Entity Permissions
Confinity allows restricting access to individual entities. For this purpose, it is defined for an entity which roles have access. If no role is assigned, all authors have access. Access restrictions only apply to author instances. A distinction is made between read and write access.
Tips
A possible scenario for access restrictions is press releases, which should not be seen by other authors before publication.
Read Access
If an entity is assigned roles that restrict read access, this has the following consequences for authors who are not assigned at least one of the roles:
- the entity does not appear in the table
- the entity does not appear in selection fields of forms of other entities*
- Example: When creating a page link, only the pages for which the author has read permission appear for selection.
- the entity does not appear on any page
- Example: The blog overview only shows blog articles for which the author is authorized.
The assigned roles for read access are automatically removed when the entity is published, and the entity can be read by all authors.
Warning
If an entity that references another entity for which the author does not have read permission is edited, the selection field will be empty, and the reference will be deleted upon saving.
Write Access
If an author lacks write access to an entity, it means that they cannot edit, delete, or publish the entity.
Publishing does not affect the assigned roles for write access.
Configuration
By default, read- and write permissions are available on all entities that inherit from ConfinityEntity. Developers can restrict this using the ConfinityPermissionsAttribute with a PermissionOption. The following options are available:
- All: edit- and read-roles can be defined (default)
- EditOnly: only edit-roles can be defined
- None: no roles can be defined
Tips
Read permissions are implemented using query filters and have a negative impact on the performance. Consider disabling read permissions on tables with lots of data.
Navigation properties
To deliver consistent results for your queries when joining related data, Confinity needs to know how to handle non-nullable navigation properties. There are two options to handle those:
- Disable read permissions for the principal entity by marking it with
[ConfinityPermissions(PermissionOption.EditOnly)]or[ConfinityPermissions(PermissionOption.None)] - Make the property nullable
Example
Let's have a look at an example. In an online shop, Authors should be able to define permissinons on EssentialsShop and EssentialsCategories, but not on EssentialsArticles.
[ConfinityPermissions(PermissionOption.All)]
public class EssentialsShop : ConfinityEntity
{
public string Name { get; set; } = null!;
public ICollection<EssentialsCategory> Categories { get; set; } = [];
}
[ConfinityPermissions(PermissionOption.All)]
public class EssentialsCategory : ConfinityEntity
{
public string Name { get; set; } = null!;
public EssentialsShop? EssentialsShop { get; set; }
public Guid? EssentialsShopId { get; set; }
public ICollection<EssentialsArticle> Articles { get; set; } = [];
}
[ConfinityPermissions(PermissionOption.None)]
public class EssentialsArticle : ConfinityEntity
{
public string Name { get; set; } = null!;
public decimal Price { get; set; }
public EssentialsCategory? EssentialsCategory { get; set; } = null!;
public Guid? EssentialsCategoryId { get; set; }
}
Reading ConfinityEntities
When working with the IConfinityDbContext, read permissions for the current user are automatically checked on the author instance. On all other instances, they are ignored. This means that entities are not returned to which the current user is not authorized.
When all entities should be returned regardless of the current users permissions, use IgnoreQueryFilters() on your IQueryable<T>.
Typical use cases for doing so:
- Background services
- Implementations of
IDynamicPageResolver<T> - Implementations of
IScheduledTask
Tips
The query filter works with simple queries, projections, joins and includes.