Restrict content to the content authors

hellmaca · September 19, 2018, 7:57pm

I want my users to be able to view and edit only collection posts they have created. Is this something I would implement in the config file or programmatically? If so, any help would be much appreciated. Also, I will have a hidden boolean field created on each collection post only accessible by admions. Once that field is set to true only admins should be able to see/edit that post. This access to author’s own content will be more restrictive than just user groups.

raffaelj · September 19, 2018, 11:19pm

Add this code to the read permissions of your collection to restrict entries by owner:

<?php
if ($context->user) {
    $context->options['filter']['_by'] = $context->user['_id'];
}

Add this code to the read permissions of your collection to restrict entries by owner, except admins:

<?php
if ($context->user && $context->user['group'] != 'admin') {
    $context->options['filter']['_by'] = $context->user['_id'];
}

Filtering + Hiding fields for non-admins can be done this way:

<?php
if ($context->user && $context->user['group'] != 'admin') {
    // filter by admin-boolean
    $context->options['filter']['admin_boolean'] = false;
    // hide field for non-admin --> or use field acl instead
    $context->options['fields']['admin_boolean'] = false;
}

~~I tried to test the solution above, but I have some weird bugs with boolean fields right now. I have to check in the next days, if I broke my test cockpit or if it is a real bug…~~

edit: I tried it again with a fresh installation and it worked.

Instead of adding $context->options['fields']['admin_boolean'] = false; to the read permissions, you can add permissions in the context menu of your field to group “admin”. It has the same effect.

For some more permission options, you may have a look at

github.com/agentejo/cockpit

Example configuration / granular user permissions

opened 05:31PM - 20 Feb 18 UTC

ca057

Hello! Cockpit looks like a promising tool for a new project, but I'm having tr…ouble figuring out how to set it up correctly for my use case. Is there any example configuration (`config.yml`?) available or is there any place where I can look up all possibilities? I wasn't able to find something appropriate. To make it more clear: At the moment I'm mostly interested if it's possible to limit the viewing capabilities of users based on groups. What I basically need is: (* one admin able to see everything/configure the system) * a bunch of editors who should be able to create/edit new items, but should not be able to see the content of other editors * a manager which is able to create/edit/delete all items in the systems, so also all items of every editor. Is a configuration like that possible? Thanks already for your help!

and

hellmaca · September 20, 2018, 12:27pm

Thank you for your explanation. For some reason, I thought that code had to go into the update permissions as well which ended up disabling the desired functionality. With regards to the boolean field, I have already restricted the viewing and editing of it to admins. The boolean field name is published. Once published is set to true, I would like for all collection posts with a value of published: true to only be edited by admins. Is there a way to implement this functionality? Thank you so much for your help!

raffaelj · September 20, 2018, 2:50pm

Hmm…, I’m not sure, if this is possible with collections permissions.

You could add this code to config/bootstrap.php to interrupt the saving process. But it feels a bit wrong…

<?php

$app->on('collections.save.before.yourcollectionname', function($name, &$entry, $isUpdate) {
    if ($isUpdate && $entry['published'] == true && $this->module('cockpit')->getGroup() != 'admin') {
        die;
    }
});

hellmaca · September 20, 2018, 5:09pm

Thank you for your help. That code did the trick. I like the way you put it that “it feels a bit wrong.” Could the problem be in the way I am imagining how to handle published content? Is there a way to hide content with published:true from all users except admins? I could create a new collection only visible and editable by admins, but unless I am mistaken that would involve an admin manually porting content from one collection to another which doesn’t seem right. I am trying to use published:true as a way to designate which collection posts will generate website content. Once the content has been “approved” by admin to be published to the website, I do not want anyone but an admin to be able to edit it in any way. I am building a Vue app that uses axios to get content from Cockpit with the filter:{published:true}. This code does what I asked, and I really appreciate it. I may just replace the saving failed message with a custom one to alert users as to why they cannot update the specific post. Cheers!

raffaelj · September 20, 2018, 9:57pm

This was a hard one, but I’m sure, I’ll need it myself in the future.

And I also found another way while fiddling. You don’t need the extra bootstrap.php.

read permissions:

<php
if ($context->user && $context->user['group'] != 'admin') {
    
    // filter by content owner
    $context->options['filter']['_by'] = $context->user['_id'];
    
    // return error when trying to edit published entries
    if (isset($context->entry) && (!isset($context->entry['published']) || $context->entry['published']) == true) {
        return cockpit()->stop('{"error": "You can\'t edit published entries."}', 401);
    }
}

delete permissions:

if ($context->user && $context->user['group'] != 'admin') {
    
    $entries = cockpit()->module('collections')->find($collection['name'], $context->options);
    
    foreach ($entries as $entry) {
        if ($entry['published'] == true) {
            return cockpit()->stop('{"error": "You can\'t delete published entries."}', 401);
        }
    }
    
}

Wait with the delete permissions until this PR got merged. Right now, the delete permission has no effect.

Full example with annotations

github.com

raffaelj/cockpit-scripts/blob/master/permissions/restrict-content-to-owner-and-disallow-editing-published-entries.php

<?php

/*
  restrict visible entries to content creators and
  disallow editing entries, which are published by an admin

  Use Case:

    Users can create entries, but they can't set it to public.
    An admin has to publish it manually and afterwards, the user can't edit or
    delete it again.

  How to use:

    * create a boolean field "published" and set its access rule to "admin"
    * edit collection and open "Permissions" tab
    * set permissions for user group and allow anything but "Edit Collection"
    * enable "read" permission and place the code below
    * enable "delete" permission and place the code from the bottom

This file has been truncated. show original

artur · September 21, 2018, 7:43am

Just a hint:

Instead of

return cockpit()->stop('{"error": "You can\'t delete published entries."}', 401);

you can also do this:

return 401;

hellmaca · September 21, 2018, 1:15pm

These tips were awesome. Thank you so much for all the help!

reddo · February 14, 2020, 8:11am

Sorry to revive this old thread, but I would need the code to restrict update permissions. Is it the same as for delete?

OGFaisalN · November 19, 2023, 12:50am

@artur is there any equivalent of this for Cockpit v2?

OGFaisalN · November 22, 2023, 8:13pm

CC: @raffaelj, I saw that all your snippets are for v1 only and supposedly do not work with v2

ronaldaug · February 5, 2024, 4:53am

Just sharing what I used to do in Cockpit V2.

If the request is from admin, he/she can perform delete and update.
If the request is from user, allow to perform create but restrict delete and update (especially protect from overwriting other user’s content)

Note: this affects all models.


// Before remove 
$this->on('content.remove.before', function ($modelName, &$filter, $collection) {

    $user = $this->helper('auth')->getUser();
    if (!$user) {
        return $this->stop(404);
    }

    $account = $this->dataStorage->findOne('system/users', ['user' => $user['user']]);

    // Protect only when role is user
    if ($user['role'] === 'user') {

        if ($account['_id'] !== $item['_cby']) {
            return $this->stop('{"error": "You can\'t perform this action."}', 401);
        }
    }
});

// Before create or update
$this->on('content.item.save.before', function ($modelName, &$item, $isUpdate, $collection) {

    $user = $this->helper('auth')->getUser();
    if (!$user) {
        return $this->stop(404);
    }

    $account = $this->dataStorage->findOne('system/users', ['user' => $user['user']]);

    // Protect only when role is user and update
    if ($user['role'] === 'user' && $isUpdate === true) {

        if ($account['_id'] !== $item['_mby']) {
            return $this->stop('{"error": "You can\'t perform this action."}', 401);
        }
    }


    // Just make sure when creating a new item, it has _cby and _mby
    $item['_cby'] = $account['_id'];
    $item['_mby'] = $account['_id'];
});

Hope this helps someone.

Topic		Replies	Views
User Permission on foreign entries Support	2	578	April 30, 2021
ACL for specific entities Support	2	1732	October 12, 2018
Use the Read Permission / $_GET dont work Support	4	795	October 28, 2019
[SOLVED] Restrict out based on boolean Support	3	556	April 9, 2020
Prohibit user/role to access other people's records in a collection? Support	0	225	October 24, 2022

Restrict content to the content authors

Related Topics