Multi-site Permissions
There's quite a bit of wiring up to track the permission through all the various policies.
- [x] Settings GUI
- [x] Collections
- [ ] Entries
- [ ] Taxonomies
- [ ] Navigations
- [ ] Assets
- [x] Globals
- [ ] Users
- [ ] User Groups
- [ ] User Roles
- [ ] Utilities
- [ ] Blueprints
- [ ] Fieldsets
- [x] Site Switcher
- [ ] CP Nav
Closes https://github.com/statamic/cms/issues/5661. Closes https://github.com/statamic/cms/issues/2667.
Question @jackmcdade, if a user has configure collections AND access site_2 (only) permissions, they should be able to create collections but ONLY in site_2 right?
> if a user has configure collections AND access site_2 (only) permissions, they should be able to create collections but ONLY in site_2 right?
Yes that's how I would expect it to work 👍
> if a user has configure collections AND access site_2 (only) permissions, they should be able to create collections but ONLY in site_2 right?

I would think the opposite. Those kinds of configuration permissions can't really be per-site. When you have a collection, you can configure which sites it's available in.
If you have permission to configure a site... but you only have permission for a specific site... what happens to the "sites" field when editing that collection? Do you only get access to the sites you're allowed? When you hit save, does it wipe out the sites you don't have access to?
That's why I think the site permissions should only really apply to content editing. The configuration ones are probably app-wide.
Like the site permissions only apply to stuff you'd give clients. You'll let clients create entries, but you wouldn't want them creating collections.
Ah yeah @jasonvarga I agree with that. Makes everything so much simpler.
Hey @jasonvarga here's my use case:
- 3 sites, 2 that are languages, and one that is very different, with a different set of admin users.
- we'd like site 3 users to be able to configure their collections but NOT see the other collections anywhere.
So like when they go to configure their collection they should NOT be able to put it in a different site. Nor should the other sites show up in either of the 2 (Jack was going to explore why we need both) site drop downs.
They should also not be able to localize an entry into another site, nor a global. Nor configure the global to be available in another site.
This is why I've made so many changes, to handle all these scenarios.
Happy to discuss further.
It might be out of scope but it would be great if the multi-site permissions worked with Statamic Revisions too, so maybe the users could create revisions without being able to publish them (for a language they have access to), and wait for an admin to review and publish the revision or working copy when ready.
- That way we can prevent translators from editing content they shouldn't (without the published version on the live website changing).
- And we can review all their formatting, etc to make sure it meets our guidelines before actually publishing their revision.
I crossed out a few items in the to-do list that are not per site / localizable AFAIK.
I also decided to implement the "simple" approach for now.
So as @jasonvarga suggested configure xyz permissions are cross-site. For example configure collections will mean "Grants access to all collection related permissions on all sites".
This is to avoid complexity and any consequences that we haven't thought through yet and may not be solvable.
When needed though, more granular permissions could be added to support specific use cases.
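
The rule described in the comment above (configure permissions are cross-site, site access gates content editing), written out as an added example. It is not code from this pull request or from Statamic; the function name `isAllowed`, the permission string `edit blog entries`, and the sample users are assumptions made for illustration. It needs PHP 8 for `str_starts_with`.

```php
<?php
// Added illustration, not Statamic's implementation. The function name and
// the sample permission sets below are hypothetical.

/**
 * Decide whether a set of granted permissions allows an ability.
 *
 * @param string[]    $granted permissions collected from the user's roles
 * @param string      $ability e.g. "configure collections", "edit blog entries"
 * @param string|null $site    handle of the site the action targets, if any
 */
function isAllowed(array $granted, string $ability, ?string $site = null): bool
{
    // The ability itself must always be granted.
    if (!in_array($ability, $granted, true)) {
        return false;
    }

    // "configure ..." permissions apply on all sites, so the target site
    // is deliberately ignored for them.
    if (str_starts_with($ability, 'configure ')) {
        return true;
    }

    // Content abilities also need access to the targeted site. A content
    // action that arrives without a site is denied (fail closed).
    if ($site === null) {
        return false;
    }

    return in_array("access {$site}", $granted, true);
}

// Constructed sample users.
$translator = ['access site_2', 'edit blog entries'];
$siteAdmin  = ['access site_2', 'configure collections'];

$cases = [
    ['translator edits an entry in site_2',       $translator, 'edit blog entries',     'site_2'],
    ['translator edits an entry in site_1',       $translator, 'edit blog entries',     'site_1'],
    ['translator configures collections',         $translator, 'configure collections', 'site_2'],
    ['site admin configures a site_1 collection', $siteAdmin,  'configure collections', 'site_1'],
    ['content action with no site given',         $translator, 'edit blog entries',     null],
];

foreach ($cases as [$label, $granted, $ability, $site]) {
    printf("%-44s %s\n", $label, isAllowed($granted, $ability, $site) ? 'allow' : 'deny');
}
```

The fourth case is the consequence of the cross-site rule: a user limited to site_2 who holds `configure collections` can still configure a collection that lives in site_1.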
How do we feel about User A having the Permission to create User B with access to a Site through a Role that User A doesn't have? 🤔
If User A has permission to edit permissions, they can just give themselves access to that site anyway.
Pretty sure we've said if you have permission to edit permissions, all bets are off.
Alright fair enough.
OMG OMG OMG OMG OMG OMG. It's finally happening. Thanks @jasonvarga
