Multiple roles granting access to different categories

  • Hi everyone,

    I'm trying to understand the multiple role system. As far as I understand from the documentation a user, who has multiple roles assigned, will only get access to the section both roles grant access to. In the Sentinel documentation it reads:

    "Role-based permissions that define the same permission with different access rights will be rejected in case of any rejections on any role."

    However, I would like the multiple roles to have an additive effect. For example:
    Let's say I have two roles "page admin" and "editor".
    "page admin" grants access to Create/Edit/Delete pages (but nothing else)
    "editor" grants access to write/edit/delete blog posts (but nothing else)

    At the moment, if I have a user who is "page admin" AND "editor", he will have no rights at all since all permissions are denied by one or the other role. But I would like him to have access to both sections.
    Right now a role can only allow or deny access in the admin page. To achieve what I want to achieve there should be a third option. Something like: "Don't affect". This way "page admin" wouldn't deny access to blog posts, but it also wouldn't grant those rights by itself.

    This is actually already possible to achieve by manually removing the specific permission all together from the roles database.

    So instead of the current permissions for "page admin" in the database:
    { "blog.insert":false, "blog.edit":false, "blog.delete": false, "page.insert": true, "page.edit": true, "page.delete": true }
    I change the permissions to this:
    { "page.insert": true, "page.edit": true, "page.delete": true }

    This way it only grants permissions to the section this role controls, but it doesn't deny permissions to other sections.

    I would love to have a way to do that visually through the roles admin page. Are there any plans for this or did someone already do this?


Log in to reply

Looks like your connection to AsgardCms was lost, please wait while we try to reconnect.