What are the extensibility points, available in a module, that enable sending a Content Item into oblivion, before it renders in TheAdmin?

Topics: Administration, Customizing Orchard
May 7, 2013 at 9:55 PM
Edited May 7, 2013 at 9:57 PM
Hi Bertrand,

The Problem: In the Content Items List, a user in the Dealer role is able to view a content item that he doesn't own.

The Goal: In the Content Items List, ensure that a user in the Dealer role can view only content items that he owns. Also, ensure that this restriction only exists in TheAdmin area.

In pseudo-code, this is what I want.
public class MyImplementation : ISomeDependency
{
    // Get the list of content items
    // Remove unowned content items before they are rendered in TheAdmin
    public MyImplementation(Collection<ContentItem> contentItems)
    {
        foreach (var contentItem in contentItems)
        {
             if(contentItem.Owner != currentUser)
             {
                 contentItem.SendIntoOblivion();
             }
        }
    }
}
What is the appropriate dependency to implement? Then, what is the appropriate method (or is it the constructor) in which to filter and to send into oblivion content items that the current user doesn't own?

Cheers,
Shaun
Coordinator
May 7, 2013 at 11:19 PM
Go to the permissions for the role that you want to limit, and make sure the permissions for that content type are not effectively granting access. Each content type has specific permissions for one's own items and for others' items.
May 8, 2013 at 12:28 AM
Edited May 8, 2013 at 12:29 AM
Hi Bertrand,

We went to the permissions for the role that we want to limit, and then tried to make sure the permissions for that content type are not effectively granting access. That is where the problem occurs, though. We need a permission that allows View All Content on the site front-end, but allows only View Own Content in the Admin Panel. This doesn't seem possible with the existing permissions. Here is a screenshot of the two new permissions that we are trying to achieve.

Image

If this isn't an existing permission set, then we would like to create a module that achieves the same goal. That's my initial question.

Thank you for the time and assistance.

Cheers.
Shaun
Coordinator
May 8, 2013 at 1:41 AM
If a content item is visible on the front-end, it will be visible on the dashboard. It doesn't make sense from a security standpoint to hide something in the dashboard if it can be viewed on the front-end. What has a distinct permission is editing.
May 8, 2013 at 1:51 AM
Edited May 8, 2013 at 1:53 AM
Hi Bertrand,

Fair enough. That makes sense from a security perspective. Now, if we want to hide something from a usability perspective, is there a particular extensibility point to leverage? We want to create a dashboard usability module that shows users in particular roles only the content items that they own. What we are looking to add to the module is something like this:
public class MyImplementation : ISomeDependency
{
    // Get the list of content items
    // Remove unowned content items before they are rendered in TheAdmin
    public MyImplementation(Collection<ContentItem> contentItems)
    {
        foreach (var contentItem in contentItems)
        {
             if(contentItem.Owner != currentUser)
             {
                 contentItem.SendIntoOblivion();
             }
        }
    }
}
We think that it would be easier for some users, in the dashboard, if they only view content that they own. Thank you again for your guidance.

Cheers,
Shaun
Coordinator
May 8, 2013 at 2:22 AM
The simplest approach seems to be to expose them to a special content list that you generate from your own controller.
May 8, 2013 at 2:40 AM
Edited May 8, 2013 at 2:48 AM
Thank you Bertrand. I might give that a try. Why does that seem simpler? It seems harder to me, probably because I don't know what you mean.
May 8, 2013 at 5:52 AM
Edited May 8, 2013 at 5:53 AM
Hi Bertrand,

We are still trying to figure out a way to create a place for Dealers to manage their own products.

We need a secure location in which Dealers can view, create, update, and delete only content items they own, while in the site front-end, they can view any content item that anyone owns.

It doesn't look like the existing Orchard dashboard is set up for this. It also looks like you're encouraging us to create a new, separate dashboard, by way of a module, that is specifically for Dealers, that lets them create, read, update, and delete only content items they own. Is this what you mean by "a special content list" in your earlier post?

It's a bummer not to be able to leverage the existing dashboard for this; but, if that is the way it is, then that's the way it is. Thanks again for reading this thread, and I look forward to hearing your advice.

Cheers,
Shaun
Coordinator
May 8, 2013 at 6:02 AM
You can re-use a lot of the stuff in the existing dashboard. You apparently don't need anything from the dashboard's menu. A simple controller based on the existing one that the Content menu entry points to should not be too hard to make. I'm not sure what you had in mind at first, but it looks like you were going to alter core code, which is frowned upon unless you are planning on contributing a change that would be useful to the community at large.
May 8, 2013 at 3:26 PM
Edited May 8, 2013 at 5:10 PM
Hi Bertrand,

Good point. We don't need anything from the dashboard's existing menu, and we can reuse the existing controller code. We based our new controller on this one:
Orchard.Core.Contents.Controllers.AdminController
We followed this tutorial to create the module that will contain the new functionality: http://docs.orchardproject.net/Documentation/Building-a-hello-world-module

At first we did have in mind to alter the core code, but since then we have learned that this is poor form, unless we want to contribute something useful to everyone.

Thank you again for your sage guidance,
Shaun
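
An added sketch of the approach discussed above (not code from the thread or from Orchard itself): a module controller that lists only the current user's items and still authorizes each item on edit, since filtering the list is a usability measure and not access control. The namespace, controller name and the existence of matching views in the module are assumptions.

```csharp
using System.Linq;
using System.Web.Mvc;
using Orchard;
using Orchard.ContentManagement;
using Orchard.Core.Common.Models;
using Orchard.Core.Contents;
using Orchard.UI.Admin;

namespace Dealers.Dashboard.Controllers // hypothetical module namespace
{
    [Admin] // render inside the dashboard (TheAdmin) rather than the front-end theme
    public class DealerContentController : Controller // hypothetical name
    {
        private readonly IOrchardServices _services;

        public DealerContentController(IOrchardServices services)
        {
            _services = services;
        }

        // Usability filter: the query itself returns only items owned by the caller.
        public ActionResult List()
        {
            var user = _services.WorkContext.CurrentUser;
            if (user == null) return new HttpUnauthorizedResult();

            var owned = _services.ContentManager
                .Query<CommonPart, CommonPartRecord>(VersionOptions.Latest)
                .Where(r => r.OwnerId == user.Id)
                .List();

            var list = _services.New.List();
            list.AddRange(owned.Select(p =>
                _services.ContentManager.BuildDisplay(p, "SummaryAdmin")));
            return View((object)list); // assumes a List view in the module
        }

        // Access control: an item id taken from the URL is authorized on every
        // request; a role holding only the "own content" permission is refused
        // for items owned by someone else.
        public ActionResult Edit(int id)
        {
            var item = _services.ContentManager.Get(id, VersionOptions.Latest);
            if (item == null) return HttpNotFound();
            if (!_services.Authorizer.Authorize(Permissions.EditContent, item))
                return new HttpUnauthorizedResult();
            return View((object)_services.ContentManager.BuildEditor(item));
        }
    }
}
```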
May 8, 2013 at 5:34 PM
Edited May 8, 2013 at 5:35 PM
Thank you again. Your advice is working wonderfully, oh benevolent dictator!!!
May 8, 2013 at 5:59 PM
How do I +1 that?
Coordinator
May 28, 2013 at 3:12 AM
You're welcome.