2020-09-25 Planned update to permission system with breaking change

Hello everyone,

A new feature will be deployed to the Squidex Cloud: the permission system has been improved so that you can adapt the Squidex Management UI for your users.

This new feature is called

Role Properties

With role properties you can hide certain parts of the UI from your users. In contrast to permissions, this is not a security feature. For example: you can hide the schemas section, but you cannot remove the permission to read schemas from your users, because this permission is needed by the Management UI and is therefore added as an implicit permission to all roles. This means an advanced contributor can still take their access token from the browser developer tools and use a tool like Postman to read all schemas.

Breaking changes

To make this feature more consistent, two minor breaking changes have been introduced, but they will very likely have little or no impact on your application.

Breaking change #1: Removing implicit permissions.

Before this change, each role had an implicit permission called

common

This common permission was introduced to give your users access to all resources that the Management UI needs. Common granted the following permissions:

  • comments.*: Read, create and update comments.
  • contributors.read: Read contributors.
  • history: Read content histories and other histories.
  • languages.read: Read all configured languages.
  • ping: Ping the app (special endpoint for monitoring).
  • roles.read: Read all configured roles.
  • schemas.read: Read all schemas.
  • search: Make an app wide search.
  • translate: Use the translate endpoint for localized fields.
  • usage: Read usage information for the dashboard.

Clients and contributors use the same roles, which means that each client also had these permissions implicitly and you could not remove them. This obviously does not make much sense, so the implicit permissions are now only granted to contributors.

TODO: If you have custom roles, please check whether they have all the permissions they need.

Breaking change #2: Removing the api permission.

The api permission was a UI permission that decided whether your users can see the API section. In fact it was not really a permission at all; it was more of a role property. Therefore this permission will be removed from the permissions and replaced with a role property.

TODO: If you have custom roles, please check whether your users should see the API section and tick the Hide API checkbox if necessary.
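As an added example (not Squidex's own code), the following Python script audits custom roles against both breaking changes: for roles used by clients it lists the formerly implicit permissions that are no longer covered, and for any role it flags the removed api permission. It assumes roles are plain lists of permission strings and that a granted permission covers a required one by simple glob matching, which may differ from Squidex's real matching rules.

```python
"""Audit custom roles against the two announced breaking changes.

Added example, not Squidex code. Assumptions: a role is a list of
permission strings; a granted permission covers a required one when it
matches as a glob ("comments.*" covers "comments.read", "*" covers all);
and "api" is the literal name of the removed permission.
"""
from fnmatch import fnmatchcase

# Permissions the implicit "common" permission granted, from the announcement.
FORMERLY_IMPLICIT = [
    "comments.*", "contributors.read", "history", "languages.read", "ping",
    "roles.read", "schemas.read", "search", "translate", "usage",
]
# Removed as a permission; now expressed by the "Hide API" role property.
REMOVED = {"api"}


def covers(granted: str, required: str) -> bool:
    """True if the granted pattern includes the required permission (assumed glob semantics)."""
    return fnmatchcase(required, granted)


def audit_role(name: str, permissions: list, used_by_clients: bool) -> dict:
    """Report what a custom role loses once the change is live.

    Contributors still receive the formerly implicit permissions, so
    'missing_for_clients' is only populated when clients use the role."""
    missing = []
    if used_by_clients:
        missing = [p for p in FORMERLY_IMPLICIT
                   if not any(covers(g, p) for g in permissions)]
    stale = sorted(set(permissions) & REMOVED)
    return {"role": name, "missing_for_clients": missing, "stale": stale}


# Constructed sample roles, not taken from any real app.
SAMPLE_ROLES = {
    "Editor": (["schemas.read", "api"], False),         # contributors only
    "Importer": (["schemas.read", "roles.read"], True),  # also used by a client
    "Admin": (["*"], True),
}


def audit_all(roles=SAMPLE_ROLES) -> list:
    return [audit_role(n, perms, clients) for n, (perms, clients) in roles.items()]
```

Run `audit_all()` against your own role definitions; any non-empty `missing_for_clients` list means a client using that role will lose those calls, and a non-empty `stale` list means the role still references the removed api permission.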
