I am looking for some pointers on how it could be possible to control access to tabs in the Umbraco UI. It would be helpful to have the ability to specify which UserGroups have access to tabs and the ideal place to do this would be in the dashboard.config.
By tabs, do you mean the sections in the lower left area of the umbraco backend? Editors can be restricted to specific sections from the Users section, where you can tick off the sections available to each editor user.
If you mean tabs on Document Types, I don't know of any way to do this.
I believe that you'd need to modify the Umbraco core, the user permissions are only at a node level, not at a node property level.
If you wanted a hack you could have a custom data type which looks at the user group and injects JavaScript which either removes or disables the tabs depending on the user permissions.
Dennis, the area you are referring to I call sections and not tabs. The tabs I was referring to were the ones that hold user controls and are controlled via the dashboard.config.
Slace, thanks and that is what I was hoping wouldn't be the case however looks like it might be the only option at the moment unless in future something is built into the core which I think should be and controlled via dashboard.config.
Example of how th dashboard.config tab node could look:
I have a working solution for this now that I hope to be able to post for others very soon. I am just trying to make it less of a hack and more of a future proof addition to Umbraco as I can.
I don't recall this problem/ feature having been raised to the core team prior to now so it's not something that we have previously though of implementing. In addition I don't think that this will be very high on the feature list. It definately wouldn't make a v4.1 release and I really doubt it would make it to a v5 release unless it was in very high demand.
If you do think it's a valuable feature please feel free to add it to codeplex and if it is voted into a very high position we'll be more likely to investigate ho to achieve it.
In the meantime I plan to offer a package to allow others to add the option to their installs. To be honest I would be surprised if I am the only developer not to have the need to hide certain things from different user types but still needing to give that group access to a particular section.
You could copy all of the functionality from the editContent page from the Umbraco source and create your own page and add whatever custom functionality you like (using member roles, etc... to limit security for tabs), then add a URL rewrite for the editContent page in the admin section to point to your custom page.
This is a bit of a ui hack and is security by obscurity but it does the trick from the user interface perspective, and prevents you from having to recompile the source.
I have created a usercontrol and placed it in the editcontent.aspx file. On loading of the page it checks the currently logged in user and if not an admin user, registers a jquery function to hide any tab prefixed with an asterisk as it's name. When creating a document type, simply store all "admin" properties on one or more tabs prefixed with a '*' and the properties will only be available to 'admin' users. This obviously can be extended with a prefix character per user role to hide tabs per role.
Create a new usercontrol (ASCX) file with the following code and save it to the usercontrols folder.
<%@ Control Language="C#" AutoEventWireup="true" %>
Then add the control within the contentplaceholder:
<tsc:TabSecurity runat="Server"/>
Obviously the best option is to get this integrated into the core but should solve your problem in the meantime. I am currently extending this to store the prefix characters in a configuration file for easier management.
Chris, it would be much nicer to actually find the .Net tab control to set it's Visible property to false so that it is not rendered out on the client side whatsoever... otherwise, people can easily use Firebug or whatever to modify the DOM to re-enable the tab...
That would have been my first choice too, but unfortunately the TabView control stores the tabs arraylist in a private variable and custom renders the tab which gives me no access to the tabs to show/hide. It does provide public access to the associated panels, but again since I don't have access to the tabs array, I can't determine the tab caption to know which panel to hide/show. If the tabs arraylist were public, I would be all set. It's a shame one word like 'private' can stop you in your tracks :)
I notice this never actually got changed in the core (its still the same as in 4.0x in the latest source). Is there any chance of getting this changed?
I'm not really sure why there are two arrays to be honest, would it not have made more sense to just have a property called "TabCaption" on the TabPage object? Then you could just have one ListArray instead of two, and it would mean that the panel has an idea of which tab it belongs to.......
I'd be hapy to change this in the core myself if need be, but I'm not sure what the protocol is for making changes to it.......
I made a tab hider extension that allows you to hide tabs by user type and content type, you could use that to hide the tabs. For the properties, there's a protected property extension in the projects as well!
Controlling Access to Tabs in the UI
I am looking for some pointers on how it could be possible to control access to tabs in the Umbraco UI. It would be helpful to have the ability to specify which UserGroups have access to tabs and the ideal place to do this would be in the dashboard.config.
Is this possible now or is a hack required?
By tabs, do you mean the sections in the lower left area of the umbraco backend? Editors can be restricted to specific sections from the Users section, where you can tick off the sections available to each editor user.
If you mean tabs on Document Types, I don't know of any way to do this.
I believe that you'd need to modify the Umbraco core, the user permissions are only at a node level, not at a node property level.
If you wanted a hack you could have a custom data type which looks at the user group and injects JavaScript which either removes or disables the tabs depending on the user permissions.
Like I said it's a hack ;)
Dennis, the area you are referring to I call sections and not tabs. The tabs I was referring to were the ones that hold user controls and are controlled via the dashboard.config.
Slace, thanks and that is what I was hoping wouldn't be the case however looks like it might be the only option at the moment unless in future something is built into the core which I think should be and controlled via dashboard.config.
Example of how th dashboard.config tab node could look:
I have a working solution for this now that I hope to be able to post for others very soon. I am just trying to make it less of a hack and more of a future proof addition to Umbraco as I can.
I don't recall this problem/ feature having been raised to the core team prior to now so it's not something that we have previously though of implementing. In addition I don't think that this will be very high on the feature list. It definately wouldn't make a v4.1 release and I really doubt it would make it to a v5 release unless it was in very high demand.
If you do think it's a valuable feature please feel free to add it to codeplex and if it is voted into a very high position we'll be more likely to investigate ho to achieve it.
In the meantime I plan to offer a package to allow others to add the option to their installs. To be honest I would be surprised if I am the only developer not to have the need to hide certain things from different user types but still needing to give that group access to a particular section.
New work item created - please vote now!
http://umbraco.codeplex.com/WorkItem/View.aspx?WorkItemId=23256
You could copy all of the functionality from the editContent page from the Umbraco source and create your own page and add whatever custom functionality you like (using member roles, etc... to limit security for tabs), then add a URL rewrite for the editContent page in the admin section to point to your custom page.
Another way to do custom security for editing content is just create your own custom data types which lock content down based on roles, etc...
This is a bit of a ui hack and is security by obscurity but it does the trick from the user interface perspective, and prevents you from having to recompile the source.
I have created a usercontrol and placed it in the editcontent.aspx file. On loading of the page it checks the currently logged in user and if not an admin user, registers a jquery function to hide any tab prefixed with an asterisk as it's name. When creating a document type, simply store all "admin" properties on one or more tabs prefixed with a '*' and the properties will only be available to 'admin' users. This obviously can be extended with a prefix character per user role to hide tabs per role.
Create a new usercontrol (ASCX) file with the following code and save it to the usercontrols folder.
<%@ Control Language="C#" AutoEventWireup="true" %>
<script runat="server">
protected void Page_Load(object sender, EventArgs e)
{
if (umbraco.helper.GetCurrentUmbracoUser().IsAdmin()==false)
{
string jcode = "$(document).ready(function(e){$(\"#ctl00_body_TabView1 div.header ul li a:contains('*')\").css(\"display\",\"none\");});";
}
}
</script>
Open the editcontent.aspx page (located in the umbraco folder) in notepad. Add a register tag to the top of the page.
<%@ Register TagPrefix="tsc" TagName="TabSecurity" Src="../usercontrols/TabSecurity.ascx" %>
Then add the control within the contentplaceholder:
<tsc:TabSecurity runat="Server"/>
Obviously the best option is to get this integrated into the core but should solve your problem in the meantime. I am currently extending this to store the prefix characters in a configuration file for easier management.
-Chris
Good stuff Chirs, thanks! In the true spirit of hacking for the better.
-Paul
Great stuff Chris, added my vote!
Chris, it would be much nicer to actually find the .Net tab control to set it's Visible property to false so that it is not rendered out on the client side whatsoever... otherwise, people can easily use Firebug or whatever to modify the DOM to re-enable the tab...
Shannon,
That would have been my first choice too, but unfortunately the TabView control stores the tabs arraylist in a private variable and custom renders the tab which gives me no access to the tabs to show/hide. It does provide public access to the associated panels, but again since I don't have access to the tabs array, I can't determine the tab caption to know which panel to hide/show. If the tabs arraylist were public, I would be all set. It's a shame one word like 'private' can stop you in your tracks :)
Good to know... this sort of stuff we can definitely change in the core so that we can easily create things to extend the UI without hacking things.
Well, noted. Any chance you want to log a bug for this in CodePlex? and i'll see to changing it for 4.1.
I notice this never actually got changed in the core (its still the same as in 4.0x in the latest source). Is there any chance of getting this changed?
I'm not really sure why there are two arrays to be honest, would it not have made more sense to just have a property called "TabCaption" on the TabPage object? Then you could just have one ListArray instead of two, and it would mean that the panel has an idea of which tab it belongs to.......
I'd be hapy to change this in the core myself if need be, but I'm not sure what the protocol is for making changes to it.......
Did this ever get resolved?
I would like to hide a tab or just a specific property for everyone except administrators when loading the content.
Rich
Hi @Rich
I made a tab hider extension that allows you to hide tabs by user type and content type, you could use that to hide the tabs. For the properties, there's a protected property extension in the projects as well!
Hope that helps.
:)
Cheers,
Tim.
is working on a reply...