Mini Shell
# This file defines role-based access control for your Bolt site.
# Before making any modifications to this file, make sure you've thoroughly
# read the documentation at https://docs.bolt.cm/configuration/permissions
# and understand the consequences of making uninformed changes to the roles and
# permissions.
# First, we need to define some roles. There are four built-in roles that you
# should never add manually:
# - 'root', the "superuser" role; Bolt will automatically grant all permissions
# to this role. Manually adding it to any permission is pointless, because it
# implicitly grants every permission anyway.
# - 'everyone', the "base" role; every logged-in user automatically has this
# role. Adding the 'everyone' role to any permission will grant it to all
# users (but not to unauthenticated users).
# - 'owner': this role is only valid in the context of an individual content
# item, and the user who "owns" the item (usually the person who created it)
# will be in the 'owner' role.
# - 'anonymous': this role is automatically assigned at all times, even when
# no user is logged in at all.
roles:
editor:
description: This user can edit some content.
label: Editor
chief-editor:
description: This user can edit any content in the system.
label: Chief Editor
admin:
description: User-level administrator.
label: Administrator
developer:
description: Developer access. Only required to change system-level settings.
label: Developer
guest:
description: This user can log on, but is not allowed to edit any content.
label: Guest Editor
# Role hierarchy settings
roles-hierarchy:
# This will restrict users from being able to add, edit, enable, disable
# and delete users with the same or higher role than their own.
# For example:
# Users with a role of developer can only be added, edited, enabled, disabled
# and deleted by [ root, admin ] roles.
manipulate:
admin: [ ]
developer: [ admin ]
chief-editor: [ admin, developer ]
editor: [ admin, developer, chief-editor ]
guest: [ admin, developer, chief-editor ]
# Now we'll define some permissions. Each permission comes with a list of roles
# that grant access.
# The first set of permissions are the 'global' permissions; these are not tied
# to any content types, but rather apply to global, non-content activity in
# Bolt's backend. Most of these permissions map directly to backend routes;
# keep in mind, however, that routes do not always correspond to URL paths 1:1.
# The default set defined here is appropriate for most sites, so most likely,
# you will not have to change it.
# Also note that the 'editcontent' and 'overview' routes are special-cased
# inside the code, so they don't appear here.
global:
about: [ everyone ] # view the 'About Bolt' page
checks: [ admin, developer ]
clearcache: [ admin, developer ]
contentaction: [ editor, admin, developer ]
dashboard: [ everyone ]
dbcheck: [ admin, developer ]
dbupdate: [ admin, developer ]
dbupdate_result: [ admin, developer ]
extensions: [ developer ]
extensions:config: [ developer ]
fileedit: [ admin, developer ]
files:config: [ developer ]
files:hidden: [ developer ]
files:theme: [ developer ]
files:uploads: [ admin, developer, chief-editor, editor ]
files: [ admin, developer, chief-editor, editor ]
prefill: [ developer ]
profile: [ everyone ] # edit own profile
settings: [ admin, developer, everyone ]
translation: [ developer ]
useraction: [ admin, developer ] # enable/disable/delete
useredit: [ admin, developer ] # user settings
users: [ admin, developer ] # view user overview
roles: [ admin, developer ] # view the roles overview
maintenance-mode: [ everyone ] # view the frontend when in maintenance mode
omnisearch: [ everyone ]
# Access to the various logs
changelog: [ admin, developer, chief-editor ]
systemlog: [ admin, developer ]
# The following permissions are particularly important: login and postLogin
# determine who may see and use the login form. If you set them to anything
# but 'anonymous', only users will be able to log in that are logged in
# already, which is probably never what you want.
login: [ anonymous ]
postLogin: [ anonymous ]
# Likewise, 'logout' needs to be granted to 'everyone', otherwise people
# cannot log out anymore.
logout: [ everyone ]
# For content type related actions, permissions can be set individually for
# each content type. For this, we define three groups of permission sets.
# The 'contenttype-all' permission sets *overrides*; any roles specified here
# will grant a permission for all content types, regardless of the rest of this
# section.
# The 'contenttype-default' contains rules that are used when the desired
# content type does not define a rule for this permission itself.
# The 'contenttypes' section specifies permissions for individual content
# types.
#
# To understand how this works, it may be best to follow the permission checker
# through its decision-making process.
#
# First, it checks whether the current user is in the "root" role; if so, it
# short-circuits and always grants anything unconditionally.
#
# Otherwise, it checks whether any of the current user's roles match any of the
# roles in contenttype-all/{permission}. If so, the search is over, and the
# permission can be granted.
#
# The next step is to find contenttypes/{contenttype}/{permission}. If it is
# found, then the permission can be granted if and only if any of the user's
# roles match any role in contenttypes/{contenttype}/{permission}.
#
# If either contenttypes/{contenttype} or
# contenttypes/{contenttype}/{permission} is absent, the permission checker
# uses contenttype-default/{permission} instead. If any role exists in both the
# user's roles and contenttype-default/{permission}, the permission can be
# granted.
#
# Note especially that an *empty* set of roles in the contenttype section means
# something else than the *absence* of the permission. If the permission is
# defined with an empty role list, it overrides the role list in
# contenttype-default; but if the permission is not mentioned, the
# corresponding entry in contenttype-default applies.
#
# The following permissions are available on a per-contenttype basis:
#
# - edit: allows updating existing records
# - create: allows creating new records
# - publish: allows changing the status of a record to "published", as well as
# scheduling a record for future publishing
# - depublish: allows changing the status of a record from "published"
# - delete: allows (hard) deletion of records
# - change-ownership: allows changing a record's owner. Note that ownership may
# grant additional permissions on a record, so this
# permission can indirectly enable users more permissions
# in ways that may not be immediately obvious.
# - view: allows viewing records in the backend
contenttype-all:
edit: [ developer, admin, chief-editor ]
create: [ developer, admin, chief-editor ]
publish: [ developer, admin, chief-editor ]
depublish: [ developer, admin, chief-editor ]
delete: [ developer, admin ]
change-ownership: [ developer, admin ]
contenttype-default:
edit: [ editor ]
create: [ editor ]
change-ownership: [ owner ]
view: [ anonymous ]
contenttypes:
# This is an example of how to define Contenttype specific permissions
#
# contenttypes:
# # Keys in this dictionary map to keys in the contenttypes.yml specification.
# showcases:
# # Rules defined here *override* rules defined in contenttype-default,
# # but *add* to rules in contenttype-all. This means that permissions
# # granted through contenttype-all cannot be revoked here, merely
# # amended.
#
# # Only the Admin and Chief Editor are allowed to edit records
# edit: [ admin, chief-editor ]
# create: [ admin, chief-editor ]
# publish: [ admin, chief-editor ]
# depublish: [ admin, chief-editor ]
# delete: [ admin, chief-editor ]
# # Roles that can see the area in the admin section
# view: [ developer, admin, chief-editor ]
# # Do not expose this content type on the front-end unless user is
# logged into the backend
Zerion Mini Shell 1.0