concrete5 has a powerful permission system that can be used to control who can edit what. Files have their own file permission system. Site wide permissions can be used in one of two modes:
- Simple Permissions is how concrete5 is setup by default, and it limits the ability edit and view entire pages down to groups of users you can configure.
- Advanced Permissions can be turned on with a config file setting and it lets you control different roles at a page, block area, and even block level with a high level of granularity.
NOTE: Once you've flipped from Simple Permissions to Advanced on a site you should not flip back, and to avoid weird edge cases we recommend switching as soon as possible if you expect a site will require advanced permissions.
Go to any page in your concrete5 site and put it in Edit Mode.
You will see a "Permissions" tab with a lock icon on it. Clicking this icon will give you the permission settings for this page:
Every group created in your site will be listed here, and you can choose which groups can see the page at all, and which groups can edit the page.
Adding new groups to this list is easy. Simply goto Dashboard > Users and Groups > Groups:
To make a new group simply give it a name and short description for your reference. It will now be available in the permissions drop down from every page.
Pages inherit permissions down the tree, so if you make a group for your PR team and give them rights to edit a press room page, they will have the same edit permissions for any press releases they make under that page.
concrete5's permissions out of the box allow basic website access control, but if you need more options, you should try out our advanced permissions. Advanced permissions allow any combination of users and groups to be assigned to the following:
- Page-specific Access
- Adding, editing, reading versions and deleting pages
- Being able to add only specific page types to specific sections of sites
- Area-specific control
- Block-specific control
To enable advanced permissions, add the following line to "config/site.php":
NOTE: Once you do this, you should NOT go back to Simple Permissions.
Once you've enabled advanced permissions you will see the page level permission options change dramatically:
You now have several roles to choose from for every group.
- Read - who can see this page at all.
- Versions - who can see earlier versions of this page.
- Write - who can put this page in edit mode at all.
- Approve - who can approve a new version for this page.
- Delete - who can delete this page.
- Admin - everything else, including setting permissions and design. We intend to break these out into their own roles at some point in the future.
The Set drop down has three options:
- By Area of Site. This page inherits permissions from a page above, which is listed for reference here.
- By Page Type Defaults This page always takes the permissions configuration from the defaults for the page type setup in dashboard. This is particularly handy if you have a type of content you want a group to be able to add anywhere in your site and always have control over.
- Manually. Switch to this mode to configure permissions for this page, and any pages below that might be setup with "By Area of Site" permissions.
Note: You can't change these permissions or add new users/groups until you set this page to "Manually"
Sub-pages added beneath this page has two options:
- Inherit the permissions of this page. This mode is most frequently used and allows you to make changes to permissions at any point in the tree and assume all the children will follow.
- Inherit from page type permissions. When on, new pages made under this page will be configured to inherit permissions from their page type.
Currently Viewing actually switches the whole drop down content out with more options. You do not need to save before switching here. The other two views are:
- Sub-Page permissions. A grid of every groups/users and all the site page types is displayed allowing you to choose which groups can add what types of pages. Permissions are inclusive in concrete5, so as long as you're in ANY group that has rights available you will have access.
- Timed Release permissions. For every group that has access to view this page, define a start and end time/date they can see the page. This is particularly powerful for things like press releases that may be written and need to go live at a specific time when the site administrators would rather be cozy in bed.
Block Area Level
Once advanced permissions are turned on, you will see a new option from the menu when clicking on a block area, Set Permissions. Clicking this will give you a list of all the groups who have edit access to this page. You can then choose which block types they are allowed to See, Create (write), or Delete in this area.
Block Instance Level
Clicking a block you've actually created will now give you a Set Permissions option in the menu as well. This will bring up an interface allowing you to choose who can See, Edit (write), or Delete this block from the available group/users.