
apostrophe-selective-permissions

v2.0.0

Published

Create specialized permissions for users of your site, such as an "seo" permission that allows editing only certain fields of certain pieces and pages

Downloads

36

Readme

Create specialized permissions for users of your site, such as an "seo" permission that allows updating only certain fields of certain pieces and pages.

Installation

npm install apostrophe-selective-permissions

Configuration

// in app.js
modules: {
  'apostrophe-selective-permissions': {
    permissions: [
      {
        name: 'seo',
        label: 'SEO'
      }
    ]
  },
  'articles': {
    extend: 'apostrophe-pieces',
    selectivePermissions: {
      seo: {
        update: {
          fields: [ 'title', 'seoTitle' ],
          seeOtherFields: true
        },
        submit: true
      }
    }
  }
}

What does this configuration say?

Let's say we want to give a team of SEO consultants limited access to update relevant fields of our articles.

So in the permissions array of apostrophe-selective-permissions, we start by listing some permissions we'd like to be able to assign when we edit Apostrophe's user groups. We give each a name and a label. These are distinct from ordinary Apostrophe permissions.

Then, in the selectivePermissions option of articles (which extends apostrophe-pieces), we define what the seo permission lets us do with articles:

  • update: { ... }: we can edit existing articles via the "edit article" dialog box, but only the fields listed in fields (title and seoTitle in the configuration above). This implies access to the "Manage" dialog box as well.
  • seeOtherFields: true: other fields can be seen in the editor, but are read-only. By default, they cannot be seen at all.
  • submit: true: we can submit articles. This is relevant only if apostrophe-workflow is also enabled. Recommended when using workflow.

These are currently the only forms of limited access that can be given out via this module. Further expansion is anticipated.

Allowing the SEO team to edit all pieces

This is great if we only want to let our SEO consultants edit articles. But what if we want to let them edit all existing pieces? No problem! We just need to configure apostrophe-pieces in lib/modules/apostrophe-pieces/index.js.

Note that this must happen in lib/modules/apostrophe-pieces/index.js and NOT in app.js, so that Apostrophe does not try to actually add apostrophe-pieces itself as a module. We just want to influence the behavior of modules that extend it.

// in lib/modules/apostrophe-pieces/index.js
const _ = require('lodash');
module.exports = {
  beforeConstruct: function(self, options) {
    options.selectivePermissions = _.merge({
      seo: {
        update: {
          fields: [ 'title', 'tags' ],
          seeOtherFields: true
        },
        submit: true
      }
    }, options.selectivePermissions || {});
  }
}

We use beforeConstruct and _.merge to incorporate any further configuration of selectivePermissions for individual pieces modules.

These settings will be inherited by other pieces modules. We can adjust what is inherited by configuring those modules too.
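When a pieces module adjusts what it inherits, note that _.merge merges arrays index by index, so a shorter fields list in one module does not narrow the inherited list. The following is an added example, not code from the module: merge is a simplified, dependency-free stand-in for that behaviour, and the articles override is constructed for illustration.

```javascript
// Added example: plain JavaScript, no dependencies.
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Recursive merge of `source` into `target`.
// replaceArrays = false: arrays are merged index by index, the way _.merge
//                        treats them (simplified stand-in, runs without lodash).
// replaceArrays = true:  an array in `source` replaces the one in `target`.
function merge(target, source, replaceArrays) {
  for (const [key, value] of Object.entries(source)) {
    if (key === '__proto__' || value === undefined) continue;
    const current = target[key];
    if (Array.isArray(value) && Array.isArray(current) && !replaceArrays) {
      value.forEach((item, i) => { current[i] = item; });
    } else if (isPlainObject(value) && isPlainObject(current)) {
      merge(current, value, replaceArrays);
    } else {
      target[key] = Array.isArray(value) ? value.slice() : value;
    }
  }
  return target;
}

// Defaults from lib/modules/apostrophe-pieces/index.js on this page.
const piecesDefaults = () => ({
  seo: {
    update: { fields: ['title', 'tags'], seeOtherFields: true },
    submit: true
  }
});

// Constructed override: an 'articles' module that means to allow only seoTitle.
const articlesOverride = { seo: { update: { fields: ['seoTitle'] } } };

// Field list the seo permission ends up with for 'articles'.
function effectiveFields(replaceArrays) {
  return merge(piecesDefaults(), articlesOverride, replaceArrays).seo.update.fields;
}

console.log('index-wise merge:', effectiveFields(false));
console.log('replace arrays:  ', effectiveFields(true));
```

With lodash itself, the replacing behaviour comes from _.mergeWith and a customizer that returns the source value whenever it is an array.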

No matter what we say here, the SEO consultants will never be able to edit an apostrophe-user or apostrophe-group, because these types are marked adminOnly in Apostrophe for security reasons.

Allowing the SEO team to edit page settings

// in app.js, inside modules
  'apostrophe-selective-permissions': {
    // ... same as above ...
  },
  'apostrophe-custom-pages': {
    selectivePermissions: {
      seo: {
        edit: {
          fields: [ 'title', 'seoTitle' ],
          seeOtherFields: true
        },
        submit: true
      }
    }
  }
  // apostrophe-pieces: see earlier example, if you wish

Note that permissions for all types of pages are managed via configuration of the apostrophe-custom-pages module.

More than one permission

You can configure more than one selective permission in the array, and you can configure what each permission can do:

// in app.js
modules: {
  'apostrophe-selective-permissions': {
    permissions: [
      {
        name: 'seo',
        label: 'SEO'
      },
      {
        // Do not use "publish", that verb is reserved
        name: 'publishIt',
        label: 'Publish'
      }
    ]
  },
  'articles': {
    extend: 'apostrophe-pieces',
    selectivePermissions: {
      seo: {
        edit: {
          fields: [ 'title', 'seoTitle' ],
          seeOtherFields: true
        },
        manage: true,
        // insert: false,
        // trash: false,
        submit: true
      },
      publishIt: {
        edit: {
          fields: [ 'published' ]
        }
      }
    }
  }
}

IMPORTANT: reserved permission names and permission naming restrictions

Do not use the following names for your selective permissions:

edit, publish, admin, guest

Choose new verbs of your own. Feel free to use a unique prefix to avoid future conflicts.

Do not use hyphens in your permission names. However, youMayUseCamelCase.
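The naming rules above can be checked before the site starts. This is an added example, not part of the module: lintSelectivePermissions and the sample configuration are hypothetical, and the cross-check for undeclared names is an assumption about what counts as a mistake.

```javascript
// Added example: a lint pass over the `modules` object from app.js.
const RESERVED_NAMES = ['edit', 'publish', 'admin', 'guest'];

function lintSelectivePermissions(modules) {
  const problems = [];
  const declared = new Set();
  const core = modules['apostrophe-selective-permissions'] || {};

  for (const { name } of core.permissions || []) {
    if (RESERVED_NAMES.includes(name)) {
      problems.push(`permission "${name}": reserved name`);
    }
    if (name.includes('-')) {
      problems.push(`permission "${name}": hyphens are not allowed`);
    }
    declared.add(name);
  }

  // Assumption: a name configured under selectivePermissions but missing from
  // the permissions array is a typo, since only listed names can be assigned.
  for (const [moduleName, config] of Object.entries(modules)) {
    for (const used of Object.keys((config || {}).selectivePermissions || {})) {
      if (!declared.has(used)) {
        problems.push(`module "${moduleName}": "${used}" is not declared`);
      }
    }
  }
  return problems;
}

// Constructed sample configuration with three deliberate mistakes.
const sampleModules = {
  'apostrophe-selective-permissions': {
    permissions: [
      { name: 'seo', label: 'SEO' },
      { name: 'publish', label: 'Publish' },     // reserved name
      { name: 'seo-team', label: 'SEO team' }    // hyphen
    ]
  },
  articles: {
    extend: 'apostrophe-pieces',
    selectivePermissions: { soe: { update: { fields: ['title'] } } } // typo
  }
};

console.log(lintSelectivePermissions(sampleModules));
```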

Who should NOT be given selective permissions?

Selective permissions should only be given out to groups that cannot already edit the document types in question. They should not be checked off for administrators, or even for groups that can fully edit some or all pieces of a particular type. Due to technical limitations, if a user is given a selective permission like seo, Apostrophe assumes that is the only type of edit they can make to the relevant type of document.

You may give two different selective permissions to the same group, as long as they apply to different document types.

"What's all this about user groups?"

If you don't see "Groups" on your admin bar, you probably still have a groups option configured for the apostrophe-users module, either in app.js or in lib/modules/apostrophe-users/index.js. If you are using this module, you probably want to remove that groups option. Now you can create as many groups as you wish and assign them permissions dynamically via the admin bar. You can, however, certainly add selective permission names to the groups option if you wish.