Author Permissions: E.g. Adding Freelance writers to CMS does not create Silos for viewing user based content

Background
The idea of having a CMS publishing backend UI (Squidex GUI) is to allow authors (a Squidex custom role with content creation rights for specific schemas; people who are unrelated to each other and sit globally in different time zones as freelance writers) to write new content in the defined schema.

@sebastian

Based on the permissions, unfortunately I am unable to separate logical content concerns for each author when giving them custom role permissions. The custom role requirement is to author new content without seeing the content of other authors and to keep all content under draft status, submitted for review to the Editor. Currently, if I give read permissions for a certain content schema that I have defined, the author gets access to all the content of other authors, which means RBAC (Role Based Access Control) is there but no UBAC (User Based Access Control).

Please suggest a workaround to achieve the above based on some scripting + workflow configuration if this is not offered out of the box in Squidex. This is strange because access control means not just CRUD but also logical separation of concerns at a user level, so that users do not see each other's data.

@Sebastian Currently, using the scripting mechanism to limit a user to only publish is ok, but how will I handle this with 8 editors in 4 countries for a multi-locale play when I have to restrict publishing rights and authoring rights (draft) for certain authors and editors?

The below solution looks like a temporary fix, but as a CMS do we have RBAC & UBAC laid out as native functionality?

    if (ctx.operation === 'Published' && ctx.user.email !== 'editor@master.com') {
        // Reject the call if the publisher has another email address.
        reject('You are not allowed to publish the content');
    }

In your workflow you can assign roles to transitions (e.g. Draft => Published) …

But for read permissions there is no logic right now.

@Sebastian The Author role, a.k.a. the Creator role in the docs, has been followed to the T in configuring them, but there are some issues with the scripting not working, as the Author role (i.e. Creator) is able to publish without the script working or stopping it.

I tested with the Owner and Developer roles; they get restricted and cannot publish, but the Author role is like a free ride in creating and publishing articles in spite of the workflow.

This seems to be a bug. My guess is that the Author role is custom created by the Owner of the vannatest cloud App on Squidex and hence the scripts fail to work on custom created roles. E.g. in the Vannatest App, check the roles.

I can publish as an Author with the following email IDs configured as authors:

  1. rebeccayu4w@gmail.com
  2. sagungargs@gmail.com

This is not allowing us to create authors/creators (external contributors on our CMS)

Sorry, I don’t understand what you mean. I need concrete examples (and short sentences :smiley: )

@Sebastian If you create a new role, say creator, as per the Workflow docs, it can publish content (after I implement workflows), but the Owner and Developer roles can't (as expected). The bug is that custom roles in Squidex in vannatest are currently failing and hence bypassing scripting to publish content when ideally they shouldn't.

I don’t see how custom roles can bypass scripting. There is no code that checks the roles. Can you post your script?

CREATE

    // Only Rebecca and Esther may publish: reject every other email address.
    // (A single check with && is needed; one check per address would reject
    // everyone, since no email can equal both.)
    if (ctx.operation === 'Published' &&
        ctx.user.email !== 'rebecca@vanna.com' &&
        ctx.user.email !== 'esther@vanna.com') {
        reject('You are not allowed to publish the content. Only Rebecca and Esther can');
    }

    // Our code for the 'Author' role
    if (ctx.user.claims.role.indexOf('Author')) {
        // Check that the status field is set to Draft.
        if (ctx.data.status.iv !== 'Draft') {
            // If not, reject this operation with a custom validation message.
            reject('The status of a new article must be set to Draft');
        }
    }

UPDATE

    // Our code for the 'Editor' role: only these three addresses may publish.
    // (Each address must be excluded with &&; `a !== x || a !== y` is always true.)
    if (ctx.operation === 'Published' &&
        ctx.user.email !== 'rebecca@vanna.com' &&
        ctx.user.email !== 'sagun@vanna.com' &&
        ctx.user.email !== 'esther@vanna.com') {
        // Reject the call if the publisher has another email address.
        reject('You are not allowed to publish the content');
    }

    // Our code for the 'Author' role
    if (ctx.user.claims.role.indexOf('Author')) {
        // Check the old status of our content.
        if (ctx.oldData.status.iv !== 'Draft' && ctx.oldData.status.iv !== 'Rejected') {
            disallow('You are not allowed to edit content that has been published already.');
        }

        // Authors may only move content to Draft or Ready.
        if (ctx.data.status.iv !== 'Draft' && ctx.data.status.iv !== 'Ready') {
            reject('You may only set the status to Draft or Ready');
        }
    }

I am a little bit skeptical about this:

 if (ctx.user.claims.role.indexOf('Author'))

When the index is 0, then 0 == false, so the code inside your if is not executed.

I would use

if (ctx.user.claims.role.indexOf('Author') >= 0)
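The corrected UPDATE logic as an added example (not the thread's own script), with the indexOf truthiness bug shown beside the fix. It assumes the ctx shape used in the posted scripts (ctx.user.claims.role as an array, a custom status field read via .iv) and, so it can run outside Squidex, takes reject() and disallow() as parameters instead of the globals the Squidex runtime supplies:

```javascript
// Added example, not the thread's own script: corrected UPDATE logic as a plain
// function. In Squidex, ctx, reject() and disallow() are runtime globals; here
// they are parameters so the rules can be exercised outside Squidex.
var PUBLISHERS = ['rebecca@vanna.com', 'sagun@vanna.com', 'esther@vanna.com']; // constructed
// The thread's original role test: indexOf() returns 0 for the first element and
// 0 is falsy, so the Author rules are silently skipped when 'Author' comes first.
function buggyHasRole(roles, name) {
  return Boolean(roles.indexOf(name));
}
// Corrected test: compare the index explicitly (or use roles.includes(name)).
function hasRole(roles, name) {
  return roles.indexOf(name) !== -1;
}
function updateScript(ctx, reject, disallow) {
  // Publishing is limited to an allow-list; membership is one test, because
  // `a !== x || a !== y` is always true and would reject every publisher.
  if (ctx.operation === 'Published' && PUBLISHERS.indexOf(ctx.user.email) === -1) {
    return reject('You are not allowed to publish the content');
  }
  if (hasRole(ctx.user.claims.role, 'Author')) {
    // Authors may only touch content that is still Draft or Rejected ...
    var oldStatus = ctx.oldData.status.iv;
    if (oldStatus !== 'Draft' && oldStatus !== 'Rejected') {
      return disallow('You are not allowed to edit content that has been published already.');
    }
    // ... and may only move it to Draft or Ready (for the editor's review).
    var newStatus = ctx.data.status.iv;
    if (newStatus !== 'Draft' && newStatus !== 'Ready') {
      return reject('You may only set the status to Draft or Ready');
    }
  }
  return 'allowed';
}

// Constructed sample context in the shape the script reads from ctx.
function makeCtx(operation, email, roles, oldStatus, newStatus) {
  return {
    operation: operation,
    user: { email: email, claims: { role: roles } },
    oldData: { status: { iv: oldStatus } },
    data: { status: { iv: newStatus } }
  };
}
// Runs the script with reject/disallow replaced by functions returning the outcome.
function runUpdate(ctx) {
  return updateScript(ctx, function (m) { return 'reject: ' + m; },
                           function (m) { return 'disallow: ' + m; });
}
```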

Hi @Sebastian

This has done the trick :slight_smile: Thank you so much (I had spent almost countless hours in the last two weeks fixing this). Is there a place where I can look up this scripting syntax and usage examples somewhere in the docs beyond the basic use?

PFA screenshot

The scripting is just javascript.
