Users and permissions
API route permissions for users without Panel access
Users with Panel access disabled (via permissions.access.panel: false in the user blueprint) generally don’t have access to routes under /api/, except for a few endpoints related to /api/auth to allow them to log in and out.
Kirby doesn’t seem to support per-route permissions (this suggestion may be related). To allow specific API endpoints for non-Panel users, we need to roll our own check:
'api' => [
    'routes' => [
        [
            'pattern' => 'my-route',
            'method' => 'GET',
            // Disables Kirby's built-in API authentication for this route,
            // so the check inside the action is the only access control.
            'auth' => false,
            'action' => function () {
                // Note: You can be fancy and return HTTP 401 / 403 instead.
                if (!kirby()->user() || !csrf(kirby()->request()->csrf())) {
                    return null;
                }
                return $your_thing;
            }
        ]
    ]
]
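The 401 / 403 variant mentioned in the comment above, as an added example (not code from the original notes or from the Kirby project). The `$guarded` wrapper and the returned payload are hypothetical, and passing an array with `httpCode` to `Kirby\Exception\Exception` assumes the Kirby 3/4 exception constructor.

```php
<?php
// site/config/config.php (added example, assumed file layout)

use Kirby\Exception\Exception;
use Kirby\Exception\PermissionException;

// Hypothetical wrapper: runs the login + CSRF check before the real action.
// The wrapped action is called unbound, so it should use kirby() not $this.
$guarded = function (Closure $action): Closure {
    return function (...$args) use ($action) {
        $kirby = kirby();

        // With 'auth' => false this is the only gate in front of the action.
        if ($kirby->user() === null) {
            throw new Exception([
                'fallback' => 'Not logged in',
                'httpCode' => 401,
            ]);
        }

        // The token is read from the X-CSRF request header. Reject a missing
        // header explicitly instead of relying on how csrf() treats null.
        $token = $kirby->request()->csrf();
        if (is_string($token) !== true || csrf($token) !== true) {
            throw new PermissionException('Invalid CSRF token'); // HTTP 403
        }

        return $action(...$args);
    };
};

return [
    'api' => [
        'routes' => [
            [
                'pattern' => 'my-route',
                'method'  => 'GET',
                'auth'    => false,
                'action'  => $guarded(function () {
                    // Placeholder payload for the example.
                    return ['email' => kirby()->user()->email()];
                }),
            ],
        ],
    ],
];
```

The front-end has to print the token with `csrf()` in a template and send it back in the `X-CSRF` header of each request to this route.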
Panel shortcuts for the front-end
To add a log out link to the front-end:
<a href='/panel/logout'>Log out</a>
To check that the current user can edit a certain page, use:
<?php if ($page->permissions()->can('update')): ?>
...
<?php endif ?>
To add Panel shortcuts:
<footer>
  <?php // Templates have no $user variable by default; $kirby->user() is null for guests. ?>
  <?php if (($user = $kirby->user()) && $user->role()->permissions()->for('access', 'panel')): ?>
    Admin:
    <a href='<?= $page->panel()->url() ?>?language=<?= $kirby->language() ?>'>
      <?= t('Edit page') ?>
    </a>
    <a href='<?= $site->panel()->url() ?>?language=<?= $kirby->language() ?>'>
      <?= t('Admin panel') ?>
    </a>
  <?php endif; ?>
</footer>
There’s also a plugin with more functionality: pechente/kirby-admin-bar. Interesting point:
Please note that this plugin might disable Kirby staticache since it renders different content for logged-in users and guests.