I want to create a website with many authors, a few editors (for proofreading), and one admin (me). I don’t want the authors to be able to edit other author’s articles. I don’t want the editors to be able to access a subsection they don’t belong to.
So far I’ve been able to restrict the listed articles, for authors, and the listed subsections, for editors. I used the suggestions in this forum: I serve different blueprints for different roles, and the restricted roles have specific lists limited to what they can see (which is determined through a new property in the article model).
The only problem is, once an article is published, an author or editor can get the slug of that article from its published URL, replace the / with +, and directly access the article panel page through its URL.
I would like for the Panel pages URLS to be obfuscated.
Ideally: an option for the panel lets me disable the use of page slugs for accessing pages, and allows me to use UUIDs.
For the page with the path https://example.com/one-section/one-article and the UUID Uu1dSaRe4w3s0mE
Would returns an error:
https://example.com/panel/pages/one-section+one-article
Would return the edit page:
https://example.com/panel/pages/Uu1dSaRe4w3s0mE
The model for article has a is_visible_to_user() property that determines if the user has the rights to see the page:
if the user is an admin
if the user is an editor and the article is in a section that’s listed in the editor’s allowed_sections
if the user is an author and the article is in their allowed_pages list
Permission options in the blueprints
Admins can access/edit everything.
Authors can edit article-type pages. Account and sections are read-only. The rest is forbidden.
Their site blueprint only displays a list with site.index(true).filterBy('is_visible_to_user', true). Sections only list the allowed articles contained in the section.
Editors can edit article pages and access section pages. Accounts are read-only.
Their site blueprint displays a list of the sections they’re allowed to see in allowed_sections. Allowed sections list all articles.
The problem arises when authors or editors enter an URL manually. For example:
AuthorUser is only allowed to see the article-one page in first-section.
EditorUser is only allowed to see first-section.
If any one of them visits the URL for example.com/second-section/article-two and take its path, second-section/article-two and enter it in example.com/panel/pages/second-section+article-two neither will be forbidden to access or edit the page. The blueprint permissions for the article page won’t keep them from editing it.
Making it harder to guess the panel path for different pages would be a good way to keep people from accessing pages with the same blueprint.
