Restricting choice in specific field based on user role

Hi all,

I’m discovering Kirby and so far I’m loving it. As a first project I must build some kind of a multi-user blog, where each user can post articles (and edit them etc.) but only in a specific category.

There are as of yet 5 categories. The admin role can choose which category applies to each article, but a user should be restricted to only one category, based on its user role I assume.

I’ve read that post, which could be a solution, but is this the only option I have ?

Thanks,

j.

A solution with one role you can find at My way to restrict a role, but please use the newest Kirby version.

Another way can be to use a different blog-articles blueprint for each editor. There you can give specific permissions.

You could create a user role for each category… Provided the categories have different blueprints, you could set permissions there.

Hello HeinerEF, and thank you for your answers. Being the newbie that I am, I’m not sure I know what you mean, how can I do that ? Isn’t it the same as the index.php hack ?

Thanks,

j.

It is.

If only single blueprints are affected, it is also possible to do this on a per blueprint basis in a plugin.

Also: https://getkirby.com/plugins/sylvainjule/bouncer

Page models that override the isReadable() method are another option:

class NotePage extends Page
{
  
    public function isReadable(): bool
    {
        static $readable = [];

        $template = $this->intendedTemplate()->name();

        if (isset($readable[$template]) === true) {
            return $readable[$template];
        }
        if ($this->author()->toUser() === kirby()->user() || kirby()->user()->role()->name() === 'admin') {
            return true;
        }
        return false;

    }
}

Hi pixelijn, I would not know how/dare to write a plugin at this point, but both your suggestions and this bouncer plugin look promising indeed. Many thanks !

j.

Check out if the plugin serves your needs. If not, we are here to help if you want to explore the other options.

So the plugin did not answer exactly my need, so I went to the edition of the index.php file, and duplicated 5 times the blueprints directory… :expressionless: Then edited each pages/article.yml to restrict the value.

From :

...
fields:
  category:
	type: select
	max: 1
	options: query
	query: page.parent.categories.split

To :

...
fields:
  category:
	type: hidden
	default: The forced category for that role

And it seems to be working ! It might not be very efficient, but for now it will do nicely :slight_smile:

Thanks to all,

j.

Well I spoke too soon, user from role1 can modify the post of a user with a different role ! :frowning: Clearly something I still don’t understand.

j.

Make it with five different roles, if you need that.

Test my example in a new website as a wrote there but with the newest Kirby version and log in as the editor. Then you see what happens.
Good luck!

I think the approach with 5 different blueprint folders is not very suited for this use case.

I think using a page model and restricting access based on the category and the assigned user would be more appropriate.

But then in the other page blueprints (write) access has to be stopped too

@jbeauviala Could you please outline the page structure you need and to what pages you need to restrict access based on what? Maybe using category parent pages and assigning a role to these pages and their subpages would be the best option.

1 Like

Sure,

it’s basically a blog, with 5 types of articles.

Each post (article) has a field ‘category’, that can be either ‘cat1’, ‘cat2’, ‘cat3’, ‘cat4’, ‘cat5’.

The user1 in role1 can only edit posts that have a ‘cat1’ category. He cannot create or edit a ‘cat3’ post. Only the ‘admin’ user can create whatever type of post.

And ideally only the ‘admin’ user can publish, the users can only create drafts or unlisted posts.

does that makes it clearer ?

Thanks !

j.

I see, thanks. But that would mean that either your category posts need different blueprints or you have to create parents for each category and then assign user role to each category:

blog
  - category 1 (only user role 1)
    -- posts for category 1
  - category 2 (only role 2)
    -- posts for category 2
  etc.

Then within the model for the category page, you can restrict read access to each category based on user role using the isReadable() method.

Because restricting access based on field in a page that doesn’t even exist yet, wouldn’t make much sense.

No, but each page has a category, you cannot create one post without a category. As of now, filtering functions based on that. Either the admin chooses a category, or the role creates it without knowing (my post #9 above). See this example, the blog was started based on this theme : http://themes.kueker.net/dana/en/category:Spicky%20Bud/

So in theory, no need to separate categories / create blueprints per category, which makes senses as they all have the same fields.

But I could be wrong, I’m just starting with Kirby.

j.

When a user creates a new post, then the category is assigned automatically, based on the user’s role? Yes, that would actually work via a hook or a page model.