pubpub / platform

Open-source technology for creating full-stack knowledge applications for communities of all types.
https://knowledgefutures.org/pubpub
GNU General Public License v2.0
22 stars 3 forks source link

Restrict page visibility based on membership #637

Open gabestein opened 2 months ago

gabestein commented 2 months ago

Motivation

So users can only navigate—and see links to—pages that they are capable by way of community membership.

Requirements

Modify pages so that non-community-level admins cannot access:

In addition, modify the pub page such that only community admins and members with explicit pub membership can see or access it.

When a user navigates to a page that they do not have access to, they should be redirected to a new Unauthorized page with generic error text. This page should have the side navigation visible so users can navigate away from the 403 page.

Acceptance Criteria

kalilsn commented 2 weeks ago

What should we show users when they navigate to a page that they're not authorized to see? IMO this is a good time to add a 403 error page

3mcd commented 2 weeks ago

@kalilsn I'll update the requirements to reflect a redirect to a new 403 page. I don't think the contents of the page matter that much right now. Sound right?

kalilsn commented 2 weeks ago

Yeah, I think we can just render the sidebar and some kind of error text in the main page so that users can keep navigating. And we should probably call out the issue where contributors (so anyone who has been invited to fill out a form) can access the workflows and integrations pages in communities they are not a member of.

gabestein commented 2 weeks ago

Yeah, that seems fine for now. I should also note that @tefkah is working on replacing the sidebar with ShadCN, which will make this easier, so it's fine to just do the errors for now.

kalilsn commented 2 weeks ago

Out of scope: fixing the issue where contributors can access the workflows and integrations pages for communitiesthey are not a member of.

I meant that should be in scope probably! But if there's another issue that covers it that's great too!

gabestein commented 19 hours ago

@kalilsn sorry I missed that one. @3mcd if this hasn't been done yet, let's add that back to the scope?