Easy access control

ProcessWire uses a role-based access control system that supports any access control scenario you can think of.


Access control in ProcessWire is powerful and easy-to-use. A role is simply a named group of one or more permissions. And each permission is a named action that can be assigned to a role. For example, a role might be named "news-editor" and a permission named "page-edit" might be assigned to that role.

Roles are assigned to users, and a single user may have multiple roles, like "member" and "editor". ProcessWire comes with 2 roles by default: guest and superuser. But you can create and assign as many roles as you need to any user, each with a custom set of permissions.

Permissions

Examples of permissions might include page-view to assign access to view a page, or page-edit to assign access to edit a page. But ProcessWire comes with more than 30 predefined permissions that can be assigned to roles. And you can also add as many of your own custom permissions as you'd like. See: Access Control Permissions

Contextual permissions

Permissions can also have context. A role might provide a user with view, edit and delete permission on one type of page and not another. While roles and permissions are assigned to users, they can also be assigned to page templates (aka page types). This is what enables roles and their permissions to be contextual for one type of page or another.

Inherited access

While roles can define what a user can do with a particular page type, that access (or lack of access) can also be inherited through the page tree, making setup and management of access even easier. Simply put, if a page template (page type) does not define its own access settings, then that means it inherits the access settings from the closest parent page that does define access.
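
The inheritance rule above, as an added example: a simplified stand-alone PHP model, not ProcessWire's own code, that resolves which ancestor supplies each page's access and flags pages that end up viewable by the guest role. The template names, page paths and role assignments are constructed sample data.

```php
<?php
// Simplified model of inherited access; not ProcessWire's implementation.
// Template names, page paths and role assignments are constructed sample data.

// Roles allowed to view pages of each template. null means the template
// defines no access of its own, so its pages inherit from a parent.
$templates = [
    'home'         => ['guest', 'member', 'editor'],
    'basic-page'   => null,
    'members-area' => ['member', 'editor'],
    'member-doc'   => null,
];

// Page tree: path => [template, parent path]
$pages = [
    '/'                  => ['home', null],
    '/about/'            => ['basic-page', '/'],
    '/about/internal/'   => ['member-doc', '/about/'],
    '/members/'          => ['members-area', '/'],
    '/members/handbook/' => ['member-doc', '/members/'],
];

// Walk up the tree to the closest page whose template defines access.
function accessSource(?string $path, array $pages, array $templates): ?string {
    while ($path !== null) {
        [$template, $parent] = $pages[$path];
        if ($templates[$template] !== null) {
            return $path;
        }
        $path = $parent;
    }
    return null; // no page in the chain defines access
}

// Effective view roles; this model denies everyone when nothing defines access.
function viewRoles(string $path, array $pages, array $templates): array {
    $source = accessSource($path, $pages, $templates);
    return $source === null ? [] : $templates[$pages[$source][0]];
}

// Audit: show where each page's access comes from and flag guest exposure.
foreach (array_keys($pages) as $path) {
    $source = accessSource($path, $pages, $templates);
    $roles  = viewRoles($path, $pages, $templates);
    $flag   = in_array('guest', $roles, true) ? '  <-- viewable by guest' : '';
    printf("%-20s access from %-10s view: %s%s\n",
        $path, $source ?? '(none)', implode(', ', $roles), $flag);
}
```

In the sample tree, /about/internal/ and /members/handbook/ share the same access-less template, but the first inherits from the home page and is flagged as guest-viewable while the second inherits the members-only settings. Where a page sits in the tree therefore matters as much as its template when access is inherited.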

Roles and permissions API

ProcessWire takes care of all the site and admin access according to your role and permission settings. For instance, if a user accesses a page where they don't have page-view permission, then they will get a 404. But there may be times when you want to do your own access checks, such as in a custom application or member portal. ProcessWire makes this easy with the $user->hasRole() or $user->hasPermission() methods:

// decide what to show from role and login status
if($user->hasRole('member')) {
  // user with member role
  echo "<h2>Welcome member!</h2>";

} else if($user->isLoggedIn()) {
  // user logged in but has no member role
  echo "<p>Sorry, you do not have access</p>";

} else {
  // user not logged in, send them to login page
  $session->location('/login/');
}

// send PDF to user if they have download-pdf permission
if($user->hasPermission('download-pdf')) {
  $files->send('/path/to/file.pdf');
}

// if current user can edit $page give them a link
if($user->hasPermission('page-edit', $page)) {
  echo "<a href='$page->editUrl'>Edit page</a>";
}

// preferred and simpler way of doing the above
if($page->editable()) {
  echo "<a href='$page->editUrl'>Edit page</a>";
}
