Module: Dynamic Roles (for PW 2.4.6+)

[apeisa]

Nope - there is also view access.

[ryan]

I'd like to be able to create a role called newusers within Roles and then select all users who have that role via the use of Dynamic Roles. Then I can use the Dynamic Roles to select what that user group has access to as it's clearly more flexible. However, it seems when I choose custom (field=value) and input roles=newuser it doesn't work. 

Sorry for my late reply to this. First question here would by why not just select Roles and then choose "newuser" in the select box? It doesn't seem like it's necessary to use custom (field=value) here. However, if you want or need to use custom (field=value) for some reason, then you would need to specify the property of roles that you are trying to match because "roles=" would require an integer of the role ID. I think what you intended was "roles.name=newuser" ? However, I really recommend just choosing "Roles" as your field and then select "newuser". 

Now as expected, the pages using the basic-page template appear again. However, if I now go back into the Dynamic role settings and delete (template - Equals - basic-page) and then save, the pages using the basic-page template are still visible when logged in as testuser when they shouldn't be. The only way to correct this is to delete the whole Dynamic role, and then it works as expected again.

Are you sure that "testuser" session had ended? (i.e. logged out and logged back in?). DynamicRoles caches some information about the user's access within the session (server side) at login. There's no way that the user can change that since it is all server side, but if you are making big changes to the access for a user that's logged in, they may not see those changes till their next session. Or you could clear the server side session files/db to force clearing of the cache. But I'll assume you may have already tried logout/login, so unless I hear back I'll try to duplicate here. 

Also, I have just installed the latest PW build https://processwire....e-11#entry71331 and I can no longer edit Dynamic Roles as there is no edit link to click.

I've not been able to duplicate that here, but I do think I know how to fix it. Go to the DynamicRoles module settings and select the fields that should appear in your dynamic roles listing. It looks like you've got Title selected right now, which you don't want (since there is no title for dynamic roles). I would suggest selecting name and permissions. Please let me know if that fixes it?

[GuruMeditation]

Sorry for my late reply to this. First question here would by why not just select Roles and then choose "newuser" in the select box? It doesn't seem like it's necessary to use custom (field=value) here. However, if you want or need to use custom (field=value) for some reason, then you would need to specify the property of roles that you are trying to match because "roles=" would require an integer of the role ID. I think what you intended was "roles.name=newuser" ? However, I really recommend just choosing "Roles" as your field and then select "newuser".

No worries with the delay, I know you're a busy man

Yeah that is now fixed, as Roles weren't showing for me at the time, but you fixed that issue a while ago.

I've not been able to duplicate that here, but I do think I know how to fix it. Go to the DynamicRoles module settings and select the fields that should appear in your dynamic roles listing. It looks like you've got Title selected right now, which you don't want (since there is no title for dynamic roles). I would suggest selecting name and permissions. Please let me know if that fixes it?

Adding the name field did indeed fix it. Maybe it would be an idea to have a note suggesting that we at least select the name field when we install it?

Are you sure that "testuser" session had ended? (i.e. logged out and logged back in?). DynamicRoles caches some information about the user's access within the session (server side) at login. There's no way that the user can change that since it is all server side, but if you are making big changes to the access for a user that's logged in, they may not see those changes till their next session. Or you could clear the server side session files/db to force clearing of the cache. But I'll assume you may have already tried logout/login, so unless I hear back I'll try to duplicate here. 

I have just tested it again on a clean install and in a different browser and it is still the same. If I log out and then back in, the page is still visible.

Thanks for your time.

[ryan]

Adding the name field did indeed fix it. Maybe it would be an idea to have a note suggesting that we at least select the name field when we install it?

On a fresh installation, I'm not seeing this issue. Name and Permissions are the defaults if you don't select anything. I'm guessing maybe you had it installed before we had this fully configured, but as far as I can tell it's not an issue anymore. Though let me know if you experience something different on a fresh install. 

Now as expected, the pages using the basic-page template appear again. However, if I now go back into the Dynamic role settings and delete (template - Equals - basic-page) and then save, the pages using the basic-page template are still visible when logged in as testuser when they shouldn't be. The only way to correct this is to delete the whole Dynamic role, and then it works as expected again.

@GuruMeditation thanks for the excellent instructions. I was able to reproduce it easily and likewise fix it easily. The latest version fixes this issue.

[GuruMeditation]

I have just tested it, and everything seems to be working fine now. Thanks Ryan.

If it's one thing I'm good at, it's breaking things. So if I break anything else, I'll let you know.

[thmsnhl]

Hi, I have some trouble with this module. I already described it in another thread but here's the summary: 

 

So, now I have the info you needed.

PHP v.5.6 MySQL v.5.5.38  PW v.2.5.0 
And to complete my post: I created a dynamic role called "philipp-dynamic" with the following configuration:

who? > name equals philipp

template=user, include=all, name=philipp

permissions
page-delete, page-edit, page-view, profile-edit

what can they view? > title contains text philipp
title%=philipp

what can they edit? > id equals 2231 (page called philipp)

where can they add new pages? > id equals 2231 

Which leads the user called philipp to be able to edit every page which is in the page-tree except from the homepage, but there is no possibility to add pages anywhere. 

The "matches X page(s)"-field in dynamic roles page tells me, that every condition should fit to the correct pages, but the reality looks different.


 

I cant figure out what is wrong there.

[kongondo]

@Tommy,

Add page-publish to the Permissions.

[thmsnhl]

@Kongondo 
 

in my permissions-list there was no page-publish, so I added it manually in the permissions-tab. Is that all I need to do or is there anything I have to code to get this permission working?
Maybe I could pm you credentials so that you can take a look at it?!

[kongondo]

@Tommy,

Just to clarify, by not working, you mean the user 'Philip' is NOT able to edit his designated page(s) or do you mean he is ABLE to EDIT everything, i.e. including stuff he shouldn't?

The only other thing you need to follow are the notes describing the "What they can view" and "What they can edit" sections, e.g. the lines starting 'Focus on pages...' If you've followed these and it still doesn't work, sure, PM me some credentials to check it out but clarify 'not working' as well

[thmsnhl]

By not working I mean that philipp is not able to add pages to the designated page. Now he is not even able to edit or add any pages... 

I'll send you the credentials and cross my fingers, that you find the bug I created.

[Qualtext]

Hi,

i cant install the module, because ther is an error in DynamicRolesSupport.module-file.
So the installation brakes, and many errors came up in processwire...

Error on install

Error: Call to a member function save() on a non-object...

Replace Line 724

724: $droleEditSelector .= $multiplierNote;

with

724: $droleEditSelector->description .= $multiplierNote;

in DynamicRoleSupport.module an than $droleEditSelector->save(); working well.

Error after repairing .module-file:

Unable to install module 'DynamicRoleSupport': SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry 'droles-28' for key 'name_parent_id'

If the module installation had this error before and you try to reinstall it, you have to delete the latest droles-templates and the created drole-page from the database – else the module cant install again.

Hope somebody helps this.

[cstevensjr]

Can you please open an issue at https://github.com/r...micRoles/issues and reference this topic, so that any correction to the module can be made?  Thanks

[joshuag]

Just tried this module with PW 2.5.3 and can confirm that it's broken like described above. 

[ryan]

Looks like a bad typo on my part, sorry guys. I've corrected it. 

[krisj]

This is a super useful module for multi admin sites. However I am really missing a crucial feature - language support. e.g. a way to separate multilanguage supported fields/templates/users.

example scenario:

english (main) admins have full access

japanese translator - has japanese edit only access

spanish editor - has spanish edit only + "spanish only" publish access

or can any of this be achieved in some other way?

I have a small site where they need to give content translator access to edit their language but they are not comfortable with them being able to change around the main language content. Any suggestions on how to achieve this? we are trying to figure it out here: https://processwire.com/talk/topic/9833-creating-permission-based-access-to-field-languages/

[LostKobrakai]

I'm using dynamic roles to let users have access to client specific parts of a website depending on a pagefield in their user page. Now I just retracted access for one of those users, but the page was still accessable. Not until saving the dynamic role again the access was gone. Is this by design?

[LostKobrakai]

The above issue was due to the session, so as soon as the user relogs it's gone, but I noticed that api created pages where not initially visible. I fixed it by adding this, but I don't know if this will trigger the rebuild trice if pages are added in the backend: https://github.com/LostKobrakai/DynamicRoles/commit/5548722a566f7e4e23d326bd64a0783098b67108

[LostKobrakai]

Is there a way to limit module access in the backend by page-id? Without the needed permission the whole module isn't accessible, while, with the permission given, each instance of the module is viewable. I would need the user to only be able to access few instances of those existing ones.

[LostKobrakai]

Is there a way to limit module access in the backend by page-id? Without the needed permission the whole module isn't accessible, while, with the permission given, each instance of the module is viewable. I would need the user to only be able to access few instances of those existing ones.

Found the solution for this. The "permissionMethod" setting for process modules allows for dynamic access rules on modules.

[LostKobrakai]

I've a really strange issue. I've a page, where all children should be accessible by a dynamic role. But somehow one of the users assigned the role can only see two of the seven children. All those pages are not accessible without the dynamic role and the drole interface shows all the children, which should be accessible. And thought on that or tips on how to debug this?

[Ivan Gretsky]

Is there a way to define dynamic role on runtime based on user role? I have a number of similar roles named similarly (and they will be adding) for each of which I need to make a few dynamic roles. So I am looking for a way to make it DRY.

Edit: I mean something like making a hook that generates a dynamic role via API.

Edited October 12, 2015 by Ivan Gretsky

[Soma]

I found there's some issues with pages changing values that are used on rules for a dynamic role.

It's when I have a filter viewable that says: "on the parent of this page the value on a page select must match, then the user can view the page", as soon as I start change value on that parent page field, subpages won't get updated to reflect this. But they are rebuilt when I change and save the dynamic role. I guess that's by design that it doesn't check for children/parent relations. Which is limiting to how I was trying to use dynamic roles.

[adrian]

I have a similar (I think) issue to soma - I need to restrict a role to only be able to edit all pages in one branch of the page tree. Initially it looks like this module makes very easy work of it, but what happens when a new page is added to the page tree - the index is not rebuilt, which means that the new child page won't be editable by the dynamic role.

At the moment it seems like the only fix is to open this module, change one of the selectors, save, then change it back to what I want and then save again - then the new page is added to the index of pages that are editable by the dynamic role.

Am I missing something?

[adrian]

I decided to have a look around and discovered the problem is that the rebuildForPage method is not being called when a new page is added.

This fixes it for me (note the addition of !$page->created):

} else if(count($changes) || !$page->created) {
    $this->rebuildForPage($page);
}

[renobird]

I'm trying to use this module to dynamically assign a permission that would give access to an admin page.

I have a dynamic role called "scholarships", and the criteria are that the user has 2 roles: music, faculty.

If they do, then they are given the "scholarships" dynamic role, which has 2 permissions: "scholarships" and "page-view".

That should give them access to an admin page that requires the "scholarships" permission, but it doesn't seem to work.

Works fine with a traditional role that has the same permissions.

Any pointers?