We’ve been trying to use custom roles to limit access to specific pages and ran into a bit of trouble because:
- Page URL isn’t included in the list of properties that we can filter by when creating/editing roles.
- When using custom queries, if the role is not given “Admin” access, then they end up being restricted from all entries, even if they can see them in the content search screen.
We ended up adding a new property onto our Page model and using that to filter. We then used the Validation Hook on the model to enforce that pages with specific URLs must have this property set to true so that users are not able to remove the access control when editing the page.
However, we still have a vulnerability in which a user who shouldn’t have access to a page with a protected URL can create and publish new page with a protected URL or alter an existing Page to give it a protected URL (though they wouldn’t be able to access that page after they published it). We could get rid of that vulnerability if we had access to an object that contained the editing user’s role in the Validation Hook. That way we could return an error and prevent publishing if the user was not on of the roles that is allowed to access content with protected URLs.