Restrict user access to a specific project

Hi all,
I’m still discovering Kirby and would really need some help on this one.
FreeBSD 12.1 / Nginx 1.16.1 / PHP 7.3.17 / Kirby 3.3.6

I have the following site structure, aimed mostly at school teachers and their students, who come from various establishments. Teacher-a from school-a is responsible for project-a, etc.:

root
  projects
    project-a
      page-a-1
      page-a-2
      page-a-3
      ...
    project-b
      page-b-1
      page-b-2
      page-b-3
      ...
    project-c
      ...

What I need is for a role ‘teacher-a’ to be able to edit (via panel access) only project-a and its children, a role ‘teacher-b’ to be able to edit only project-b and its children, etc.

(And ideally one day, have a role ‘project-a-student1’ only able to edit page-a-1, ‘project-a-student2’ able to edit only page-a-2, etc. But that would be the cherry on top, my main concern for now is to prevent ‘editor-a’ from editing/deleting other projects.)

I had high hopes for the Bouncer plugin, as it seems to do exactly what I need, but I cannot get it working using the GitHub documentation; my ‘editor-a’ role cannot even log in to the panel when following the instructions.

My /site/blueprints/users/teacher-a.yml role:

title: teacher-a
permissions:
  access:
    panel: true
    site: true
    settings: false
    users: false
  user:
    changeRole: false
    delete: false
    update: false 

I’m not too sure where to put this next section:

fields:
  canaccess:
    label: 'The user will only be able to access:'
    type: pages
    multiple: false
    options: query
    query: page.find('project-a').children

The config.php file:

<?php

return [
    'debug'  => true,
    'url' => 'https://k3.domain.tld',
    'panel' => [ 'install' => true ],
    'locale' => 'fr_FR.UTF-8',
    'date.handler' => 'strftime',
    # as soon as I add this part, panel does not work for the teacher-a role
    'sylvainjule.bouncer.list' => [
        'teacher-a' => 'canaccess'
    ],
];

Obviously something is missing, probably due to my lack of Kirby fluency. Could someone with experience of that plugin, or with a method to limit a user’s capabilities, help me figure this out?

Thanks,

j.

The canAccess field needs to go into the teacher-a.yml role file. In that field, a user has to select the parent page that the role can edit:

In your case, the query has to look different, though:

fields:
  canaccess:
    label: 'The user will only be able to access:'
    type: pages
    multiple: false
    options: query
    query: site.find('projects') # this will find the subpages of the `projects` page, for `teacher-a` you would then select `project-a`

Thanks, but as soon as I do that, ‘teacher-a’ cannot log into the panel (and if he is already logged in, everything goes blank for him; the only possibility is to log out).

New /site/blueprints/users/teacher-a.yml role:

title: teacher-a
permissions:
  access:
    panel: true
    site: true
    settings: false
    users: false
  user:
    changeRole: false
    delete: false
    update: false 
fields:
  canaccess:
    label: 'The user will only be able to access:'
    type: pages
    multiple: false
    options: query
    #query: page.find('project-a').children
    query: page.find('projects')

Teacher-a should ‘see’ projects, but be limited to editing ‘project-a’ only.

And I don’t know how to dump the error so that I can assess it. The user cannot get past the panel/login at this point.

j.

The user then needs access to the projects page as well, I guess. Not sure how to approach this with the plugin and if it would work with selecting both projects and the project-a page in the canaccess field :thinking:

Well, it is solved and works perfectly now, thanks! A big thanks to @sylvainjule for his wonderful help and plugin. Using the latest version (1.0.2) of Bouncer, and the following files:

/site/blueprints/users/editor.yml

title: editor

permissions:
  access:
    panel: true
    site: true
    settings: false
    users: false
  # ...
  user:
    changeRole: false
    delete: false
    update: false # else a user will be able to edit the page they have access to on their profile

fields:
  canaccess:
    label: 'This user will only be able to access :'
    type: pages
    multiple: false
    options: query
    query: kirby.page('projets').children

and the config.php file:

// bouncer
'sylvainjule.bouncer.list' => [
    'editor' => [
        'fieldname' => 'canaccess'
    ]
],

Thank you very much!

j.
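
A configuration check for the setup discussed in this thread, as an added example that is not part of the original posts and is not Bouncer's or Kirby's own code. It compares each `sylvainjule.bouncer.list` entry against the shape used in the final working config and checks that the role's blueprint defines the named pages field and sets `user.update` to false. The function name, the already-parsed array inputs and the `teacher-b` role are assumptions made for the example.

```php
<?php
// Added example. $bouncerList mirrors the 'sylvainjule.bouncer.list' option;
// $blueprints mirrors the role blueprints after YAML parsing (constructed data).

function lintBouncerRoles(array $bouncerList, array $blueprints): array
{
    $problems = [];
    foreach ($bouncerList as $role => $entry) {
        // Shape used in the working config: role => ['fieldname' => '<field>']
        if (!is_array($entry) || !is_string($entry['fieldname'] ?? null)) {
            $problems[] = "$role: entry is not ['fieldname' => '<field>']";
            continue;
        }
        $field = $entry['fieldname'];
        $bp = $blueprints[$role] ?? null;
        if ($bp === null) {
            $problems[] = "$role: no user blueprint found for this role";
            continue;
        }
        if (!isset($bp['fields'][$field])) {
            $problems[] = "$role: blueprint has no '$field' field";
        } elseif (($bp['fields'][$field]['type'] ?? null) !== 'pages') {
            $problems[] = "$role: '$field' is not a pages field";
        }
        // A role that may update its own account can change the restriction
        // field on its own profile. A missing key is reported as well.
        if (($bp['permissions']['user']['update'] ?? true) !== false) {
            $problems[] = "$role: permissions.user.update is not false";
        }
    }
    return $problems;
}

// Constructed sample data based on the snippets posted in the thread.
$restricted = ['fields' => ['canaccess' => ['type' => 'pages', 'multiple' => false]]];
$blueprints = [
    'editor'    => $restricted + ['permissions' => ['user' => ['update' => false]]],
    'teacher-a' => $restricted + ['permissions' => ['user' => ['update' => false]]],
    'teacher-b' => $restricted + ['permissions' => ['user' => ['update' => true]]],
];
$bouncerList = [
    'editor'    => ['fieldname' => 'canaccess'], // shape from the final post
    'teacher-a' => 'canaccess',                  // shape from the first post
    'teacher-b' => ['fieldname' => 'canaccess'], // hypothetical role
];

foreach (lintBouncerRoles($bouncerList, $blueprints) as $problem) {
    echo $problem, PHP_EOL;
}
```

With the sample data, the `editor` role passes, `teacher-a` is reported for its entry shape, and `teacher-b` is reported because the role could edit its own `canaccess` field.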