool	Returns true if the page is publishable by the current user, false if not.  Can also be used as property: $page->publishable
$page->restorable()	bool	Returns true if page is in the trash and is capable of being restored to its original location. @since 3.0.107
$page->sortable()	bool	Returns true if the current user can change the sort order of the current page (within the same parent).  Can also be used as property: $page->sortable
$page->trashable()	bool	Returns true if the page is trashable by the current user, false if not.  Can also be used as property: $page->trashable
$page->viewable()	bool	Returns true if the page (and optionally field) is viewable by the current user, false if not.  Can also be used as property: $page->viewable

  

An example of a Page::listable hook - note that such hooks do not restrict the superuser role:

$wire->addHookAfter('Page::listable', function(HookEvent $event) {
	$page = $event->object;
	if($this->wire()->user->hasRole('editor') && $page->template == 'basic_page') $event->return = false;
});

 

[MarkE]

Thanks a lot. I’ll give that a go. 

[MarkE]

That's 5⭐

Here's my code (slightly generalized)

//Restrict page-list view in back-end
wire()->addHookAfter('Page::listable', function(HookEvent $event) {
    $page = $event->object;
    $allowedViews = [
        'membership-secretary' => ['home', 'template_1', 'template_2'],
        'treasurer' => ['home', 'template_3', 'template_4'],
// etc.
        'site-content-editor' => ['home', 'basic-page']
    ];
    $event->return = false;
    foreach ($allowedViews as $role => $templates) {
        if ($this->wire()->user->hasRole($role) and in_array($page->template->name, $templates)) $event->return = true;
    }
	if ($this->wire()->user->hasRole('webmaster')) $event->return = true;
});

 

[adrian]

@MarkE - just be aware that hook doesn't prevent a user getting access to the pages via Pages > Find and also via the Live Search in the menu bar. There are some hooks in the Admin Restrict Branch module that will help you with that though.

[MarkE]

Ta @adrian. I'll look into that where there are privacy issues - my first concern was to make things easier to use, but I need to think about privacy also.