Let say I have a P template that may have children based on template C1 and C2. C1 and C2 can only have P as parent. So these conditions are enough to get a link with the "Add new" button, and it works perfectly.
Now, let’s imagine I have two roles defined : chief-editor and contributor.
Chief-editor can create pages based on C1 and C2.
Contributor may only create pages based on C2.
Contributor may only create pages based on C2. They should only see "Add new C2" link. But they actually can see both links, and when they try to create a C1 page, they get an error saying "ProcessWire: ProcessPageAdd: Template page-post is not allowed here (/p-page-url/)". Which is absolutely right, as they are not allowed to create C1 pages. But it’s confusing for the user.
Expected behavior
Chief-editor must have the two "Add new" links : "Add new C1" and "Add new C2".
Contributor should only see "Add new C1" link.
Actual behavior
Contributor see the two links just as the Chief-editor, because they have permission to adde children for a P-template page.
No check on "create page" permission seems to be done at this stage.
When you try to create a C1 page, you get an error ProcessPageAdd: Template page-post is not allowed here
Optional: Suggestion for a possible fix
Before putting an "Add new..." link, check if the role has "add-children" permission AND "create-page" permission
Steps to reproduce the issue
Create template P, template C1 and template C2.
Set allowed children for P = C1 and C2, set allowed parent for C1 and C2 = P
Create a role called "editor". Give this role the permission to add children for P, and to create C2 but not C1.
Check the available "Add new..." links. You should see "Add new C1" and "Add new C2" for editor role
Click on "Add new C1" from the editor role → you will get the error
Setup/Environment
ProcessWire version: 3.0.229
(Optional) PHP version: 8.3.6
(Optional) MySQL version: 8.0.31
(Optional) Any 3rd party modules that are installed and could be related to the issue: –
Short description of the issue
Let say I have a P template that may have children based on template C1 and C2. C1 and C2 can only have P as parent. So these conditions are enough to get a link with the "Add new" button, and it works perfectly.
Now, let’s imagine I have two roles defined : chief-editor and contributor.
Chief-editor can create pages based on C1 and C2. Contributor may only create pages based on C2.
Contributor may only create pages based on C2. They should only see "Add new C2" link. But they actually can see both links, and when they try to create a C1 page, they get an error saying "ProcessWire: ProcessPageAdd: Template page-post is not allowed here (/p-page-url/)". Which is absolutely right, as they are not allowed to create C1 pages. But it’s confusing for the user.
Expected behavior
Chief-editor must have the two "Add new" links : "Add new C1" and "Add new C2". Contributor should only see "Add new C1" link.
Actual behavior
Contributor see the two links just as the Chief-editor, because they have permission to adde children for a P-template page.
No check on "create page" permission seems to be done at this stage.
When you try to create a C1 page, you get an error
ProcessPageAdd: Template page-post is not allowed hereOptional: Suggestion for a possible fix
Before putting an "Add new..." link, check if the role has "add-children" permission AND "create-page" permission
Steps to reproduce the issue
Setup/Environment