Decouple user roles and sections

[jan-dh]

Building a large website with a lot of different user groups & I'm bumping into something that on a concept level doesn't feel right.
I normally use 1 very large structure for the main website and lots of different channels/structures for things like blogposts etc. However, in the scenario I'm facing now I have about 8 to 10 different teams that would each need access to certain pages or section of the website. The way Craft is currently set up this is very difficult to achieve. I ended up going the route with making a lot of different sections and a lot of copy/pasting of entry types. This feels bad for a number of reasons:

1. I don't like having to duplicate the same entry types across multiple structures. I know in Craft 5 you'll be able to move around entry types (if I understood correctly from the dotAll talk from last year at least) but it's a lot of manual work right now and updating a thing to an entry type requires me to update this on about 8 sections - a lot of room for mistakes.
2. I'm currently modelling my actual content to enable me to do what I want for my editor groups instead of how the website should be structured, which feels wrong.
3. There's no easy way to "restructure" the website along the way - move pages from one section to the other is impossible since they are all boxed-in within their own structure.

What would my ideal scenario be?

1. I would want all my editors to be able to create new pages within one big structure.
2. Editors would only be able to edit or manage pages made by people of the same group, you can be a part of multiple groups as a person
3. Admins have global edit rights.
4. Being able to implement some editor logic that's more complex than what's currently available in the editor groups; tweakable per site; some examples:

• Limit editor groups to be able to create/edit only certain page types
• Allow editor groups to only add or create "child" pages within a structure based on parent ID or page type.
• ...
  Basically, the option to implement custom logic such as the new conditional options.
  While I know this would introduce an extra layer of complexity in the setup, I'm convinced that the current user roles and the way you can set them up are a bit too limited.

Would be very happy to brainstorm some more or make this a very lively discussion.

[brandonkelly]

Agree there should be some built-in support for defining permissions within structures.

In the meantime, you can sortof hack something together using the authorization events. For example, if you had a user group with the following permissions on a Structure section:

You could then grant users permission to create/edit entries nested under a particular entry, like so:

(Note that this will require a change coming in Craft 4.5: 6efe3b8.)

use Craft;
use craft\base\Event;
use craft\elements\actions\NewChild;
use craft\elements\Entry;
use craft\events\AuthorizationCheckEvent;
use craft\events\RegisterElementActionsEvent;
use craft\events\RegisterElementHtmlAttributesEvent;
use craft\services\Elements;
use craft\web\Application as WebApplication;
use function modules\foo\;

// ...

if (!Craft::$app instanceof WebApplication) {
    return;
}

$section = Craft::$app->sections->getSectionByHandle('services');

if (!Craft::$app->user->can("createEntries:$section->uid")) {
    $site = Craft::$app->sites->getCurrentSite();
    $designEntry = Entry::find()->section($section)->id(129)->one();

    if (!$designEntry) {
        return;
    }

    $isAuthorized = fn(Entry $entry) => (
        $entry->getParentId() === $designEntry->id ||
        $entry->getParent()?->isDescendantOf($designEntry)
    );

    // Allow saving entries nested under "Design"
    Event::on(
        Elements::class,
        Elements::EVENT_AUTHORIZE_SAVE,
        function(AuthorizationCheckEvent $event) use ($section, $isAuthorized) {
            if ($event->element instanceof Entry && $event->element->sectionId === $section->id) {
                $event->authorized = $isAuthorized($event->element);
            }
        },
    );

    // Add the "Create a new child entry" action manually
    Event::on(
        Entry::class,
        Entry::EVENT_REGISTER_ACTIONS,
        function(RegisterElementActionsEvent $event) use ($section, $site) {
            if ($event->source === "section:$section->uid") {
                $event->actions[] = [
                    'type' => NewChild::class,
                    'newChildUrl' => "entries/$section->handle/new?site=$site->handle",
                ];
            }
        },
    );

    // Prevent "Create a new child entry" from activating entries above "Design"
    Event::on(
        Entry::class,
        Entry::EVENT_REGISTER_HTML_ATTRIBUTES,
        function(RegisterElementHtmlAttributesEvent $event) use ($isAuthorized) {
            if (!$isAuthorized($event->sender)) {
                $event->htmlAttributes['data']['disallow-new-children'] = true;
            }
        },
    );
}

[brandonkelly]

4.5.0 is out now.

[jan-dh]

Thanks for the input. Giving the scope of the project I'm kind of reluctant of going the hacky route. Was wondering if the permissions in sections is something that's on the radar and if so, if it's for Craft 5.0?

[brandonkelly]

It’s something we’re thinking about. Can’t promise anything yet, though.

[jan-dh]

If you need any input no this at all, I've experience a lot of different setups and would be happy to provide you with some examples.