I want to create different pages for users and admins. It seems that:

$app->user->checkAccess('uri_my-whatever-access-rights') 

does not work for admins; it always validates to true. I don't want the admin to have the same options as a regular user.

This goes for index.php (Slim) as well as the Twig templates (admins see all user menus, even though they are only meant for users).

Bug? Am I doing something wrong?

Thanks

amivag
  • When you say "admin", do you mean the root user, or do you mean a user that you've added to an "admin" group? – alexw Aug 01 '16 at 17:36
  • I meant the "root" user. I suppose regular admin accounts behave as expected? (Will check) – amivag Aug 08 '16 at 18:58

1 Answer

I noticed the same behavior on my project. The root user always sees everything. A possible fix would be to simply exclude the 'user_master_id' if you do not want to see everything as root.

Something like:

if($app->config('user_id_master') == $app->user->id)

should do the job.

Edit: I checked the User.checkAccess(..) method. See also the API.

The user with the MasterUserId will see everything (it always evaluates to true). Any other admin does not see the stuff which it should not see, as defined in the rule(s).

If you want to exclude the root from some pages/entries, simply append a suitable routine like isRoot() to the user model, register it here, and you can use it in Twig and also in the routing routines.

regards

thex
  • It's worth mentioning that the root user is not meant to be used as a day-to-day account. Rather, it is supposed to be a way for developers or the sysadmin to quickly diagnose and troubleshoot code and access control issues. The owner of a site should still have their own, non-root account that they use for regular activity. So, I generally would not exclude the root user from accessing anything. – alexw Aug 01 '16 at 17:38
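
The behaviour discussed in this thread, as an added example that is not part of the original posts and not UserFrosting's own code: a stand-in user model whose checkAccess() always returns true for the master id, next to an isRoot() check that keeps user-only pages away from root. The User class shape, the canSeeUserPage() helper, the 'uri_users' hook and the sample accounts are assumptions constructed for illustration.

```php
<?php
// Stand-in model for illustration; not UserFrosting's own classes.
final class User
{
    private int $id;
    private int $masterId;   // value of the 'user_id_master' setting
    private array $hooks;    // hooks granted by the account's rules (assumed shape)

    public function __construct(int $id, int $masterId, array $hooks = [])
    {
        $this->id = $id;
        $this->masterId = $masterId;
        $this->hooks = $hooks;
    }

    // The check suggested in the answer: is this the master account?
    public function isRoot(): bool
    {
        return $this->id === $this->masterId;
    }

    // Behaviour described in the thread: root short-circuits to true,
    // every other account is evaluated against its rules.
    public function checkAccess(string $hook): bool
    {
        return $this->isRoot() || in_array($hook, $this->hooks, true);
    }
}

// Hypothetical guard for pages and menus meant for regular users only.
function canSeeUserPage(User $user, string $hook): bool
{
    return !$user->isRoot() && $user->checkAccess($hook);
}

// Constructed sample accounts; 1 stands in for the configured master id.
$masterId = 1;
$hook = 'uri_my-whatever-access-rights';
$accounts = [
    'root'   => new User(1, $masterId),
    'admin'  => new User(2, $masterId, ['uri_users']),
    'member' => new User(3, $masterId, [$hook]),
];

foreach ($accounts as $name => $user) {
    printf("%-6s checkAccess=%-5s userPage=%s\n", $name,
        var_export($user->checkAccess($hook), true),
        var_export(canSeeUserPage($user, $hook), true));
}
```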