Setting permissions per ContentPart, possible?

Topics: Customizing Orchard, General, Writing modules
Oct 2, 2012 at 4:17 PM


I have a requirement that different parts of a page containing 3 ContentParts be editable by different roles. Is this possible?

If it makes any difference, the parts were created using the Admin UI but I can change that.

I realise that this is probably an unusual request. Just looking for someone to point me in the right direction.


Oct 3, 2012 at 12:59 AM

Are those parts you created?

Oct 3, 2012 at 10:44 AM

Yes, they are. Thanks for the response.

Oct 6, 2012 at 3:14 AM

It's possible if you create your own drivers for each part and your own set of permissions. Essentially, you would only emit editor shapes from these drivers if the current user has the required permissions.

Oct 22, 2012 at 1:43 PM

I am seeing more and more requests for a "personalized" experience without having to maintain multiple versions of the same page, so I don't think this is that unusual.

Is adding permissions as simple as adding rows to the Orchard_Roles_PermissionRecord table?

Can a roles selection list be added to the content part (type) creation screens? It is beyond my capabilities, but seems very useful.

Oct 22, 2012 at 5:37 PM

No, you shouldn't be touching tables directly. Look at any Permissions.cs file to see how to create permissions. You can then assign those permissions to roles, and check them in driver code.

If you want to do things more dynamically, with per-part configuration screens, you'll have to do it yourself.

It *is* a rather unusual request, I'm sorry to say.

Oct 25, 2012 at 12:37 PM

Not at all, it's a very common requirement for anyone who wants to do LOB + website frontend with a CMS, but it's not doable in most if not all CMSs out there; I think only 1 or maybe 2 have this. It's also common in ecommerce.

This is the scenario I was searching for as I found this post:

We want to create a new Role on the site called "Sales", then we need a new Content Type called "Product" which has a Content Part called "Price" attached to it.

Now the requirement is that the "Price" is not viewable on the frontend for Anonymous or Authenticated, but is viewable by the "Sales" role, and for simplicity and convenience it is only editable by the Editor or above role.

This way we can effectively maintain a company site frontend with a bit of extra info for the employees without the need to create 2 separate content types.

Can this be done by writing a custom content part?

I must say that Orchard in its un-modded form is already a very powerful CMS; you have to install at least 5 plugins for WordPress to get the same stuff.

Oct 25, 2012 at 8:50 PM

Create a Permissions.cs file and add the permission in there.

Next, this is the main part. In your PricePartDriver, within the Editor method, do a permissions check, return NULL if it fails. That way the part will not be rendered.


Oct 26, 2012 at 1:41 AM

What I meant is that since we started Orchard, it's the first time I see that request, so from my point of view it is very uncommon :) But yes, any part driver can do a permission check, or you could probably also do it in a shape table provider. That would enable you to add your own permission check on existing shapes.

Oct 26, 2012 at 9:46 AM

That is uncommon, but LOB applications usually have such requirements, so I'm not surprised. I had a scenario in which e.g. the values displayed in some dropdown were dependent on certain permissions.

It's very easy to implement such things in Orchard, though. Doing a permission check is as easy as calling IAuthorizer.Authorize(permission) and if you need to have some custom permissions, just implement IPermissionProvider (which is usually put in a Permission.cs file, as Bertrand and Nick already mentioned). There is at least one implementation of it in almost every module, so you have a lot of samples to look at.

That being said - in the driver for your part you just need to do a permission check and, depending on the output, return the editor shape or null (or e.g. some different editor shape if you need). Pretty powerful stuff.
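
The approach described across the replies above (custom permissions in an IPermissionProvider, then an IAuthorizer check in the part driver), written out as an added example that is not code from any poster or from Orchard itself. The `PricePart`, `PricePartRecord`, `ViewPrice`, `EditPrice` names, the shape names and the template path are assumptions for the "Price" scenario in the thread.

```csharp
using System.Collections.Generic;
using Orchard.ContentManagement;
using Orchard.ContentManagement.Drivers;
using Orchard.ContentManagement.Records;
using Orchard.Environment.Extensions.Models;
using Orchard.Security;
using Orchard.Security.Permissions;

// Hypothetical part and record for the "Price" scenario in the thread.
public class PricePartRecord : ContentPartRecord { public virtual decimal Price { get; set; } }
public class PricePart : ContentPart<PricePartRecord> {
    public decimal Price { get { return Record.Price; } set { Record.Price = value; } }
}

public class Permissions : IPermissionProvider {
    public static readonly Permission ViewPrice = new Permission { Name = "ViewPrice", Description = "View product prices" };
    public static readonly Permission EditPrice = new Permission { Name = "EditPrice", Description = "Edit product prices" };
    public virtual Feature Feature { get; set; }
    public IEnumerable<Permission> GetPermissions() { return new[] { ViewPrice, EditPrice }; }
    // Defaults for built-in roles; a custom role such as "Sales" is granted ViewPrice in role administration.
    public IEnumerable<PermissionStereotype> GetDefaultStereotypes() {
        return new[] {
            new PermissionStereotype { Name = "Administrator", Permissions = new[] { ViewPrice, EditPrice } },
            new PermissionStereotype { Name = "Editor", Permissions = new[] { ViewPrice, EditPrice } }
        };
    }
}

public class PricePartDriver : ContentPartDriver<PricePart> {
    private readonly IAuthorizer _authorizer;
    public PricePartDriver(IAuthorizer authorizer) { _authorizer = authorizer; }

    protected override DriverResult Display(PricePart part, string displayType, dynamic shapeHelper) {
        if (!_authorizer.Authorize(Permissions.ViewPrice)) return null; // nothing rendered on the frontend
        return ContentShape("Parts_Price", () => shapeHelper.Parts_Price(Price: part.Price));
    }
    protected override DriverResult Editor(PricePart part, dynamic shapeHelper) {
        if (!_authorizer.Authorize(Permissions.EditPrice)) return null; // editor hidden
        return ContentShape("Parts_Price_Edit", () => shapeHelper.EditorTemplate(
            TemplateName: "Parts/Price", Model: part, Prefix: Prefix));
    }
    // Repeat the check before binding: if only the GET editor is guarded,
    // a posted form would still update the part through this overload.
    protected override DriverResult Editor(PricePart part, IUpdateModel updater, dynamic shapeHelper) {
        if (!_authorizer.Authorize(Permissions.EditPrice)) return null;
        updater.TryUpdateModel(part, Prefix, null, null);
        return Editor(part, shapeHelper);
    }
}
```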