Episerver

Implementing field level editing restrictions in Episerver

Woman working on her laptop

Often times when building content models inside of a CMS, it’s important to consider the various types of editors and the permissions they may have within the eco-system.  One technique that I find highly effective is to limit the amount of fields a user may see based on their CMS role.  Removing non-essential fields from your every day content authors leads to system robustness and higher adoptability.  In a lot of cases, these fields need to be locked down to special administrative level roles.  Here’s how you can do it within Episerver.

Defining Fields within Episerver

First of all, defining a field within Episerver is quite simple.  To do it, you simply need to add properties to your corresponding model.  For instance, your Home Page may be defined like this:

[ContentType (GUID = "49fda103-1b15-4d1c-81bd-32263cf0d46d")]
public class HomePage : EPiServer.Core.PageData {
    [Display (Name = "Header Content Area")]
    public virtual ContentArea HeaderContentArea { get; set; }

    [Display (Name = "Body Content Area")]
    public virtual ContentArea BodyContentArea { get; set; }

    [Display (Name = "Footer Content Area")]
    public virtual ContentArea FooterContentArea { get; set; }
}
SAS IDC Episerver Commerce Guide
Delivering Customer-Centric Experiences for Digital Commerce

The IDC Technology Spotlight explores the rapidly changing commerce landscape and the top 5 benefits of a modern DXP.

Get the Guide

In this case I’ve defined a page type with 3 fields: Header Content Area, Body Content Area, and Footer Content Area.  I do find it beneficial to create the header and footer as dedicated content areas that receive specialized blocks, but more on this later.

Restricting Fields within Episerver

Now, let’s say we want to lock down our Header and Footer content areas to specific roles.  This can easily be done by creating an IMetadataAware attribute.

public class EditingRestrictionAttribute : Attribute, IMetadataAware
{
    public EditingRestrictionAttribute()
    {
    }

    public void OnMetadataCreated(ModelMetadata metadata)
    {
        // interrogate the EPiServer.Security.PrincipalInfo object to determine if the
        // current user has access to edit this field

        if (EPiServer.Security.PrincipalInfo.CurrentPrincipal.IsInRole("CmsAdmins"))
        {
            return;
        }

        // if user failed the above check, set the field to readonly and hide it for editing mode
        metadata.IsReadOnly = true;
        metadata.ShowForEdit = false;
    }
}

The cool part about this is that you can create complex authorization rules.  You could interrogate the page and check it’s location within the tree, check it’s type, compare against the user, etc.  After your logic is in place, you can simply update your models to use your new attribute:

[ContentType (GUID = "49fda103-1b15-4d1c-81bd-32263cf0d46d")]
public class HomePage : EPiServer.Core.PageData {
    [Display (Name = "Header Content Area")]
    [EditingRestriction]
    public virtual ContentArea HeaderContentArea { get; set; }

    [Display (Name = "Body Content Area")]
    public virtual ContentArea BodyContentArea { get; set; }

    [Display (Name = "Footer Content Area")]
    [EditingRestriction]
    public virtual ContentArea FooterContentArea { get; set; }
}

Hope this helps!

About the Author

I am a certified Sitecore developer, code monkey, and general nerd. I hopped into the .NET space 10 years ago to work on enterprise-class applications and never looked back. I love building things—everything from from Legos to software that solves real problems. Did I mention I love video games?

More from this Author

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Subscribe to the Weekly Blog Digest:

Sign Up
Categories