-
-
Notifications
You must be signed in to change notification settings - Fork 3.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Limiting Explorer to the current user's "explorable pages" #2401
Comments
Thanks, @coredumperror. I thought the 'someone' who suggested "Choose" was you! I still like it. @timheap, see the reference to #1645. |
I think "Choose" works for the choosers, but this permission affects the Explorer and the admin search as well, so it doesn't seem appropriate. |
I ran into a spot of trouble while upgrading my development system from Yosemite + MacPorts to El Capitan + Homebrew, and thus have not had a chance to actually start on this project until just now. I'll be working on this over the next week or so, and will then integrate this new permission into #1645 as well. I was thinking about naming this "Visible in Admin", which feels like a more descriptive name. But then it sounds unlike a permission granted to the user, and more like an attribute on the Page/Collection. So I'm not really sure it'd work. |
I just ran into a conundrum that I'm not certain how best to solve: Based on reading the code in |
Had another thought: If View is Admin isn't granted, should that imply that all the other permissions are revoked as well? If you're not allowed to even see the page in the admin, presumably you shouldn't be allowed to edit it, publish it, delete it, or add subpages to it. Right? |
By design, all permissions are additive as you go down the tree - so it's not possible to have a subpage with less permissions than the parent. Unless you have a specific scenario in mind that requires this, I'd suggest that this new permission type behaves the same way as the existing ones.
I'd actually see it the other way round: if you don't have add/edit/publish permission on a page (or any of its children), there's actually no reason for you to see it in the explorer, and the fact that you currently do see it is arguably a usability bug in Wagtail. With that in mind, I would re-propose what I proposed back in #359 (comment) - we use the existing permissions to determine what gets shown in the explorer (and left menu), so there's no need to create a new 'view in admin' permission for this case. To formalise what I mean a bit more: if you have a site structure like
and a user only has edit permission over the 'Economics' section, then that's the point at which their page tree will begin - they won't see 'Fooville University' or 'Departments' at all. On the other hand, if they have edit permission over 'Economics' and 'Philosophy' then their page tree would have to start from 'Departments', as that's the deepest level that encloses all their editable pages. They would therefore see 'Departments' as a read-only page, and Economics and Philosophy as editable pages under it. (They would not see History, since again there's no reason for them to be able explore that subsection.) Separately to the above change, we then introduce a 'choose' permission that takes effect specifically on the 'page chooser' popups. In this case it does make sense to have this as a distinct permission level, to distinguish between this kind of multi-user site (where users should be able to create links to History in the Economics section) and true multi-homed setups where users have no knowledge of other sites. This also addresses the main reservation I have with "View in admin" as a permission type, namely that it doesn't really represent an 'action'. Ideally, permissions should indicate what actions a user is allowed to perform, and the admin UI should configure itself in whatever way is most appropriate to achieve that - rather than the permissions being directly tied to the admin behaviour. It's a subtle distinction, but it means that the site owner only has to think in terms of access restrictions, and not 'how will the admin behave for this other user' - and also means that if we ever implement alternative ways of editing that don't go through the admin (like, say, a mobile Wagtail client app...) the permission rules will still be meaningful. |
I like this idea! It solves the awkwardness of the new permission's name and gets around the issue of differentiation between multi-tenant and multi-user sites that I was worried about in the back of my mind, but couldn't quite grasp well enough to articulate. However, this does it make it more complex to implement the Explorer and sidemenu. I'm not really sure how to do this:
Have you got any advice on how to implement such a filter? Does treebeard have an API for "given a set of nodes, find the closest common ancestor"? I'll get to work on what I can right away. This week is going to be nearly full-time wagtail work for me. |
I suspect there's no official API for it, but the internal |
Ah, I thought that big numeric string in the DB rows was probably related to the tree format. Now I know! Thanks for the hint on |
OK, I have a working solution in place for limiting the Explorer to only those pages for which a user has at least one administrative permission. This is a function I added to the Page model, and the
After getting the base query from I'm wary of this approach, though, because it issues 2 queries against the DB. I'd like to reduce that down to 1, but I only have an intermediate understanding of SQL, so I'm not even sure if it would be possible. My best guess is that using a subquery which consults |
Ah dang, I just realized that this isn't actually sufficient regardless of performance. If a user is limited to only pages that start below depth = 2, going to I'll work on tweaking this algorithm to include all pages up to the closest common ancestor, and then change |
I've pushed my changes for this feature up in PR #2463. I'm pretty sure I got all the necessary functionality working for Pages, though it's going to definitely need some iteration to refine it. I'm going to start implementing the missing cache clear functionality (#2 in my list of work to still be done) right now. |
Have you guys got any feedback on my implementation? Am I going about this in a reasonable way? Have I missed any essential features that should be getting limited by the "explorable pages" functionality? I haven't started on the chooser or collection limiting code, yet. Besides the testing (which I'm working on now), it feels like the Explorer itself is done. |
Sorry, we've been focussing on the modeladmin integration (which is now done). @m1kola do you have time to look at this? |
I will be able to start review tomorrow. Is it ok? |
Sounds good, thanks! I should be done writing the tests by then, as well. |
I've got an iMac (27-inch, Late 2013) as my dev box, but I'm getting much lower performance than I would expect when I run |
I don't think so. I tried to run tests on master and on your branch and I agree that it's annoying. Now I can only suggest you to run only those tests that you need at the moment. For example:
|
Yeah, that's what I've been doing. That doesn't speed up the database setup process, though. :( Oh well. |
Is the The easiest solution would be to change the tag so it accepts a required argument of the current user. That would be backward incompatible, though, and I'm not sure what the policy is for that. |
I just ran into a real pickle of an issue. When determining how to respond when a non-superuser requests a certain page, there seem to be two ways to go about it:
The first one allows a User who has permission to see Pages only on Site A to access them from Site B, which seems wrong. But the second prevents a User who has permission on Pages from Site A and Site B from seeing Pages that aren't on the current Site, forcing him to log in to another domain to explore the other Site's pages, even though they're on the same server. Neither of these seem desirable, and I don't know what to do about it. I suppose #2 is slightly more desirable for true multi-tenanting purposes, but an admin who doesn't want to keep his Sites' pages quite so separated might find that irritating. |
Hi @coredumperror, I'd very much like to stick to a model where the admin behaves the same regardless of the domain they happen to be logged in on. In other words, there's a single entry point through which the user can edit everything across the installation that they have permission for - there's no concept of "the admin backend for site A". In the past, we've had odd bits of logic in the admin that triggered based on the domain the user was logged in on, and that's always turned out to be a bad idea (see #1461 for example). Indeed, we'd like to allow for the possibility of logging in to the admin through a domain like As far as I can see, the only scenario where this wouldn't be desirable would be if you had users administering multiple sites, and didn't want those users to know that they were all running from the same Wagtail installation. That seems like a pretty esoteric requirement, and if you really needed that, you could always give users multiple login accounts, one per site. |
Yeah, that makes sense. I'll go change my algorithm back to the old method. |
With the major work on this PR winding down to completion, I'm now suffering a conundrum of ignorance. The second part of the work I've been doing to restrict unprivileged users is going to depend upon a not-yet-complete PR (#1645): I need to update the choosers to restrict users to their permitted Pages and Collections. What I don't know is how to start the PR, since it will be dependent upon my own #2463 and upon #1645. What does one do in such a situation? I have no idea which git commands to run to create the starting point for adding new commits, since they'll depend on changes from both PRs. |
So... have you guys got anything to say about this feature, now that it's finished? I'd really like to get started on updating the choosers to have the same permission limits, but I can't really do so unless I'm sure this implementation is what you're going to go with. |
Partially addresses wagtail#2401; adapted from wagtail#2463. Updates the explorer-nav logic to take the user's permissions into account. The menu now begins at the closest common ancestor node of all pages they have add/edit/publish/lock permission for - as a result, users with permission over a specific deep section of the tree don't have to redundantly drill down to it, and we're a step closer to true 'multi-homed' installations where the user is not made aware of tree structure that exists outside of their own remit.
Partially addresses #2401; adapted from #2463. Updates the explorer-nav logic to take the user's permissions into account. The menu now begins at the closest common ancestor node of all pages they have add/edit/publish/lock permission for - as a result, users with permission over a specific deep section of the tree don't have to redundantly drill down to it, and we're a step closer to true 'multi-homed' installations where the user is not made aware of tree structure that exists outside of their own remit.
Folks, I saw that this "error" was successfully implemented in explorer tab. Is there any open issue or plan to fix it in root pages view and in all documents, images? thanks. |
Closing this to reduce duplication of tickets - I'm now treating #2463 as the "master" issue for tracking multi-tenancy support (even if much of the work is happening on other PRs). |
Last week, @tomdyson gave me a suggestion for how Wagtail might be enhanced to support completely separated tenants in a multi-tenant Wagtail instance: implement a "View in Admin" Permission. Possibly with a better name... I believe someone suggested "Choose" in one of the issues relating to this concept, but that's not really broad enough.
Applied to Pages, this permission would prevent unprivileged users from:
/admin/pages/29/
into the address bar would issue a 403)Applied to Collections, this permission would prevent unprivileged users from:
Users already can't see or upload media in unprivileged Collections on the
/admin/images/
and/admin/documents/
pages, so I'll hopefully be able to use the code from those pages as inspiration for implementing the View permission.The purpose of this permission would be to completely isolate users belonging to one Site, so they can't tell that content belonging to any other Site exists (and also can't get to said content even if they guess the URL, since that would be a privacy violation). This is counter to the way that Collections and Pages currently work, though, so I suppose this functionality would have to be made optional, somehow? I'm not really sure how that would be done, though, so suggestions are welcome!
I intend to implement this myself over the coming days, and will be providing a PR for my changes as soon as they're in a presentable state. I opened this issue now, though, to get input from you guys on how best to go about this, and whether any of my current assumptions may be in need of an update to properly understand all the subtleties involved.
Since this will involve changing the choosers, it relates to #1645, which I also plan to enhance by making the new unified Choosers be Permission-aware.
The text was updated successfully, but these errors were encountered: