Permissions / Privileges

These FAQs briefly summarise key points on how Composr's permissions and privileges systems work.

Question What is the difference between access permissions and privileges in Composr?
Answer Access permissions control whether members of a certain usergroup can view specific areas of your site, such as zones, pages, and categories. A member only needs one of their usergroups to have access permission to view the content. However, permissions work on a deny-first policy: if any one of the permissions applicable to viewing something is denied for a usergroup, then the whole thing is denied for that usergroup (e.g. even if a download itself grants access, access will be denied if its category denies access).

Privileges, on the other hand, dictate what actions a usergroup is allowed to perform across the website, like using advanced Comcode or bypassing the word filter.
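
The view-permission rule described above, modelled as an added example (this is not Composr's own code): each usergroup is checked separately across the zone, page and category layers, and the member may view the content if any one usergroup passes all of them. The usergroup names, resource identifiers and grant table are constructed, and the per-usergroup evaluation is an assumption taken from the wording of this answer.

```python
# Added illustration: a model of the rule as stated in the FAQ answer,
# not Composr source code. All names and data below are constructed.
LAYERS = ("zone", "page", "category")

# Constructed sample: for each usergroup, the resources it may view per layer.
GRANTS = {
    "Guests": {"zone": {"site"}, "page": {"site:downloads"}, "category": set()},
    "Members": {"zone": {"site"}, "page": {"site:downloads"},
                "category": {"downloads:1"}},
    # Staff holds the category grant but lacks the page grant.
    "Staff": {"zone": {"site", "adminzone"}, "page": set(),
              "category": {"downloads:1", "downloads:2"}},
}


def first_denial(group, target):
    """Return the first layer at which `group` is denied `target`, else None.

    Unknown usergroups and missing layers have no grants, so they fail closed.
    Layers absent from `target` do not apply and are skipped.
    """
    for layer in LAYERS:
        resource = target.get(layer)
        if resource is None:
            continue
        if resource not in GRANTS.get(group, {}).get(layer, set()):
            return layer
    return None


def explain_access(member_groups, target):
    """Deny-first within a usergroup, any-usergroup-suffices across them.

    Returns (allowed, report) where report maps each usergroup to the layer
    that denied it, or to None if that usergroup passed every layer.
    """
    report = {group: first_denial(group, target) for group in member_groups}
    allowed = any(layer is None for layer in report.values())
    return allowed, report


if __name__ == "__main__":
    download = {"zone": "site", "page": "site:downloads",
                "category": "downloads:1"}
    for groups in (["Guests"], ["Guests", "Members"], ["Staff"]):
        print(groups, explain_access(groups, download))
```

The report shows which layer to correct in the Permissions Tree Editor when a usergroup that holds the category grant is still denied.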
Question How can I control who can view specific pages or categories?
Answer You can manage access control for zones, pages, and categories primarily through the Permissions Tree Editor (Admin Zone > Security > Permissions Tree Editor). This tool provides a central location to set view permissions for different usergroups. You can also edit individual zone and category permissions through their respective editing interfaces, but the Permissions Tree Editor offers a more streamlined and efficient approach.
Question What are match-key permissions and why would I use them?
Answer Match-key permissions provide a more granular level of access control beyond the standard zone, page, and category permissions. They allow you to restrict access based on specific "match-keys", which are unique identifiers for different actions or content within Composr. For instance, you could use match-key permissions to prevent guests from submitting banners or to restrict access to the member directory for all but specific usergroups. You can also specify custom access denied errors for each match-key.

A "match-key" is typically a page-link, such as cms:cms_banners:add.
Question Can I display different content to different usergroups?
Answer Yes, you can achieve this by leveraging Tempcode within your templates. By using conditional statements like {$IS_IN_GROUP} and {$HAS_PRIVILEGE}, you can show or hide specific content sections based on the user's group membership or privileges. This technique allows you to "tease" premium content to non-paying users or tailor the user experience based on their access level.
Question How can I test if my permission settings are working correctly?
Answer Composr's "SU" feature allows administrators to temporarily assume the identity of another user, enabling you to experience the site as they would. Simply enter the desired username in the "SU" box in the footer. You can also use "Guest" to browse as an unauthenticated visitor. Remember that "SU" does not accurately reflect online status, and that it retains administrator access to sensitive areas.
Question What are some useful tools for debugging permission issues?
Answer Composr provides a couple of tools to help pinpoint permission problems:
  • FirePHP: This browser add-on allows you to view detailed logs of permission checks performed by Composr. By analyzing these logs, you can identify which checks are failing and adjust your settings accordingly.
  • Permission Check Logging: Enable logging of failed permission checks to a file (data_custom/permission_checks.log). This provides a persistent record of permission issues that you can review and troubleshoot.
Question What are some security considerations regarding super-moderators and super-administrators?
Answer While super-moderators have extensive access to manage your site, certain sensitive privileges are reserved for super-administrators. This includes the ability to impersonate other users, execute arbitrary code, and view private content. These restrictions help prevent potential privilege escalation and ensure the overall security of your website. Exercise caution when granting super-moderator status and trust only reliable individuals.
Question What happens when I add a new usergroup to a third-party forum integrated with Composr?
Answer If you are not using Conversr as your forum, Composr won't automatically assign any permissions to the new usergroup. To rectify this, you can use the "Absorb usergroup-permissions" feature in the Admin Zone. This tool allows you to copy the permissions from an existing usergroup to the newly created one, ensuring consistent access and functionality.
Question What are the different ways to control access in Composr?
Answer Composr offers a robust permission system with various methods for controlling access:
  • Zones, Pages, and Categories: Control which usergroups can view specific zones, pages, and categories (permissions).
    • Admin Zone > Security > Permissions Tree Editor, or on the UI for the Zone / Page / Category.
  • Global Privileges: Define permissions for actions like using advanced Comcode or bypassing the word filter, applicable across the entire site.
    • Admin Zone > Security > Global privileges
  • Module/Page Overrides: Tailor privileges for particular content types by overriding them on the controlling module or page.
    • Admin Zone > Security > Permissions Tree Editor [> Content permissions]
  • Category Overrides: Modify privileges for specific categories, allowing fine-grained control over actions within those categories.
    • Admin Zone > Security > Permissions Tree Editor
  • Match-key Permissions: Implement ad-hoc access control based on specific match-keys, offering flexibility beyond traditional permission structures.
    • Admin Zone > Security > Match-key page restrictions