Jump to content

Getting into a tangle with access


MarkE
 Share

Recommended Posts

The access mechanisms for PW seem pretty powerful, but a bit complicated. I'm struggling to do something that i thought would be quite simple but I keep tripping up.

The pages in my site include a large number which are not rendered - essentially a database - but they are outside the "admin" section. I have a number of roles to which I need to provide access to selected groups of these pages in the back end. It is easy enough to limit the "edit" access by template. Because it would be confusing for the users to see a tree with a load of pages not relevant to their roles, I would also like for them not to see the pages to which they don't have edit access. So I removed their "view" access to these templates. However, they can still see them in the back end, because of inherited rights from the "guest" role.

Now, I needed the "guest" role to be able to view many of the pages because that is the role used by webhooks and batch runs invoked by LazyCron. So I thought perhaps I could set up separate roles for them and add those roles to their guest role in the API when they run - that way I could reduce the default "guest" access to just renderable pages and give enhanced access to other roles as needed. However, this does not seem to work. The role is shown as being added, but doesn't actually seem to provide the additional access rights to the "guest" user.

What is wrong with my approach and is there a better way of doing this?

Link to comment
Share on other sites

Yes I have, thanks - but that limits users to just one branch. In my case, I need them to access more than one branch. I tried the "role-based" approach, thinking I could set up a role for each of the relevant branches and then assign those, but I couldn't get it working. In any case it wouldn't really meet my requirement which is to just display pages of the relevant templates - restricting page-view for the templates does this, but with the consequences I described.

Link to comment
Share on other sites

1 hour ago, MarkE said:

I would also like for them not to see the pages to which they don't have edit access. So I removed their "view" access to these templates.

The view permission controls viewing on the front-end, it doesn't relate to pages being listed in Page List.

For more advanced control over page permissions try hooking after the following Page methods, returning true/false as needed. $page->listable() is the one related to which pages appear in Page List.

 

$page->listable()
bool Returns true if the page is listable by the current user, false if not. 
Can also be used as property: $page->listable
 
$page->moveable()
bool Returns true if the current user can move this page. Optionally specify the new parent to check if the page is moveable to that parent. 
Can also be used as property: $page->moveable
 
$page->publishable()
bool Returns true if the page is publishable by the current user, false if not. 
Can also be used as property: $page->publishable
 
$page->restorable()
bool Returns true if page is in the trash and is capable of being restored to its original location. @since 3.0.107  
$page->sortable()
bool Returns true if the current user can change the sort order of the current page (within the same parent). 
Can also be used as property: $page->sortable
 
$page->trashable()
bool Returns true if the page is trashable by the current user, false if not. 
Can also be used as property: $page->trashable
 
$page->viewable()
bool Returns true if the page (and optionally field) is viewable by the current user, false if not. 
Can also be used as property: $page->viewable

  

An example of a Page::listable hook - note that such hooks do not restrict the superuser role:

$wire->addHookAfter('Page::listable', function(HookEvent $event) {
	$page = $event->object;
	if($this->wire()->user->hasRole('editor') && $page->template == 'basic_page') $event->return = false;
});

 

  • Like 4
Link to comment
Share on other sites

That's 5

Here's my code (slightly generalized)

//Restrict page-list view in back-end
wire()->addHookAfter('Page::listable', function(HookEvent $event) {
    $page = $event->object;
    $allowedViews = [
        'membership-secretary' => ['home', 'template_1', 'template_2'],
        'treasurer' => ['home', 'template_3', 'template_4'],
// etc.
        'site-content-editor' => ['home', 'basic-page']
    ];
    $event->return = false;
    foreach ($allowedViews as $role => $templates) {
        if ($this->wire()->user->hasRole($role) and in_array($page->template->name, $templates)) $event->return = true;
    }
	if ($this->wire()->user->hasRole('webmaster')) $event->return = true;
});

 

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...