About Permissions - xenocrat/chyrp-lite GitHub Wiki

Chyrp Lite has a very fine-grained permissions system that allows you to assign your blog's users to groups and give each group a different set of abilities.

Administration

Although a fresh install of Chyrp Lite comes with a group named "Admin", there's really nothing special about this group – the "Admin" group is created with some permissions that other groups don't have, but you can create many groups that have some or all of the permissions you might think of as belonging to an administrator.

Visitors

All visitors to your blog who have not logged in are assigned to the guest group. Chyrp Lite comes with the guest group set to a group named "Guest" that has permission to view the site but nothing more. If you want visitors to be able to do more than just view your site, you can add permissions to your guest group.

Posts

As well as the status options of draft, public, private, and scheduled, a post can be set to a status that makes it visible only to a specific group of users. When writing or editing a post, the status selector will list all your currently configured user groups as options for your target audience.

Uploads

Chyrp Lite does not track the ownership of uploaded files. A file uploaded by a user can be viewed in the administration console and added to blog posts and pages by all users with the View Uploads permission.

Uploaded files are not protected from unauthorized visitor access; this allows Chyrp Lite to cache these files very aggressively, thus reducing the amount of data that has to be transmitted for each visitor request. In a default installation of Chyrp Lite, the only protection that prevents unauthorized access of uploaded files is "security by obscurity", which means that a visitor would have to guess the name of a file to be able to access it.

If you do want to secure uploaded files, Chyrp Lite provides the following triggers to enable this:

| Trigger Name | Type | Description |
| --- | --- | --- |
| uploaded | Filter | Allows the access URL for an uploaded file to be modified at runtime. |
| serve_thumbnail | Call | Called before an image file is served in thumbnail.php. |
| serve_download | Call | Called before a file download is served in download.php. |
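As an added illustration (not code from the Chyrp Lite wiki or source tree), the following sketches a module that hooks the two Call triggers above to refuse serving a file unless the visitor's group holds a module-defined permission, following the convention in the next section that modules register their own permissions. It assumes Chyrp Lite's module layout (a class named after the module whose methods are hooked by trigger name), `Visitor::current()->group->can()`, `Group::add_permission()`/`Group::remove_permission()`, `show_403()` and `__()`; the module name, permission id and trigger argument lists are assumptions to check against thumbnail.php and download.php.

```php
<?php
// Added example, not part of Chyrp Lite: a module that gates file serving
// behind a permission it registers itself. Names below are assumptions.
class ProtectUploads extends Modules {
    // Runs when the module is enabled: register a dedicated permission so
    // the admin can grant it per group (guests will lack it until granted).
    public static function __install() {
        Group::add_permission("access_protected_uploads", "Access Protected Uploads");
    }

    // Runs when the module is uninstalled: remove the permission again.
    public static function __uninstall() {
        Group::remove_permission("access_protected_uploads");
    }

    // Hooked to the serve_thumbnail trigger (fires before thumbnail.php serves).
    public function serve_thumbnail() {
        $this->deny_unless_permitted();
    }

    // Hooked to the serve_download trigger (fires before download.php serves).
    public function serve_download() {
        $this->deny_unless_permitted();
    }

    // Shared check: abort the request with a 403 if the current visitor's
    // group has not been granted the permission registered in __install().
    private function deny_unless_permitted() {
        $visitor = Visitor::current();

        if (!$visitor->group->can("access_protected_uploads"))
            show_403(
                __("Access Denied"),
                __("You do not have sufficient privileges to access this file.")
            );
    }
}
```

These triggers only guard requests that pass through thumbnail.php and download.php; a file that remains directly reachable in the uploads directory is still only obscured, so a serve-time check has to be paired with web server rules that block direct access, and the aggressive caching described above no longer applies to files served this way.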

What about modules?

Modules have no way to tell which of the groups you've created should be treated as administrators, so when a module adds new permissions you must grant those permissions manually to the groups that need them. A module that adds permissions will usually remind you to update the permission settings for each group when it is enabled.

If you enable a module and don't see the additional features you expected, the first troubleshooting step is to check if there are new permissions to be granted to your groups. For example, enabling the Comments module adds several new permissions, some of which you probably want many of your visitors to have (Add Comment, Edit Own Comments) and some you want only a trusted few to have (Edit Comments, Delete Comments).

Default permissions set

Here is the default set of permissions for user groups.

| Permission | Description |
| --- | --- |
| Change Settings | Can the user change settings in the administration console? |
| Toggle Extensions | Can the user enable and disable modules, feathers, and themes? |
| View Site | Can the user view the blog? |
| View Private Posts | Can the user view private posts created by any user? |
| View Scheduled Posts | Can the user view scheduled posts created by any user? |
| View Drafts | Can the user view draft posts created by any user? |
| View Own Drafts | Can the user view their own draft blog posts? |
| Add Posts | Can the user create posts and publish them? |
| Add Drafts | Can the user create posts and save them as drafts? |
| Edit Posts | Can the user edit posts created by any user? |
| Edit Drafts | Can the user edit drafts created by any user? |
| Edit Own Posts | Can the user edit their own posts? |
| Edit Own Drafts | Can the user edit their own drafts? |
| Delete Posts | Can the user delete posts created by any user? |
| Delete Drafts | Can the user delete drafts created by any user? |
| Delete Own Posts | Can the user delete their own posts? |
| Delete Own Drafts | Can the user delete their own drafts? |
| View Pages | Can the user view pages? |
| Add Pages | Can the user add pages? |
| Edit Pages | Can the user edit pages created by any user? |
| Delete Pages | Can the user delete pages created by any user? |
| Add Users | Can the user add new users? |
| Edit Users | Can the user edit user details? |
| Delete Users | Can the user delete users? |
| Add Groups | Can the user add groups? |
| Edit Groups | Can the user edit group details and permissions? |
| Delete Groups | Can the user delete groups? |
| Import Content | Can the user import posts, pages, users, groups, and upload files in bulk? |
| Export Content | Can the user export posts, pages, users, groups, and a manifest of uploaded files? |
| View Uploads | Can the user view files uploaded by any user? This permission is not needed to access uploaded files when viewing posts or pages. |
| Add Uploads | Can the user upload files? This permission is not needed to use the basic HTML file inputs provided by Feathers. |
| Edit Uploads | Can the user replace uploaded files? |
| Delete Uploads | Can the user delete uploaded files? |