From 4ceabbae2e33d92eaf1fc22783db3f0b43405245 Mon Sep 17 00:00:00 2001 From: trendschau Date: Wed, 27 Mar 2024 21:20:22 +0100 Subject: [PATCH] v.2.4.0 added role manager and fixed permissions --- .../Controllers/ControllerApiAuthorMeta.php | 2 +- .../Controllers/ControllerApiSystemUsers.php | 2 +- .../Controllers/ControllerWebAuth.php | 4 +- .../typemill/Middleware/WebAuthorization.php | 2 + system/typemill/Models/User.php | 2 +- system/typemill/routes/api.php | 66 +++++++++---------- system/typemill/routes/web.php | 20 +++--- system/typemill/settings/mainnavi.yaml | 10 +-- system/typemill/settings/permissions.yaml | 16 +++-- system/typemill/settings/systemnavi.yaml | 14 ++-- 10 files changed, 74 insertions(+), 64 deletions(-) diff --git a/system/typemill/Controllers/ControllerApiAuthorMeta.php b/system/typemill/Controllers/ControllerApiAuthorMeta.php index 4a7d6d8..b128754 100644 --- a/system/typemill/Controllers/ControllerApiAuthorMeta.php +++ b/system/typemill/Controllers/ControllerApiAuthorMeta.php @@ -45,7 +45,7 @@ class ControllerApiAuthorMeta extends Controller } # if user is not allowed to perform this action (e.g. not admin) - if(!$this->userroleIsAllowed($request->getAttribute('c_userrole'), 'content', 'view')) + if(!$this->userroleIsAllowed($request->getAttribute('c_userrole'), 'content', 'read')) { # then check if user is the owner of this content if(!$this->userIsAllowed($request->getAttribute('c_username'), $metadata)) diff --git a/system/typemill/Controllers/ControllerApiSystemUsers.php b/system/typemill/Controllers/ControllerApiSystemUsers.php index 9bc189a..e9d74b0 100644 --- a/system/typemill/Controllers/ControllerApiSystemUsers.php +++ b/system/typemill/Controllers/ControllerApiSystemUsers.php 
@@ -110,7 +110,7 @@ class ControllerApiSystemUsers extends Controller $params = $request->getParsedBody(); $userdata = $params['userdata'] ?? false; $username = $params['userdata']['username'] ?? false; - $isAdmin = $this->c->get('acl')->isAllowed($request->getAttribute('c_userrole'), 'user', 'write'); + $isAdmin = $this->c->get('acl')->isAllowed($request->getAttribute('c_userrole'), 'user', 'update'); if(!$userdata OR !$username) { diff --git a/system/typemill/Controllers/ControllerWebAuth.php b/system/typemill/Controllers/ControllerWebAuth.php index 2815b46..e26f6b3 100644 --- a/system/typemill/Controllers/ControllerWebAuth.php +++ b/system/typemill/Controllers/ControllerWebAuth.php @@ -160,7 +160,7 @@ class ControllerWebAuth extends Controller # if user is allowed to view content-area $acl = $this->c->get('acl'); - if($acl->hasRole($userdata['userrole']) && $acl->isAllowed($userdata['userrole'], 'content', 'view')) + if($acl->hasRole($userdata['userrole']) && $acl->isAllowed($userdata['userrole'], 'content', 'read')) { $editor = (isset($this->settings['editor']) && $this->settings['editor'] == 'visual') ? 'visual' : 'raw'; @@ -261,7 +261,7 @@ class ControllerWebAuth extends Controller # if user is allowed to view content-area $acl = $this->c->get('acl'); - if($acl->hasRole($userdata['userrole']) && $acl->isAllowed($userdata['userrole'], 'content', 'view')) + if($acl->hasRole($userdata['userrole']) && $acl->isAllowed($userdata['userrole'], 'content', 'read')) { $editor = (isset($this->settings['editor']) && $this->settings['editor'] == 'visual') ? 'visual' : 'raw'; diff --git a/system/typemill/Middleware/WebAuthorization.php b/system/typemill/Middleware/WebAuthorization.php index a065c1f..c7ccf15 100644 --- a/system/typemill/Middleware/WebAuthorization.php +++ b/system/typemill/Middleware/WebAuthorization.php 
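Review bot: `$isAdmin` in ControllerApiSystemUsers is derived from the `'user', 'update'` privilege rather than from the role itself, so any role that is ever granted `user` permissions is treated as an administrator here. The same proxy is used in Models/User.php (the `# Only admin ...` branch that allows changing userroles) and in the routes of this commit, where `/license`, `/licensetestcall` and `/testmail` are gated on `'user', 'update'` and the web `/license` page on `'user', 'read'`. Consider a dedicated resource for these admin-only actions. In the User.php branch, consider limiting the assignable roles to ones the acting user may grant, so that a delegated user-management role cannot hand out a higher role. The enclosing method continues outside the hunk, so how `$isAdmin` is used further down is not visible here.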
@@ -29,6 +29,8 @@ class WebAuthorization implements MiddlewareInterface public function process(Request $request, RequestHandler $handler) :Response { + $test = $this->acl->isAllowed($request->getAttribute('c_userrole'), $this->resource, $this->action); + if(!$this->acl->isAllowed($request->getAttribute('c_userrole'), $this->resource, $this->action)) { $response = new Response(); diff --git a/system/typemill/Models/User.php b/system/typemill/Models/User.php index f011fba..4a47570 100644 --- a/system/typemill/Models/User.php +++ b/system/typemill/Models/User.php @@ -202,7 +202,7 @@ class User } # Only admin ... - if($acl->isAllowed($inspectorrole, 'user', 'write')) + if($acl->isAllowed($inspectorrole, 'user', 'update')) { # can change userroles $definedroles = $acl->getRoles(); diff --git a/system/typemill/routes/api.php b/system/typemill/routes/api.php index 21734ec..d575712 100644 --- a/system/typemill/routes/api.php +++ b/system/typemill/routes/api.php 
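Review bot: The added `$test = $this->acl->isAllowed(...)` at the top of `process()` is never read in the lines shown and repeats the check made by the `if` directly below it, so it looks like leftover debugging in the authorization middleware. Drop the assignment, or keep a single call in a local and test that: `$allowed = $this->acl->isAllowed($request->getAttribute('c_userrole'), $this->resource, $this->action);` followed by `if(!$allowed)`. The rest of `process()` lies outside the hunk.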
@@ -24,20 +24,20 @@ use Typemill\Controllers\ControllerApiTestmail; $app->group('/api/v1', function (RouteCollectorProxy $group) use ($acl) { # GLOBALS - $group->get('/systemnavi', ControllerApiGlobals::class . ':getSystemnavi')->setName('api.systemnavi.get')->add(new ApiAuthorization($acl, 'account', 'view')); # member - $group->get('/mainnavi', ControllerApiGlobals::class . ':getMainnavi')->setName('api.mainnavi.get')->add(new ApiAuthorization($acl, 'account', 'view')); # member + $group->get('/systemnavi', ControllerApiGlobals::class . ':getSystemnavi')->setName('api.systemnavi.get')->add(new ApiAuthorization($acl, 'account', 'read')); # member + $group->get('/mainnavi', ControllerApiGlobals::class . ':getMainnavi')->setName('api.mainnavi.get')->add(new ApiAuthorization($acl, 'account', 'read')); # member # SYSTEM - $group->get('/settings', ControllerApiSystemSettings::class . ':getSettings')->setName('api.settings.get')->add(new ApiAuthorization($acl, 'system', 'view')); # admin - $group->post('/settings', ControllerApiSystemSettings::class . ':updateSettings')->setName('api.settings.set')->add(new ApiAuthorization($acl, 'system', 'update')); # admin - $group->post('/license', ControllerApiSystemLicense::class . ':createLicense')->setName('api.license.create')->add(new ApiAuthorization($acl, 'system', 'update')); # admin - $group->post('/licensetestcall', ControllerApiSystemLicense::class . ':testLicenseServerCall')->setName('api.license.testcall')->add(new ApiAuthorization($acl, 'system', 'update')); # admin - $group->post('/themecss', ControllerApiSystemThemes::class . ':updateThemeCss')->setName('api.themecss.set')->add(new ApiAuthorization($acl, 'system', 'update')); # admin - $group->post('/theme', ControllerApiSystemThemes::class . ':updateTheme')->setName('api.theme.set')->add(new ApiAuthorization($acl, 'system', 'update')); # admin - $group->post('/plugin', ControllerApiSystemPlugins::class . 
':updatePlugin')->setName('api.plugin.set')->add(new ApiAuthorization($acl, 'system', 'update')); # admin - $group->post('/extensions', ControllerApiSystemExtensions::class . ':activateExtension')->setName('api.extension.activate')->add(new ApiAuthorization($acl, 'system', 'update')); # admin - $group->post('/versioncheck', ControllerApiSystemVersions::class . ':checkVersions')->setName('api.versioncheck')->add(new ApiAuthorization($acl, 'system', 'update')); # admin - $group->post('/testmail', ControllerApiTestmail::class . ':send')->setName('api.testmail')->add(new ApiAuthorization($acl, 'system', 'update')); # admin + $group->get('/settings', ControllerApiSystemSettings::class . ':getSettings')->setName('api.settings.get')->add(new ApiAuthorization($acl, 'system', 'read')); # manager + $group->post('/settings', ControllerApiSystemSettings::class . ':updateSettings')->setName('api.settings.set')->add(new ApiAuthorization($acl, 'system', 'update')); # manager + $group->post('/license', ControllerApiSystemLicense::class . ':createLicense')->setName('api.license.create')->add(new ApiAuthorization($acl, 'user', 'update')); # admin + $group->post('/licensetestcall', ControllerApiSystemLicense::class . ':testLicenseServerCall')->setName('api.license.testcall')->add(new ApiAuthorization($acl, 'user', 'update')); # admin + $group->post('/themecss', ControllerApiSystemThemes::class . ':updateThemeCss')->setName('api.themecss.set')->add(new ApiAuthorization($acl, 'system', 'update')); # manager + $group->post('/theme', ControllerApiSystemThemes::class . ':updateTheme')->setName('api.theme.set')->add(new ApiAuthorization($acl, 'system', 'update')); # manager + $group->post('/plugin', ControllerApiSystemPlugins::class . ':updatePlugin')->setName('api.plugin.set')->add(new ApiAuthorization($acl, 'system', 'update')); # manager + $group->post('/extensions', ControllerApiSystemExtensions::class . 
':activateExtension')->setName('api.extension.activate')->add(new ApiAuthorization($acl, 'system', 'update')); # manager + $group->post('/versioncheck', ControllerApiSystemVersions::class . ':checkVersions')->setName('api.versioncheck')->add(new ApiAuthorization($acl, 'system', 'update')); # manager + $group->post('/testmail', ControllerApiTestmail::class . ':send')->setName('api.testmail')->add(new ApiAuthorization($acl, 'user', 'update')); # admin $group->get('/users/getbynames', ControllerApiSystemUsers::class . ':getUsersByNames')->setName('api.usersbynames')->add(new ApiAuthorization($acl, 'user', 'update')); # admin $group->get('/users/getbyemail', ControllerApiSystemUsers::class . ':getUsersByEmail')->setName('api.usersbyemail')->add(new ApiAuthorization($acl, 'user', 'update')); # admin $group->get('/users/getbyrole', ControllerApiSystemUsers::class . ':getUsersByRole')->setName('api.usersbyrole')->add(new ApiAuthorization($acl, 'user', 'update')); # admin 
@@ -47,21 +47,21 @@ $app->group('/api/v1', function (RouteCollectorProxy $group) use ($acl) { $group->delete('/user', ControllerApiSystemUsers::class . ':deleteUser')->setName('api.user.delete')->add(new ApiAuthorization($acl, 'account', 'delete')); # member # IMAGES - $group->get('/pagemedia', ControllerApiImage::class . ':getPagemedia')->setName('api.image.pagemedia')->add(new ApiAuthorization($acl, 'mycontent', 'read')); - $group->get('/images', ControllerApiImage::class . ':getImages')->setName('api.image.images')->add(new ApiAuthorization($acl, 'mycontent', 'read')); - $group->post('/image', ControllerApiImage::class . ':saveImage')->setName('api.image.create')->add(new ApiAuthorization($acl, 'mycontent', 'create')); - $group->put('/image', ControllerApiImage::class . ':publishImage')->setName('api.image.publish')->add(new ApiAuthorization($acl, 'mycontent', 'create')); - $group->get('/image', ControllerApiImage::class . ':getImage')->setName('api.image.get')->add(new ApiAuthorization($acl, 'mycontent', 'read')); - $group->delete('/image', ControllerApiImage::class . ':deleteImage')->setName('api.image.delete')->add(new ApiAuthorization($acl, 'mycontent', 'delete')); + $group->get('/pagemedia', ControllerApiImage::class . ':getPagemedia')->setName('api.image.pagemedia')->add(new ApiAuthorization($acl, 'mycontent', 'read')); # author + $group->get('/images', ControllerApiImage::class . ':getImages')->setName('api.image.images')->add(new ApiAuthorization($acl, 'mycontent', 'read')); # author + $group->post('/image', ControllerApiImage::class . ':saveImage')->setName('api.image.create')->add(new ApiAuthorization($acl, 'mycontent', 'create')); # author + $group->put('/image', ControllerApiImage::class . ':publishImage')->setName('api.image.publish')->add(new ApiAuthorization($acl, 'mycontent', 'create')); # author + $group->get('/image', ControllerApiImage::class . 
':getImage')->setName('api.image.get')->add(new ApiAuthorization($acl, 'mycontent', 'read')); # author + $group->delete('/image', ControllerApiImage::class . ':deleteImage')->setName('api.image.delete')->add(new ApiAuthorization($acl, 'mycontent', 'delete')); # editor # FILES - $group->get('/filerestrictions', ControllerApiFile::class . ':getFileRestrictions')->setName('api.file.getrestrictions')->add(new ApiAuthorization($acl, 'mycontent', 'create')); - $group->post('/filerestrictions', ControllerApiFile::class . ':updateFileRestrictions')->setName('api.file.updaterestrictions')->add(new ApiAuthorization($acl, 'mycontent', 'create')); - $group->post('/file', ControllerApiFile::class . ':uploadFile')->setName('api.file.upload')->add(new ApiAuthorization($acl, 'mycontent', 'create')); - $group->put('/file', ControllerApiFile::class . ':publishFile')->setName('api.file.publish')->add(new ApiAuthorization($acl, 'mycontent', 'update')); - $group->get('/files', ControllerApiFile::class . ':getFiles')->setName('api.files.get')->add(new ApiAuthorization($acl, 'mycontent', 'read')); - $group->get('/file', ControllerApiFile::class . ':getFile')->setName('api.file.get')->add(new ApiAuthorization($acl, 'mycontent', 'read')); - $group->delete('/file', ControllerApiFile::class . ':deleteFile')->setName('api.file.delete')->add(new ApiAuthorization($acl, 'mycontent', 'read')); + $group->get('/filerestrictions', ControllerApiFile::class . ':getFileRestrictions')->setName('api.file.getrestrictions')->add(new ApiAuthorization($acl, 'mycontent', 'create')); # author + $group->post('/filerestrictions', ControllerApiFile::class . ':updateFileRestrictions')->setName('api.file.updaterestrictions')->add(new ApiAuthorization($acl, 'mycontent', 'create')); # author + $group->post('/file', ControllerApiFile::class . ':uploadFile')->setName('api.file.upload')->add(new ApiAuthorization($acl, 'mycontent', 'create')); # author + $group->put('/file', ControllerApiFile::class . 
':publishFile')->setName('api.file.publish')->add(new ApiAuthorization($acl, 'mycontent', 'update')); # author + $group->get('/files', ControllerApiFile::class . ':getFiles')->setName('api.files.get')->add(new ApiAuthorization($acl, 'mycontent', 'read')); # author + $group->get('/file', ControllerApiFile::class . ':getFile')->setName('api.file.get')->add(new ApiAuthorization($acl, 'mycontent', 'read')); # author + $group->delete('/file', ControllerApiFile::class . ':deleteFile')->setName('api.file.delete')->add(new ApiAuthorization($acl, 'mycontent', 'read')); # author # ARTICLE $group->post('/article/sort', ControllerApiAuthorArticle::class . ':sortArticle')->setName('api.article.sort')->add(new ApiAuthorization($acl, 'content', 'create')); # author 
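Review bot: `DELETE /file` (`api.file.delete`) is still authorized with `'mycontent', 'read'`, so a role that may only read its own content passes the check for a destructive call, whereas `DELETE /image` just above requires `'mycontent', 'delete'`. The same mismatch is in the BLOCKS hunk that follows, where `PUT /block/move` and `POST /video` were renamed from `view` to `read` instead of being given a write privilege. Suggested: `new ApiAuthorization($acl, 'mycontent', 'delete')` for `deleteFile`, and `'mycontent', 'update'` and `'mycontent', 'create'` for `moveBlock` and `saveVideoImage` respectively. With the roles in permissions.yaml of this commit, `contributor` already holds all four `mycontent` privileges, so the gap matters once a read-only role exists. It also means the added `# author` and `# editor` comments name a higher role than the check enforces.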
@@ -77,23 +77,23 @@ $app->group('/api/v1', function (RouteCollectorProxy $group) use ($acl) { # BLOCKS $group->post('/block', ControllerApiAuthorBlock::class . ':addBlock')->setName('api.block.add')->add(new ApiAuthorization($acl, 'mycontent', 'update')); - $group->put('/block/move', ControllerApiAuthorBlock::class . ':moveBlock')->setName('api.block.move')->add(new ApiAuthorization($acl, 'mycontent', 'view')); + $group->put('/block/move', ControllerApiAuthorBlock::class . ':moveBlock')->setName('api.block.move')->add(new ApiAuthorization($acl, 'mycontent', 'read')); $group->put('/block', ControllerApiAuthorBlock::class . ':updateBlock')->setName('api.block.update')->add(new ApiAuthorization($acl, 'mycontent', 'update')); $group->delete('/block', ControllerApiAuthorBlock::class . ':deleteBlock')->setName('api.block.delete')->add(new ApiAuthorization($acl, 'mycontent', 'update')); - $group->post('/video', ControllerApiImage::class . ':saveVideoImage')->setName('api.video.save')->add(new ApiAuthorization($acl, 'mycontent', 'view')); + $group->post('/video', ControllerApiImage::class . ':saveVideoImage')->setName('api.video.save')->add(new ApiAuthorization($acl, 'mycontent', 'read')); # SHORTCODE - $group->get('/shortcodedata', ControllerApiAuthorShortcode::class . ':getShortcodeData')->setName('api.shortcodedata.get')->add(new ApiAuthorization($acl, 'mycontent', 'view')); + $group->get('/shortcodedata', ControllerApiAuthorShortcode::class . ':getShortcodeData')->setName('api.shortcodedata.get')->add(new ApiAuthorization($acl, 'mycontent', 'read')); # META - $group->get('/meta', ControllerApiAuthorMeta::class . ':getMeta')->setName('api.meta.get')->add(new ApiAuthorization($acl, 'mycontent', 'view')); + $group->get('/meta', ControllerApiAuthorMeta::class . ':getMeta')->setName('api.meta.get')->add(new ApiAuthorization($acl, 'mycontent', 'read')); $group->post('/meta', ControllerApiAuthorMeta::class . 
':updateMeta')->setName('api.metadata.update')->add(new ApiAuthorization($acl, 'mycontent', 'update')); # KIXOTE - $group->delete('/clearnavigation', ControllerApiGlobals::class . ':clearNavigation')->setName('api.navigation.clear')->add(new ApiAuthorization($acl, 'system', 'update')); - $group->get('/securitylog', ControllerApiGlobals::class . ':showSecurityLog')->setName('api.securitylog.show')->add(new ApiAuthorization($acl, 'system', 'update')); - $group->delete('/securitylog', ControllerApiGlobals::class . ':deleteSecurityLog')->setName('api.securitylog.delete')->add(new ApiAuthorization($acl, 'system', 'update')); - $group->delete('/cache', ControllerApiGlobals::class . ':deleteCache')->setName('api.cache.delete')->add(new ApiAuthorization($acl, 'system', 'update')); + $group->delete('/clearnavigation', ControllerApiGlobals::class . ':clearNavigation')->setName('api.navigation.clear')->add(new ApiAuthorization($acl, 'system', 'update')); # manager + $group->get('/securitylog', ControllerApiGlobals::class . ':showSecurityLog')->setName('api.securitylog.show')->add(new ApiAuthorization($acl, 'system', 'update')); # manager + $group->delete('/securitylog', ControllerApiGlobals::class . ':deleteSecurityLog')->setName('api.securitylog.delete')->add(new ApiAuthorization($acl, 'system', 'update')); # manager + $group->delete('/cache', ControllerApiGlobals::class . ':deleteCache')->setName('api.cache.delete')->add(new ApiAuthorization($acl, 'system', 'update')); # manager })->add(new CorsHeadersMiddleware($settings, $urlinfo))->add(new ApiAuthentication()); diff --git a/system/typemill/routes/web.php b/system/typemill/routes/web.php index 037269d..ecf18a4 100644 --- a/system/typemill/routes/web.php +++ b/system/typemill/routes/web.php 
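Review bot: The KIXOTE routes now labelled `# manager` all check `'system', 'update'`, including `GET /securitylog` and the three `DELETE` routes, although permissions.yaml in this commit gives `manager` separate `read` and `delete` privileges on `system` that no route in the visible hunks uses. Mapping the verbs (`'system', 'read'` for `showSecurityLog`, `'system', 'delete'` for `deleteSecurityLog`, `deleteCache` and `clearNavigation`) would let a role view the log without being able to erase it. Since the security log serves as an audit trail, consider whether clearing it should remain an administrator-only action rather than be available to `manager`.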
@@ -39,18 +39,18 @@ $app->group('/tm', function (RouteCollectorProxy $group) use ($routeParser,$acl) # Admin Area $group->get('/logout', ControllerWebAuth::class . ':logout')->setName('auth.logout'); - $group->get('/system', ControllerWebSystem::class . ':showSettings')->setName('settings.show')->add(new WebAuthorization($routeParser, $acl, 'system', 'show')); # admin; - $group->get('/license', ControllerWebSystem::class . ':showLicense')->setName('license.show')->add(new WebAuthorization($routeParser, $acl, 'system', 'show')); # admin; - $group->get('/themes', ControllerWebSystem::class . ':showThemes')->setName('themes.show')->add(new WebAuthorization($routeParser, $acl, 'system', 'show')); # admin; - $group->get('/plugins', ControllerWebSystem::class . ':showPlugins')->setName('plugins.show')->add(new WebAuthorization($routeParser, $acl, 'system', 'show')); # admin; - $group->get('/account', ControllerWebSystem::class . ':showAccount')->setName('user.account')->add(new WebAuthorization($routeParser, $acl, 'account', 'view')); # member; - $group->get('/users', ControllerWebSystem::class . ':showUsers')->setName('users.show')->add(new WebAuthorization($routeParser, $acl, 'user', 'show')); # admin; + $group->get('/system', ControllerWebSystem::class . ':showSettings')->setName('settings.show')->add(new WebAuthorization($routeParser, $acl, 'system', 'read')); # manager; + $group->get('/license', ControllerWebSystem::class . ':showLicense')->setName('license.show')->add(new WebAuthorization($routeParser, $acl, 'user', 'read')); # admin; + $group->get('/themes', ControllerWebSystem::class . ':showThemes')->setName('themes.show')->add(new WebAuthorization($routeParser, $acl, 'system', 'read')); # manager; + $group->get('/plugins', ControllerWebSystem::class . ':showPlugins')->setName('plugins.show')->add(new WebAuthorization($routeParser, $acl, 'system', 'read')); # manager; + $group->get('/account', ControllerWebSystem::class . 
':showAccount')->setName('user.account')->add(new WebAuthorization($routeParser, $acl, 'account', 'read')); # member; + $group->get('/users', ControllerWebSystem::class . ':showUsers')->setName('users.show')->add(new WebAuthorization($routeParser, $acl, 'user', 'read')); # admin; $group->get('/user/new', ControllerWebSystem::class . ':newUser')->setName('user.new')->add(new WebAuthorization($routeParser, $acl, 'user', 'create')); # admin; - $group->get('/user/{username}', ControllerWebSystem::class . ':showUser')->setName('user.show')->add(new WebAuthorization($routeParser, $acl, 'user', 'show')); # admin; + $group->get('/user/{username}', ControllerWebSystem::class . ':showUser')->setName('user.show')->add(new WebAuthorization($routeParser, $acl, 'user', 'read')); # admin; # Author Area - $group->get('/content/visual[/{route:.*}]', ControllerWebAuthor::class . ':showBlox')->setName('content.visual')->add(new WebAuthorization($routeParser, $acl, 'mycontent', 'view')); - $group->get('/content/raw[/{route:.*}]', ControllerWebAuthor::class . ':showRaw')->setName('content.raw')->add(new WebAuthorization($routeParser, $acl, 'mycontent', 'view')); + $group->get('/content/visual[/{route:.*}]', ControllerWebAuthor::class . ':showBlox')->setName('content.visual')->add(new WebAuthorization($routeParser, $acl, 'mycontent', 'read')); + $group->get('/content/raw[/{route:.*}]', ControllerWebAuthor::class . ':showRaw')->setName('content.raw')->add(new WebAuthorization($routeParser, $acl, 'mycontent', 'read')); })->add(new CspHeadersMiddleware($settings, $cspFromPlugins, $cspFromTheme))->add(new WebRedirectIfUnauthenticated($routeParser)); 
@@ -87,7 +87,7 @@ if(isset($routes['web']) && !empty($routes['web'])) if(isset($settings['access']) && $settings['access'] != '') { # if access for website is restricted - $app->get('/[{route:.*}]', ControllerWebFrontend::class . ':index')->setName('home')->add(new CspHeadersMiddleware($settings, $cspFromPlugins, $cspFromTheme))->add(new WebAuthorization($routeParser, $acl, 'account', 'view')); + $app->get('/[{route:.*}]', ControllerWebFrontend::class . ':index')->setName('home')->add(new CspHeadersMiddleware($settings, $cspFromPlugins, $cspFromTheme))->add(new WebAuthorization($routeParser, $acl, 'account', 'read')); } else { diff --git a/system/typemill/settings/mainnavi.yaml b/system/typemill/settings/mainnavi.yaml index e533b17..999d693 100644 --- a/system/typemill/settings/mainnavi.yaml +++ b/system/typemill/settings/mainnavi.yaml @@ -2,24 +2,24 @@ 'title': 'Content' 'routename': 'content.visual' 'aclresource': 'content' - 'aclprivilege': 'view' + 'aclprivilege': 'read' 'system': 'title': 'System' 'routename': 'settings.show' 'aclresource': 'system' - 'aclprivilege': 'view' + 'aclprivilege': 'read' 'account': 'title': 'Account' 'routename': 'user.account' 'aclresource': 'account' - 'aclprivilege': 'view' + 'aclprivilege': 'read' 'frontend': 'title': 'Frontend' 'routename': 'home' 'aclresource': 'account' - 'aclprivilege': 'view' + 'aclprivilege': 'read' 'logout': 'title': 'Logout' 'routename': 'auth.logout' 'aclresource': 'account' - 'aclprivilege': 'view' \ No newline at end of file + 'aclprivilege': 'read' \ No newline at end of file diff --git a/system/typemill/settings/permissions.yaml b/system/typemill/settings/permissions.yaml index 027ff38..eee294d 100644 --- a/system/typemill/settings/permissions.yaml +++ b/system/typemill/settings/permissions.yaml @@ -3,7 +3,7 @@ member: inherits: NULL permissions: account: - - 'view' + - 'read' - 'update' - 'delete' contributor: 
@@ -11,7 +11,7 @@ contributor: inherits: member permissions: mycontent: - - 'view' + - 'read' - 'create' - 'update' - 'delete' @@ -20,8 +20,8 @@ author: inherits: contributor permissions: content: + - 'read' - 'create' - - 'view' editor: name: editor inherits: author @@ -33,4 +33,12 @@ editor: - 'update' - 'delete' - 'publish' - - 'unpublish' \ No newline at end of file + - 'unpublish' +manager: + name: manager + inherits: editor + permissions: + system: + - 'read' + - 'update' + - 'delete' \ No newline at end of file diff --git a/system/typemill/settings/systemnavi.yaml b/system/typemill/settings/systemnavi.yaml index 47e627e..1a1a6da 100644 --- a/system/typemill/settings/systemnavi.yaml +++ b/system/typemill/settings/systemnavi.yaml @@ -3,34 +3,34 @@ 'routename': 'settings.show' 'icon': 'icon-wrench' 'aclresource': 'system' - 'aclprivilege': 'view' + 'aclprivilege': 'read' 'license': 'title': 'License' 'routename': 'license.show' 'icon': 'icon-wrench' - 'aclresource': 'system' - 'aclprivilege': 'view' + 'aclresource': 'user' + 'aclprivilege': 'read' 'themes': 'title': 'Themes' 'routename': 'themes.show' 'icon': 'icon-paint-brush' 'aclresource': 'system' - 'aclprivilege': 'view' + 'aclprivilege': 'read' 'plugins': 'title': 'Plugins' 'routename': 'plugins.show' 'icon': 'icon-plug' 'aclresource': 'system' - 'aclprivilege': 'view' + 'aclprivilege': 'read' 'account': 'title': 'Account' 'routename': 'user.account' 'icon': 'icon-user' 'aclresource': 'account' - 'aclprivilege': 'view' + 'aclprivilege': 'read' 'users': 'title': 'Users' 'routename': 'users.show' 'icon': 'icon-group' 'aclresource': 'user' - 'aclprivilege': 'view' \ No newline at end of file + 'aclprivilege': 'read' \ No newline at end of file
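Review bot: The new `manager` role receives `update` on `system`, which in routes/api.php of this commit gates settings, theme and plugin updates, extension activation, and cache and security-log deletion. That puts it close to administrator in practice, and nothing in the file says so. A comment above `manager:` would help whoever assigns roles, for example `# manager: can change settings, themes and plugins and clear the security log; assign to trusted users only`. `delete` on `system` is not checked by any route in the visible hunks, so it currently grants nothing; either gate the `DELETE` routes on it or leave it out until a route needs it.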