I want to create a contributor user role and give this role restricted access to the Panel: they are only allowed to create a new blog page, not access anything else. Something in config.php like:
array( 'id' => 'contributor', 'name' => 'Contributor', 'default' => true, 'panel' => false, 'panel/pages/blogs/add' => true )
I read this older post but I don’t want to implement an entire front-end form to enable users to create a new page. I chose Kirby for its easy-to-use Panel, and I hoped it would be flexible enough to give restricted read-write permissions to certain pages.
Am I missing something, or has this been solved now? In the older post, it said that user permissions were on the pipeline, but I can’t find it on the user role documentation.
Or perhaps there is a quick solution that we can use for this problem for now?
Panel permissions are in the working but have not been implemented yet and we can’t promise when that feature will finally arrive.
So at the moment, creating a frontend form is the only way without modifying the panel yourself, I guess.
Is it the only user role ? If yes, you could hide all other pages but the blog and limit the template for the subpages of the blog to the one you need.
If not, you need to work around the limitations:
- Create a front-end form like you mentioned
- Create two instances of the panel, one as I mentioned above where you hide everything, the other on a separate server for admins. You’d then have to sync the content between the two repos.
We’re all wishing for the user roles to come soon but please trust that the reason it hasn’t come out yet is that the team is working on making it as good and flexible and robust as possible, as with all things Kirby.
Hiding pages does not make them inaccessible, so if you know the url of the page, anyone could still edit those pages.
Yes, as there’s no readonly state for pages 
This is just a quick idea to solve the OP’s problem 
Yeah, but all other users would not see any content anymore either. Unless you create two Kirby instances. With all the syncing which is probably more work then creating a frontend form. Therefore, a readonly state would not help with this problem either.
We definitely need panel permissions, but as long as there are none, we just have to keep waiting or use frontend forms.
Yes absolutely, which is why I asked:
We don’t need to discuss this any further, I think. The important thing here is to understand that hiding pages does not secure any panel pages against unauthorized access.
And you can’t have a single user role only, because you always need to have an admin user at least.
I did some websites where the “admin user” meant editing the files via FTP. I think that’s what @Thiousi meant 
Yes that’s what I meant. Thanks
Here’s an idea:
Use @pedroborges’s Pagelock field and modify it to lock the page based on the user’s role. This requires some work but would be a possible solution for you. You could just take some of his code.
In his plugin, here are the two lines that hide the form and sidebar:
https://github.com/pedroborges/kirby-pagelock/blob/master/assets/js/pagelock.js#L21-L22
EDIT: In reply to @lukasbestle and @texnixe’s warnings. This is indeed not a secure option but merely a suggestion to achieve what the original poster requested because we clearly don’t have any other possibilities while user roles don’t exist. It’s robust enough to prevent normal users from editing the page. If your contributors are evil minded and know their way around, they’ll be able to edit the page no matter what. One piece of advice though: don’t give panel access to evil minded contributors…
As Sonja wrote above, simply hiding stuff (with JS!!) won’t at all secure the Panel.
1 Like
@lukasbestle Thank you for clarifying this.