Permissions & panel.page.read

Hi Kirby fellas,

So I updated my Kirby website from 2.4.1 to 2.5.5 yesterday. Everything works fine for now: I’m happy.

I’ve previously created roles with specific permissions (seller, writer, translator…) and it was all OK; each user was able to see only the pages according to his role:

return [
    'name'    => 'Sellet',
    'default' => false,
    'permissions' => [    
        'panel.page.read' => function() {
            return 
                $this->target()->page()->template()         === 'product' || 
                $this->target()->page()->template()         === 'products' || 
                $this->target()->page()->template()         === 'lab' ;
        },
    ]
];

But today, I was doing some tests by connecting with other user accounts (not as admin) and after a few minutes I realised that I can now see all the pages, no matter my role. It displays an error message when I click on a restricted page (that’s something) but it doesn’t look as neat for the users as it used to.

Is it normal behavior in Kirby 2.5.5 (because it works) or is this a weird bug?

Thanks in advance, guys!

No, that should not be the case and I can’t reproduce this. Using your code above in a starter kit (and changing the permission to only allow the user to see the projects and project pages), the restriction works perfectly. Could you elaborate a bit more on how to reproduce this and post a screenshot, maybe?

Here are some screenshots and code snippets:

I’m logged in as a “designer” as you can see below, I’m “Jonathan” and the fact that I can only edit myself shows that the permissions work:

Here is the code in roles/designer.php:

<?php

return [
    'name'    => 'Designer',
    'default' => false,
    'permissions' => [
        '*'                 => true,
        'panel.site.update' => false,
        'panel.user.*'      => false,
        'panel.page.delete' => false,
        'panel.user.read'   => true,
        'panel.file.*'      => true,
        'panel.page.visibility' => function() {
            return 
                $this->target()->page()->template() === 'products' ||
                $this->target()->page()->template() === 'product' || 
                $this->target()->page()->template() === 'job';
        },
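        'panel.page.create' => function() {
            // Note: && binds tighter than ||, so this evaluates as
            // (default language && 'products') || 'job'.
            return
                $this->site()->language()->default() &&
                $this->target()->page()->template() === 'products' ||
                $this->target()->page()->template() === 'job';
        },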
        'panel.page.update' => function() {
            return 
                $this->target()->page()->template() === 'products' ||
                $this->target()->page()->template() === 'product' || 
                $this->target()->page()->template() === 'job';
        },     
        'panel.page.read' => function() {
            return 
                $this->target()->page()->template()         === 'product' || 
                $this->target()->page()->template()         === 'products' || 
                $this->target()->page()->template()         === 'lab' || 
                $this->target()->page()->template()         === 'jobs'|| 
                $this->target()->page()->template()         === 'job';
        },
        'panel.user.update' => function() {
            if($this->user()->is($this->target()->user())) {
                return true;
            } else {
                return false;
            }
        }
    ]
];

Logged in as a designer I should be able to see only the products (and child product and lab) and jobs (child job) pages, right? Here is what I end up with:

If I click on firm, here is the result (sorry for the French error, it says: “you are not allowed to do this”):

So it works… but it doesn’t work. I can’t get any error or find the reason for this behavior. I keep looking, but I’ve mainly done translation and blueprint fine-tuning between yesterday and today.

Can you reproduce the issue in a fresh langkit? Because I can’t. I created a new user role like the one above, changed the names of the templates a bit to fit a langkit example, created a user with the user role and logged in as that user. But I don’t see any pages apart from the ones I’m supposed to see. I also wonder where those eye icons come from for those invisible pages or whatever they are (or is that just a custom panel stylesheet?).

I’ll check this out tomorrow. Yeah, it is a custom panel stylesheet. So far what I’ve tried:

  • remove this particular stylesheet
  • duplicate / rename the role and assign it to a new user
  • rewrite the role from scratch to isolate an issue
  • empty cache and other stuff
  • rewrite my config from scratch to isolate an issue

Note that I did a manual update 2.4.1 > 2.5.5 by replacing /kirby/ and /panel/ with a good old copy/paste.

What I haven’t tried, and I should as it is the biggest change since yesterday, is removing the 3 site/languages/[lang].txt I’ve added.

As always I guess it is a silly issue, but this one looks tricky as it works, but not as expected, and I didn’t touch anything in Kirby’s core. Any idea on tests I should run, besides the clean langkit?

I’ll keep you up to date ASAP.

One thing I’d try, if it is not too complicated, is removing all plugins and seeing if it works then. Then add all plugins back in one by one to see if any one might be interfering.

OK, found it thanks to a clean reinstall.

I secured the website by removing the possibility to add any level 1 page. I did it like this in my site.yml:

pages: false

As soon as I put back the setting to true, the panel’s permissions (especially panel.page.read) are all working fine.