For example, I would like to be able to allow designating a user group for users that only have access to Manage > Users or Manage > Categories.
In my first thoughts about it, I am thinking about creating a new middleware.renderHeader and just creating new routes that have new access restrictions, but serve the same content as the existing admin pages.
Does that seem like the best approach? Any advice?
Thanks!
That is exactly the strategy I use. It works well. It's definitely the approach I would recommend.
@yariplus Thanks! What is the best way to reuse the existing code? Do you start by creating your own version of src/middleware/admin.js that does its own access checks?
Basically yeah. You don't even need to do everything the original does. The middleware for normal routes already verifies the UID, so in my new route controller I just check if that UID is part of a certain Group. Then you can mostly copy what is in the original routes controller and template.
Also, for the front end, you can copy most of the code to your new page, but you need to watch out for the socket calls. Most of them will start with 'admin.' and that won't work because it verifies the user is a real admin. You'll need to change them and make new socket routes starting with 'plugins.' and verify the UID is part of the access group, same as your route above.
@yariplus Thanks! That's very helpful.
