[Help] User Roles and Permissions

[drilonb]

Hello,

I need some help creating some user access and roles. For example I want users to have their own pages, Profile Page and News Page, so they can add CV on Profile Page and on news page some text updates. The page and user will be created by administrator.

All the users wil use the same template for profile page and same template for news page.

But what I don’t know how to do is that: how to make those users when they log in to see and edit only their pages, not the other users pages?

Example:

Category - Users:

                User 1

                                Profile Page ( viewable and editable only user 1 or Admin)

                                News Page  ( viewable and editable only user 1 or Admin)

                User 2

                                Profile Page ( viewable and editable only user 2 or Admin)

                                News Page ( viewable and editable only user 2 or Admin)

                User 3

                                Profile Page ( viewable and editable only user 3 or Admin)

                                News Page  ( viewable and editable only user 3 or Admin)

Thanks in advance for your time and help…

[Soma]

I assume you wan't this in the admin. (If front-end based profile pages , this could be quite different.)

There's possibility to create templates and add a for example "client" role to view and edit pages with the template. Not quiet there but we'll get there....

Now create and add page reference field "editablepages" (from the example code) to the "user" system template to be able to select pages you want the user to edit exclusively. If you make it recursive (see below) you will only need to select the top parent page of where the user has his pages and be done, all child pages will be editable.

To get this working, you need to create a module to hook into the editable method of Page class.

Following is an example module code I created adapted from one of Ryan's example here in the forum.

It checks recursively (remove foreach parent check to only have the single pages editable) up the parent of the current page if found a selected page the user has in his profile it's editable. This doesn't work with viewing. But not sure yet if this even possible. You could also consider creating custom admin page for only seeing the pages the user can edit. Depends on how fit you're with the system and php, this might help you getting started.

I'm not sure there's more possibilities. But Ryan will surely be helpful too.

see also this forum entry from where I got this far: http://processwire.com/talk/index.php/topic,258.0.html

<?php

class AccessPageEdit extends WireData implements Module{

public static function getModuleInfo() {
	return array(
		'title' => 'Access Control Page Edit', 
		'summary' => 'Control who can edit what page. If installed, create a inputfieldtype of page to select from site tree and add it to user template. Select page(s) to be edited', 
		'version' => 001, 
		'permanent' => false, 
		'autoload' => true, 
		'singular' => true, 
		);
}

public function init() {
    if($this->user->hasRole("client")) $this->addHookAfter("Page::editable", $this, 'checkpermission'); 
	if($this->user->hasRole("client")) $this->addHookAfter("Page::addable", $this, 'checkpermission');
	//if($this->user->hasRole("client")) $this->addHookAfter("Page::viewable", $this, 'checkpermission'); 
}

public function checkpermission(HookEvent $event) {

    // if it was already determined they don't have access, then abort
    if(!$event->return) return;

    $page = $event->object; 
    $parents = $page->parents;

	// run check for parent pages and allow recursive inherit access 
	foreach($parents as $p){
		if($this->user->editablepages->has($p)) return true;
	}
// then run check on selected single pages
    if(!$this->user->editablepages->has($page)) $event->return = false; 
}

}


?>

[ryan]

Great suggestions from Soma, thanks!

For these types of features, I recommend you build your own forms on the front end, and use the PW API to populate the pages. PW's admin is meant for administrators, not regular site users updating profiles. When you build your own forms on the front end, access control becomes quite simple. You can just give them a textarea field to edit and then keep some other field on the page that keeps track of what user is allowed to edit. That field could be a page reference to the users list, or it could even just be a text field with their username (whatever you prefer). Or, you could just repurpose the page's built-in 'name' field for this. If their username matches the page's name, they can edit. For example:

<?php

if($user->name == "user-" . $page->name) {
    // user can edit the 'about_me' field on this page
    if($input->post->submit) {
        // user is submitting a change
        $page->setOutputFormatting(false);
        $page->about_me = $sanitizer->textarea($input->post->about_me); 
        $page->save();
        $page->setOutputFormatting(true); 
        echo "<h2>Your change has been saved.</h2>";
    } else {
        // give user a form to edit
        echo "<h2>About " . ucfirst($user->name) . "</h2>";
        echo "<form action='./' method='post'>";
        echo "<textarea name='about_me'>{$page->about_me}</textarea>";
        echo "<input type='submit' name='submit' />";
        echo "</form>";
    }
}

[drilonb]

I have tried to make this work, but i cant do it, i dont how exactly to do that because i am not still professional in php but i am trying.

i have setup up code on template but i am not getting the editor in front end form. i have created users and pages with same name(id) but still is not working, for sure i am doing something wrong

My fileds for client page are: title, body, images, and file upload.

If you can explain more specificly how to do this again, where to put the code or which module to use?

I hope i didnt ask for too much

BR,

[ryan]

I think it might be easier for us to help if you can post the code that isn't working. Though if it's my example above that isn't working, let me know.

As with everything, we want to first get it working with the simplest possible scenario with code that only accomplishes the task at hand and nothing more. Then once we've got that working, you'll be able to build from it knowing it's got a strong foundation.

[drilonb]

this is code in individual.php page template in processwire site/templates/ * Template is original from processwire installation

<?php 
/**
* ProcessWire Home template
*/
include("./head.inc");

if($user->name == "user-" . $page->name) {
    // user can edit the 'body' field on this page
    if($input->post->submit) {
        // user is submitting a change
        $page->setOutputFormatting(false);
        $page->body = $sanitizer->textarea($input->post->body); 
$page->biog = $sanitizer->text($input->post->biog);  // I try and without it only with body
        $page->save();
        $page->setOutputFormatting(true); 
        echo "<h2>Your change has been saved.</h2>";
        } else {
        // give user a form to edit
        echo "<h2>About " . ucfirst("hello world") . "</h2>";
        echo "<form action='./' method='post'>";
        echo "<textarea name='body'>{$page->body}</textarea>";
	echo "<text name='biog'>{$page->biog}</text>"; // I try and without it only with body
        echo "<input type='submit' name='submit' />";
        echo "</form>";
    }
}

include("./foot.inc"); 

User have one role "client" and role "client" have Permissions only View Pages and Edit Pages

and user are like user-test and user-test1 and the pages have a same name like user .

for user-test and user-test1 i am using individual.php template where is the code copied.

[ryan]

Your user should just be named "test", without the preceding "user-". I only recommended having "user-" in the page name just for additional clarity and specificity in the page name, but it isn't actually necessary. Also, we are bypassing PW's permissions for this, so don't give them page-edit permission in PW. There's no reason to. And doing so would defeat the purpose of building your front-end forms.

[drilonb]

Now this code is Working, thanks Ryan / Soma  for support now its time to make own form,

<?php 
/**
* ProcessWire Home template
*/
include("./head.inc");

if($user->name == $page->name) {
    if($input->post->submit) {
        $page->setOutputFormatting(false);
        $page->body = $sanitizer->textarea($input->post->body); 
$page->title = $sanitizer->text($input->post->title); 
        $page->save();
        $page->setOutputFormatting(true); 
        echo "<h2>It's Working now</h2>";
echo "<a class='back' href='/profesorat/{$user->name}/'>Return Back</a><br />";
	} else {
        echo "<h2>About " . ucfirst($user->name) . "</h2> <a class='back' href='/processwire/login/logout/'>Log Out</a><br /> ";
        echo "<form action='/profesorat/{$user->name}/' method='post'>";
        echo "<textarea name='body'>{$page->body}</textarea>";
echo "<input type='text' value='{$page->title}' name='title' />";
        echo "<input type='submit' name='submit' />";
        echo "</form>";
    }
}
echo $page->body;
if(count($page->images)) {
	$image = $page->images->first(); 
	$thumb = $image->size(100, 100); 	
	echo "<img src='{$thumb->url}' alt='{$thumb->description}' width='{$thumb->width}' height='{$thumb->height}' />";
}
include("./foot.inc"); 

[ryan]

Great–thanks for the followup and glad you got it working. The main thing will be to watch out for the possibility of having a page with the same name as a user when it's not intended. Of course, if you are limiting this capability to just one parent then that will be less likely.