Permissions: Restricting Access to Specific Objects

Problems and solutions
1

We are building an app (Preside v10.24.16+0012463 with preside-ext-alt-admin-theme) where different roles should have access to data manager only and, more specific, to some objects in data manager only.

What I did so far:
In Config.cfc I created a role and admin permissions for one object:

settings.adminPermissions.presideobject[ 'myObject' ] = [ "read", "add", "edit", "delete", "viewversions" ];
settings.adminRoles.supplier = [ "cms.access", "datamanager.*", "!presideobject.myObject.*" ];`

Then I created a new user group with permissions “contenteditor” (is needed for this to work) and “supplier”, created a new admin user and assigned him to the new group.

That worked so far, the new user could access the DM and all objects, only “myObject” was forbidden as expected (Preside error 401).

Problem 1)
Later I removed the limitations on the object (removed the setting for adminPermissions.presideobject[ 'myObject' ] entirely) and changed the supplier role to
settings.adminRoles.supplier = [ "cms.access", "datamanager.*" ];

However, members of that group still couldn’t access “myObject”.

For testing purposes I then created a new role and granted it access to the object:

settings.adminPermissions.presideobject[ 'myObject' ] = [ "read", "add", "edit", "delete", "viewversions" ];
settings.adminRoles.demo = [ "cms.access", "datamanager.*", "presideobject.myObject.*" ];`

But, members of the “demo” group still couldn’t access “myObject”. In fact, only members of the system administrator role can do that.

As far as I can tell, customizationService.objectHasCustomization( "myObject", "checkPermission" ) still returns “true” and the subsequent premission check fails

Problem 2)

Because of the role “contenteditor”, members of the new user group have access to launcher, site tree, and access manager as well. Even putting !sitetree.* in the role settings didn’t change that.

So how can I achieve
a) that some roles have access to data manager only (without launcher, site tree, and access manager) ?
b) that these roles have access to some objects only (preferrably without having to specify all permissions on all objects for all groups) ?

Thank you!

2

Two approaches.

  1. In “regular datamanager”, i.e. not using any datamanager customisation features, etc. you can do all this through the user interface by either denying or allowing user group(s) access to various specific features. These are the context permissions (the context is the object and its permissions setup here).

image
image1778×290 31.8 KB

image
image952×471 50.7 KB

  1. Setting up a specific role in the admin with customised permission keys
// config.cfc
settings.adminPermissions.myCustomObject = [ "navigate", "read", "add", "edit", "batchedit", "delete", "batchdelete" ];
settings.adminRoles.myCustomObjectManager = [ "myCustomObject.*" ];
settings.adminRoles.myCustomObjectUser = [ "myCustomObject.*", "!myCustomObject.delete", "!myCustomObject.batchedit", "!myCustomObject.batchdelete" ];

Then, if using the alt admin view screen:

// /handlers/admin/datamanger/mycustomobject.cfc
component extends="preside.system.base.EnhancedDataManagerBase" {
    variables.permissionBase = "mycustomobject"; // will suffice for all the standard permissions set in the config.cfc above
}

An alternative to the EnhancedDataManagerBase approach with variables.permissionBase is to implement the checkPermission customisation in your datamanager handler for total control over permissioning.

Further reading: Preside Documentation :: CMS permissioning

3

So apparently the way to achieve this has changed from permissions like !persideobject.mycustomobject to just !mycustomobject in combination with setting the permission base in the corresponding handler.
To be honest, I did not understand that the docs you mentioned (which I of course read before posting my question) would apply to single DM objects as well, and, of course they don’t mention setting the permissionBase

Another, and I hope final, question in this context: is it possible to hide either entire data manager groups or entries for objects within a group from a specific role? I remember with the old system you could specify !persideobject.myDmGroupName but that does not seem to apply any more.

Thank you!

4

The permissionBase is something specific to data manager handlers that extend preside.system.base.EnhancedDataManagerBase. We released this last minute on demand from some in the community. Was an internal extension with limited docs but known internally.

Could defo do with a new documentation section dedicated to it.

The roles system has not changed in any way. If your permission base is myobject, you can add this to your role: "!myobject.*".

5

I’m fine with blaming me for this :wink: