Pages permissions / users permissions: specific permissions for files

nicolasbulb · August 21, 2023, 11:40am

Hi,
I’m still diggin the permissions for both users and pages.

I have a page with images and I want the “editors” to see all the cards but not allowed to delete, swap, update, change the attached image.

So far, the editor user looks like this:

permissions:
  access:
    account: true
    panel: true
    site: true
    languages: false
    system: true
    users: false
  files:
    create: false
    changeName: false
    delete: false
    read: true
    replace: false
    update: false
  languages:
    create: true
    delete: true
  pages:
    changeSlug: true
    changeStatus: true
    changeTemplate: false
    changeTitle: false
    create: false
    delete: false
    duplicate: false
    preview: true
    read: true
    sort: true
    update: true
  site: false
  user:
    changeEmail: false
    changeLanguage: false
    changeName: false
    changePassword: false
    changeRole: false
    delete: false
    update: false
  users: false

and I have some specific options in the page:

options:
  delete:
    admin: true
    editor: false
    copyrights: false
    guest: false
  create:
    admin: true
    editor: true
    copyrights: false
    guest: false
  duplicate:
    admin: true
    editor: false
    copyrights: false
    guest: false
  changeTitle:
    admin: true
    editor: false
    copyrights: false
    guest: false
  read:
    admin: true
    editor: true
    copyrights: true
    guest: true
  update:
    admin: true
    editor: true
    copyrights: true
    guest: false

But with these settings, the Editor is still being able to change the image??
Please see the screenshot below

pixelijn · August 21, 2023, 11:49am

These look like files fields, so your file permissions have no influence here? Because the user will change the page content, not the files.

nicolasbulb · August 21, 2023, 11:56am

That means it’s a field related permission? Is it possible to do that kind of granularity? or there any other options?

pixelijn · August 21, 2023, 11:59am

Kirby doesn’t know permissions on the field level. The only way to prevent a user from making changes to certain fields would be via programmable blueprints (and then disable those fields for certain user types), or hooks that throw an error when such fields are changed. I’d recommend the first option.

nicolasbulb · August 21, 2023, 12:32pm

Okay, everything is set via Programmable blueprints but how do I let a specific “Editor” user to edit everyfield except these 2 but the user is still able to see the images:

cover:
            label: Recto
            translate: false
            type: files
            query: site.children.images
            multiple: false
            layout: cards
            size: small
            back: white
            store: id
            uploads:
              parent: page.parent
          verso:
            label: Verso
            translate: false
            type: files
            query: site.children.images
            multiple: false
            layout: cards
            size: small
            back: white
            store: id
            uploads:
              parent: page.parent

Many thanks.

pixelijn · August 21, 2023, 1:23pm

Check for the user role in the PHP blueprint and then disable the field.

nicolasbulb · August 21, 2023, 1:44pm

Yeah but if the field is disabled, the user would not be able to see the image anymore right? And this is not what we want? We just need the fields “cover” and “verso” to be uneditable but viewable.

pixelijn · August 21, 2023, 2:04pm

No, a disabled field is just disabled, not hidden.

nicolasbulb · August 21, 2023, 2:10pm

By disabled, it’s a status syntax specific to Kirby or do I use the standard?

  # disabled code here

pixelijn · August 21, 2023, 2:18pm

disabled is a field property: Files | Kirby CMS