Sign in as Contributors, Authors, and Editors

Hey everyone,

I’m wondering if it’s possible to implement user roles on Ghost CMS that would allow individuals to register as “Contributors,” “Authors,” or “Editors.” My goal is to create a platform similar to Medium, where users can sign up and create their own posts.

Has anyone successfully implemented user roles like this on Ghost CMS? If so, could you please share your experience and provide guidance on how to achieve this?

I’m particularly interested in learning about any available plugins, custom code snippets, or recommended approaches for implementing user roles and managing permissions within Ghost CMS.

Any help or suggestions would be greatly appreciated. Thank you in advance!

There are already staff user roles and permissions on Ghost, although they’re by invitation, not by sign-up. You can read about them here: https://ghost.org/docs/staff/

It would not be terribly hard to set up a cloud function that would take a form submission and create a staff user using the API (Ghost Admin API Documentation).

However, if you decide to do this, you 100% need to have the site admin (/ghost) on a separate domain from the website, because Ghost treats staff users as trusted, and otherwise an admin might be tricked into visiting a page with malicious JavaScript. Having the admin functionality on a separate domain provides /some/ protection against a staff user engaging in malicious behavior. You should also be aware that Ghost doesn’t sanitize post content, so if your staff user puts something malicious into an HTML card on a post, there’s nothing to stop that. For example, a staff user could steal a website visitor’s cookie (not staff cookie, as long as you’re using separate domains) and use it to make comments as the website visitor. So you’d need to think pretty carefully about whether you could trust new staff users without some sort of vetting process.

1 Like
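
One way to check the separate-admin-domain advice above against a Ghost configuration, as an added example that is not part of the original posts or Ghost's own code. It reads Ghost's `url` and `admin.url` config keys; the function name `adminSeparation` and all sample hostnames are hypothetical.

```javascript
// Added example: classify how well a Ghost config separates the admin host
// from the public site host. All config values below are constructed samples.
function adminSeparation(config) {
  const site = new URL(config.url).hostname;
  // With no admin.url set, the admin is served at /ghost on the site URL.
  if (!config.admin || !config.admin.url) {
    return { status: "same-host", site, admin: site };
  }
  const admin = new URL(config.admin.url).hostname;
  let status;
  if (admin === site) {
    // A different port or path does not help: cookies are not scoped by port.
    status = "same-host";
  } else if (admin.endsWith("." + site) || site.endsWith("." + admin)) {
    // One host sits under the other, so a cookie set with Domain=<parent>
    // is sent to both. Weaker than an unrelated domain.
    status = "nested";
  } else {
    // Different hostnames. Whether they still share a registrable domain
    // (sibling subdomains) needs a public suffix list and is not checked here.
    status = "distinct-host";
  }
  return { status, site, admin };
}

// Constructed sample configs (shape of config.production.json).
const samples = {
  defaultInstall: { url: "https://blog.example" },
  portOnly: { url: "https://blog.example", admin: { url: "https://blog.example:8443" } },
  nested: { url: "https://blog.example", admin: { url: "https://admin.blog.example" } },
  separate: { url: "https://blog.example", admin: { url: "https://staff-admin.example" } },
};

for (const [name, cfg] of Object.entries(samples)) {
  const r = adminSeparation(cfg);
  console.log(`${name}: ${r.status} (site=${r.site}, admin=${r.admin})`);
}
```

Only `distinct-host` matches the setup the answer calls for before opening staff accounts to self-registration; the other two results mean the admin and the published posts can still share cookies.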

Thank you very much for the information. I will try to make a proof of concept, as Ghost fits quite well with what I’m looking for, and I didn’t find another CMS like this one. It will be complicated for me as I am a .NET backend programmer xD and I have no knowledge of Node. Thank you very much.

What a great reply! So easy for a single motive to suppress more general security policy when trying to make ‘stuff work’.

1 Like