Roles that share pages with another role results in edit access to all pages

  • #4431
    City Dev
    Participant

    In my setup users have multiple roles. Everyone has a ‘Staff’ role that identifies them as employees and provides basic access to their profile and the dashboard. Then everyone has one or more ‘Department’ roles that provide the IDs of all the content they can potentially access. Finally, everyone has one or more ‘Functional’ roles that determine what functionality they actually have access to (pages, posts, forms, events, etc…). So, one can have a specific ‘Department’ role, but can’t edit the content without the corresponding ‘Functional’ role.

    This setup has worked nicely to provide flexible role control. However, I’ve discovered an issue and I’m not sure if it’s always been present or if a previous update is the culprit.

    I have two ‘Department’ roles which share access to some pages. One of the ‘Department’ roles can access the parent page and all its children. The other role is only supposed to have access to a select number of the child pages. The role with access to the parent and children works as expected. The other role (which is supposed to be restricted to specific children) instead has access to edit every page on the site.

    There are two roles that function in this manner and they are the only two roles that exhibit the issue of unrestricted access to all pages. All other roles that don’t share content with another role appear to function as expected.

    #4432
    Vladimir
    Keymaster

    Take into account this information about multiple roles assigned to a user. URE Pro looks at the restriction model (Allow, Block) set for the primary role, and if another value was selected for other roles, the edit restrictions settings made for those other roles are ignored. Check if this is your case. Maybe you need to grant the user a role with edit restrictions as the primary one, or set the same restriction model for all roles granted to a user.

    #4451
    City Dev
    Participant

    With that info I was able to locate the problem.

    All roles are set to ‘Allow’ with the exception of one functional role I created for media access. That role was set to ‘Deny’. Once set to ‘Allow’ the problem was fixed.

    #4923
    csoftintl
    Participant

    I am facing a similar issue. I have also set up my roles with a somewhat hierarchical structure.

    – Everyone is an employee (primary, automatic upon registration)
    – Certain roles are cumulative (sales or upper-management, for example)

    – everyone sees content aimed at employee
    – fewer see content aimed at sales but see all content for employee
    – even fewer see content aimed at management, but see all content for sales and employee.

    I found that when I limit content visibility of post categories for sales, my sales user cannot see the content because they are also an employee.

    Any possible workarounds?

    #4929
    Vladimir
    Keymaster

    When I return to my computer after a 2-day trip, I will run more tests on the subject and inform you about the results.

    #4939
    Vladimir
    Keymaster

    To @csoftintl:

    View restrictions for a role include a blocking model: “selected” or “not selected”. When a user has more than 1 role, URE takes into account view criteria only from those roles whose blocking model is the same as the one set for the primary role.
    Do you use the same blocking model for all roles assigned to the same user?
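
The rule described in this thread (restrictions from any role whose model differs from the primary role's model are ignored) can be audited offline. The following is an added example, not part of the thread and not URE Pro's code: it models that rule in Python over constructed data. The role names, user names, page IDs, the choice of the first listed role as primary, and the merging of IDs across honored roles are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RoleRestriction:
    model: str           # "allow" or "block": the role's restriction model
    post_ids: frozenset  # IDs listed in the role's edit restrictions

def effective_restrictions(user_roles, restrictions):
    """Model of the rule from the thread: only roles whose restriction model
    equals the primary role's model count. The first role in user_roles is
    treated as primary (assumption). Returns (model, merged_ids, ignored)."""
    primary_model = restrictions[user_roles[0]].model
    ids, ignored = set(), []
    for role in user_roles:
        rule = restrictions[role]
        if rule.model == primary_model:
            ids |= rule.post_ids   # merging by union is an assumption
        else:
            ignored.append(role)   # this role's restrictions are dropped
    return primary_model, frozenset(ids), ignored

def audit(users, restrictions):
    """Return {user: [ignored roles]} for every user with mixed models."""
    findings = {}
    for user, roles in users.items():
        ignored = effective_restrictions(roles, restrictions)[2]
        if ignored:
            findings[user] = ignored
    return findings

# Constructed sample data (hypothetical roles, users and page IDs).
ROLES = {
    "staff":       RoleRestriction("allow", frozenset()),
    "dept_parks":  RoleRestriction("allow", frozenset({10, 11, 12})),
    "dept_events": RoleRestriction("allow", frozenset({11, 12})),
    "func_media":  RoleRestriction("block", frozenset()),
}
USERS = {
    "alice": ["staff", "dept_parks"],
    "bob":   ["staff", "dept_events", "func_media"],
    "carol": ["func_media", "dept_events"],  # primary role uses "block"
}

if __name__ == "__main__":
    for user, ignored in audit(USERS, ROLES).items():
        model, ids, _ = effective_restrictions(USERS[user], ROLES)
        print(f"{user}: model={model} ids={sorted(ids)} ignored={ignored}")
```

In the constructed data, "carol" is the case to look for: her primary role uses a different model, so the page list on her department role is never applied.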
