A permission is a named atomic action a user can be allowed to perform — read a page, create a page, upload an attachment, and so on. Permissions are the building blocks of Roles: every role is a bundle of permissions, and a user's effective rights are the union of all permissions across every role they hold.
GeoHazardWatch uses simple string keys for permissions (e.g. page-edit, asset-upload). They are deliberately flat — no Context/Resource/Action triple, no scoping by namespace. The per-page rules (Page Private, Author Lock, Page Audience) operate at a layer above permissions; they override what a role-granted permission would otherwise allow.
The table below is rendered from the live configuration at view time. It groups permissions by the resource they act on (page-*, asset-*, search-*, user-*, admin-*).
| Permission | Name | Icon | Description |
|---|---|---|---|
| admin-system | System administration | | |
| admin-roles | Role management | | |

| Permission | Name | Icon | Description |
|---|---|---|---|
| asset-read | View assets (attachments) | | |
| asset-upload | Upload assets | | |
| asset-delete | Delete assets | | |

| Permission | Name | Icon | Description |
|---|---|---|---|
| page-read | View pages | | |
| page-edit | Edit pages | | |
| page-create | Create new pages | | |
| page-delete | Delete pages | | |
| page-rename | Rename pages | | |
| page-export | Export pages | | |

| Permission | Name | Icon | Description |
|---|---|---|---|
| search-page | Search pages | | |
| search-user | Search users | | |

| Permission | Name | Icon | Description |
|---|---|---|---|
| user-read | View user list and profiles | | |
| user-edit | Edit user accounts | | |
| user-create | Create user accounts | | |
| user-delete | Delete user accounts | | |

Total: 17 permissions in 5 groups
Which roles grant which permissions, rendered live:
| Permission | Administrator | User Administrator | Editor | Contributor | Reader | Member | Anonymous |
|---|---|---|---|---|---|---|---|
| page-read: View pages | | | | | | | |
| page-edit: Edit pages | | | | | | | |
| page-create: Create new pages | | | | | | | |
| page-delete: Delete pages | | | | | | | |
| page-rename: Rename pages | | | | | | | |
| page-export: Export pages | | | | | | | |
| asset-read: View assets (attachments) | | | | | | | |
| asset-upload: Upload assets | | | | | | | |
| asset-delete: Delete assets | | | | | | | |
| search-page: Search pages | | | | | | | |
| search-user: Search users | | | | | | | |
| user-read: View user list and profiles | | | | | | | |
| user-edit: Edit user accounts | | | | | | | |
| user-create: Create user accounts | | | | | | | |
| user-delete: Delete user accounts | | | | | | | |
| admin-system: System administration | | | | | | | |
| admin-roles: Role management | | | | | | | |

actions lists

page, asset, search, user, admin) — the resource the permission operates on

When a user attempts an action on a page, the access-control flow is:

audience or access) take precedence over role permissions for that page. See Page Audience.

A user must hold at least one role whose permission set grants the requested action — unless a per-page override allows them explicitly.
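
The evaluation order described above, sketched in Python as an added example (not GeoHazardWatch's own code). Only the 17 permission keys come from this page; the role grants in `SAMPLE_ROLES`, the per-page `overrides` field and all function names are assumptions made for illustration. It also reports unknown keys in role definitions, because with flat string keys a mistyped key would simply never match a check.

```python
# Added example, not GeoHazardWatch code. Role grants and the per-page
# "overrides" field are constructed assumptions.

# The 17 permission keys listed on this page.
KNOWN_PERMISSIONS = frozenset({
    "page-read", "page-edit", "page-create", "page-delete", "page-rename",
    "page-export", "asset-read", "asset-upload", "asset-delete",
    "search-page", "search-user", "user-read", "user-edit", "user-create",
    "user-delete", "admin-system", "admin-roles",
})

# Constructed sample role definitions (real grants live in the wiki's config).
SAMPLE_ROLES = {
    "Reader": {"page-read", "asset-read", "search-page"},
    "Contributor": {"page-read", "page-edit", "page-create", "asset-upload"},
    "Broken": {"page-read", "page-edits"},  # typo: never matches any check
}


def unknown_keys(roles):
    """Return {role: sorted unknown keys} so typos in role bundles surface."""
    bad = {}
    for role, perms in roles.items():
        extra = sorted(set(perms) - KNOWN_PERMISSIONS)
        if extra:
            bad[role] = extra
    return bad


def effective_permissions(user_roles, roles):
    """Union of the known permissions of every role the user holds."""
    granted = set()
    for role in user_roles:
        granted |= set(roles.get(role, ())) & KNOWN_PERMISSIONS
    return granted


def is_allowed(user_roles, action, page, roles):
    """Per-page override first, then role permissions; deny by default."""
    if action not in KNOWN_PERMISSIONS:
        return False
    override = page.get("overrides", {}).get(action)  # hypothetical field
    if override is not None:
        # The override decides in both directions: it can allow a user whose
        # roles lack the permission and deny one whose roles grant it.
        return bool(set(user_roles) & set(override))
    return action in effective_permissions(user_roles, roles)
```
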