AswinC Posted March 27, 2020

Hi all,

I'm planning to develop a customer portal in ProcessWire. The idea is basic, like a basic admin panel. For instance:

* viewing your domain names.

To protect a page from one user from another, I would have many, many roles.

role: customerA-viewDNS
role: customerA-editDNS
role: customerB-viewDNS
role: customerB-editDNS

If I add something like licensing O365 & SSL certificates:

role: customerA-view-license-O365
role: customerA-view-sslcertificates
role: customerB-view-license-O365
role: customerB-view-sslcertificates

So the "Power" user of customerA would have all roles that start with customerA.

It feels like there should be a better approach? How are pages like "my profile" done in general?

Kind Regards

LuisM Posted March 27, 2020

You don't need a separate role for each customer.

Just make a new Field->Page Reference and assign it to your User template and to every template you want to restrict for this particular user.

Create a new Page as a Container which contains all your Customer Accounts and let your field reference the created account.

This also gives you the ability to have multiple users per account.

So the next time you do a Pages->find you could use a selector like this:

```php
account=$user->account->id
```

Regarding your Roles, you now just need your basic roles like view, edit, delete for the particular action you want to deny based on Roles/Permissions.

LuisM Posted March 27, 2020

Your tree should therefore look like this:

* Access/Users - with n Users
* Accounts - with n Account Pages
* All your other pages...

bernhard Posted March 27, 2020

Hi, @AswinC and welcome to the forum!

Sounds like a fun project. I'd suggest something like this:

Permissions:

* dns-view
* dns-edit
* licensing-view
* licensing-edit

Roles:

* customer (dns-view, licensing-view)
* manager (dns-edit, licensing-edit)

Then you build ProcessModules for those management interfaces and simply check for the role:

```php
public function checkAccess() {
  // $su is true for superuser
  $su = $this->user->isSuperuser();

  // set user info object
  // for superusers all properties will be true
  $u = (object)[
    'isCustomer' => $su ?: $this->user->hasRole('customer'),
    'isManager' => $su ?: $this->user->hasRole('manager'),
  ];

  // if user is neither customer nor manager we redirect
  if(!$u->isCustomer AND !$u->isManager) {
    $this->session->redirect('/your/admin/url/to/no-access-page');
    return;
  }

  // user has access, return info object
  return $u;
}

public function executeDNS() {
  $u = $this->checkAccess();
  $user = $this->wire('user');
  $out = "<div>Hello $user, here are your dns settings...</div>";
  if($u->isManager) $out .= "<div>You are a Manager, so you can edit all settings!</div>";
  // ...
  return $out;
}
```

That was really quickly typed here in the browser. Maybe even more elegant would be to add $user->isCustomer and $user->isManager to your user object in an autoload module, then you'd have it available in all your API. See

You can then also prevent editing of pages via simple hooks that check if the user is a customer or manager. Then you can simply build your own logic like customers can only edit their own dns pages etc.

I'd really do that using ProcessModules and not via the page tree. The page tree has big problems hiding/showing stuff based on access related things (see AdminRestrictBranch and its limitations).

bernhard Posted March 28, 2020

Ugh... that was really ugly. Here's a better version:

In your autoload module:

```php
// customers, managers and superusers all count as "customer"
$this->addHookProperty("User::isCustomer", function(HookEvent $event) {
  $event->return = $this->user->isSuperuser();
  if($this->user->hasRole('manager')) $event->return = true;
  if($this->user->hasRole('customer')) $event->return = true;
});

// only managers and superusers count as "manager"
$this->addHookProperty("User::isManager", function(HookEvent $event) {
  $event->return = $this->user->isSuperuser();
  if($this->user->hasRole('manager')) $event->return = true;
});
```

In your processModule:

```php
public function checkAccess() {
  // if user is neither customer nor manager we redirect
  if(!$this->user->isCustomer AND !$this->user->isManager) {
    $this->session->redirect('/your/admin/url/to/no-access-page');
    return;
  }
}

public function executeDNS() {
  $this->checkAccess();
  $user = $this->wire('user');
  $out = "<div>Hello $user, here are your dns settings...</div>";
  if($user->isManager) $out .= "<div>You are a Manager, so you can edit all settings!</div>";
  // ...
  return $out;
}
```

A lot better. Welcome to PW greatness.
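
Added example, not part of any post in this thread: the role checks above decide what a user may do, but not whose records they may do it to. The sketch below combines LuisM's `account` page reference with the hook idea bernhard mentions, so that view/edit access and listings are scoped per customer. The template names `dns` and `license`, the helper names, the placement in site/ready.php and the treatment of managers as per-customer users are assumptions.

```php
<?php namespace ProcessWire;
// site/ready.php (added example; template names and helpers are hypothetical)

/** Templates whose pages belong to exactly one customer account (assumed). */
const TENANT_TEMPLATES = ['dns', 'license'];

/** ID of the account page referenced by a user or data page, 0 if none. */
function accountId(Page $owner): int {
    $ref = $owner->get('account');
    // With output formatting off a page reference is always a PageArray
    if ($ref instanceof PageArray) $ref = $ref->first();
    return $ref instanceof Page ? (int) $ref->id : 0;   // NullPage has id 0
}

/** True only if $page is owned by the same account $user belongs to. */
function sameAccount(Page $page, User $user): bool {
    $id = accountId($user);
    return $id !== 0 && $id === accountId($page);       // no account: deny
}

// Object-level check layered on top of the role/permission result.
foreach (['Page::viewable', 'Page::editable'] as $method) {
    $wire->addHookAfter($method, function (HookEvent $event) {
        if (!$event->return) return;                    // already denied
        $page = $event->object;
        if (!in_array($page->template->name, TENANT_TEMPLATES, true)) return;
        $user = $event->wire('user');
        if ($user->isSuperuser()) return;
        // Assumption: managers are per-customer power users, so they are
        // scoped to their own account exactly like customers.
        $event->return = sameAccount($page, $user);
    });
}

/** Listing query for a ProcessModule: only the current account's pages. */
function findOwn(string $template, User $user): PageArray {
    $id = accountId($user);
    // Allow-list the template so nothing user-supplied reaches the selector
    if ($id === 0 || !in_array($template, TENANT_TEMPLATES, true)) {
        return new PageArray();
    }
    return wire('pages')->find("template=$template, account=$id");
}
```

In a ProcessModule, `executeDNS()` would list `findOwn('dns', $this->wire('user'))` and call `$page->editable()` before saving any submitted change, so a guessed page ID from another customer is rejected server-side.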