YetaWF provides detailed authorization for users based on roles and resources. Authorization can be defined for pages, modules and some resources (typically actions). If a user has sufficient authorization to access a page, the page is displayed, but the user may not have sufficient authorization to view some of the modules on the page, in which case these modules are simply not shown. With this in mind, it is possible to design pages that display different content (modules) based on the user's permissions.
YetaWF includes several predefined Roles which are used to assign permissions.
Role | Description |
---|---|
Superuser | Superuser without any limitations. |
Administrator | Site administrator - limited to the current site, allowed to view/edit/remove. |
Editor | Site Editor - limited to the current site, allowed to view/edit. |
User | Any logged on user - limited to the current site, allowed to view. Any logged on user is assigned this role (which by definition also includes Superuser, Administrator, Editor) |
Anonymous | Any not logged on site visitor - limited to the current site, allowed to view. |
The Superuser, User and Anonymous Roles are built-in and cannot be removed or renamed. You can add additional roles using Admin > Identity > Roles tab (standard YetaWF site). All roles, including custom roles, can be used to define permissions to pages, modules and resources.
New roles can be added at any time and are immediately available to define permissions to pages, modules and resources.
Once a user account has been created, it is automatically assigned the built-in User role.
If you want to assign additional roles to a user, use Admin > Panel > Identity Settings > Users tab (standard YetaWF site), locate the user and click on the Edit icon.
This will show the user's currently assigned roles and you can select additional roles (Roles property).
Permission to access a page can be defined using Page Settings, Authorization tab.
In the above example, the role User is allowed to view the page (any logged on user can view it). The role Anonymous is also allowed to view the page (any site visitor who is not logged on can view it). The role Administrator can view/edit/remove the page, and the Editor role can view/edit but not remove it. The Superuser is of course allowed to view/edit/remove the page, as there are no limitations for the Superuser.
It is also possible to assign permissions to individual users (Permitted Users). This is not recommended: roles are the preferred way to assign permissions to groups of users, and role-based permissions are easier to review.
Permission to access a module can be defined using the module's Module Settings, Authorization tab. To access Module Settings, switch to Site Edit Mode, which makes the Module Settings action available.
Each module defines its own permissions; page permissions are no longer inherited as of YetaWF 1.0.5 (removed because inheritance could create security issues if misused). This means you can add modules with different permissions to the same page, and some of them will only be visible to users with sufficient permission.
A module can also be displayed without a containing page. For example, list all modules using Admin > Modules (standard YetaWF site) and select one of them for display using the Display icon.
Any existing module can also be displayed directly using the following URL, replacing moduleguid with the module's GUID:
/!Mod/moduleguid
If the module is not shown within a containing page, the module's permissions are used to determine whether the module is accessible. The Superuser is of course allowed to view/edit/remove the module as there are no limitations for the Superuser.
As with pages, permissions can also be assigned to individual users (Permitted Users); this is not recommended, as roles are the preferred way to assign permissions to groups of users.
Page authorization for all pages can be quickly verified (and changed) using Admin > Pages (standard YetaWF site), which displays a list of all pages. The Anonymous and Users columns are particularly helpful as they show at a glance whether anonymous users and logged on users can view the page. It is recommended to occasionally check your site's pages as security issues with incorrect page permissions can easily be found this way.
Module authorization for all modules can be quickly verified (and changed) using Admin > Modules (standard YetaWF site), which displays a list of all modules. The Anonymous and Users columns are particularly helpful as they show at a glance whether anonymous users and logged on users can view the module.
Keep in mind that any module can be displayed without a containing designed page by using the following URL, replacing moduleguid with the module's GUID:
/!Mod/moduleguid
Because this URL bypasses any page-level restriction, a module whose only protection is the page it sits on is still reachable by anyone its own permissions allow. This makes it especially important to check the permissions of each module, not just each page. It is recommended to occasionally review your site's modules, as security issues with incorrect module permissions can easily be found this way.
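The following model illustrates the rules described above for pages and for modules reached directly via /!Mod/: a page is checked first, each module on it is then filtered on its own permissions (nothing is inherited from the page), and a module opened directly is gated only by its own permissions. It also implements the audit this page recommends, finding modules that are hidden only because their page denies Anonymous. This is an added example written for this page, not YetaWF code; the role names, permission levels and URL form come from the page, while the class and function names, the sample pages and the GUIDs are constructed placeholders.

```python
"""Model of the page/module authorization rules described on this page.
Illustrative code written for this page; it is not YetaWF's own implementation.
Role names, view/edit/remove levels and the /!Mod/<guid> URL come from the page;
all class names, function names, sample pages and GUIDs are assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

PERMS = ("view", "edit", "remove")


@dataclass
class Principal:
    name: Optional[str]          # None for an anonymous visitor
    roles: FrozenSet[str]


def make_principal(name: Optional[str] = None, extra_roles=()) -> Principal:
    """Anonymous visitors carry only Anonymous; every logged-on user carries User
    plus whatever additional roles were assigned to the account."""
    if name is None:
        return Principal(None, frozenset({"Anonymous"}))
    return Principal(name, frozenset({"User", *extra_roles}))


@dataclass
class Acl:
    """Authorization tab of a page or module: permissions per role and,
    optionally, per user (Permitted Users, discouraged but modelled)."""
    roles: Dict[str, Set[str]] = field(default_factory=dict)
    users: Dict[str, Set[str]] = field(default_factory=dict)

    def allows(self, who: Principal, perm: str) -> bool:
        if "Superuser" in who.roles:
            return True                                   # no limitations
        if who.name is not None and perm in self.users.get(who.name, set()):
            return True
        return any(perm in self.roles.get(r, set()) for r in who.roles)


@dataclass
class Module:
    guid: str
    acl: Acl


@dataclass
class Page:
    url: str
    acl: Acl
    modules: List[Module]


def render_page(page: Page, who: Principal) -> Optional[List[str]]:
    """GUIDs of the modules rendered for `who`, or None if the page is denied.
    Modules the user cannot view are simply omitted (no inheritance from the page)."""
    if not page.acl.allows(who, "view"):
        return None
    return [m.guid for m in page.modules if m.acl.allows(who, "view")]


def render_direct(module: Module, who: Principal) -> bool:
    """/!Mod/<guid>: only the module's own permissions are consulted."""
    return module.acl.allows(who, "view")


def audit_exposed_modules(pages: List[Page]) -> List[Tuple[str, str]]:
    """Modules that sit on pages denying Anonymous but whose own ACL still grants
    Anonymous view: invisible while browsing, yet reachable via /!Mod/<guid>."""
    anon = make_principal()
    findings = []
    for page in pages:
        if page.acl.allows(anon, "view"):
            continue
        for m in page.modules:
            if render_direct(m, anon):
                findings.append((page.url, "/!Mod/" + m.guid))
    return findings


# Constructed sample site (placeholder GUIDs, not real YetaWF identifiers).
PUBLIC_ACL = Acl(roles={"Anonymous": {"view"}, "User": {"view"},
                        "Editor": {"view", "edit"}, "Administrator": set(PERMS)})
STAFF_ACL = Acl(roles={"User": {"view"}, "Administrator": set(PERMS)})
ADMIN_ACL = Acl(roles={"Administrator": set(PERMS)})

NEWS = Module("a0000000-0000-0000-0000-000000000001", PUBLIC_ACL)
STAFF_NOTES = Module("a0000000-0000-0000-0000-000000000002", STAFF_ACL)
# Misconfigured: placed only on an admin page, but still grants Anonymous view.
LEAKY_REPORT = Module("a0000000-0000-0000-0000-000000000003", PUBLIC_ACL)
USER_ADMIN = Module("a0000000-0000-0000-0000-000000000004", ADMIN_ACL)

HOME = Page("/", PUBLIC_ACL, [NEWS, STAFF_NOTES])
REPORTS = Page("/Admin/Reports", ADMIN_ACL, [LEAKY_REPORT, USER_ADMIN])
SITE = [HOME, REPORTS]

if __name__ == "__main__":
    for who in (make_principal(), make_principal("alice"), make_principal("root", ["Superuser"])):
        print(who.name, render_page(HOME, who), render_page(REPORTS, who))
    print("exposed via /!Mod/:", audit_exposed_modules(SITE))
```

Run stand-alone, the script shows the anonymous visitor seeing only the news module on the home page and nothing on the reports page, while the audit still reports the report module as reachable through its direct URL. The same check can be reproduced manually against a live site by requesting /!Mod/<guid> for each module while logged out and comparing the result with the Anonymous column in Admin > Modules.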
Using User > Settings (standard YetaWF site) a Superuser can turn on the Show Page Ownership and Show Module Ownership settings. Once enabled, all pages and modules are rendered with a distinct background color if they cannot be seen by an anonymous user or a logged on user. Since a Superuser can see all pages and modules, this is an easy way to visually verify a site for incorrectly defined page and module permissions.
Last Updated 11/13/2019
© 2023 - Softel vdm, Inc. - YetaWF.com