Open travisulrich opened 6 years ago
codyspring
commented
6 years ago I just came here to request this myself, it would be super helpful. Though, the redirect on fail should be specified differently for this and logged in; maybe we can set both?
travisulrich
commented
6 years ago I would think the login_url: /login should apply if the user is not logged in. If they are logged in but lack the group or role, it would return a 403 forbidden (the same as the ip_address scheme)
jasonvarga
commented
6 years ago I like this.
Although I don't think it really warrants a new scheme. We could probably just let you specify a role or group on the logged_in scheme.
Something like
protect:
type: logged_in
login_url: /login
append_redirect: true
roles: [vip, overlord] # or groupsThat'd work great I think.
It would be helpful to be able to restrict a user's access to a page based on their role/permissions or membership in a specific user group. This would allow more granulated permissions for a page than is currently available out of the box.
An example of where this might be useful: On a site where user identity needs to be manually validated before they have access to "internal information", the user would be able to register as usual. Then an administrator could validate his identity and add him to a group "member" which would then provide access to the restricted information.
This could function similarly to the other protect schemes but with different terms:
or for group