Page-specific permissions?


doolak

Hi,

I tested the module "Custom Page Roles" but it's not what I thought.

I want to give a user an edit role for specific pages, so that he only has the pages he has access to edit listed in PW-Admin.

Is it possible to do that?

I don't think it's possible, I could be wrong. I saw a post about this but can't find it now. Such a user will be able to "view" but not edit pages. See also this module http://modules.processwire.com/modules/page-edit-per-user/ (page edit per user). This may also be of interest: http://processwire.com/talk/topic/2443-hide-pages-from-page-tree-asmselect-problem/ ("hiding" pages by putting them under Admin page)


  • 3 months later...

Ryan, I am building a new set of modules that will make user access management easier for clients. The current way with roles, permissions and template access is fine for most needs, but a very common scenario for our clients is "I want to allow these 5 groups of users to view this branch of pages and then these 3 groups of users to edit and add those pages". I cannot open the template editing, or start talking about roles and permissions to our clients - it is way above their needs and thinking. What they want is to go into a page and choose groups that can view and choose groups that can edit this page and below it.

To solve this I thought the ideal would be to introduce a new "term" to PW user management: groups. Groups just collect users directly or by tying users into groups through roles (so you can say that all users that have role "editor" or "superuser" belong to group "site editors"). This part I have already figured out and it is working nicely.

Now I am back to basically what CustomPageRoles does: altering the current way of user access. This time I want to go deeper - I want to check user access at the DB query level. I need everything working right: count and pagination also. This probably means keeping my own version of the "pages_access" table and altering how PageFinder filters results.

It would be very helpful for me if you could describe a little more how getQueryAllowedTemplates works and what it does. If I read the code correctly, it checks the allowed templates and based on that, it filters results. I think what makes it difficult for me to follow is that I am not 100% sure how static properties work there.

When moving from template-based UA to page-based, would it be enough to replace the getQueryAllowedTemplates method with page-specific filtering?

I would be happy to build upon the template-based access, but I don't see how I can do that. I need to give the client the ability to give view/edit access to any group on any page, without me or them needing to go editing roles, permissions or templates.


getQueryAllowedTemplates is basically a way to bypass inclusion of pages that use templates the user doesn't have access to. It deals with what pages will be allowed to be returned in a find/get result, and not anything to do with edit access. I tend to think you'd be better off going less low level than that. If the goal is to get things working right with count and pagination, then I think this can be bolted on to how the CustomPageRoles already works. Pretty much all page queries get routed through $pages->find() (including $pages->count()), so you can take advantage of that by hooking in before it and modifying the selector string (argument 0) to limit the found results to those within the user's view access. For example, you might append "view_roles=$user->roles" to that selector string. That's a theoretical starting point at least. But if you'd prefer to do something like getQueryAllowedTemplates, let me know and I can make that method hookable (and thereby replaceable).

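The hook suggested in the reply above, sketched as a small autoload module. This is an added example, not code from the thread, from CustomPageRoles or from the ProcessWire core; the class name `ViewRolesFindFilter` is hypothetical, and it assumes ProcessWire 2.x (the versions named in this thread) and a Page field called `view_roles` holding the roles allowed to view each page.

```php
<?php
/**
 * Added example, not CustomPageRoles or core code.
 * Assumes a Page field named "view_roles" exists (roles allowed to view a page).
 */
class ViewRolesFindFilter extends WireData implements Module {

    public static function getModuleInfo() {
        return array(
            'title'    => 'View Roles Find Filter (hypothetical example)',
            'version'  => 1,
            'summary'  => 'Limits $pages->find() results to pages the user may view.',
            'autoload' => true, // load on every request so the hook is always attached
            'singular' => true,
        );
    }

    public function init() {
        // Run before every $pages->find(); per the post, $pages->count() goes through it too.
        $this->addHookBefore('Pages::find', $this, 'limitToViewRoles');
    }

    public function limitToViewRoles(HookEvent $event) {
        $selector = $event->arguments(0);

        // Only plain selector strings are rewritten here. Anything else passes
        // through unfiltered, so this alone is not a complete access boundary.
        if(!is_string($selector)) return;

        $user = $this->wire('user');
        if($user->isSuperuser()) return; // superusers keep the unrestricted view

        // A PageArray cast to string is "id|id|id", which a selector reads as OR:
        // match pages whose view_roles contains any of the user's roles.
        $limit = 'view_roles=' . $user->roles;

        // Pages with an empty view_roles field no longer match for this user.
        $selector = trim($selector);
        $event->arguments(0, $selector === '' ? $limit : "$selector, $limit");
    }
}
```

Because the restriction is part of the selector, counts and pagination are computed over the already filtered set. The filter only affects which pages are returned; edit access still has to be enforced separately.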

  • 2 months later...

I spent a couple of hours hacking/tweaking Ryan's module today as well, did some searching and found this thread.

The access control model isn't working so well for my needs. I also need to grant certain users view/edit permissions from a branch down.

How come access control is tied to Templates?

I mean, it makes sense in some instances - and it's easy to extend the security model and build custom authorization rules on the front-end, but on the back-end it's not as easy as I had hoped for.

I think part of the issue is that RBAC frameworks normally have two access control components - rights and permissions. Rights are the binary grants you give to users or groups - meaning you either have a given right or you don't. Rights don't traditionally have any parameters - therefore rights usually are more granular in their descriptions, e.g. "can edit all posts" and "can edit posts created by me" are two distinct rights. The rights are independent from permissions, which are defined in code - permissions are checks you can actually perform, and they usually have access to a "context" which might consist of current user, current page, current template, today's date, and of course the current user's rights - anything you might want to use for security checks. An example of a permission would be "can edit post", which might check for several rights, e.g. "can edit all posts", and "can edit posts created by me" which it would check by getting the current Page object from the "context".

I get why it's implemented the way it is - for one, you want to be able to filter pages based on rights, at query-time. With a traditional RBAC model, that is not possible. But so many other things aren't possible with a fixed security model - it grows increasingly complex with increasing requirements, and it gets more rigid the more you extend it. Traditional RBAC can be extended indefinitely and never really increases in complexity because all of its parts function independently.

I think a more traditional RBAC model could be really flexible and incredibly scalable if implemented using hooks in ProcessWire - modules could easily add new permission methods and new security context properties with hooks.

I could see this making ProcessWire much more attractive as a platform for multi-tenant applications, where free-form access control is really crucial.

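The rights/permissions split described in the post above, as an added example in plain PHP (not from the thread and not ProcessWire API). The user names, right names and the `can()` helper are constructed for illustration.

```php
<?php
// Rights: flat, parameterless grants held by users (constructed sample data).
$userRights = [
    'alice' => ['edit-all-posts'],
    'bob'   => ['edit-own-posts'],
    'carol' => [],
];

// Permissions: named checks defined in code. Each receives a context
// (current user, current page, the user's rights) and returns true or false.
$permissions = [
    'edit-post' => function (array $ctx): bool {
        if (in_array('edit-all-posts', $ctx['rights'], true)) {
            return true;
        }
        // The narrower right only applies when the page belongs to the user.
        return in_array('edit-own-posts', $ctx['rights'], true)
            && $ctx['page']['created_by'] === $ctx['user'];
    },
];

// Hypothetical helper: evaluate one permission for one user and page.
function can(string $permission, string $user, array $page,
             array $userRights, array $permissions): bool
{
    if (!isset($permissions[$permission])) {
        return false; // unknown permission: deny by default
    }
    $ctx = [
        'user'   => $user,
        'page'   => $page,
        'rights' => $userRights[$user] ?? [], // unknown user holds no rights
    ];
    return $permissions[$permission]($ctx);
}

// Constructed sample page, created by bob.
$page = ['title' => 'Release notes', 'created_by' => 'bob'];

foreach (array_keys($userRights) as $user) {
    $ok = can('edit-post', $user, $page, $userRights, $permissions);
    printf("%s may edit '%s': %s\n", $user, $page['title'], $ok ? 'yes' : 'no');
}
```

The permission is a closure evaluated per page, which is also why, as the post notes, this model cannot filter pages at query time.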

I have used a lot of time with this issue. The bigger and more complex sites we build, the more "ad hoc" UA is needed. Defining access on "who can access/edit news" is not relevant when your site has 20 news archives for different groups. Or when you want to create a new "workgroup" and choose who can access that. Of course all these can be built custom, but it is lots of work and PW doesn't provide anything as a base for that.

I have a module baking that solves this very issue. It has basic functionality already made and for most parts it bypasses the template-based UA totally. This is by intention very simple at this first stage: just view and edit rights and users that belong to groups (one user can belong to many groups).

Not sure about the licensing yet, I might release this as a commercial module, but also happy to transform it to an open source project for the community (if you guys feel this is promising). Ryan has seen the code and we did hit one core problem: circular reference. My module requires a page field that many times references itself. This creates problems in certain situations: actually only when a page is saved but no changes are made.

It is not ready yet, but the basic functionality should be there. I have built this a few times already and always from a different angle. I believe this is the most simple one (see the find hook that has been the problem in those previous modules).

Anyways, I know at least Teppo and Nik have been interested in this, so here we go: https://github.com/apeisa/UserGroups/


Hi apeisa,

your module sounds like a solution for a future project ;)

I am thinking about a website with groups. The group owner can add users as members (reference user or a user's profile page?). Group content can be public or private (group members only, maybe also private groups could be useful). Group content (internal discussions, news or other type of pages) can be referenced to a group (page reference) and set to pub/priv.

Until now I thought about a solution built with another CMS (Drupal for example), but maybe with your UserGroups module I could try to build it with PW :)

I am following here to be up to date about your module ;)


  • 3 weeks later...

Xeto, thanks for your comments. I am not planning to add "middle managers" - ie "group admins", that can manage users inside their group. Though that would be nice addon for this module. Other than that feature - this seems to be pretty much what you need.

There is some green light to get circular references working in PW: https://github.com/ryancramerdesign/ProcessWire/pull/258#issuecomment-30052142


  • 1 year later...

Just wanted to mention, when I try to load the module from the repository I get:

 Session: Unable to open ZIP file, error code: 19

User management would be much more easy if we had something like child and parent in templates.

Right now, if I want a protected version of my basic page I need to copy the template and then change access rights. But if I change my basic template I have to manually change all of its protected versions. That's OK if you have just a few templates, but becomes impossible if you have many templates. So it would be great to have something like child templates that always have all fields their parents have, but you can assign different access rights to them. Even if this is not a perfect solution it would make access control a lot more easy.


The error message was from "CustomPageRoles"; the zip seems to be corrupted.

UserGroups would be the perfect solution if it's more or less production ready?

When I look at this thread it seems to be not ready yet + I guess I have to use a certain dev version of PW?

Template inheritance would make using templates for user management much more easy, plus it would be good to have anyway. Just a thought.

Going to test usergroups now :-)


We should probably update UserGroups into the public and add it to modules directory. It is definitely much more stable than any proof of concept modules introduced in this topic. We are using UserGroups in multiple big sites already.


@NorbertH: https://github.com/apeisa/ProcessUserExtended. UserGroups isn't in the directory either, so no big difference there.

Also, UserGroupsProcessUserExtendedIntegration (so proud of that name..) is a module that you install by hand, so just leave it out and this should be even less of a problem. It's only a bridge between UserGroups and ProcessUserExtended  :)


OK, when I install the module the page only generates a 500 Server Error.

Here is the error log:

[Tue Dec 30 18:39:56.929767 2014] [core:error] [pid 26496] [client 84.60.116.85:59731] End of script output before headers: index.php
[Tue Dec 30 18:40:00.324062 2014] [fcgid:warn] [pid 26475] (104)Connection reset by peer: [client 84.60.116.85:59733] mod_fcgid: error reading data from FastCGI server
ProcessWire 2.5.10 dev

After the module is uninstalled everything is OK again.


Does this module change file permissions in some way? If yes, it possibly can be a configuration problem in suEXEC.

I discuss this with the server admin.

Edit:

Tested it on another server, runs smooth (2.5.10) .... trying a third one tomorrow.

One more edit:

Tested a third server, PW 2.4, no problems at all.


This is going to be weird.

Installing all modules on the clean install did not produce any result.

So I checked the template.

Finally, after a lot of tests, I can switch the problem on and off by uncommenting the following line:

 
background: url(<?=$pages->get("/settings/template-spot/")->image->url?>) no-repeat center top;

If the module isn't installed it simply gives the image URL.

There are quite a few PW installations on this server and such a problem was never encountered.

Edit: same problem with files instead of image.

It's too late, I keep hunting this tomorrow.

