How to Implement Contentful CMS User Resource Access Control? - authorization

I'm building a website with different users that belongs to different "accounts"
Is there a way when using Contentful CMS or similar headless CMS service to restrict contents based on user and their accounts?
e.g. This document can only be accessed by users that belongs to account 1234
Thank You!

I don't know about Contentful, but with Content Chef (https://contentchef.io)
you can create different "spaces" and have different users for each space, so you should be able to easily do what you need!
Full disclaimer: I'm working in Content Chef:)

Related

How best to handle accounts across two different systems?

I want to use Shopify for our commerce solution but to build out a custom admin/user settings system. The key hurdle I'm dealing with is users and authentication. Let's assume my site is a.com and my admin system is my.a.com on a different host. I want the user to be able to log in to both the Shopify site and their custom admin/user page using the same username and password (effectively SSO but without a third-party service).
Constraints:
I don't want to build a custom application as I foresee us ultimately going fully custom at some point down the road
Just in case someone asks, yes the admin/user settings page is complex/unique enough that it warrants a custom solution to provide a good user experience.
Possible Solution 1
Have accounts created on the custom admin site and use the Create Customer API to keep the two databases in sync.
Questions:
How do I handle the email validation coming from Shopify (the customer should be oblivious to Shopify as it's an implementation detail)
Possible Solution 2
Have all accounts created via Shopify and the admin site and create an associated on on the admin site.
Questions:
How do I handle authentication for a specific user across origins. The only OAuth scenarios I seem to be able to track down are at the app level not per user.
I greatly appreciate any insights you all may have. Thank you.

Limited edit rights on pages in Piranha.Core

I've found piranha.core cms this week and it looks great and very extendable.
I need CMS in a site that will need user registration for a fundraiser event for a charity. This would be for donators as well as volunteers raising money.
But I also want some users to be able to create news post, etc.
This project would require volunteers to be able to edit content on a profile page and for dontators to track their donations.
I'd like the accounts of my registrants, volunteers and content creators to be the same accounts.
The Piranha.core example uses 'Piranha Identity With Seed', which in turn uses asp.net identity as I've seen in the UserController.
So here's what I'd like to do :
Register users,
Create a page for a volunteer when a volunteer registers,
Assign rights to the volunteer to be able to edit/publish only their own page.
So I think I could register a user using the Asp.net Identity UserManager, copy a template page using the PageEditService, but the question is: can I limit the rights of a user to just being able to edit the user's profile page? (maybe not even all content on the page)
Cheers,
Jurjen
The manager permissions are function based so that user groups can be assigned the rights to perform different actions on different types of entities. There is no support at the moment to limit access to specific pages to specific users.
My advice is to create the edit view in the front-end application as it is extremely easy to load & update pages with the existing Api, and this will probably give you more freedom in regards to what you want the users to be able to edit on the page.
For connecting the created pages with their users you could either:
Add a StringField to the PageType containing the user id, or
Add you own database table in your own DbContext connecting the user & page.
I would also consider using Posts for your volunteers instead of Pages. This way you could use the built in functionality for creating a Volunteer archive where volunteers could be categorized and tagged for easier searching. It will also make sure the sitemap stays uncluttered and focused.
Best regards

Implementing login for users at the frontend

I'm not very used to Apostrophe and currently checking out that CMS.
What I want to do is implementing a user login at the frontend.
I tried using the apostrophe-user module but users that were created using that module are able to login to the backend and I don't want them to be able to do this.
Is it somehow possible to achieve what I want to do?
Thank you very much in advance!
Edit: I'm also using apostrophe-headless
You can use apostrophe-groups to create a sub group of users with specific permissions and then check those permissions in various places (like templates) to show or not show certain admin experiences.
https://apostrophecms.org/docs/tutorials/intermediate/permissions.html
You could further customize the login experience of these users by tapping in to the apostrophe-login, redirecting them to a special part of the website, etc https://apostrophecms.org/docs/modules/apostrophe-login/index.html

Piranha CMS Login issue

I am using Piranha CMS , and i want to create multiple users in different group, i tried to do so but its not allowing me to login those users,even i have to implement that logged in user should only edit few pages which is permitted to that user. How can i restrict user to do so
The group permission system in Piranha CMS is hierarchical, this means that all users that should be able to log in to the manager should derive from the group admin.
When you have that set up you can take a look at the different permissions in the manager interface and assign these to different groups.
There are however no support to allow users to only edit certain pages, if you want that kind of behavior you'll have to implement it yourself in the available manager hooks.
Regards

Advice on implementing secure page with a list returned from REST API

I'm new to Piranha CMS and just trying to get my head around it. I'm using the MVC implementation and I need to do the following:
I need to extend the User with a property that stores an account number.
I need a page that is only accessible once the user logs in
On this page, I need to call a REST API on another server, using the account number a parameter, to retrieve a list of documents that the user has stored on this server.
When the user clicks the document, it will be downloaded as a PDF using the REST API once again
I just need general guidance on how to do this. How do I store the account number against the user (and manage this) and do I need to create a new Region that will show the list of documents from the remote server. Is there an example of creating a new Region anywhere and maybe returning a list from SQL that I can adapt?
Any help gratefully received.
Thanks in advance
Mike
The easiest way is to implement an extension with your custom fields that you attach to the user where you store this information.
When editing a page, go in under "settings" and select which groups should have access to your page. For this purpose I suggest creating a new group for site users that are not admins.
This should be easily implemented in either the controller or model for your page. When the user is logged in "User.Identity.Name" is the user id. Get the user, load the extensions & use the account number.
See number three.
Regards