Jump to content
snck

Fieldset (Tab): not able to set permissions?

Recommended Posts

Hello,

for a project I have pages with different “content areas“ that can be edited only by specific user roles. In the past I setup a fieldset (tab) containing all the fields that should be available to only one specific group of users and set the fields' view and edit permissions (in the Access tab) accordingly. The result was as expected: Users assigned to the specific role could see the tab, click on it, edit content, users without the role could not see the tab. After updating this installation to 3.0.148 yesterday I wanted to setup another tab following the same principle, but I have no "Access" tab for the fieldset to limit access to the specific role. I even tried cloning an existing (and still working) fieldset. The existing fieldset has some template overrides (screenshot attached) that lead to the desired behaviour, but I am not able to reproduce these settings because there is not "Access" tab for my fieldset in template context either.

Is this a bug in 3.0.148? Has the fieldset fieldtype changed? Am I missing anything here?

I am glad to hear from you guys.
Cheers,
Flo

154853571_Bildschirmfoto2020-03-31um19_44_48.thumb.png.434a6a1d562d6e97f758a99585a5657e.png

Share this post


Link to post
Share on other sites
5 hours ago, snck said:

After updating this installation to 3.0.148

What version did you update from? I think it hasn't been possible to set access controls on fieldsets for some time, maybe years.

I think there might be a couple of reasons for why you can't set access controls on fieldsets:

1. Edit access (in Page Edit) for a fieldset is meaningless because a fieldset doesn't store any user-editable data.

2. Generally speaking fields do not "know" that they belong to a fieldset. You can run your own logic like this...

...but there is no simple property of a field A that indicates that it is within fieldset B. So setting view/edit access on a fieldset doesn't actually set view/edit access for fields within that fieldset. Back when it was possible to set access controls on a fieldset it might have appeared that there was access control in that maybe the inputfields didn't get rendered, but I doubt that this was proper access control/security on the fields within the fieldset. So my guess is that Ryan removed that option so devs wouldn't get the wrong impression that they are setting access control on fields by setting it on a parent fieldset.

So I think your options are...

1. Set access control on the fields within your fieldset.

2. So long as you know and are comfortable with the fact that it isn't proper access control, you could remove the fieldset using a hook:

$wire->addHookAfter('ProcessPageEdit::buildFormContent', function (HookEvent $event) {
	/* @var InputfieldWrapper $wrapper */
	$wrapper = $event->return;
	// Do some test based on roles
	if($event->wire('user')->hasRole('some_role')) {
		// Remove fieldset
		$fs = $wrapper->getChildByName('your_fieldset_name');
		$wrapper->remove($fs);
	}
});

 

  • Like 1

Share this post


Link to post
Share on other sites

Dear @Robin S,

thanks for your explanation! My installation was on 3.0.62 before, but maybe the fieldset has been there even longer. I am doing the access control for my fields with the "Access" tab for the specific fields as well, but I want to hide the fieldsets/tabs for users that are not able to view them (and in the future there might be a lot of them). Your snippet seems to be the perfect starting point for the desired functionality, so thanks again!

Although this might be a rather specific issue, maybe fieldsets could somehow "inherit" properties from the contained fields like "if the user is not allowed to view a single field in this fieldset, he might not see the fieldset/tab as well."? This way one would keep the access logic on field level, but avoid the confusion of showing unpopulated fieldsets/tabs.

Cheers,
Flo

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

  • Similar Content

    • By snck
      Hey,
      I want my editors to be able to use the page lister, especially the bookmarks. I added the page-lister permission to the editor role, but Page lister ("Find" menu item) does not show. Is there anything else I have to do? Links to bookmarks work for the editors, but I would be glad to show them the menu item as well.
      Maybe this has something to do with the long history of the site (started with ProcessWire 2.4 and upgraded to 3.0.148 over the years)?
      Thanks,
      Flo 
    • By fruid
      Hi,
      this is the first time I'm using ProcessWire.
      I thought I get how fields, template and pages work, but when I create a template in the CMS, it doesn't generate any file in site/templates/
      Then I thought I might need to create a blank file myself manually on the FTP (which already seems odd to me).
      Once I did that, I tried to add fields to the template but again, doesn't write to the php file.
      When I create a new page and apply said template to it, the page stay blank.
      AFAIK the mod_rewrite of the apache is on and I went for the worst case scenario described here https://processwire.com/docs/security/file-permissions/ and set all file-permissions for future files to 0666 and folders to 0777 in the config.php
      What am I not getting and what am I doing wrong?
      Help is appreciated, stay save everybody,
      Fred
    • By MarkE
      Having just wasted the best part of a day debugging an access issue because I hadn't realised that page-edit-created negated any related page-edit permissions, could I suggest that a note to this effect is included in the default title. I have amended the title on my system to read:
      Edit only pages user has created (IMPORTANT: This will negate any related page-edit permission - including permissions granted to a user by other roles) ..although it may be possible to make it briefer while not losing clarity and impact.
    • By lenoir
      Is it possible to let people edit a page without having to have a user-role?
      My case is the following:
      Visitors fill in a form (Formbuilder) which is saved to pages. They get a confirmation email which could contain a unique editing link. In case they need to update some information, they can click on this link, edit the fields and save. 
      Am I totally off? Is there a better practice? 
    • By DV-JF
      Hi, 
      I'm using this kind of setup (https://processwire.com/blog/posts/language-access-control-and-more-special-permissions/#language-page-edit-permissions) in order to control the page edit permissions. Now I'm wondering if it's possible to hide the "none-ediable" language-tabs instead of striking them through.

      Many greets...
       
×
×
  • Create New...