i created a âclientâ role for the frontend. When a user with the âclientâ-role is logged in, he has access to additional pages that other users donât (surprise).
In the docâs its mentioned that i can customize roles per page/file etc. from the page blueprint. But actually i want to edit which pages a client can see individually (different per client). Is there a solution to edit the pages a user (with the client role) has access to, from the panel?
Is it good practice to define additional fields for the user in the backend to manage such access?
I think if the easiest way would be select/multiselect or checkboxes field in each page that you can query in your templates where you assign either a role or individual users that can access a page from the frontend.
thanks for your answer. Maintaining permissions for each page is not feasible for the amount of pages I believe. I donât want the editors to update 300pages for a new client.
Say I define the permissions (checkboxes for top level pages that have children) for each user of role client. Can i check role and permissions of the user in a hook so that I donât have to constantly check permissions for each page in my templates when calling $page->children() for example or navigating to a page?
Yes, that doesnât make sense, but you asked for per page permissions.
Maybe Iâm missing something, but hooks are triggered if you do something in the Panel, so that doesnât make sense. Instead of checking permissions in every template, you could do this with a catch all route, though.
Maybe Iâm missing something, but hooks are triggered if you do something in the Panel,
Ah, i thought there are also some life cycle hooks available to add more functionalityâŚ
Actually, maybe let me try to rephrase the issue by giving an example.
I have set up a couple of user attributes that can be edited by admins in the backend. One of them is the checkbox âBackendâ [boolean]. âBackendâ is a page that shall be hidden for all visitors by default and should only be visible and accessable by my defined roles: clients, editors and admins.
Currently site->children()->listed()->not($site->homePage()) returns all visible pages on the top level, including âBackendâ. I donât want that âBackendâ page to be part of the list for regular visitors. Furthermore the visitor shall not be able to access such restricted pages without logging in. On top of that, subpages of restricted pages shall also not be accessable nor visible for unauthorized users and should only be displayed for clients (cleints role + where user has permission), editors or admins.
Maybe that makes it a little bit clearer what i am trying to archive. What i am looking for is a way to programmatically solve this issue by evaluating a users attributes and serve pages accordingly⌠But i donât know where kirby would resolve such rules.
I found this example for using hooks to blocking access to pages via route, but it will not hide pages from the being displayed in the front end without adjusting the templatesâŚ
I think if you want to loop through your collections, you would have to filter your pages by user permissions.
For displaying individual pages, you can use a catch all route orâif the number of parent pages that is protectedâan array of parent pages and their childrenâand inside that route determine if the page can be shown or not.
Using a hook here doesnât really make sense and wouldnât provide any advantages over a normal route-
thanks for taking your time to answer, i finally had some time to dig around in the documentation and think about alternative approaches.
Is it possible to overwrite the children() methods for $site and $pages as well as $page to check $kirby->user() for itâs role and permissions?
As you suggested the alternative is to add a siteMethod / pageMethod called permissions() with return $this->filterBy(âidâ, ânot inâ, $permissions) or similarâŚ