Stack permissions not working
Permalink 1 user found helpful
I have Advanced Permissions enabled on my site and I'm running into issues with stack permissions.
I am trying to set up a group that will be able to add/edit content blocks to the main area of each page, but will be prevented from changing (adding, editing, deleting) any of the global areas of the site. For example, the "Header Site Title" block shouldn't be something that most users can modify or change.
With this "Editors" group, I granted permissions to Add Block so they can drag content blocks in, but as soon as I do that they have full access to all the global content areas.
I have tried going into the sitemap and enabling the System Pages option and then removing all groups except Administrators from the permissions on the "Stacks" page, but it had no effect. As soon as my "Editors" group has permissions to "Add Block" they have access to manipulate anything, even in global areas. Even if I set the permissions to a specific global area block to manual, and specifically exclude the "Editor" group, it has no effect.
I tried this on a fresh install and even on v9 and it still seems to be a problem.
Anyone else come across this issue? I don't think what I'm trying to do is that uncommon.
I am trying to set up a group that will be able to add/edit content blocks to the main area of each page, but will be prevented from changing (adding, editing, deleting) any of the global areas of the site. For example, the "Header Site Title" block shouldn't be something that most users can modify or change.
With this "Editors" group, I granted permissions to Add Block so they can drag content blocks in, but as soon as I do that they have full access to all the global content areas.
I have tried going into the sitemap and enabling the System Pages option and then removing all groups except Administrators from the permissions on the "Stacks" page, but it had no effect. As soon as my "Editors" group has permissions to "Add Block" they have access to manipulate anything, even in global areas. Even if I set the permissions to a specific global area block to manual, and specifically exclude the "Editor" group, it has no effect.
I tried this on a fresh install and even on v9 and it still seems to be a problem.
Anyone else come across this issue? I don't think what I'm trying to do is that uncommon.
I'm attempting to reproduce what you describe, using my development playground for Enlil Stack Link, which was just released from PRB to the marketplace (FREE)!!!
I've set up a user who has access to edit stacks.
I excluded this user from having any permissions for a particular global area, from the permissions within the global area page of the dashboard. I would *expect* this user to have no permissions, but when logged in as this user on a page in edit mode, if they hover the global area, YES, they can still "Add Block". Nothing else...
I've set up a user who has access to edit stacks.
I excluded this user from having any permissions for a particular global area, from the permissions within the global area page of the dashboard. I would *expect* this user to have no permissions, but when logged in as this user on a page in edit mode, if they hover the global area, YES, they can still "Add Block". Nothing else...
*Removed*
The comment directly above was my mistake. That was due to permissions I had set.
The problem seems to be at: /dashboard/blocks/permissions
@jessicadunbar - We can give users permission to add blocks. All or nothing. Just pick which blocks you want them to be able to add. Although, there's no stopping where they can add them. Unless I'm missing something, there's nowhere we can restrict permissions beyond that, as to who can add blocks to specific areas.
If you put a regular page in edit mode, you can click on an Area > Permissions. There are permissions for add block and add stack. Simply put, these don't seem to exist in the stack permissions...
Edit: @jessica, I've got this set up in a vanilla install of 8.5.4 I use for PRB testing. PM me if you'd like direct access to see this...
Edit Edit: Surely what the issue is. Just checked a 5.6.4.0 install I go lingering and those permission options are there for stacks. As of 8.5.4, that I can confirm, they are NOT there!
The problem seems to be at: /dashboard/blocks/permissions
@jessicadunbar - We can give users permission to add blocks. All or nothing. Just pick which blocks you want them to be able to add. Although, there's no stopping where they can add them. Unless I'm missing something, there's nowhere we can restrict permissions beyond that, as to who can add blocks to specific areas.
If you put a regular page in edit mode, you can click on an Area > Permissions. There are permissions for add block and add stack. Simply put, these don't seem to exist in the stack permissions...
Edit: @jessica, I've got this set up in a vanilla install of 8.5.4 I use for PRB testing. PM me if you'd like direct access to see this...
Edit Edit: Surely what the issue is. Just checked a 5.6.4.0 install I go lingering and those permission options are there for stacks. As of 8.5.4, that I can confirm, they are NOT there!
Hi Jessica and Enlil,
Thank you for your replies. When I go into the Stacks & Global Areas section on the dashboard and I view the permissions for a particular stack (such as Header Navigation), the "Editor" group I created is not listed under any of the permissions for that stack. I would assume this means that users within that group shouldn't have access to manipulate that stack in any way, however my testing user who is in the Editor group has full access to that stack. They can edit the content, insert new content, add blocks, etc. all within that global area (or any other global area for that matter). If I remove the "Editor" group from the "Add Block" permission, suddenly they can no longer manipulate any of the global areas.
It seems like the "Add Block" permission is somehow granting additional permissions beyond what it is supposed to be granting.
Steps to reproduce:
1. Install fresh copy of Concrete 8.5.5 with Elemental full
2. Log in as the admin
3. Create a new user group called "Editors"
4. Create a new user called "editor" and add them to the "Editors" group
5. Enable Advanced Permissions
6. Grant the "Editors" group "Edit Contents" permissions on the "Home" page
7. In a new incognito window, log in as the "editor" user and confirm you can edit the contents of the site, such as the "Easy to Edit" block on the home page as well as the global areas, such as the "Header Site Title"
8. As the admin, edit the permissions of the "Stacks" page (by checking the "Include System Pages in Sitemap option) and remove "Editors" from the "Edit Contents" permission
9. As the "editor" user, verify that the global areas, such as the "Header Site Title" are now uneditable
10. As the admin, add the "Editors" group to the "Add Block" permission under Stacks & Blocks -> Block & Stack Permissions
11. As the "editor" user, check to see if you have access to the global areas that were previously uneditable, such as the "Header Site Title"
Step 11 is what I am concerned about. Why does granting a group the ability to add blocks (a common requirement for certain groups) also give them full access to modify global areas? Am I granting this permission incorrectly?
Thank you for your replies. When I go into the Stacks & Global Areas section on the dashboard and I view the permissions for a particular stack (such as Header Navigation), the "Editor" group I created is not listed under any of the permissions for that stack. I would assume this means that users within that group shouldn't have access to manipulate that stack in any way, however my testing user who is in the Editor group has full access to that stack. They can edit the content, insert new content, add blocks, etc. all within that global area (or any other global area for that matter). If I remove the "Editor" group from the "Add Block" permission, suddenly they can no longer manipulate any of the global areas.
It seems like the "Add Block" permission is somehow granting additional permissions beyond what it is supposed to be granting.
Steps to reproduce:
1. Install fresh copy of Concrete 8.5.5 with Elemental full
2. Log in as the admin
3. Create a new user group called "Editors"
4. Create a new user called "editor" and add them to the "Editors" group
5. Enable Advanced Permissions
6. Grant the "Editors" group "Edit Contents" permissions on the "Home" page
7. In a new incognito window, log in as the "editor" user and confirm you can edit the contents of the site, such as the "Easy to Edit" block on the home page as well as the global areas, such as the "Header Site Title"
8. As the admin, edit the permissions of the "Stacks" page (by checking the "Include System Pages in Sitemap option) and remove "Editors" from the "Edit Contents" permission
9. As the "editor" user, verify that the global areas, such as the "Header Site Title" are now uneditable
10. As the admin, add the "Editors" group to the "Add Block" permission under Stacks & Blocks -> Block & Stack Permissions
11. As the "editor" user, check to see if you have access to the global areas that were previously uneditable, such as the "Header Site Title"
Step 11 is what I am concerned about. Why does granting a group the ability to add blocks (a common requirement for certain groups) also give them full access to modify global areas? Am I granting this permission incorrectly?
@derek, what I believe it boils down to is the lack of Add Block & Add Stack permissions for Global Areas. Like I outlined above, if you go in edit mode on a page and click on an area and click permissions, you will see two options for Ad Block & Add Stack to the area. If we navigate to a Global Area and click on permissions, the Add Block & Add Stack permissions don't exist!! So inherently, if you grant access to a stack, the user will ALWAYS be able to "Add Block" until this is fixed!!
EDIT: Make sure you are granting proper permissions at Dashboard > Stacks and Blocks > Block & Stack Permissions. This is where you will restrict the users further, but find that there's no way to restrict "add block"...
We're just about in the same boat here, with needed functionality!! :)
EDIT: Make sure you are granting proper permissions at Dashboard > Stacks and Blocks > Block & Stack Permissions. This is where you will restrict the users further, but find that there's no way to restrict "add block"...
We're just about in the same boat here, with needed functionality!! :)
I ran across a similar permissions issues in development of my latest Marketplace addon (Enlil Stack Link), with the "copy to clipboard" functionality.
See: https://github.com/concrete5/concrete5/issues/4649...
I was able to work around this in my package, but am stumped at the point you are at as well. The idea of my package is to provide links to stack editors from the front of the site, rather than them having to dig to the dashboard, or go into edit mode, to edit them. May be something you want to check out. (It's FREE!!) It's useful in itself as a huge visual clue when setting up editing permissions, as to when they are working correctly!
See: https://github.com/concrete5/concrete5/issues/4649...
I was able to work around this in my package, but am stumped at the point you are at as well. The idea of my package is to provide links to stack editors from the front of the site, rather than them having to dig to the dashboard, or go into edit mode, to edit them. May be something you want to check out. (It's FREE!!) It's useful in itself as a huge visual clue when setting up editing permissions, as to when they are working correctly!
With Advanced Permissions enabled, there should be permissions available for each block in the stack.
Try going to the Dashboard > Stacks & Blocks > Stacks & Global Areas > click Global Areas > select a specific global area. /dashboard/blocks/stacks/view_global_areas
You can disable editing, adding, delete, and other specifics details in the stack permissions.
Cheers!
Jess