Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • Simon Dingley 1474 posts 3431 karma points c-trib
    Jan 20, 2023 @ 07:30
    Simon Dingley
    0

    Remove publish permissions for user group on parent node but allow on all descendants

    In all my years working with Umbraco I've had very little need to configure granular permissions on individual nodes but have a project that has been around for many years which is a multi-site installation with a diverse and growing team of editors.

    Take the following example:

    Content
      |- Container
        |- Home
          |- Node 1
          |- Node 2
          |- Node 3
    

    As a simplified example, there is a User Group called Publishers and those users can publish any node except for Container. The problem lies in the fact that removing the Publish permissions on Container then removes publish permissions on all descendants of that node too. So, I thought, Adding explicit Publish permissions on the Home node would break the inheritance and override the removal of publish rights on the Container but it does not!

    Any ideas on how this can be achieved in the UI? I know I can handle the publish event and cancel it if the user is not in the required user group but this takes control out of the hands of the admins and it should really be achievable in the UI.

    Am I missing something? Any other ideas on how to achieve this?

  • Luuk Peters 85 posts 330 karma points
    Jan 26, 2023 @ 15:32
    Luuk Peters
    2

    The permissions on Umbraco are really basic and in my opinion one of the few major flaws and downsides in Umbraco. If Umbraco wants to be serious and grow into the enterprise CMS they want to be, they should really improve in this.

    Because I'm thinking about creating a package for better permissions I recently checked how the current functionality works. As far as I can tell, it's this:

    • The start node obviously tells the user group what part of the tree is visible.

    • You set access rights on a user role. Those are the general rights, like: can you delete, can you publish. These access rights are saved at the role leven.

    • You can set individual access rights on a certain node. These access rights apply only to this node and completely override the 'general' access rights on the user role.

    So there is no inheritance, you only have the option to override the general rules on a node level. There is also no way to revoke or apply 'deny' rights once it's been given by using inheritance. It's also not possible to say something like: don't allow this node to be deleted, but it's ok for it's children.

    So to come back to your example: setting explicit rights on the home node will ONLY apply to the home node. All nodes that have nothing explicitly set will have the general access rights.

    It's odd though that removing the publishing rights from a specific node would cause the child node also not to be publishable, because that doesn't agree with what I just said ;) Not sure how to fix that to be honest.

  • Simon Dingley 1474 posts 3431 karma points c-trib
    Mar 07, 2023 @ 10:46
    Simon Dingley
    0

    It does indeed seem quite messy, counter-intuitive and inconsistent. Thanks for the detailed response and your observations.

Please Sign in or register to post replies

Write your reply to:

Draft