Problem with access rules


doolak

I have the following problem:

The editor role has this permission:

- delete pages

- edit pages

- move pages

- sort child pages

- view pages

- user can update profile/password

I have a template "teams" with the following access rules for the editor:

- view pages

- add children

The children of the page are using the template "teams" and have these rules for the editor:

- view pages

- edit pages

- create pages

But although it usually should work, the editor cannot move the child parents - he gets an error message which says that he does not have the right to move a page with the parent "team".

If I add "edit" to the editor's access rules of the "team" template, then it works.

But I don't want the editor to have the right to edit the parent page...

Anybody else who can confirm this problem? Or do I just have a mistake in thinking?


WillyC isn't quite correct there, if I understand what he's trying to say.

page-edit is the minimum permission required to do edit-related activities on the page. Sorting a page's children is considered an edit-related activity. Why? Because it's feasible a user might have edit access to some siblings and not others, so it's a bit of an access control problem for edit access to one page to affect placement of pages a user doesn't have edit access to. So I don't know of a way to get around that without installing other modules. But for the most part, if you've got limited access editors, your sorting mechanisms are ideally predefined so that they don't have to do that. But I will put on my to-do list, to think of other solutions for that particular case. Though I think where we are is probably about right from a security standpoint.

For now there are a couple of ways you could accomplish this with modules. One way would be to install the Page Edit Field Permission module. Have it create permissions for all the fields you want to limit access to on the parent. Then create a new role in addition to your existing editor role. Call it "editor-parent" or something like that. Give that role page-edit and page-sort permissions, nothing more. Edit the template used by the parent page, and check the box to give it edit access to the parent with the sortable children. Give your editor users that role as well. Your editors will be able to sort the children and edit the parent, but only the fields you designate (which you might decide to be, none). 

Another alternative is to add a custom module to take care of it for you. This one essentially changes the behavior of ProcessWire so that if you have access to edit a page, and you have page-sort permission, you also have access to sort it among siblings (written in browser, not tested). 

<?php
class PageSortableCustom extends WireData implements Module {
  public static function getModuleInfo() {
    return array(
      'title' => 'Page Sortable Custom',
      'version' => 1,
      'summary' => 'Let a user sort siblings they have access to edit.',
      'autoload' => true, // load on every request so the hook is always attached
    );
  }
  public function init() {
    // Run after the core Page::sortable check so its result can be inspected
    $this->addHookAfter('Page::sortable', $this, 'hookPageSortable');
  }
  public function hookPageSortable(HookEvent $event) {
    if($event->return) return; // already sortable, so exit
    $page = $event->object;
    // Never the homepage (id 1), and only pages the user can already edit
    if($page->id == 1 || !$page->editable()) return;
    // Editable page plus page-sort permission: allow sorting among siblings
    if($this->user->hasPermission('page-sort', $page)) $event->return = true;
  }
}
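The effect of the hook on the sort decision, as a simplified stand-alone model added here (not ProcessWire's code and not part of the thread). The template names, users and access table are constructed, and the default rule is modelled from the reply's description rather than taken from the core source.

```php
<?php
// Simplified model of the sort decision (added example, not ProcessWire code).

// Templates on which each user's roles grant edit access (constructed).
$editAccess = [
    'editor' => ['team-member'],   // may edit the children, not the parent
    'viewer' => [],                // view-only user
];
// Whether each user's roles include the page-sort permission (constructed).
$hasPageSort = ['editor' => true, 'viewer' => false];

// Constructed page tree: id => [template, parent id].
$pages = [
    1  => ['home', 0],
    10 => ['team', 1],
    11 => ['team-member', 10],
    12 => ['team-member', 10],
];

function editable(string $user, int $id): bool {
    global $editAccess, $pages;
    return in_array($pages[$id][0], $editAccess[$user], true);
}

// Default rule as the reply describes it: sorting is an edit-related
// activity, so it needs edit access on the parent plus page-sort.
function sortableDefault(string $user, int $id): bool {
    global $hasPageSort, $pages;
    $parent = $pages[$id][1];
    return $parent > 0 && $hasPageSort[$user] && editable($user, $parent);
}

// The same decision with the PageSortableCustom hook applied afterwards.
function sortableWithHook(string $user, int $id): bool {
    global $hasPageSort;
    if (sortableDefault($user, $id)) return true;         // already sortable
    if ($id == 1 || !editable($user, $id)) return false;  // homepage or no edit
    return $hasPageSort[$user];
}

// Compare both rules for the parent (10) and one child (11).
foreach (['editor', 'viewer'] as $user) {
    foreach ([10, 11] as $id) {
        printf("%-6s page %d: default=%s hook=%s\n", $user, $id,
            var_export(sortableDefault($user, $id), true),
            var_export(sortableWithHook($user, $id), true));
    }
}
```

When reviewing the hook, keep the case the reply raises in mind: with it enabled, edit access on one sibling is enough to change where that sibling sits among pages the same user may not be able to edit.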
