Evaluating Live Server Read Permissions

CMS Fiona lets you assign read permissions to published content in order to control which visitors are permitted to access it. These permissions are granted to user groups, and the Rails Connector gives you access to these groups so that your application can evaluate them.

Control access to protected content

If dedicated read permissions have been assigned to the released version of a CMS object, the Rails Connector automatically blocks this content depending on the visitor's group memberships. When a visitor attempts to access blocked content, the Rails Connector delivers a 403 error page.

To change this behavior, you can override the method that performs this check. This method is common to all Obj models, i.e. to all object classes:

# app/models/obj.rb

class Obj < RailsConnector::BasicObj
…
  # Called by the Rails Connector before content is delivered; returning
  # false results in the 403 error page. user is nil for anonymous visitors.
  def permitted_for_user?(user)
    # Editors see everything in editor mode.
    return true if RailsConnector::Configuration.mode == :editor
    permitted_groups = permissions.live
    # No live read permission assigned means the object is public;
    # an anonymous visitor (nil user) has no groups and is blocked.
    return true if permitted_groups.empty?
    return false if user.nil?
    (permitted_groups & user.groups).any?
  end
…
end

The code in the example above grants access unconditionally in editor mode and otherwise checks whether at least one of the user's groups (maintained by your own user management) is contained in the list of groups assigned to the live read permission (permissions.live) of the CMS object in question. Therefore, user.groups needs to be implemented in accordance with your user model. Keep in mind that the method is also called for visitors who are not logged in; in that case current_user (see below) returns nil, so the check must not call user.groups on a nil user.

Note that different permissions can be queried, depending on the mode in which the Rails Connector is operating.

  • In editor mode, the lists of groups permitted to read or write the object, to act as root, or to create_children of it are available.
  • In normal mode, the live permission groups of the CMS object can be queried.
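The following self-contained script is an added example, not code from the Rails Connector or from CMS Fiona. It models the live read permission check and the mode-dependent permission lists with plain Ruby stand-ins (Permissions, CmsObj and AppUser are simplified replacements for the real classes, and the connector mode is passed as a parameter instead of being read from RailsConnector::Configuration), so the rule can be exercised against constructed objects and visitors, including the two edge cases an override has to handle: an anonymous visitor and an object without any live groups.

```ruby
# Added example: stand-alone model of the live read permission check.
# Permissions, CmsObj and AppUser are simplified stand-ins for the real
# Rails Connector and application classes; the connector mode is passed in
# instead of being read from RailsConnector::Configuration.

# Each field holds the names of the groups granted that kind of access.
Permissions = Struct.new(:live, :read, :write, :root, :create_children)

# A CMS object reduced to what the check needs.
CmsObj = Struct.new(:path, :permissions)

# The application's own user model; a nil user is an anonymous visitor.
AppUser = Struct.new(:name, :groups)

# Permission lists that can be queried in a given connector mode.
EDITOR_PERMISSIONS = %i[read write root create_children].freeze
LIVE_PERMISSIONS   = %i[live].freeze

def queryable_permissions(mode)
  mode == :editor ? EDITOR_PERMISSIONS : LIVE_PERMISSIONS
end

# Group names granted a kind of access, or nil when that kind cannot be
# queried in the given mode (for example :live in editor mode).
def permitted_groups(obj, kind, mode: :live)
  return nil unless queryable_permissions(mode).include?(kind)
  Array(obj.permissions[kind])
end

# The read check. Rule: editor mode sees everything; an object without
# live groups is public (the default behaviour described for the
# connector, assumed here for the override too); an anonymous visitor has
# no groups and is blocked; otherwise at least one of the user's groups
# must be among the groups granted live read permission.
def permitted_for_user?(obj, user, mode: :live)
  return true if mode == :editor
  allowed = Array(obj.permissions.live)
  return true if allowed.empty?
  return false if user.nil?
  (allowed & user.groups).any?
end

# Constructed sample data, not taken from a real CMS.
BOARD_MINUTES = CmsObj.new('/intranet/board',
                           Permissions.new(%w[staff board], %w[editors], %w[editors], [], []))
PRESS_RELEASE = CmsObj.new('/news/release',
                           Permissions.new([], %w[editors], %w[editors], [], []))

ALICE = AppUser.new('alice', %w[staff])
BOB   = AppUser.new('bob', %w[customers])
ANON  = nil

# Evaluates the check for several visitors; returns path => names of the
# visitors who may read the object.
def access_matrix(objs, users, mode: :live)
  objs.each_with_object({}) do |obj, acc|
    acc[obj.path] = users.select { |u| permitted_for_user?(obj, u, mode: mode) }
                         .map { |u| u ? u.name : 'anonymous' }
  end
end

if __FILE__ == $PROGRAM_NAME
  access_matrix([BOARD_MINUTES, PRESS_RELEASE], [ALICE, BOB, ANON]).each do |path, names|
    puts "#{path}: #{names.join(', ')}"
  end
end
```

Running the script lists, for each constructed object, which visitors pass the check in live mode: only alice reaches the board minutes, while the press release, which has no live groups, is readable by everybody including the anonymous visitor. Passing `mode: :editor` to `permitted_groups` or `permitted_for_user?` switches to the editor-mode behaviour described in the list above.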

Authenticating users

The Rails Connector offers no functionality to authenticate users. This functionality can be provided by one of the several publicly available gems. What the Rails Connector does offer, though, is an interface for making a user model known to your application. To use it, override the following methods:

# app/controllers/application_controller.rb

class ApplicationController < ActionController::Base
…
  # The user model instance for the current session, or nil for an
  # anonymous visitor. User.from_session belongs to your own user model.
  def current_user
    User.from_session(session[:user]) if session[:user]
  end

  def logged_in?
    !current_user.nil?
  end

  # Guard against the nil current_user of an anonymous visitor.
  def admin?
    logged_in? && current_user.admin?
  end
…
end