
Introduction

Usually a website grows as time goes by. In a first step, public pages are created. Later, pages are added which are only visible to certain groups of users. The admin creates a user group and adds the people who are allowed to view the pages whose visibility has been set to "Registered". It works as expected. For pages which are visible to another group of users, the next group is created, and so on. Since Website Baker 2.7 it is possible for a user to be a member of multiple groups.

As the number of pages grows, a decision is made: in the future, certain pages will be managed not by the site admin alone, but also by a group of users. The admin creates another group, for instance called Editors_Marketing, and allows the members of this group to manage the Marketing pages. But his trust in that group is not too large, so he removes the right to create pages of type Code or Import Section from this group. Some members of the group Editors_Marketing are members of other groups, too, but those groups are not allowed to administer any pages in the backend at all.

Pitfall 1

What do you think, will this work as expected? Only members of Editors_Marketing are allowed to administer the pages of the Marketing department, and this group is not allowed to create Code pages. Can you be sure that no one will create a page of type Code now?

I am sorry, but the answer is NO.

Website Baker does not only look at the permissions of the group which is allowed to administer a page; it looks at the permissions of all groups the logged-on user belongs to. The other groups are not allowed to manage any pages, which is why you probably did not make any effort to remove permissions (for instance for creating pages of type Code) from those groups. When a user is a member of such a group too, he is able to create pages of type Code beneath the Marketing pages.

Pitfall 2

Suppose you have a dozen different user groups and, to avoid pitfall 1, you removed the permissions for certain modules from all 12 groups. What do you think, are you safe now and for all time?

I am sorry, but the answer is NO.

As soon as you install another module which is very useful but, for security reasons, should be used only by the administrator, you have a lot of work to do: again you need to walk through all 12 groups and remove the permissions for the new module from each group. The reason is that Website Baker allows access to everything that is not explicitly denied. In other words, we are using a blacklist, even though the backend makes it look like we are using a whitelist.
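The two evaluation rules behind Pitfall 1 and Pitfall 2, modelled in Python as an added example (this is not Website Baker's own code; the group, user and module names are made up) and compared with the whitelist evaluation the backend appears to offer:

```python
# Model of the group-permission logic described above. Constructed example,
# not Website Baker code; group, user and module names are illustrative.

ALL_MODULES = {"wysiwyg", "code", "import_section"}

# Deny-list semantics as the text describes them: every group starts with
# access to every module, and the admin removes entries per group.
GROUP_DENIES = {
    "Editors_Marketing": {"code", "import_section"},
    "Registered_Intranet": set(),   # may not manage pages, so never edited
}

# Allow-list semantics for comparison: a group only gets what is listed.
GROUP_ALLOWS = {
    "Editors_Marketing": {"wysiwyg"},
    "Registered_Intranet": set(),
}

USER_GROUPS = {
    "alice": {"Editors_Marketing"},
    "bob": {"Editors_Marketing", "Registered_Intranet"},
}


def allowed_blacklist(user, modules=ALL_MODULES):
    """Modules the user may create pages with under deny-list evaluation.

    A module is usable if *any* of the user's groups does not deny it;
    that is what makes Pitfall 1 possible."""
    usable = set()
    for group in USER_GROUPS[user]:
        usable |= modules - GROUP_DENIES.get(group, set())
    return usable


def allowed_whitelist(user):
    """Modules the user may create pages with under allow-list evaluation.

    Only explicitly granted modules count, so a newly installed module is
    unusable for everyone until an admin grants it (no Pitfall 2)."""
    usable = set()
    for group in USER_GROUPS[user]:
        usable |= GROUP_ALLOWS.get(group, set())
    return usable


def groups_to_fix_after_install(new_module):
    """Pitfall 2: every group whose deny list must be edited after installing
    a module, if that module is to stay admin-only."""
    return sorted(g for g, denies in GROUP_DENIES.items() if new_module not in denies)
```

Under deny-list evaluation, a user who is in Editors_Marketing and one untouched group keeps the Code module, and a freshly installed module is usable by every group until each deny list is edited.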