Introduction to Permissions

Scrivito is equipped with a permission control system that lets you fine-tune the actions editors may take as they edit content in place.

This article introduces the basic ideas behind permissions in Scrivito. For a detailed tutorial on how to implement permission control, watch this video (three parts, total time: 19 minutes):

Protect your content

By default, everyone who creates a working copy has full control over it, meaning that they can create and modify content anywhere on the website. Every editor can also publish their working copy, making their changes visible to the world.

This should be acceptable for smaller organizations where only half a dozen people are entrusted with content maintenance tasks. Larger companies offering a diverse spectrum of information to their website visitors, however, may want to restrict publishing to their specialists in order to preserve the quality and integrity of their content.

To achieve this, Scrivito lets you refine the privileges individual users have regarding working copies and the content. This is a development task. The in-place editing mechanisms Scrivito provides rely on custom callback functions for determining whether or not the current user is permitted to perform a particular action.

Quick start

For a quick result, if you just deployed your website for the first time and wish to edit content in production, simply add a minimalistic editing_auth callback to your application:

# config/initializers/scrivito.rb
Scrivito.configure do |config|
  # Authentication stuff goes here...
  config.editing_auth { |env| Scrivito::User.system_user }
end

This is the “Chuck Norris mode”, so please protect your site with basic authentication to prevent passers-by from manipulating your content. In this mode there are no Scrivito users, and your application is not connected to any kind of user management.

Translating users

Think of a Scrivito user as an extension of a user defined somewhere else, for example in your application's user management. The main purpose of Scrivito users is to equip these real users with CMS-specific properties and methods; the methods determine the real users' CMS-related privileges.

The minimalistic editing_auth callback above doesn't make use of this. If we wanted it to, we'd have to provide an interface (referred to as “ScrivitoUser” below) that translates real users to Scrivito users, authenticating them and allowing or denying them editing actions on-the-fly, like so:

Scrivito.configure do |config|
  …
  config.editing_auth do |env|
    user = … # read user from environment
    ScrivitoUser.from(user) if user
  end
  …
end

In the process of translating a user originating from your user management back end to a Scrivito user, you can restrict or extend a user's privileges depending on any criteria accessible to the translation method. For details, take a look at Making an Editor a Supereditor or Defining Users and Their Permissions.
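The following added example (not Scrivito's own code) models the translation step described above in plain Ruby: an editing_auth-shaped callback reads the application user from the request environment and hands it to a ScrivitoUser.from method that maps roles to CMS privileges, denying everything by default and reserving publishing for specialists. The env key 'app.current_user', the AppUser struct, the role names and the can? method are assumptions standing in for Scrivito::User, not the SDK's API.

```ruby
# Added example: a stand-in for the real-user-to-Scrivito-user translation.
# 'app.current_user', AppUser, the role names and can? are assumptions.
AppUser = Struct.new(:login, :roles)

# CMS-side user: deny by default, allow only what the translation granted.
class ScrivitoUser
  PUBLISHERS = %w[supereditor].freeze

  def self.from(app_user)
    grants = []
    # Every plain editor may read and write anywhere in the content tree.
    grants << [:read, '/'] << [:write, '/'] if app_user.roles.include?('editor')
    # Marketing staff may read everything but write only below their subtree.
    grants << [:read, '/'] << [:write, '/marketing'] if app_user.roles.include?('marketing')
    # Publishing stays with the specialists.
    grants << [:publish, '/'] if (app_user.roles & PUBLISHERS).any?
    new(app_user.login, grants)
  end

  attr_reader :id

  def initialize(id, grants)
    @id = id
    @grants = grants
  end

  # True when some grant covers the verb on the given path (or a parent of it).
  def can?(verb, path)
    @grants.any? do |granted_verb, root|
      granted_verb == verb &&
        (root == '/' || path == root || path.start_with?("#{root}/"))
    end
  end
end

# Shape of the block passed to config.editing_auth: returns nil (no editing
# at all) when the request environment carries no authenticated user.
EDITING_AUTH = lambda do |env|
  user = env['app.current_user']
  ScrivitoUser.from(user) if user
end

# Helper that runs the callback against a constructed request environment.
def decide(verb, path, roles)
  env = { 'app.current_user' => AppUser.new('jane', roles) }
  cms_user = EDITING_AUTH.call(env)
  cms_user ? cms_user.can?(verb, path) : false
end
```

Anyone without a role ends up with an empty grant list, so the prefix check in can? is what keeps a '/marketing' writer out of '/marketingx' as well as '/about'.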