Setting dashboard access permissions - not inheriting?

Concrete 5.8.1 ...

I have a usergroup 'System Admins' into which I'm putting people who have restricted control over C5, e.g. manage users but not access Extend or System areas.

So I've granted access to administrators and system admins to the Dashboard page and left subpages to inherit.

To restrict access to pages I've added System Admins to the Exclude for those pages which hides them from the Dash side menu.

However when logged in as a System Admin I can access the Members page, for example, but then when clicking on a user I get access denied.

The Members subpages are set to inherit so they should be accessible to Administrators and System Admins but aren't.

Access is also denied even when I explicitly set manual permissions on e.g. File Manager under Files - access is denied.

Did I do something wrong or is this a bug?

Also I aliased some pages under Dashboard expecting them to appear in the menu but they didn't, is this not something you can do? Sitemap happily shows it in place.

Actually the 'Dashboard' page shows the aliased links, the sidebar doesn't which is annoying.

EDIT: Just tried this on a C5 site with Adv Permissions turned off. It doesn't work AT ALL. You can access the dash and the sidebar but nothing 'has access' when you click on it.

I'm about to look like a proper muppet for recommending C5 for this project at any second if this truly doesn't work properly. This is the last piece of work for about 30k worth of build.

Update: Modding User Permissions settings allows user search to load but when clicking a user it throws an Access Denied exception in the debug output template, the same as with advanced permissions

surefyre
 
hutman replied (Best Answer):
I think you can fix some of your Permission Denied items by going to System & Settings -> File Manager Permissions and User Permissions, you will have to grant permissions in those areas for the Users/File Manager.

I don't know anything about the Aliases, sorry.

frz replied:
You have to BOTH set the task permissions (on their own page) as well as setting PAGE permissions on the hidden dashboard pages.

Are you sure you've done both?

surefyre replied:
Bit of a concern there's no more feedback on this.

Findings so far:
1. Create a new empty C5.8.1 site, create a group 'sysadmins', create a user 'sysadmin', put them in the group.
2. In Permissions & Access area add sysadmins to User Permissions for Edit, Activate/Deactivate, Search
3. Log in as sysadmin - no link to dashboard to access these user management features.
4. Open sitemap as admin
5. Show system pages and add sysadmins group to users who can view dashboard
6. Log in as sysadmin, can now see dashboard link
7. Click members, click sysadmin user. Get access denied.

Something is obviously wrong here unless there's a really non-obvious step involved

frz replied:
1) No, I would not count on aliases to do anything beyond cross link on occasion. Aliases were only ever thought of as a way to cross link auto-navs, and the assumptions people have made around what they feel like they "might" do are a constant source of excitement and adventure for us. If you just make a regular page in the dashboard sitemap, it should show up on both navs. Regardless - this should be its own thread/problem.

2) Configuration on this stuff is super easy to get wrong or miss a step on. In fact I just made a video to show you how to do this, and I totally got to where you are with things seemingly configured correctly but a "you can't access sitemap" message when logged in as a user in that group. After embarrassingly scratching my head for a moment (~9:50 - includes a pretty good "hmmmm" and a timeless "that's an exciting development..." quote) you'll see me go back in and realize that I failed to actually save the permissions I had configured.

http://youtu.be/b3FZz1vEQug

I'm also a little wary of your use of "exclude" to manage the other permissions. I'm perhaps not fully following that, but I might double check I'm not building a catch-22 there.

surefyre replied:
Will check your vid in a while Franz, thanks for that.

I think it'd be a really useful thing to be able to manage the dash pages with perms like other pages as then different users can be allowed different degrees of control e.g. in my case I want a 'sysadmin' user of a platform I've built on C5.8.1 to be able to manage users, add new 'Email' express objects and use the file manager but nothing else. Can't remember if there's a feature request thread but if there is I'll add that to it as it seems a nice comprehensive way to control how different people can admin the C5 installation without the need to spend time recreating existing dash pages just to put a permission on them.

I think I'll either have to completely copy the dash pages I want so I can put perms on them in the way I need or just give the user God access and tell them 'not to touch that bit ever ever ever'.

My use of 'exclude' is redundant, if the permission isn't there they'll not see a page anyway, was just paranoia permission setting.

surefyre replied:
UPDATE - OK I found a way to restrict user dash access to what I want the 'sysadmin' user to see. I couldn't recommend this as a proper security implementation to anyone but short of the last resort of complete access with a 'do not touch this part' list then this seems to work and is practical only for one user from a maintenance perspective:

Put your user to be restricted into Administrators (yes, really). Go through the dash pages in sitemap and add an EXCLUDE permission type to the username for areas you DON'T want them to access.

Nasty, evil and possibly verging on unprofessional as a grownup security model but it does appear to work.