We have a multiple site, multiple language solution. We have a particular site (Site A) where we wish to have English as a "master" language, which is then translated and published in various other languages. We wish to prevent e.g. a French editor being able to edit and publish in any other language than French.
However, the French editor will have both English and French language read/write permissions, for their work on another part of the solution (Site B), so we can't use these to specify directly which permissions they have on Site A. We also use only removal of inheritence to limit role permissions, and never explicit denial, so permissions are cumulative.
Is it possible to create language specific workflows, with associated roles assigned to them, to prevent this editor from editing or publishing items in other languages?
Note: it would also be OK if this editor could publish in all languages, but only language versions that had been moved to the "publishable" state, and couldn't make a foreign language version publishable himself (so that if he did publish e.g. a German version it would only be a finished, publishable version, not a work in progress).
EDIT: To clarify, I don't mind my editor being able to publish all publishable versions of an item, as long as he can only edit in the one language he has ownership of for that site and cannot make other versions publishable.
If not, is there a standard/best practice solution to this problem?
You can force Sitecore to publish only items to which a user has read/write access by changing the following settings in web.config:
Publishing.CheckSecurity = true
Publishing.RequireTargetDeleteRightWhenCheckingSecurity = false
Use Default or Custom Access Rights to Control Whether Users Can Publish an Item
This does mean that you need to separate your roles and permissions out to be quite granular, i.e. you will need separate roles for Site 1 English Editor, Site 1 French Editor, Site 2 English Editor etc.
EDIT: Thanks for the clarification above and I can see where your problem lies. As I mentioned in the comments above, maybe you can hide/disable the language option on the Publish dialog. Just been taking a look at Sitecore.Shell.Applications.Dialogs.Publish.PublishForm and as expected there are a few private methods you would have to replicate, but you can add your own logic to BuildLanguages() to get what you need. Just duplicate sitecore\shell\Applications\Dialogs\Publish\Publish.xml to sitecore\shell\Override and change the codebeside to point to your custom logic.
I hate to add fields to system templates normally, but maybe add another field to /sitecore/templates/System/Language to specify which roles/user can publish that language. You can use the Account Selector Field for this.
You can set security on workflow actions, thus preventing an action being performed by certain users. If that won't solve thing (because the same workflow is involved), you can always revert to implementing a workflow action yourself, this is easy.
I have handled this in the past by creating multiple accounts for the user. In your case, one for Site A in English and one for Site B in English and French. It may not be ideal, but i don't think creating extra languages is either. Good luck!
Related
I am making a blogging website using wagtail so we have multiple writers so I need that no one can see drafts of other users and only the superadmin can post the blogs but I can't find that setting.
Previewing and submitting pages for moderation
The Save/Preview/Submit for moderation menu is always present at the bottom of the page edit/creation screen. The menu allows you to perform the following actions, dependent on whether you are an editor, moderator [...]
Source: http://docs.wagtail.io/en/v2.3/editor_manual/new_pages/previewing_and_submitting_for_moderation.html
Editors (you call them writers) can submit for moderation. Moderators can publish. So this part of your requirements is built in. My advice is to create users for each type and play around to get a feeling for this workflow.
There is no (out of the box) way to show pages to their creators only. However, you can give groups access to parts of the page tree:
Go to a page in the admin.
Top right, click the Privacy setting. Public is the default.
Change to 'Private, accessible to users in specific groups'.
Choose a group.
Now only users in this group can edit this section. So this page and all it's child pages.
Default there are two groups: Editors and Moderators. You can create new groups via /admin/groups/new/. If you give each user it's own group, you have what you want. Their pages will live in their own part of the page tree though.
Note that when you create a group it is also possible to limit permissions per content type. So you can make a group of users responsible for content of a specific type.
Wagtail users, groups, permissions, workflows and privacy settings makes it possible to configure permissions in a fine grained way. This will be sufficient in most cases.
When you have a project requirement that is more demanding, you can always add some extra logic to meet your requirement. Python/Django/Wagtail is a flexible software stack. But before going there, I would advice you to see if the standard settings are sufficient. If not, you should describe your requirements in more detail.
It is very easy to give permissions to edit a specific page in django cms
However, I didn't find a way to give a permission to edit a page in a certain language.
It's a very common scenario, I have my Spanish, Russian and English editors, and I want that everyone will be able to edit only the pages in their language.
Is there a way of doing it that i'm missing? and if not, what can be done to solve it?
At this moment there is an overhaul done of the page permission in Django CMS. One of the things they want to solve is Permission per language.
https://github.com/divio/django-cms/issues/4598
If everything goes well, it will be released in DjangoCMS 3.4
As of today, there is no way to set permissions on a page+language basis.
The remaining options are to submit a feature request or fork django-cms and implement on your own.
We have chosen Alfresco for our project because Alfresco meets most of the functional requirements we need.
Share is a great app, nevertheless it has too much functionality for our scenario, much more than we need in our project. This is the reason of posting this question, we don't know what's the best option: either customize Share creating custom pages, custom dashboard, custom actions and metadata etc. or create a new web application that interacts with the repository.
Roughly, we have these requirements:
Custom header with custom menu, disabling direct access to Repository (users only can collaborate using Sites)
Custom dashboard that contains
On the left, list of Sites
On the center, custom dashlets which shows several content in different ways and formats
One of the dashlet would be a "dynamic" dashlet as I explain in my last question
Custom document details page, with custom actions and custom metadata
I would like to know opinions based on experience, explaining when and why would be a good idea to create a new web app that interacts with the Alfresco repository or when to customize Share according to your needs. I'm highly interested on knowing Share customization limits.
Thanks.
Alfresco Share doesn't really have any limitations, it's already an UI built upon the repository.
I've seen Share modification till the sky and one can't even see it's Share any more.
The things you've described above are just templating and building the rightfully freemarker templates/js to view the piece of information.
If you take a good look at the default templates with their regions and shift around the default regions you'll see that you don't need heavy customizations to achieve a different layout.
The only thing one probably lacks is experience with Share.
In the last year we've had a couple of incidents where a user accidentally unpublished the 'Home' item (which is the root item in our site), before publishing it to our 'Live' database, which removed it from the site.
What is the best way to prevent important content from being unpublished from a production Sitecore web site?
Your "easy" security options are to either protect the Home item itself from editing, or to restrict access to publishing options. Using standard Sitecore security, disable write access on Home for a particular user role, or disable read access on the Publishing Restrictions chunk or button in core (/sitecore/content/Applications/Content Editor/Ribbons/Chunks/Publish Restrictions/Change).
If you really don't need anyone besides admins editing the Home item, you can also Protect the item from the Configure ribbon.
If you'd like to just disable publishing restrictions on Home, that could be more complicated. Your best approach would likely be to extend the SetPublishing command. The following is untested:
Extend Sitecore.Shell.Framework.Commands.SetPublishing
Override Execute(CommandContext)
Check context.Items[0] to see if it's your home page (GUID or Template ID check if multi-site). If so, abort. If not, call base.Execute(context). (You could also add a check for Sitecore.Context.User.IsAdministrator if so desired.)
Replace item:setpublishing command in Commands.config.
Reference Sitecore.Shell.Framework.Commands.SetPublishing in your favorite decompiler as needed.
You can also just mark the home item as protected. You can double-check but I believe that prevents any mod/del of an item. In the Configure tab, see Protect Item button
This question is (I think) about object/row level permissions in Django.
We are building a community and need to be able to set permissions based on actions that users take. For example, you should not be able to start a thread until you have posted so and so many answers.
Also, the users should be able to remove content that belongs to themselves. Based on the Django documentation, it seems like the standard framework does not support permissions for instances.
Should we build on the "empty" API that Django supplies, or should we use an app for this like django-guardian, django-rules, etc? Which ones would you in that case recommend?
Thank you!
you should not be able to start a thread until you have posted so and so many answers.
You don't need to use per-object permissions for that. Actually, you don't need to use permissions for that at all. Just check if user meets the requirements in your views.
Or you can use standard django permissions engine. Create permissions like "Start a Thread", then set up signals to track when users add answers. When singal is emitted check if a user has enough answers and grant him the "Start a Thread" permission.
It's up to you to decide which one works better for you.
Also, the users should be able to remove content that belongs to themselves.
This can be done with per-object permissions. But if it's the only reason to use them then I'd just add a field author to your models and use a simple item.author == request.user check to test if user can delete the item.
So, my general advice is to keep it simple. Analyze your needs. Per-object permissions is a powerful tool which may be an overkill in your situation.
I recommend you to go with Django-guardian.
Django-guardian
Great, DRY, maintained and well-tested app, that solves the issue. As of today, this is the most maintained and actively developed library for implementing per-object permissions.
We are currently using django-guardian in one of our big projects and are very pleased with stability and functionality.
Django-guardian source code is very simple and easy to understand because it is built upon the permission code in Django core.
However, there is a minor issue with Django permissions for proxy models which is not fixed in Django core thus making it really tricky to set permissions (global and per-object alike) for them. One of the ways to overcome this is to declare all permissions in a non-proxy object and query for them every time when you need to check for permission to access a proxy model.
Per-object permission library by OSU Open Source Lab
It is more of a standalone application than Django-guardian and supports older versions of Django. This app is relatively well maintained. (I personally haven't used it.)
Other solutions form older posts.
But most of them are poorly maintained.
Of course, if you need to implement only a few minor checks, row-level permissions are overkill, just like Andrey said.