Jump to content

Fieldset (Tab): not able to set permissions?


snck
 Share

Recommended Posts

Hello,

for a project I have pages with different “content areas“ that can be edited only by specific user roles. In the past I setup a fieldset (tab) containing all the fields that should be available to only one specific group of users and set the fields' view and edit permissions (in the Access tab) accordingly. The result was as expected: Users assigned to the specific role could see the tab, click on it, edit content, users without the role could not see the tab. After updating this installation to 3.0.148 yesterday I wanted to setup another tab following the same principle, but I have no "Access" tab for the fieldset to limit access to the specific role. I even tried cloning an existing (and still working) fieldset. The existing fieldset has some template overrides (screenshot attached) that lead to the desired behaviour, but I am not able to reproduce these settings because there is not "Access" tab for my fieldset in template context either.

Is this a bug in 3.0.148? Has the fieldset fieldtype changed? Am I missing anything here?

I am glad to hear from you guys.
Cheers,
Flo

154853571_Bildschirmfoto2020-03-31um19_44_48.thumb.png.434a6a1d562d6e97f758a99585a5657e.png

Link to comment
Share on other sites

5 hours ago, snck said:

After updating this installation to 3.0.148

What version did you update from? I think it hasn't been possible to set access controls on fieldsets for some time, maybe years.

I think there might be a couple of reasons for why you can't set access controls on fieldsets:

1. Edit access (in Page Edit) for a fieldset is meaningless because a fieldset doesn't store any user-editable data.

2. Generally speaking fields do not "know" that they belong to a fieldset. You can run your own logic like this...

...but there is no simple property of a field A that indicates that it is within fieldset B. So setting view/edit access on a fieldset doesn't actually set view/edit access for fields within that fieldset. Back when it was possible to set access controls on a fieldset it might have appeared that there was access control in that maybe the inputfields didn't get rendered, but I doubt that this was proper access control/security on the fields within the fieldset. So my guess is that Ryan removed that option so devs wouldn't get the wrong impression that they are setting access control on fields by setting it on a parent fieldset.

So I think your options are...

1. Set access control on the fields within your fieldset.

2. So long as you know and are comfortable with the fact that it isn't proper access control, you could remove the fieldset using a hook:

$wire->addHookAfter('ProcessPageEdit::buildFormContent', function (HookEvent $event) {
	/* @var InputfieldWrapper $wrapper */
	$wrapper = $event->return;
	// Do some test based on roles
	if($event->wire('user')->hasRole('some_role')) {
		// Remove fieldset
		$fs = $wrapper->getChildByName('your_fieldset_name');
		$wrapper->remove($fs);
	}
});

 

  • Like 1
Link to comment
Share on other sites

Dear @Robin S,

thanks for your explanation! My installation was on 3.0.62 before, but maybe the fieldset has been there even longer. I am doing the access control for my fields with the "Access" tab for the specific fields as well, but I want to hide the fieldsets/tabs for users that are not able to view them (and in the future there might be a lot of them). Your snippet seems to be the perfect starting point for the desired functionality, so thanks again!

Although this might be a rather specific issue, maybe fieldsets could somehow "inherit" properties from the contained fields like "if the user is not allowed to view a single field in this fieldset, he might not see the fieldset/tab as well."? This way one would keep the access logic on field level, but avoid the confusion of showing unpopulated fieldsets/tabs.

Cheers,
Flo

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    No registered users viewing this page.

  • Similar Content

    • By jonatan
      "Permission “page-sort” for template “ ... ” not allowed (requires “page-edit” permission)"

      – This lovely error message is thrown at me, if, as implied by it, I try to add (to my "editor" role) the permission "page-sort" for a specific template, without the permission "page-edit" enabled for the same template.
      Seems like it's been mentioned a few times before but never properly answered, by e.g. @Robin S ... :  
      "Allow the granting of page-sort permission independent of page-edit": https://github.com/processwire/processwire-requests/issues/29
       
       
       


      Why do I wanna do this?:

      I have a page tree structure  🌳  as so:

      ________________________

      Category [C1]
      – Page a [C1_p] – Page b [C1_p] Different category [C2]
      – Page c [C2_p] – Page d [C2_p] ________________________

      The page "Category" has the page-template "C1",
      the pages "Page a" and "Page b" both have the page-template "C1_p".
      The page "Different category" has the page-template "C2"
      the pages "Page c" and "Page d" both have the page-template "C2_p".
       
      The two pages called "Category" and "Different category" do not have any content, they only serve as containers for pages belonging to that category.
       
      I want my "editor" role not to be able to do anything at all with these pages "Category" and "Different category"; i.e. I do not want my editor to be able to edit, move, unpublish, hide, lock, delete (or do anything else to) these category pages. 
      – So, I want my "editor" role to have the "page-edit" permission for pages with the templates "C1_p" and "C2_p", but not for the pages with the category templates "C1" and "C2",
      Also, I want my "editor" role to be able to move the pages with the templates "C1_p" and "C2_p" within their parent-pages. 


      Problem:

      But if I just simply add the "page-edit" and the "page-move" permissions for the "C1_p" and "C2_p" templates, then, using the "editor" role, I am not able to move these "C1_p" (and "C2_p") -template-based pages. I can actually click "MOVE" next to them and then move them, but... then I will be met by the error message "You do not have permission to sort pages using this parent - /Category/".  
      – So, I try to add the "page-sort" (description: "permission to sort child pages") permission to the "C1" and "C2" templates... but then trying to do so I am met by the initially mentioned error message   ! Permission “page-sort” for template “C1” not allowed (requires “page-edit” permission)  . 
      And, as mentioned, I do not want my editor role users to be able to edit these category ("C1" and "C2") pages...
      – what to do about this? 😅 
       
      All the best,
      Jonatan 
    • By snck
      Hey there,
      for a client website I need to implement a "reviewer" role. "Reviewers" should be able to review new (unpublished) articles to give feedback to editors, but not have the permission to change them. 
      I built a new "reviewer" role that only has page-view permissions for the respective templates, but this permission does not include viewing unpublished pages. How can I grant them access to the unpublished articles without giving them page-edit permission?
      Cheers,
      Flo
    • By snck
      Hey,
      I want my editors to be able to use the page lister, especially the bookmarks. I added the page-lister permission to the editor role, but Page lister ("Find" menu item) does not show. Is there anything else I have to do? Links to bookmarks work for the editors, but I would be glad to show them the menu item as well.
      Maybe this has something to do with the long history of the site (started with ProcessWire 2.4 and upgraded to 3.0.148 over the years)?
      Thanks,
      Flo 
    • By fruid
      Hi,
      this is the first time I'm using ProcessWire.
      I thought I get how fields, template and pages work, but when I create a template in the CMS, it doesn't generate any file in site/templates/
      Then I thought I might need to create a blank file myself manually on the FTP (which already seems odd to me).
      Once I did that, I tried to add fields to the template but again, doesn't write to the php file.
      When I create a new page and apply said template to it, the page stay blank.
      AFAIK the mod_rewrite of the apache is on and I went for the worst case scenario described here https://processwire.com/docs/security/file-permissions/ and set all file-permissions for future files to 0666 and folders to 0777 in the config.php
      What am I not getting and what am I doing wrong?
      Help is appreciated, stay save everybody,
      Fred
    • By MarkE
      Having just wasted the best part of a day debugging an access issue because I hadn't realised that page-edit-created negated any related page-edit permissions, could I suggest that a note to this effect is included in the default title. I have amended the title on my system to read:
      Edit only pages user has created (IMPORTANT: This will negate any related page-edit permission - including permissions granted to a user by other roles) ..although it may be possible to make it briefer while not losing clarity and impact.
×
×
  • Create New...