# This file defines role-based access control for your Bolt site. # Before making any modifications to this file, make sure you've thoroughly # read the documentation at https://docs.bolt.cm/configuration/permissions # and understand the consequences of making uninformed changes to the roles and # permissions. # First, we need to define some roles. There are four built-in roles that you # should never add manually: # - 'root', the "superuser" role; Bolt will automatically grant all permissions # to this role. Manually adding it to any permission is pointless, because it # implicitly grants every permission anyway. # - 'everyone', the "base" role; every logged-in user automatically has this # role. Adding the 'everyone' role to any permission will grant it to all # users (but not to unauthenticated users). # - 'owner': this role is only valid in the context of an individual content # item, and the user who "owns" the item (usually the person who created it) # will be in the 'owner' role. # - 'anonymous': this role is automatically assigned at all times, even when # no user is logged in at all. roles: editor: description: This user can edit some content. label: Editor chief-editor: description: This user can edit any content in the system. label: Chief Editor admin: description: User-level administrator. label: Administrator developer: description: Developer access. Only required to change system-level settings. label: Developer guest: description: This user can log on, but is not allowed to edit any content. label: Guest Editor # Role hierarchy settings roles-hierarchy: # This will restrict users from being able to add, edit, enable, disable # and delete users with the same or higher role than their own. # For example: # Users with a role of developer can only be added, edited, enabled, disabled # and deleted by [ root, admin ] roles. manipulate: admin: [ ] developer: [ admin ] chief-editor: [ admin, developer ] editor: [ admin, developer, chief-editor ] guest: [ admin, developer, chief-editor ] # Now we'll define some permissions. Each permission comes with a list of roles # that grant access. # The first set of permissions are the 'global' permissions; these are not tied # to any content types, but rather apply to global, non-content activity in # Bolt's backend. Most of these permissions map directly to backend routes; # keep in mind, however, that routes do not always correspond to URL paths 1:1. # The default set defined here is appropriate for most sites, so most likely, # you will not have to change it. # Also note that the 'editcontent' and 'overview' routes are special-cased # inside the code, so they don't appear here. global: about: [ everyone ] # view the 'About Bolt' page checks: [ admin, developer ] clearcache: [ admin, developer ] contentaction: [ editor, admin, developer ] dashboard: [ everyone ] dbcheck: [ admin, developer ] dbupdate: [ admin, developer ] dbupdate_result: [ admin, developer ] extensions: [ developer ] extensions:config: [ developer ] fileedit: [ admin, developer ] files:config: [ developer ] files:hidden: [ developer ] files:theme: [ developer ] files:uploads: [ admin, developer, chief-editor, editor ] files: [ admin, developer, chief-editor, editor ] prefill: [ developer ] profile: [ everyone ] # edit own profile settings: [ admin, developer, everyone ] translation: [ developer ] useraction: [ admin, developer ] # enable/disable/delete useredit: [ admin, developer ] # user settings users: [ admin, developer ] # view user overview roles: [ admin, developer ] # view the roles overview maintenance-mode: [ everyone ] # view the frontend when in maintenance mode omnisearch: [ everyone ] # Access to the various logs changelog: [ admin, developer, chief-editor ] systemlog: [ admin, developer ] # The following permissions are particularly important: login and postLogin # determine who may see and use the login form. If you set them to anything # but 'anonymous', only users will be able to log in that are logged in # already, which is probably never what you want. login: [ anonymous ] postLogin: [ anonymous ] # Likewise, 'logout' needs to be granted to 'everyone', otherwise people # cannot log out anymore. logout: [ everyone ] # For content type related actions, permissions can be set individually for # each content type. For this, we define three groups of permission sets. # The 'contenttype-all' permission sets *overrides*; any roles specified here # will grant a permission for all content types, regardless of the rest of this # section. # The 'contenttype-default' contains rules that are used when the desired # content type does not define a rule for this permission itself. # The 'contenttypes' section specifies permissions for individual content # types. # # To understand how this works, it may be best to follow the permission checker # through its decision-making process. # # First, it checks whether the current user is in the "root" role; if so, it # short-circuits and always grants anything unconditionally. # # Otherwise, it checks whether any of the current user's roles match any of the # roles in contenttype-all/{permission}. If so, the search is over, and the # permission can be granted. # # The next step is to find contenttypes/{contenttype}/{permission}. If it is # found, then the permission can be granted if and only if any of the user's # roles match any role in contenttypes/{contenttype}/{permission}. # # If either contenttypes/{contenttype} or # contenttypes/{contenttype}/{permission} is absent, the permission checker # uses contenttype-default/{permission} instead. If any role exists in both the # user's roles and contenttype-default/{permission}, the permission can be # granted. # # Note especially that an *empty* set of roles in the contenttype section means # something else than the *absence* of the permission. If the permission is # defined with an empty role list, it overrides the role list in # contenttype-default; but if the permission is not mentioned, the # corresponding entry in contenttype-default applies. # # The following permissions are available on a per-contenttype basis: # # - edit: allows updating existing records # - create: allows creating new records # - publish: allows changing the status of a record to "published", as well as # scheduling a record for future publishing # - depublish: allows changing the status of a record from "published" # - delete: allows (hard) deletion of records # - change-ownership: allows changing a record's owner. Note that ownership may # grant additional permissions on a record, so this # permission can indirectly enable users more permissions # in ways that may not be immediately obvious. # - view: allows viewing records in the backend contenttype-all: edit: [ developer, admin, chief-editor ] create: [ developer, admin, chief-editor ] publish: [ developer, admin, chief-editor ] depublish: [ developer, admin, chief-editor ] delete: [ developer, admin ] change-ownership: [ developer, admin ] contenttype-default: edit: [ editor ] create: [ editor ] change-ownership: [ owner ] view: [ anonymous ] contenttypes: # This is an example of how to define Contenttype specific permissions # # contenttypes: # # Keys in this dictionary map to keys in the contenttypes.yml specification. # showcases: # # Rules defined here *override* rules defined in contenttype-default, # # but *add* to rules in contenttype-all. This means that permissions # # granted through contenttype-all cannot be revoked here, merely # # amended. # # # Only the Admin and Chief Editor are allowed to edit records # edit: [ admin, chief-editor ] # create: [ admin, chief-editor ] # publish: [ admin, chief-editor ] # depublish: [ admin, chief-editor ] # delete: [ admin, chief-editor ] # # Roles that can see the area in the admin section # view: [ developer, admin, chief-editor ] # # Do not expose this content type on the front-end unless user is # logged into the backend