Add any comments or questions regarding the How to Limit Access to Administrator Modules in DotNetNuke 5  tutorial from Issue 50

If you give the Member Of Staff access to the Security Rolls module, how do you prevent that user to assign himself to the Administrator Role, thereby not limiting him to only the modules you put under the Staff page?

Obviously, you don't! 

Lee's tutorial was aimed at showing HOW to provide partial access to administrative tools.  You should not think of this as a reason that you SHOULD do it.  In the case that you identified, there is a "security issue."

I can see tremendous benefit to opening some of the admin tools to a "staff" member and have specific need for such a thing. This article was excellent in timing for me. I need to give File Manager capability to specific users. I also need to give a specified user the access to enroll new users and assign roles. But I can not allow this user to modify the site (pages, administrator). Is there a way to modify the standard security module to have a security module wherein the administrator role is not exposed for use? Or do you have any suggestion for handling this?

Is it possible to limit the "user accounts" module to only see/update certain users (not all from the domain).

I don't think so.

Okay, thanks. Its a very nice tutorial.

do you know any custom module in the market which will allow to limit the "user accounts" update for non-admin user and modify/show only certain users?

Hello, I have not come across one, thanks,

Lee

Thanks for the tutorial.  I too was hoping you were going to show how to allow staff to add and edit a user profile but not give them full access to change profile properties and all the other functionality  in this module.   

Maybe a good OWS tutorial.

Hello everyone,

I just did some further testing following the questions here. I logged in as a member of staff security role to access the user accounts module and this did actually limit me to not have access to the administrators role.

Because I am not an adminsitrator I can not assign the adminsitrator role to myself or any other user.

Looking closer into this, I also cannot actually edit the profile details for any other user.

All I have access to do is search for users and add a new user.

The only account I can view is my own staff user account and from there I do not have access to add the administrators role, I can just add the other security roles to my profile.

Hope this clears up the questions, thanks,

Hi,

I followed the tutorial and all seems well except that when I login with the user I gave access to the limited site menu, the user can access the newsletter but when accessing tabs from the SiteAdmin menu the following message comes up:

Access Denied Either you are not currently logged in, or you do not have access to this content.

I've checked permissions and all seems to be well. Why would the newsletter be accessible but not the tabs?

It could be worth re-watching the tutorial, certain modules need slightly different configurations.

The tabs module, you need to set permissions for the actual page that the tabs module is added to, you'll need to set edit permissions for the page, rather than the module.

Thanks,

Hey Lee
Bizaar thing..
When I create the Staff page and insert 'Users and Roles' module onto the page my registration page appears.
Clicking on the Staff page menu item returns the Registration page.

When I first did this yesterday I didn't realize the switching going on and thinking I was editing the Staff page and noticing only the USER ACCOUNT sub-module inserted (again thinking I was editing the Staff page which apparently doesn't really exist as it turns out) and thinking 'well that's not right' and therefore deleting the USER ACCOUNT module (which is actually my active Registration page) in which to start again.

After some 'head-scratching' and 'shoulder-shrugging' and reinstated the USER ACCOUNT module back into the Registration page and called it a night.

Tried again this morning, deleted Staff page, created new Staff page, insert USERS and ROLES module and again the Registration page appears and now the Staff menu item directs to the Registration page....????

Do I hear everyone running for the door??

Hello,

I'm not sure I fully understand what is happening here. First question is what version of DotNetNuke are you using? When I created the tutorial it was done with 5.1.4, you will want to be using at least 5.1.4 or the latest version which is now 5.2

Hi,

 

In the Page/Tabs module, it seems that when a ‘limited user/group’ creates a new page (Add New Page), that new pages cannot be created on the ‘top level’ hierarchy. Also, pages cannot be created below other ‘top level pages’ unless those ‘top level pages’ have Page Settings: Edit Page permissions enabled for the group or user.

After clicking Add New Page, the Basic Settings page appears, but the only pages that are listed in Parent Page are the ones that have Page Settings: Edit Page permissions enabled (ie. Events page, Admin page - see attached screenshot) even though the site comprises of seven ‘top level’ pages.

 

Is there any way around this without having to ‘open up’ all pages settings (Page Settings: Edit Page permissions enabled for group/user) I want to avoid opening up the Page permissions as this would also allow the Settings of the Modules on those pages to also be accessed by the user/group?

For more info on module settings, refer to: www.dnncreative.com/Forum/tabid/88/forumid/1/tpage/1/view/topic/postid/22400/Default.aspx

“Page Settings: Do not give anyone edit page permissions or deny permissions
Announcement module settings: give edit permissions just to Content Managers

This will give them access to add announcements and that's all.

If you give a user edit permissions to a page it opens up more settings for them”

 

Thank you

I'm not sure I fully follow what you are saying here, but if you are limiting users to just the admin / page/tabs module - try creating a new page in the root of the menu that is just for your limited admin users.

Then add the tabs module to that page and see if it now allows them to add pages where you require.

I have tested what you recommended but what I’m trying to achieve still doesn’t work.

 

I am trying to allow a ‘limited group’ (non Admin group) to add pages the website - add ‘top level pages’ and also ‘sub-level pages’, but also without having access to Module settings.

 

The limited group is labelled “Content Managers”.

Pages within the website do not have Page Settings: Edit Page permissions enabled for the Content Managers group. This is so that the Modules within pages can be limited for the Content Managers group – so Content Managers cannot Edit the Module settings – only add content to the modules.

 

Refer to screenshot in previous post: When a member of the limited group (Content Managers) creates a new page; after clicking Add New Page, the Basic Settings page appears, but pages are not listed in Parent Page dropdown list and therefore ‘top level pages’ and ‘sub-level pages’ pages cannot be added.

The only way for pages to be listed in the dropdown list is to have Page Settings: Edit Page permissions enabled for Content Managers (ie. Events page, Admin page have permissions enabled so they appear in the list – all other pages do not).

 

The limited group (Content Managers) cannot add pages to the site unless Page Settings: Edit Page permissions is enabled for pages – this would therefore open up access to the Module Settings on the pages which we are trying to avoid.

 

Is there any way around this, without allowing all pages to have Page Settings: Edit Page permissions enabled (for the Content Manages group). I want Content Mangers to be able to add new pages, without allowing them to Edit module settings?

 

 

More info:

Enabling pages with Page Settings: Edit Page permissions for the Content Mangers group opens up more settings for them and subsequently allows the Content Managers to Edit module settings; which we are trying to avoid. Giving Content Mangers ‘Edit Permissions’ within the Module itself (and not the Page) allows the Content Managers to only add content and not Edit Settings of the module.

“Page Settings: Do not give anyone edit page permissions or deny permissions
Announcement module settings: give edit permissions just to Content Managers

This will give them access to add announcements and that's all.

If you give a user edit permissions to a page it opens up more settings for them”

 

More info on Modules Settings topic: www.dnncreative.com/Forum/tabid/88/forumid/1/tpage/1/view/topic/postid/22400/Default.aspx

 

Hi,
Did you manage to solve the problem? I'm facing the same issue: users with access to add and manage pages cannot create or assing pages to the parent ‘top level’ hierarchy. They only see already existing pages whichj they have edit access. It seems like they don't have access to the "...‘top level’ hierarchy page".

The only way I've seen to solve this is to give them access to the Tabs module. With the page UP/DOWN arrows they can move the page to the root level.

Hello,

Yes that's the only method I can see to make it work.

Create a Tabs page - give edit permissions to  that page only
A user can now create pages (just in that hierarchy)
Once the page is created they can then move it where they require in the menu using the Tabs module

This also limits them from having any other edit page / edit module permissions anywhere else

Of course, one potential problem, is that when a user creates a page, they can assign their own security roles, so they could give themselves full edit permissions to any new page they create

Thanks,

Thanks for this tutorial but I have a problem as I have the latest DNN Community edition installed and the admin modules do not appear on the module drop down list when trying to add them following this tutorial. I am logged in as host.

Any ideas, please?

Hi Lee that was a really good tutorial helped me loads.
One question though, I've now given staff members ability to add users, and give them roles, all good stuff and in a days work for them managing user access to the website. However they can also now see the 'Manage profile properties' link which I don't really want them playing about with. Presumably to change this I need to dive into the DNN code and switch off the link if they are not administrators. Can you advise where to start on this? I'm experienced in asp .NET but not had a go at customising the DNN code.
Any pointers gratefully recd or maybe you've addressed something like this elsewhere  in another tutorial
Many thanks
Rob

Rob,

If you are lucky, you'll be able to modify the .ascx page to use some server-side processing to suppress that, or other, link or code.

I would recommend that you give your staff members a role like "staff_admin" and use that.

Follow this link over to Snapsis.com for some really good ideas.  Remember that what you can do in a skin you can also do in an ascx page.  I'd do some conditionals to make remove the links for people not hosts or admin.  That would include staff_admin.

--------
Remember that any changes like this are changes to the core code.  They won't survive upgrades, and you will have to do them after upgrading.  And, the ascx may change.  So, save code, save notes, etc.

User in Member of Staff role see in Pages(tabs) module also administrator’s pages (even user can delete admin pages), this is wrong.

Is here some solution to limit seen admin pages for this user?

Perhaps you want to give Staff privileges to only modify modules?

Hi,

Whe I follow your tutorial and Create a page and put a User Accounts Module on it and give the 'members of staff' "Modify' permissions on it, I can't modify or create users.
I log in with the user with the 'members of staff' role, and I can see the module, and it looks like I can add and modify users.
But if I do create a user, the add user screen remains as it is after I press 'Add user'. No error messages.
Same thing when I try to modify an existing user. The screen appears, I make changes and press 'Save', but when I open the user properties screen again, nothing is changed.

Everything works fine when I log in with the host user..

Can you point me in the right direction to solve this issue?

Thanks!

Regards,

Rik

I think (not entirely sure) that the users must be in the Administrator security role for that module to work correctly.

If I'm wrong, I'd probably need to look at your site to figure it out.

Does this work in DNN7?
1 created a custom role and added a user to this role.
2 created a new page and added user account and security roles to this page
3 gave the permission on the new page for the new user with the role.
4 then ensured manage users was set in both modules. I ensure that view only and manage permissions are for this custom role
5 login as user and all I get are read capability unable to manage users...
any ideas how to get around this or what is the problem...I need my users to be power users.