Textpattern CMS support forum

#1 2021-04-08 15:02:56

SteveG
Member
Registered: 2020-08-04
Posts: 24

[Solved] Writer authorization based on section?

Dear team,
Sorry, I’m here to seek help again. There’ll be two writers joining my website. Ideally, I would like to create a section for each of them. Is there any plugin to allow me to authorize them based on the section so they don’t step on each other’s work?
Also is there a way to filter and only show articles in one section in the administration?

Last edited by SteveG (2021-04-10 00:45:19)

Offline

#2 2021-04-08 16:31:41

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 10,286
Website GitHub

Re: [Solved] Writer authorization based on section?

Yes, totally possible with a small plugin. It’s not infallible but the concept can be easily realised with a combination of the plugin ideas presented here or its slightly more advanced brother.

You could get the plugin to filter the articles based on user name or role so only one particular section is visible to each. And in the Write panel you could alter the Section list so they don’t see one another’s sections. But you (Publisher) can see everything.

It wouldn’t necessarily be a slick plugin with options and prefs, but a quick, few-line script where you could edit something in the code to specify who saw what, then the plugin does the rest.

If you’re not in the market for creating your own plugin, I’m sure someone here can help you put something together quickly. Maybe even me if you give me a tiny bit more detail about what exactly you want their workflows to resemble.

Last edited by Bloke (2021-04-08 16:36:00)


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Offline

#3 2021-04-08 17:38:58

SteveG
Member
Registered: 2020-08-04
Posts: 24

Re: [Solved] Writer authorization based on section?

Bloke wrote #329723:


If you’re not in the market for creating your own plugin, I’m sure someone here can help you put something together quickly. Maybe even me if you give me a tiny bit more detail about what exactly you want their workflows to resemble.

It’ll be my pleasure if you could help out. Long story short, the website is for an online in-game organization to post daily news, and some members are willing to share their creative content. And since the community is growing, on one hand, it’s nice to see more and more people are willing to add content to the website, on the other hand, I would like to raise the security level before a random person may join and ruin all others’ work.

Here are my ideal workflows:
- Publisher: Can manage all sections including some website information sections like “About Us” or “Contact”. And since we already have over a hundred articles, it’ll be nice to add an option in the Write panel to select and filter out the articles in one particular section.

- Writer type A (news reporters): will be authorized to post in the “News” section and the author only sees the article he posted in the Write panel.

- Writer type B (content creators): will be authorized to post in the “Community Hub” section and the author only sees the article he posted in the Write panel.

- Writer type C (A+B): will be authorized to post in both the “News” and “Community Hub” sections but not in sections like “About Us”, and the author only sees the article he posted in the Write panel.

Offline

#4 2021-04-08 21:39:00

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 10,286
Website GitHub

Re: [Solved] Writer authorization based on section?

SteveG wrote #329725:

it’s nice to see more and more people are willing to add content to the website, on the other hand, I would like to raise the security level before a random person may join and ruin all others’ work.

Right. In which case the plugin snippets I linked to earlier won’t be enough. They’re just ‘soft’ limits to remove a few bits of UI furniture but they still won’t stop someone determined from changing the values of (say) the hidden ‘section’ field in the web browser’s inspector to point to a different section. Then when they hit Publish the content will be posted to that section.

Txp has the concept of panel-level security (per role) and action-level security (per role) so you can stop people from publishing new content or editing old content, or visiting specific panels, or deleting their own posts and not others, etc. But there’s nothing granular enough at the moment to prevent a user from posting in specific sections. If you can see the Write panel and can Publish, you are still permitted to write to any section, regardless of which ones we hide/show in the UI.

A few off-the-shelf approaches you could take to limit this, to varying degrees:

  1. Use a plugin such as rah_privileges to clamp down the permissions for some of the roles – say Freelancer (Type A) and Staff Writer (type B), with maybe Content Editor being type C. Content editors are a bit more trusted by default, but you could use the plugin’s prefs to level the playing field a bit and shut off access to certain things so, essentially, the rights are roughly the same for all those three user roles. That doesn’t help with preventing posting to sections, but it does set up the user accounts nicely, so another little plugin can take over to handle restricting the UI furniture and preventing saving. Using rah_privileges in this manner means the other plugin has to do less work.
  2. Alternatively, use rah_privileges to force a more publisher-oriented workflow. So maybe Type A and B roles can only Save articles as Draft but not directly publish. It’s up to Type C (essentially a moderator) to go in, read them and push the Publish button once they’re happy. That puts more onus on Type C as content gatekeepers (as well as publishing their own stuff), and it’s compounded by there being no (native) way of notifying them that an article is ready for approval. But if we allow those people to see/filter articles by types A and B on the Articles panel (easy peasy in a tiny plugin: I’ve got one that does that already) then they can see what needs approving and read them – even approve them all en-masse using the Multi-Edit tool if they wish.
  3. Break out the big guns and use a plugin like smd_user_manager. That’s probably overkill here (and it doesn’t work on recent Txp’s so if you want to use it, shout and I’ll fix it up for you). It operates similar to rah_privileges in that you can assign any permissions to roles, but it offers two additional features: 1) The ability to create new roles so you could make a new role called News Reporter and assign them sole access to the Write and Articles panels, plus maybe Prefs, Languages, and Accounts panel so they can change their password. 2) The ability to create new permissions. That way (whether or not you create new users) you can augment the role permissions by defining new ones.

With the latter approach, what you could do is create a new permission called, say, `article.publish.sections` and assign it to the Staff Writer, Copy Editor, and Freelancer roles. Nothing would happen, but then we can use that permission in a tiny plugin very similar to the ones I posted earlier to restrict users with that permission to a set of sections. In the case of Type A and B, this ‘set’ would be just one section. For Type C, it would be two sections, plus maybe the ones for A and B. You might also allow Content Editors to ‘edit other’ articles so they can tweak the posts of Type A+B if necessary, but you might prevent Type A+B from editing their own posts once they’re live.

Any of the approaches would work, it depends how clever you need to be and how much you trust your users not to mess with the system. If the answer is “not much” then use rah_privileges or smd_user_manager to clamp down permissions.

There is a 4th option, which is to not bother with either of the above plugins. Instead, we create a new plugin that removes the UI furniture but is also a little more invasive. It could hook into the Article Save process and if it sees a post by anyone in a section that they haven’t been permitted to post in, it stops them publishing. That will prevent editors from hacking around with the Section dropdown in the web inspector to bypass the restrictions.

At a technical level, there’s a lovely little (underused, imo) callback on the Write panel called `article_ui>validate_$step` which is called every time someone saves/publishes an article. The little plugin could hook into that, check who is publishing, set the section constraints to the relevant section(s) they’re allowed to post in, and then bail out to leave Textpattern to try and save. If the section doesn’t match, the save fails.

It’s relatively simple. And if we’re clever about it, we can also use the same configuration to limit the actual UI furniture. In fact the more I think about it, the more I’m liking the idea.

So, if you don’t fancy option (2) above, would you like me to see if I can whip up a plugin that works like option (4)?


Offline

#5 2021-04-08 23:11:01

SteveG
Member
Registered: 2020-08-04
Posts: 24

Re: [Solved] Writer authorization based on section?

Bloke wrote #329727:

So, if you don’t fancy option (2) above, would you like me to see if I can whip up a plugin that works like option (4)?

Yes, I would like to see option (4)! Option (2) doesn’t fit my case since everyone is a volunteer, I don’t want to make people feel they’re supervised on every piece of the content. If we find out some content is inappropriate, we can always deactivate that account. The goal is to let people post in the correct section and not change/delete others’ articles.
Only allowing people to see what they posted in the Write panel would be a nice feature but not necessary as long as they can’t save the changes on others’ articles.

Last edited by SteveG (2021-04-08 23:11:49)

Offline

#6 2021-04-09 01:32:38

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 10,286
Website GitHub

Re: [Solved] Writer authorization based on section?

No probs. Give this a whirl and see how you get on:

# smd_section_roles v0.1.0
# Limit publishing Textpattern articles to specific sections by role
# Stef Dawson
# https://stefdawson.com/

# ......................................................................
# This is a plugin for Textpattern - http://textpattern.com/
# To install: textpattern > admin > plugins
# Paste the following text into the 'Install plugin' box:
# ......................................................................

Caveats/known issues are listed. I’d turn off the pref for allowing override forms for now until I can figure out why it breaks them. Something to do with trashing the JS data I expect.

There’s also a small issue whereby you can hack the multi-edit list to alter the section name and bypass the restriction. This is because (currently) in Textpattern there’s no dedicated pre-multi-edit callback or validator. That might change in the next day or so :)

Alternatively, I might be able to hook into the full save process and validate that way but it’s an ugly hack. For what you need it for, this should deliver what you want and keep most people away from doing harm.

I would recommend installing rah_privileges and monkeying with the privileges for the lower-tier users so they’re broadly similar. Otherwise you’ll notice odd things like Freelancers can’t Publish or Preview new posts they’re working on.

As long as you clamp down both Freelancer and Staff Writer to roughly the same restrictions, you should be good to go. You can then look into reducing maybe Copy Editor’s privs so they can’t do quite as much. And maybe use the plugin’s prefs to limit the sections they can publish to those ones you listed, plus the ones for user Types A and B, so they can make changes if they need to (as long as you retain their article.edit and article.edit.published privileges).

The project lives on GitHub so if you find any issues, feel free to report them there or just carry on the discussion here until I create an official plugin thread for it.

Enjoy.

Last edited by Bloke (2021-04-09 09:06:37)


Offline

#7 2021-04-09 01:41:35

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 10,286
Website GitHub

Re: [Solved] Writer authorization based on section?

P.S. if smd_user_manager is ever resurrected to work on current Txp versions, this plugin should play nicely with it and allow you to restrict privileges to any new roles that are created.


Offline

#8 2021-04-09 04:29:21

SteveG
Member
Registered: 2020-08-04
Posts: 24

Re: [Solved] Writer authorization based on section?

Bloke wrote #329730:

The project lives on GitHub so if you find any issues, feel free to report them there or just carry on the discussion here until I create an official plugin thread for it.

Enjoy.

WOW! That’s amazing you could make this in such a short time.
As far as I tested, your plugin works as intended. The original Staff Writer’s privs are pretty much what I need, and your plugin just makes it more complete. I’m really looking forward to your official release of the plugin.
Now I just need to find a way to duplicate the Staff Writer role, rename it and assign it to another section.

Offline

#9 2021-04-09 06:11:33

SteveG
Member
Registered: 2020-08-04
Posts: 24

Re: [Solved] Writer authorization based on section?

Bloke wrote #329730:

The project lives on GitHub so if you find any issues, feel free to report them there or just carry on the discussion here until I create an official plugin thread for it.

Two things I have found may be risky:
- You could go to other articles by clicking on the link in the “Recent articles” sections in the editor no matter if you have the authorization to that section.
- The link for an article’s edit mode looks like this: http://example.com/textpattern/index.php?event=article&step=edit&ID=75 You could view any article by changing the ID number at the end of the link.
Even though you can’t change and save anything if you are not authorized to that section, this will expose the PHP code that may contain sensitive information in some articles.

Last edited by SteveG (2021-04-09 06:12:50)

Offline

#10 2021-04-09 07:06:00

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 10,286
Website GitHub

Re: [Solved] Writer authorization based on section?

Cool. Thanks for testing. Glad it works reasonably well.

I should be able to limit the loading of articles to only those in your assigned sections. That would also take care of the recent articles clicks. The only question mark is whether you want articles filtered out of the recent articles list so there are no links at all to articles not in the user’s allowed sections, or if it’s good enough to show them of their existence and simply have the articles fail to load if clicked.

The latter is easy. Former might be a bit harder. Will see.


Offline

#11 2021-04-09 09:09:39

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 10,286
Website GitHub

Re: [Solved] Writer authorization based on section?

I’ve updated the plugin in this post so please grab that and try it.

New feature:

  • Users can’t hack around with the ID value any more to see articles in other sections. They’ll get the ‘restricted area’ message. Same goes if they try to click a Recent article.

Haven’t looked into limiting the list of recent articles yet. It’s definitely possible to recreate the list based on only the section(s) in force. Depends if you need to go that far. Let me know what you think.


Offline
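
An added example, not part of the thread and not the code of smd_section_roles or any Textpattern API: the two server-side checks discussed in posts #4 and #11 (rejecting a save whose submitted section is outside the user's allowed set, and refusing to load an article by ID from a section the user has no rights in), modelled in plain PHP. The role names come from the thread; the section slugs, article rows and function names are constructed for illustration.

```php
<?php
// Illustrative model only: function names, section slugs and article rows
// are constructed; none of this is Textpattern's or the plugin's API.

// Role => sections that role may write to. '*' means every section.
const SECTION_ALLOW = [
    'Publisher'      => ['*'],
    'Freelancer'     => ['news'],                   // Type A
    'Staff Writer'   => ['community-hub'],          // Type B
    'Content Editor' => ['news', 'community-hub'],  // Type C
];

function role_may_use_section(string $role, string $section): bool
{
    $allowed = SECTION_ALLOW[$role] ?? [];  // unknown role: deny by default
    return in_array('*', $allowed, true) || in_array($section, $allowed, true);
}

// Save-time check. $posted is the submitted form, so 'Section' is under the
// client's control even when the UI hides the dropdown. On edits the stored
// section is checked too, so an article cannot be moved out of a foreign section.
function validate_save(string $role, array $posted, ?array $stored): bool
{
    if ($stored !== null && !role_may_use_section($role, $stored['Section'])) {
        return false;
    }
    return role_may_use_section($role, (string) ($posted['Section'] ?? ''));
}

// Load-time check for ?step=edit&ID=n: decide from the stored row, never
// from anything in the request other than the ID itself.
function may_load_article(string $role, array $articles, int $id): bool
{
    return isset($articles[$id])
        && role_may_use_section($role, $articles[$id]['Section']);
}

// Constructed sample data.
$articles = [
    75 => ['Section' => 'about-us', 'AuthorID' => 'admin'],
    76 => ['Section' => 'news',     'AuthorID' => 'reporter1'],
];
// A Freelancer submits Section=about-us via an edited hidden field, then a valid edit.
var_dump(validate_save('Freelancer', ['Section' => 'about-us'], null));
var_dump(validate_save('Freelancer', ['Section' => 'news'], $articles[76]));
// The same user changes ID=76 to ID=75 in the edit URL; a Publisher loads it.
var_dump(may_load_article('Freelancer', $articles, 75));
var_dump(may_load_article('Publisher', $articles, 75));
```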

#12 2021-04-09 11:06:27

SteveG
Member
Registered: 2020-08-04
Posts: 24

Re: [Solved] Writer authorization based on section?

Bloke wrote #329737:

Haven’t looked into limiting the list of recent articles yet. It’s definitely possible to recreate the list based on only the section(s) in force. Depends if you need to go that far. Let me know what you think.

It’s working like a charm. Being able to block unauthorized content is good enough for me.

Offline
