How to safely restrict access to sensitive parts of the dashboard.
Not every staff member should have the physical ability to execute sensitive server commands, view other staff members, or access Role Management. This is why the CMS utilizes a strict, backend-enforced Roles and Permissions system.
What is a Role?
When you create a Staff Member, you assign them a Role. Think of a Role simply as a job title for that employee (for example, “Game Moderator” or “Ticket Agent”).
What is a Permission?
You assign specific Permissions to a Role. These are the literal access keys (e.g., manage-news, manage-settings) that unlock pages and actions.
For example, you can edit the “Game Moderator” Role, and check the box next to manage-news. But you leave the box strictly unchecked next to manage-settings.
When that Game Moderator logs in, the CMS will completely hide the “Settings” button from their visual sidebar menu.
Strict Enforcement: Even if the staff member tries to forcefully visit the restricted settings URL directly in their browser, the CMS backend will securely block the request natively and display a rigid “Unauthorized Action” error page.
This robust architectural boundary means you can safely hire junior staff members or volunteers to help manage languages, news, and events, while mathematically guaranteeing they can never access your server console or financial settings.
