bmihelac / feincms-feincmsext

Extensions for FeinCMS

Users can't add pages on root #5

Closed Gwildor closed 11 years ago

Gwildor commented 11 years ago

When a user isn't a superuser, you can't give him permissions to add pages on the root; the only thing you can do is give permissions to add pages in the subtree of a page you added permissions for that user on. This should be possible, however, because you want to have users who can do everything with pages but nothing with the rest of the admin without SimplePermissions getting in the way, or simply users who can add pages everywhere, but just can't do anything else.

The best possible way to achieve this is possibly to allow the page setting, when adding a page permission, to be set to blank, and if it's blank, assume the whole root tree.

bmihelac commented 11 years ago

I guess that if a user is not listed in the PagePermission model, simple_permission should not apply. Then it should depend on regular django.contrib.auth permissions. Right?

Gwildor commented 11 years ago

Would that mean that all users will usually be able to do anything, unless they have a PagePermission set on them? That would be a good compromise, although it could be subject to security issues (for instance, when you create a new user and forget to set any PagePermissions on them, then they would be allowed to do everything they are allowed to by Django's auth). However, I think that is probably the best solution.

bmihelac commented 11 years ago

Yes, a new user would be able to do everything if he has rights to add/delete/change page.Page objects and is not given fine-grained permissions. Now I wonder why this is not working this way already...

Gwildor commented 11 years ago

Alright, sounds like a good solution to me :) This also makes things less confusing for admins who don't know a lot about how Django works.

bmihelac commented 11 years ago

This should be fixed, feel free to reopen if you have any problems.

Gwildor commented 11 years ago

Thanks for your work. I just tested it quickly, and found that most things work as expected. However, one major thing doesn't work: when a user has no permissions set on him yet, he still can't add any pages (it gives a 403 when trying to save the new page).

The following things do work as expected:

So, basically, all that doesn't work yet is the saving of a new page in the root when a user has no permissions set on him.

bmihelac commented 11 years ago

Thanks for the feedback.

I just pushed an update, it should work now, can you check?

Gwildor commented 11 years ago

Thank you very much, it seems to work fine :)
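The decision rule agreed in this thread, as an added example that is not the feincmsext code: a plain-Python model of "no PagePermission rows means fall back to Django auth", plus an audit for the accounts that end up in that fallback (the risk raised above for newly created users). The `Page` and `User` classes, the `(username, page)` row format and the `page.*_page` codenames are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed Django codenames for FeinCMS page.Page (add/change/delete).
PAGE_PERMS = {"page.add_page", "page.change_page", "page.delete_page"}

@dataclass(frozen=True)
class Page:                      # hypothetical stand-in for a page tree node
    slug: str
    parent: "Page | None" = None

@dataclass
class User:                      # hypothetical stand-in for auth.User
    name: str
    is_superuser: bool = False
    auth_perms: frozenset = frozenset()

def can_add_page(user, parent, rows):
    """Decide an 'add page' request. parent=None means the root.
    rows models PagePermission as (username, page) pairs."""
    if user.is_superuser:
        return True
    if "page.add_page" not in user.auth_perms:
        return False             # Django auth is always the outer gate
    granted = [page for name, page in rows if name == user.name]
    if not granted:
        return True              # no rows: fall back to Django auth alone
    node = parent                # rows exist: parent must sit in a granted subtree
    while node is not None:
        if node in granted:
            return True
        node = node.parent
    return False                 # includes the root case (parent=None)

def unrestricted_editors(users, rows):
    """Audit for the risk raised in the thread: non-superusers who hold page
    permissions in Django auth but have no PagePermission row."""
    restricted = {name for name, _ in rows}
    return sorted(u.name for u in users if not u.is_superuser
                  and u.auth_perms & PAGE_PERMS and u.name not in restricted)

# Constructed sample data.
HOME = Page("home")
NEWS = Page("news", HOME)
ABOUT = Page("about", HOME)
ADD = frozenset({"page.add_page"})
USERS = [User("alice", is_superuser=True), User("bob", auth_perms=ADD),
         User("carol", auth_perms=ADD), User("dave")]
ROWS = [("bob", NEWS)]           # carol was created without any rows

if __name__ == "__main__":
    for u in USERS:
        print(u.name, can_add_page(u, None, ROWS), can_add_page(u, NEWS, ROWS))
    print("fallback users:", unrestricted_editors(USERS, ROWS))
```

Running the audit after creating accounts shows who is governed by Django auth alone, so a forgotten PagePermission row is visible rather than silent.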