ProcessWire Roles & Permissions | OpsBlu Docs

ProcessWire Roles & Permissions

ProcessWire CMS role and permission system -- page-based access control, template permissions, and API-driven authorization.

ProcessWire uses a unique page-based permission system where roles, users, and permissions are all represented as pages in the admin tree. This makes the permission system extremely flexible.

Built-in Roles

Role Admin Access Edit Pages Add Pages Delete Pages Manage Users Superuser
superuser Yes Yes Yes Yes Yes Yes
guest No No No No No No

All other roles are custom-created.

Permission Architecture

Permissions in ProcessWire are pages stored under /processwire/access/permissions/:

// Built-in permissions (stored as pages)
// page-view       - View pages on the front-end
// page-edit       - Edit pages in the admin
// page-add        - Add new child pages
// page-delete     - Move pages to trash
// page-sort       - Sort/move pages
// page-template   - Change a page's template
// user-admin      - Administer users

// Custom permissions can be created as pages:
$permission = new Page();
$permission->template = 'permission';
$permission->parent = '/processwire/access/permissions/';
$permission->name = 'analytics-manage';
$permission->title = 'Manage Analytics';
$permission->save();

Template-Level Permissions

Permissions are assigned per role AND per template:

// Assign permissions via the admin:
// Setup > Templates > [template_name] > Access tab
//
// For each role, you can set:
//   - View pages using this template
//   - Edit pages using this template
//   - Add children to pages using this template
//   - Create pages using this template

Custom Roles

Create roles via Access > Roles > Add New:

// Create a role programmatically
$role = new Page();
$role->template = 'role';
$role->parent = '/processwire/access/roles/';
$role->name = 'analytics-manager';
$role->title = 'Analytics Manager';
$role->save();

// Add permissions to the role
$role->addPermission('page-view');
$role->addPermission('page-edit');
$role->save();

// Then in template access settings, grant this role
// edit access to the "analytics-settings" template

Analytics-Relevant Permissions

Analytics scripts are typically added in template files, which requires file system access or a custom admin field:

<?php // site/templates/_head.php (included in all templates) ?>
<head>
  <meta charset="utf-8">
  <title><?= $page->title ?></title>
  <?php // Analytics tracking - managed via admin field or template file ?>
  <script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXXXXX"></script>
  <script>
    window.dataLayer = window.dataLayer || [];
    function gtag(){dataLayer.push(arguments);}
    gtag('js', new Date());
    gtag('config', 'G-XXXXXXXXXX');
  </script>
</head>

Best Practices

  1. Create purpose-specific roles (e.g., "Content Editor", "Analytics Manager")
  2. Use template-level access to restrict which content types each role can edit
  3. Create a custom permission for analytics management rather than granting broad page-edit
  4. ProcessWire's page-based permissions are very flexible -- leverage template access controls
  5. Use the $user->hasPermission() API for custom access control in template files
Back to top