Can you restrict access to parts of strapi admin? - strapi

Using Strapi to build an API. Love most of it, but it seems access to the admin interface is all or nothing; you can't hide the more advanced aspects of admin for users who should only be able to add/edit content...? Am I missing something? How is this done?

This is the current top-voted feature request at Strapi. You can vote for it at: https://strapi.io/vote.
Admin - Permissions
Restrict admin panel sections access depending on users roles.

Actually you can change some things, since there is an /admin folder inside of /node_modules that you can overwrite. As the documentation says here, you can overwrite some logic for specific users and specific cases. That's not the best way to do it, but it's what we have for now.
Example: In my project I don't want any user to access the Content-Types Builder on production. In the end, I decided to hide the entire Plugins section in the production environment.
So firstly I copied the entire /admin folder inside of my project; that way it'd be simple to find/edit any component.
Secondly I searched where the sections were rendered, and I found this file:
/my-project/admin/src/components/LeftMenuLinkSection/index.js
And I added this inside of the component:
const LeftMenuLinksSection = ({ section,
  ....
  // before the return
  if (section === 'plugins' && process.env.NODE_ENV !== 'development') return null;
And it worked: on production I don't have the plugins section in the admin left menu.
It depends what you want to do, that could be possible, so it's not "all or nothing", it's more like all or almost nothing.
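The menu check in the answer above changes only what the admin UI renders; the server routes behind the hidden section are untouched. The following is an added example, not part of the original answer or of Strapi's own code, showing the same environment condition enforced on the server side as a Koa-style middleware. The `/content-type-builder` prefix and all function names are assumptions for illustration.

```javascript
// Koa-style middleware (Strapi runs on Koa): refuse plugin endpoints outside development.

// ASSUMPTION: route prefixes to lock down; adjust to the routes your Strapi
// version actually exposes.
const BLOCKED_PREFIXES = ['/content-type-builder'];

// Collapse duplicate slashes, drop a trailing slash and lowercase the path so
// trivial spelling variants match the same prefix.
function normalisePath(path) {
  const collapsed = ('/' + path).replace(/\/+/g, '/').toLowerCase();
  return collapsed.length > 1 ? collapsed.replace(/\/$/, '') : collapsed;
}

function isBlocked(path, env) {
  if (env === 'development') return false; // same condition as the menu check
  const p = normalisePath(path);
  return BLOCKED_PREFIXES.some((pre) => p === pre || p.startsWith(pre + '/'));
}

// Factory so the environment can be injected (defaults to NODE_ENV).
function blockPluginsOutsideDev(env = process.env.NODE_ENV) {
  return async (ctx, next) => {
    if (isBlocked(ctx.path, env)) {
      ctx.status = 403;
      ctx.body = { error: 'Forbidden' };
      return; // next() is not called, so the plugin handler never runs
    }
    await next();
  };
}

// Constructed request contexts standing in for Koa's ctx object.
async function demo() {
  const cases = [
    ['production', '/content-type-builder/content-types'],
    ['production', '//Content-Type-Builder/'],
    ['production', '/articles'],
    ['development', '/content-type-builder/content-types'],
  ];
  const results = [];
  for (const [env, path] of cases) {
    const ctx = { path, status: 200 };
    let reached = false;
    await blockPluginsOutsideDev(env)(ctx, async () => { reached = true; });
    results.push({ env, path, status: ctx.status, reached });
  }
  return results;
}
demo().then((rows) => console.log(rows));
```

In a Strapi project the function returned by `blockPluginsOutsideDev()` would be registered through the project's own middleware mechanism; that wiring is not shown here.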

Related

How to customize "Return" link in Laravel Spark?

I'm using Laravel Spark (not classic, v11) to scaffold out my newest SaaS application. Everything is going well, but the only thing I'm not able to customize is the "Return to [Application Link]" once users are actually in the billing portal.
Right now, it defaults to www.example.com, which returns users to my home page. Instead, I'd like it to return users to www.example.com/dashboard.
I've read every page of the documentation thoroughly, but don't see any sort of default customization built in for this.
I'm using Spark-Stripe (as opposed to Spark-Paddle) if it makes a difference, though I don't think it would.
Thanks in advance.
That URL should default to /dashboard, but you can customize it by adding this line to your spark.php config file:
'dashboard_url' => '/dashboard',
For more details on how Spark is using this config value, see these files:
../vendor/laravel/spark-stripe/src/FrontendState.php
../vendor/laravel/spark-stripe/resources/js/Pages/BillingPortal.vue

How to remove the ADD USER in the "admin users area" in Drupal 7

I already did the admin only register but I would like to remove this tab if anyone can help me
Thanks
In the admin menu, under People -> Permissions (/admin/people/permissions), you can set permissions for every user role. Under the "User" permissions group there is a permission "Administer users". I believe that's the one you should disallow and this button won't appear for a specific role.
You can also use CSS to hide that link, but it wouldn't be a very clean way... but it's an option B.
First of all this link is an Action Link which is a menu item. There are a lot of methods to hide it. Here are some suggestions.
1) On a custom module alter the menu that displays the link (with hook_menu_alter). The code to do this should be something like this:
function MYMODULE_menu_alter(&$items) {
  // hook_menu_alter() runs only when the menu router is rebuilt, so the
  // per-user check has to live in an access callback evaluated per request.
  $items['admin/people/create']['access callback'] = 'MYMODULE_user_create_access';
}

function MYMODULE_user_create_access() {
  // Allow admin/people/create only for User 1 (admin)
  global $user;
  return $user->uid == 1;
}
More specific alters can be done with hook_menu_local_tasks_alter function. Also some modules may do this from a UI such as Tab Tamer but haven't tried it.
2) Use the Administration Views module that overrides this view and remove the link from the views UI.
3) Use common Views module to do the same as above. Notice that you have to create that page with the same url (admin/people)
4) There are some more complex solutions with permissions by role such as the module Administer Users by Role but it may be too much for your simple case.

Joomla ACL: Only allow access to custom component in the backend?

I'm building a component for the backend. I don't want the users who will access it to access ANYTHING else in the backend except for this component.
I tried following these two instructions:
http://www.aclmanager.net/blog/general/31-how-to-add-basic-acl-support-to-your-extension
http://docs.joomla.org/Developing_a_Model-View-Controller_%28MVC%29_Component_for_Joomla!1.6_-_Part_14#Describing_the_ACL
I made a new User Group with a parent of public and allow admin login (which would lock them out of everything) and then tried adding the ACL code from those links above with permissions to create and edit but I just get a blank screen (not even a logout link). The "Debug Permissions Report" showed the correct permissions but nothing's showing up.
Any ideas? My next step is to manually go through every component and not allow access to that new User Group but it seems like there's an easier way.
Thanks!
In Joomla! 2.5 we regularly create "Content" only backend users that have access only to the 'com_content' component.
Going back through our steps the only thing you haven't specified is adding the new user group to a View Access Level. If you're using the standard sample content installed when setting up a Joomla! website you can add your new user group to the "Special" view access (although any will do).
If a new group has 'admin login' privileges it can login but without a View Access level it can't see anything.. it's a subtle difference but it's the way Joomla! works.

display both register and login pages custom component in joomla

I'm building up a custom component, which should only be accessible to logged in users. I'm thinking about checking JFactory::getUser()->guest and, if it is set, redirecting them to a custom page.
Now I would prefer this page to contain both register and login options, but Joomla itself does not seem to have this feature. Do I have to add this functionality to my custom component, or is there another solution?
You should really use the built in ACL to control user access instead of trying to code it in yourself. That's kind of the whole point of having the ACL to begin with. Here's the tutorial for how the ACL works in the admin and front end of a site -
http://docs.joomla.org/ACL_Tutorial_for_Joomla_1.6
Here is the tutorial for adding ACL to a component -
http://docs.joomla.org/Developing_a_Model-View-Controller_(MVC)_Component_for_Joomla!1.7_-_Part_14
I think you will be much better served using the ACL system as it allows you a lot more flexibility - like adding additional user groups and permissions later without having to touch the code.
Once you have this set up, making a custom register or login page is as easy as a template override of the default com_user login view. You would need to combine these files -
For the login part of the page:
JOOMLA/components/com_users/views/login/tmpl/default.php
For the registration part of the page:
JOOMLA/components/com_users/views/registration/tmpl/default.php
Then put the new and improved file here:
JOOMLA/templates/YOUR TEMPLATE/html/com_users/login/default.php
That would give you ACL controlled access to your component as well as a custom login/registration page without having to muck around with any unnecessary extensions.
Joomla!'s default login module/page only provide a link to a registration page.
A quick search of the JED shows about 200 login extensions, it's possible one of them does what you want.
However, if you want it integrated with the access to your component you will have to code it yourself. The normal process is that if a user tries to access an asset view, the view.html.php (or similar) will check their permissions and, depending on the component, post a JError message and possibly redirect them to the system login.
e.g. com_content
// Check the view access to the article (the model has already computed the values).
if ($item->params->get('access-view') != true && (($item->params->get('show_noauth') != true && $user->get('guest') ))) {
  JError::raiseWarning(403, JText::_('JERROR_ALERTNOAUTHOR'));
  return;
}

Joomla 1.6 backend admin area blank

For some reason, when I log into my joomla 1.6 backend, it is now empty, displaying only a logout button. Any Ideas?
I just went through the same problem but on J!1.7.3. There may be many, many reasons but please check using just URL if you can see for example:
[YourDomainHere]/administrator/index.php?option=com_content or
[YourDomainHere]/administrator/index.php?option=com_modules
If content is listed and you're missing just the admin menu and sub-navigation in the back-end, this means you messed up the access levels and viewing access.
If you can't see the content listing - ignore the rest of this post :-)
...with access levels and viewing access. To check that, try entering [YourDomainHere]/administrator/index.php?option=com_users&view=levels and enter each position in the list. The Joomla backend navigation module usually has Access set to Special, so focus on this one. When you enter Special, manager, author and super administrator should be ticked. If everything is empty in any of the list entries, this is your issue :)
You need to add manager, author and super administrator to your Special access level. Obviously you can't see the Save button, so you need to use the database. [wrrr :) sounds scary?] Not a big deal, just go there using for example phpMyAdmin and find the _viewlevels table. In there just edit Special and add [6,2,8] values to set up manager, author, super.....
Update the database. Try to log in one more time (close the browser and clean the cache before).
I hope that if this wasn't helpful for you, it will be for somebody else.
p.s. There may be a way of 'saving' changes in your Joomla access levels with a URL. Then you don't need to go to the DB .. but I don't know if this is feasible at all :)
Check the rewrite of htaccess and the $mosConfig_absolute_path variable in config.php
Apparently, the Bluestork Template (admin template) has some security issues. In my case there were some missing files in the template folder /administrator/templates/bluestork/ that caused the administrator screen to appear blank. I've copied a clean version of the template in the bluestork folder and after that I was able to see the backend admin area.
I've removed the bluestork templates entirely for now, which seems to be the best option. Joomla installs 2.5.8, 2.5.6, 2.5.2, 1.7.0, 1.6.3 are affected. The Bluestork Template is a target for hacks with old Joomla.
This is happening because the admin user lost his permissions. See the article below to fix this issue:
http://www.codentalk.com/joomla-admin-showing-blank-page/
