User blueprints and panel permissions

#1

Hi,

I’ve been looking into the new panel options and in particular the permissions. While doing so, I stumbled across a few questions that I couldn’t solve. I might be completely misunderstanding the permissions sections of the blueprints, so I’d appreciate any pointers to information :)

  1. What are the different options in the user blueprint used for? E.g. from https://getkirby.com/docs/reference/panel/blueprints/user it’s not clear to me which parts of the website the settings permissions->access->site and permissions->site in a user blueprint relate to. permissions->access->site seems to disallow panel login altogether, but permissions->site doesn’t do anything at all.
  2. When using the following user blueprint with a fresh starterkit, users with the Editor role cannot login to the panel (file: /site/blueprints/users/editor.yml):
  title: Editor
  permissions:
    page:
      *: false #removing this line enables panel login.
      changeSlug: true
      changeStatus: true
      changeTemplate: true
      changeTitle: true
      create: true
      delete: true
      preview: true
      update: true
  3. Can I somehow assign different site blueprints for different user roles (i.e. displaying different dashboard content for different roles / users)? Or is it possible to redirect a user to a custom panel page based on their role?
  4. Can I hide the Kirby license key (KIRBY_DOMAIN.com/panel/settings) from non-admins?
  5. Is it possible to add new menu items or hide existing items to the panel menu? This would be useful to provide each role with just the options needed.

Maybe I’m asking too much of the panel and certain things should be custom built for the frontend, but I’m hoping that I’m just missing an obvious solution. I’d appreciate any help :)
Frederik

-updated 8. Feb to correct indentation in (2)


#2

Maybe check out the guide for an intro: https://getkirby.com/docs/guide/users/permissions

Your indentation above is not correct, permissions should be on the same level as the title.

So

permissions:
  access:
    panel: false

creates users with no Panel access.

Sort of, you can assign different blueprint folders per user role like this:

index.php

<?php

require __DIR__ . '/kirby/bootstrap.php';

$kirby = new Kirby();
$user  = $kirby->user();

if ($user && $user->role() == 'candidate') {
   $kirby = new Kirby([
       'roots' => [
           'blueprints' => __DIR__ . '/site/blueprints/candidate',
       ],
   ]);

} elseif ($user && $user->role() == 'sponsor') {
   $kirby = new Kirby([
       'roots' => [
           'blueprints' => __DIR__ . '/site/blueprints/sponsor',
       ],
   ]);
}

echo $kirby->render();

Note that this procedure produces some overhead as it loads everything twice. Hopefully, we will have a better way to achieve this in the future, but for the moment, that’s probably the only option.

You can prohibit access to the settings page completely:

permissions:
  access:
    settings: false

But then the user won’t be able to define language, either.

You can add new Panel views, yes: https://getkirby.com/docs/reference/plugins/extensions/panel-views


#4

Thank you for your reply @texnixe and for your suggestions for 3 and 5! I will try those. It would be great to see the ability to load different blueprints per role in the future :)

I have followed the guide and also checked the docs. Unfortunately even after that I still had the above questions.

Regarding (1):

According to the guide, setting permissions->access->site to false should “prevent the editor […] from updating the site settings”. However, it seems to completely disallow the Editors to log in. Edit: This seems to be a problem when using XAMPP on Windows, but works fine on a Linux server.
Setting permissions->site to false on the other hand doesn’t seem to do anything. Edit: This also doesn’t do anything on Linux.

Regarding (2):

Apologies, I actually had them indented correctly in my code, but wrong format in my initial post. I’ve updated my initial post now.

The *: false seems to cause a problem here so that no user can log in to the panel when it’s set. Removing it in the above blueprint allows login. With *:false set, on the login page, the POST request to /api/auth/login returns the following error:

{
  "status":"error",
  "exception":"Kirby\\Exception\\InvalidArgumentException",
  "message":"Invalid email or password",
  "key":"0",
  "file":"PATH_TO_KIRBY\\kirby\\config\\api\\routes\\auth.php",
  "line":50,
  "details":[],
  "code":400
}

Using the same username/password combination without the *: false works.

Regarding (4):

This seems to disallow login as well, with the same error message as above. It’s also not documented in the docs.

Basically, I want Editors to have access to the panel, but only to certain pages as well as to change their own profile information. Maybe I’m thinking too complicated to achieve this?!
Cheers,
Frederik


#5

Let’s look at two examples:

Example 1:

title: Testuser
permissions:
  access:
    panel: true
    site: true
    users: true
  site: false
  users: false
  user:
    changeRole: false

This Testuser has access to the Panel, the site and to the User page (access/users/true). The user can read all users, but not add or delete or edit other users (users: false). The user can edit their own profile but not change their role.

Example 2:

title: Testuser
permissions:
  access:
    panel: true
    site: true
    users: false

This same user also has access to the Panel, but no access to the Users page (including their own profile). The user can access and edit the site.

It’s important to note that what the setting does depends on whether it is on the same level as access or below access.

I have to admit that some options are missing and the wording in that guide section is at least misleading.


#6

Sorry, I made a mistake myself, should read:

permissions:
  access:
    settings: false

(also corrected above).

And yes, this option isn’t documented, I just found out that it even exists by trying it out.


#7

Your user setup then would have to look like this:

title: Testuser
permissions:
  access:
    panel: true
    users: true
    settings: false # only if you want to prevent access to the Settings page
  users: false # user cannot access, edit, add or delete other users
  user:
    changeRole: false # user can do anything in their profile but not change their own role
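
An added example, not part of the original posts and not Kirby's own code: a small audit that reads a role blueprint and reports which of the restrictions discussed in this thread are still missing. It assumes that a permission which is not set explicitly counts as granted and that a specific action overrides a `*` wildcard; `parse_blueprint`, `granted`, `audit` and the two sample blueprints are constructed for illustration.

```python
# Added example (not Kirby's own code): audit a role blueprint for the thread's restrictions.
# Assumption: a permission that is not set explicitly counts as granted.

def parse_blueprint(text):
    """Parse the nested `key: value` YAML subset that user blueprints use."""
    root = {}
    stack = [(-1, root)]                     # (indent, mapping) pairs, innermost last
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()   # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        key, value = key.strip("\"' "), value.strip()
        while stack[-1][0] >= indent:        # climb back to the parent mapping
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            parent[key] = {}
            stack.append((indent, parent[key]))
        else:
            parent[key] = {"true": True, "false": False}.get(value, value)
    return root

def granted(perms, category, action):
    """Category-wide boolean first, then the explicit action, then '*', then the default."""
    cat = perms.get(category, True)
    return cat if isinstance(cat, bool) else cat.get(action, cat.get("*", True))

CHECKS = [  # restrictions recommended in the replies above
    ("access", "settings", "Settings view (license key) is reachable"),
    ("users", "create", "role can add other users"),
    ("users", "changeRole", "role can change other users' roles"),
    ("user", "changeRole", "user can change their own role"),
]

def audit(text):
    """Return 'category.action: reason' findings for a non-admin role blueprint."""
    perms = parse_blueprint(text).get("permissions", {})
    if not granted(perms, "access", "panel"):
        return []                            # no Panel access, nothing to restrict
    return [f"{c}.{a}: {why}" for c, a, why in CHECKS if granted(perms, c, a)]

# Constructed samples: an editor role that only restricts pages, and the setup from post #7.
LOOSE = 'title: Editor\npermissions:\n  page:\n    "*": false\n    update: true\n'
STRICT = ("title: Testuser\npermissions:\n  access:\n    panel: true\n    users: true\n"
          "    settings: false # hide Settings\n  users: false\n  user:\n    changeRole: false\n")

if __name__ == "__main__":
    for name, text in (("LOOSE", LOOSE), ("STRICT", STRICT)):
        print(name, audit(text) or "ok")
```

Pointing `audit` at each file in /site/blueprints/users/ shows which non-admin roles restrict pages but still leave user management or the Settings view open.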

#8

I also updated the permission docs, hope this is a bit clearer now.


#9

I just played around a bit, and registering blueprints conditionally in a plugin based on user role also works:

<?php
if(($user = kirby()->user()) && $user->role() == 'client') {
    $dir = __DIR__. '/blueprints/client/site.yml';
} else {
    $dir = __DIR__ . '/blueprints/site.yml';
}
Kirby::plugin('my/plugin', [
    'blueprints' => [
        'site' => $dir
    ]
]);

But note that blueprints with the same name in the regular blueprints folder do override these settings.


#10

Bit late, but still wanted to say Thank You @texnixe! Very much appreciate your help!

Conditionally registering through a plugin is a slightly better option than loading everything twice. But ultimately it would be great to see full support for different panel blueprints based on user role.