We have three states in workflow Draft, Editorial and Final.
Content authors on save of an item goes to Draft State and once they submit it goes to Editorial state and publisher can approve or reject it.
We have Content Authors who should not be able to delete pages (for this I removed delete access for home and all pages under it) in the site but should be able to delete the pages in draft state. Can this be achieved?
I feel that since I removed delete access for home and all pages under it, author is not able to delete his page in draft state as well.
An options to make a workflow state Delete, with a action to do the delete (I think you need the security disable or user switcher to do that.
But what about, if the author edit an already existing item, maybe you need a delete version instead of item.
using Sitecore.Data.Items;
using Sitecore.Workflows.Simple;
namespace Mirabeau.Sitecore.Workflow.Action
{
public class DeleteItemAction
{
public DeleteItemAction()
{
}
public void Process(WorkflowPipelineArgs args)
{
Item item = args.DataItem;
//example it is not realy save to have this code, every one can delete now. replace or make up with own check
using (new Sitecore.SecurityModel.SecurityDisabler())
{
item.Recycle();
}
}
}
}
Use /sitecore/templates/System/Workflow/Action below the Delete Workflow/Command
in the Data section,
"Type string" set the Mirabeau.Sitecore.Workflow.Action, YourDLL
See the "Auto Publish" action in the sample workflow.
An other option is to make a custom or change the Delete Command. Somethings like this Create a Command with dialoge but than with a Delete where you do your specific rights checks.
Related
I've got a situation where I want end-users to be able to create new Sitecore items... and then immediately be able to navigate to the Item's URL. Obviously the item will have to be published... but this happens in something of a black box. Is there a way to guarantee an item has been published from Master to Web?
Alternately, I could create the Item in the Web DB... then re-create/copy a Master version at some point. But this strategy seems fraught with peril. And maybe just a bad idea in general.
Suggestions? Am I being needlessly paranoid about creating items directly in Web?
I'll start by saying my answer is not necessarily advisable. However, depending on your situation it should work.
If the items that users are creating always have the same template you could try creating a custom item resolver that falls back to using the Master database.
Allow Sitecore to attempt to resolve the item normally.
When it fails, look in the Master database.
If the item is in there, make sure it has the correct template
Set the found item as the context item.
Using this method, you can publish the items from Master->Web s normal, but you don't have to wait until publishing is completed to see it.
Once again, this should solve the problem, but it's up to you to weigh the risks of serving up Master DB content.
You can't "guarantee" because publishing may be queued and won't go live instantly. Instead if you need instant access, I recommend a preview site that points to the master database:
How to Setup a Sitecore Preview Site to Review Content Before Publishing
You could create a event mapping to a class with the code to publish the item. In the code you can define any rule you want regarnding whether to publish or not.
<event name="item:saved">
<handler type="YourType.ItemEventHandler, YourType" method="OnItemSaved" />
</event>
And the OnItemSaved would look like this: (not tested)
protected void OnItemSaved(object sender, EventArgs args)
{
if (args == null)
{
return;
}
Item item = Event.ExtractParameter(args, 0) as Item;
var webDb = Sitecore.Configuration.Factory.GetDatabase("web");
var masterDb = Sitecore.Configuration.Factory.GetDatabase("master");
foreach (Language language in masterDb.Languages)
{
var options = new PublishOptions(masterDb, webDb, PublishMode.SingleItem, language, DateTime.Now)
{ RootItem = item, Deep = true };
var myPublisher = new Publisher(options);
myPublisher.Publish();
}
}
And about creating the item in the web db, I also wouldn`t go that way. It would be replaced by the default publishing process unexpectedly.
Personally i don't like front-end user creating items in master database, i feel only content authors/editors should be the ones who create items from either content editor or page editor.
There is no guarantee the item gets published instantly, I would recommend you to store any user-created data in a separate database and on the redirect URL just read the data from this database.
Sitecore workbox does not create a new version hence it does not track the change set. (Workbox being used by staff people, admin needs to track these changes.)
According to what I have noticed, When the item is not in the final workflow state, Sitecore allows to override the content, but if the item is in the final workflow state, it will create a new version, which tracks all these changes.
Is it possible to create a new version for non final workflow states? Is it a good idea? Why Sitecore does not do this by default?
The behavior you described is what documentation says. New version of item is created only when item is in final workflow state and
The next time a content author clicks Edit for this item to lock it
before making changes, Sitecore automatically creates a new version of
the item and places the new version in the Draft state, while the
first version remains published.
There is also important information:
Make sure that content authors or other workflow users don't have a
Sitecore administrator account. Otherwise, the workflow will behave
differently. For more information about why the workflow behavior is
different for a Sitecore administrator, see the section Using a
Workflow.
According to workflow reference documentation you can use __OnSave command to create new version of item when a user saves changes to an item.
Use the /sitecore/templates/System/Workflow/Action template to create custom action.
Create a class that implement your desired behavior.
namespace OnAction
{
public class WorkflowAction
{
public void Process(WorkflowPipelineArgs args)
{
}
}
}
Here is example of creating new item version:
var language = Sitecore.Globalization.Language.Parse("en");
var item = master.GetItem(itemPath, language);
using (new Sitecore.SecurityModel.SecurityDisabler())
{
try
{
item .Versions.AddVersion();
item .Editing.BeginEdit();
....
item .Editing.EndEdit();
item .Editing.AcceptChanges();
}
catch (Exception ex)
{
item .Editing.CancelEdit();
}
}
More information about creating custom action here. Link to workflow reference.
I have seen a post in Stackoverflow regarding how to hide the "Publish sub items" from Sitecore publish pop up by overriding the visibility of the checkbox. This is really good which can avoid so many performance issues when there is large amount of content in the content tree.
Is it possible to dynamically hide this checkbox? Coz, as a developer I need to publish other Sitecore items (Templates, Settings etc.) when it comes to deployments. Therefore "Publish sub items" is a essential feature for me. Still I need it to be hidden from content editors.
How can I achieve this task?
(If there was a security configuration to control access to this feature it would have been ideal)
First of all you need to change Publish.xml file from Folder:
\web\sitecore\shell\Applications\Dialogs\Publish\
You need to change CodeBeside it will look like this :
<WizardForm CodeBeside="YourNameSpace.CustomPublishForm,YourAssembly">
Your class will be :
class CustomPublishForm:PublishForm
{
public CustomPublishForm()
: base()
{
}
protected override void OnLoad(System.EventArgs e)
{
base.OnLoad(e);
//you need to change here with users that you want to see CheckBox
if (Sitecore.Context.User.Name.Equals("lorenipsum"))
{
base.PublishChildren.Visible = true;
}else
{
base.PublishChildren.Visible = false;
}
}
}
I tested and it's working fine this solution you have just to do minor changes to your requirements.
Here is the post: Sitecore - Hide "Publish Subitems" from publish pop up
You'll want to alter the CodeBeside attribute from Sitecore.Shell.Applications.Dialogs.Publish.PublishForm,Sitecore.Client to your own class that wraps that one. In your own class override any methods you need to in order for the logic to show or hide the box per your needs, e.g. user is in a certain role.
Be aware that such modifications make upgrades a bit harder.
Copying the Publish.xml and triggering this from a new button makes it clear for everyone, that this is not Sitecore but your own logic.
I have a Sitecore 6.4 setup where an editor can click a button to generate a Word doc. I was adding the file to the media library and that was working fine. The editor would click the button in the content editor, the file was generated, media item was generated, then the content editor would show the new item in the media library and the editor could click the "download" button on the ribbon or the item to download it. However, my media library was getting unnecessarily filled up so I am trying to bypass the media library.
Instead of making the file in an arbitrary location as before, I am putting it in the temp directory like this:
wordOutputPath = Sitecore.IO.FileUtil.GetWorkFilename(Sitecore.Configuration.Settings.TempFolderPath, printItem.Name, ".docx");
File.Copy(wordTemplatePath, wordOutputPath);
WordprocessingDocument doc = WordprocessingDocument.Open(wordOutputPath, true);
After I "fill in" the file with content, I do this:
Sitecore.Context.ClientPage.ClientResponse.Download(wordFilePath);
Now if I am logged in as a Sitecore admin I get the browser's download dialog and can download the file. However, if I am logged in as a non-admin user, I get a little clicking and whirring, so to speak, and the file is generated, but the save file dialog never comes up in the browser. I can go in through the file system and see & open the Word doc, and it looks fine.
I found something in the Sitecore release notes for 6.6:
Released Sitecore CMS and DMS 6.6.0 rev. 130111 (6.6.0 Update-3)
[...]
Miscellaneous
Only Administrators were allowed to download files. (316774, 348557)
This was a problem in several areas of the system, for example the Package Generator and the Export Language Wizard in the CMS. It also affected the Export Users Wizard in the ECM module.
So I tried using SecurityDisabler (no longer have the code handy) and UserSwitcher like this:
using (new Sitecore.Security.Accounts.UserSwitcher(Sitecore.Security.Accounts.User.FromName("sitecore\admin", false)))
{
Sitecore.Context.ClientPage.ClientResponse.Download(wordFilePath);
}
The IUSR and IIS_IUSRS accounts both have read, list & read/execute permissions on the temp folder and the individual files show read & read/execute permissions for those two accounts as well.
What can I do to allow non-admin users to download these files? Does the bug that was fixed in 6.6 have anything to do with it?
Thank you.
Calling Sitecore.Context.ClientPage.ClientResponse.Download() method will result in a Download command sent back to the Sitecore Client in the Web browser, which in turn will make a call back to the server to execute it. This will be why using a security switcher (or a security disabler for that matter) before calling the Sitecore.Context.ClientPage.ClientResponse.Download() method has no effect, as the admin only restriction is being applied to the download else where.
If you search through sitecore\shell directory in your webroot, you will find that there is a file called download.aspx. This should be the actual page the download request is sent to. This web form page inherits the Sitecore.Shell.DownloadPage class, so if you take a look at that class's implementation, you will find that the OnLoad method is implemented as such:
protected override void OnLoad(EventArgs e)
{
Assert.ArgumentNotNull(e, "e");
base.OnLoad(e);
string fileHandle = StringUtil.GetString(new string[] { base.Request.QueryString["file"] });
bool flag = false;
string filename = FileHandle.GetFilename(fileHandle);
if (!string.IsNullOrEmpty(filename))
{
fileHandle = filename;
flag = true;
}
if (!string.IsNullOrEmpty(fileHandle))
{
if (MediaManager.IsMediaUrl(fileHandle))
{
this.DownloadMediaFile(fileHandle);
}
else if (fileHandle.IndexOf("id=", StringComparison.OrdinalIgnoreCase) >= 0)
{
this.DownloadMediaById(fileHandle);
}
else if (flag || Context.IsAdministrator)
{
this.DownloadFile(fileHandle);
}
}
}
As you can see, the last if block has an IsAdministrator check which would be where your non-admin users are getting blocked.
Although I haven't 100% verified that this is where the problem lies, the download restriction issue can be resolved, by creating a new class that inherits Sitecore.Shell.DownloadPage and overrides the OnLoad implementation with some extra security checks as required. I recommend that you don't remove the IsAdministrator check altogether as it is there for a good reason. Update the Inherits attribute in the download.aspx to make it use it instead.
I have a shopping cart like application running on SharePoint 2007.
I'm running a very standard update procedure on a list item:
using (SPWeb web = site.OpenWeb())
{
web.AllowUnsafeUpdates = true;
SPList list = web.Lists["Quotes"];
SPListItem item = list.GetItemById(_id);
item["Title"] = _quotename;
item["RecipientName"] = _quotename;
item["RecipientEmail"] = recipientemail;
item["IsActive"] = true;
item.Update();
site.Dispose();
}
This item updates properly, however it briefly appears as modified by System Account. If I wait a second and refresh the page, it shows up again as modified by CurrentUser.
This is an issue because on Page_Load I am retrieving the item that is marked as Active AND is listed as Modified By the CurrentUser. This means as a user updates his list, when the PostBack finishes, it shows he has no active items.
Is it the web.AllowUnsafeUpdates? This is necessary because I was getting a security error before.
What am I missing?
First off, it's not AllowUnsafeUpdates. This simply allows modifying of items from your code.
It's a bit hard to tell what's going on without understanding more of the flow of your application. I would suggest though that using Modified By to associate an item to a user may not be a great idea. This means, as you have discovered, that any modification by the system or even potentially an administrator will break that link.
I would store the current user in a custom field. That should solve your problem and would be a safer design choice.
There could be some other code running in Event Receivers and updating the item. Because event recievers runs in context of system user account, and if you update item from event reciever, the modified field will show just that: the system account has modified the item.