Granular User Permission

I’m thinking about using Squidex for a project where I want external partners to login and update their information. The current permissions system allows me to manage who can read/write/update/delete all the data under one content type, but it would be awesome if I could set user access on one specific node, or a group of nodes.

This way I can let an external partner log in and update their information without updating other partners' information.

Is there such a feature in place today, or is it in the roadmap somewhere?

The only option would be scripting: https://docs.squidex.io/guides/06-scripting

Interesting idea to use scripting like that, I wouldn’t have thought of it. I’ll consider it!

But if you have a system with partners / tenants I would just consider creating multiple apps and automating the process of app management with the API or CLI.

Maybe I’m not following, or have a bad understanding of how it would work.

Say I have a website where offers from partner 1, partner 2 and partner 3 are shown.

If I were to create different apps for each partner, I couldn’t get the offers from the API without querying each partner's app separately, right? I suppose I could index all apps' publications to one shared Elasticsearch instance and “work around” the issue that way though :slight_smile:

True, why not create multiple schemas then? I think you can query all contents with a single GraphQL query then.

It sounds like it could work, but it also feels wrong to not maintain all customers' offers in one schema. But I see the limitations and it is a reasonable workaround. However, I never intended to use the GraphQL API for this, I’m a REST guy still! :smiley:

Then scripting is your friend.

I would…

  1. Create a field partner for each content item.
  2. Create one role for each partner.
  3. Check that the partner field matches the role.
  4. Prevent updates to the partner field in the script.
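One way to write the check described in those four steps, as an added example that is neither Squidex's own code nor from the thread. It assumes the partner field is a non-localized string field read as `ctx.data.partner.iv`, that roles follow the constructed naming `partner-<id>`, and that `ctx.user.claims.role` is the array of role names mentioned later in the thread.

```javascript
// Assumed convention: a role named "partner-acme" grants access to partner id "acme".
const ROLE_PREFIX = 'partner-';

// Derive the partner ids a user may manage from their role names.
function partnersFromRoles(roles) {
  return (Array.isArray(roles) ? roles : [])
    .filter((r) => typeof r === 'string' && r.startsWith(ROLE_PREFIX))
    .map((r) => r.slice(ROLE_PREFIX.length));
}

// Returns { allowed, reason }. Intended for the schema's create and update
// scripts; the script would then call reject(reason) when allowed is false.
function checkPartnerAccess(ctx) {
  const claims = (ctx.user && ctx.user.claims) || {};
  const allowedPartners = partnersFromRoles(claims.role);
  const partner = ctx.data && ctx.data.partner && ctx.data.partner.iv;
  const oldPartner = ctx.dataOld && ctx.dataOld.partner && ctx.dataOld.partner.iv;

  // Step 1/3: every content item must carry a partner value.
  if (typeof partner !== 'string' || partner.length === 0) {
    return { allowed: false, reason: 'partner field is required' };
  }
  // Step 4: on update, the partner field must not change.
  if (oldPartner !== undefined && oldPartner !== partner) {
    return { allowed: false, reason: 'partner field cannot be changed' };
  }
  // Step 2/3: the caller must hold the role for this partner.
  if (!allowedPartners.includes(partner)) {
    return { allowed: false, reason: `not allowed to manage partner "${partner}"` };
  }
  return { allowed: true, reason: null };
}

// Constructed sample contexts (not real Squidex output), for a stand-alone run.
const sampleCreate = {
  user: { claims: { role: ['partner-acme'] } },
  data: { partner: { iv: 'acme' } },
};
const sampleHijack = {
  user: { claims: { role: ['partner-globex'] } },
  data: { partner: { iv: 'globex' } },
  dataOld: { partner: { iv: 'acme' } },
};
console.log(checkPartnerAccess(sampleCreate)); // { allowed: true, reason: null }
console.log(checkPartnerAccess(sampleHijack)); // allowed: false, field cannot be changed
```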

Hi Sebastian, regarding this issue. Is there more documentation on what fields/values are available on ctx for scripting? I’d like to see an example of the entire ctx.user, or an idea on how to print the current ctx in the log. Where could I intercept it, and log it?

Thanks

The scripting system is a sandbox, every method needs to be made accessible, there is no automation. Therefore there is no logging right now. You could try to serialize the full context and put it into a field to see all values.

I can improve the documentation about that, I thought I have already done it.

Have you seen the integrated help?

Hi,

Yes I have seen the documentation, but I cannot find anything about, for example, what role a user has. I managed to print the ctx.user object using reject(ctx.user) and seeing what it output, but it didn’t feel like the correct way to do it. Also I cannot see what keys/values are in ctx.user.claims this way, as the output isn’t serialized like that.

Specifically I’m looking for a way to implement the ideas you mentioned earlier in this thread, regarding the role for each partner and verifying the content item belonging to the correct partner id, role or name or something like that.

ctx.user.claims.role should be an array of role names. I will check it as well.

I did find that value by chance, but is there a place where i can see other claims?

Not yet, sorry, they are very dynamic.