How to authorize (or not) a user to use a template?
Question
Here is the use-case: we want to allow some basic users to be able to use some templates, and we want to allow some advanced users to use more templates.
Answer
The idea is to:
- update the "editor" role and reduce its list of available templates,
- then create a new role that provides access to more templates.
Imagine that we have 4 templates in our template set: template1, template2, template3 and template4.
But we want this limitation:
- basic users can only use template1 and template2,
- advanced users can use all templates (template1, template2, template3 and template4).
By default, the editor role allows using all templates.
First, we need to limit the number of templates on the editor role and select only the templates we want to allow (template1 and template2). This means that all other existing templates (template3 and template4) won't be available to users who only have the editor role.
Then, we need to create a new role, let's call it advanced-templates, to extend the list of available templates. We choose to create a site role. Under the "Templates and Components" tab, we select template3 and template4, and we save the role. Now we can go to the site settings of our site and add this role to some users.
Behind the scenes...
First, we need to know that every time a new template is deployed (meaning a page template node is created), Jahia creates a new dedicated permission. This is done using the following rule:
rule "Create permission for template"
    when
        A new node is created
            - the node has the type jnt:pageTemplate
    then
        Create a permission in node.getNode().getAncestor(3).getPath() + "/permissions/templates" named "template-" + node.getName()
end
For instance, if you deploy a new template set "my-template-set" on version 1.0.1 that embeds 4 templates (template1, template2, template3 and template4), then this rule creates the following 4 template permissions:
/modules/my-template-set/1.0.1/permissions/templates/template1
/modules/my-template-set/1.0.1/permissions/templates/template2
/modules/my-template-set/1.0.1/permissions/templates/template3
/modules/my-template-set/1.0.1/permissions/templates/template4
The editor role has a sub-node called currentSite-access.
The full path of this node is /roles/editor/currentSite-access.
By default, the value of the j:permissionNames property is:
editModeAccess
editModeActions
editSelector
viewCategoriesTab
viewContentTab
viewContributeModeTab
viewLayoutTab
viewMetadataTab
viewOptionsTab
viewSeoTab
viewVisibilityTab
managers
view-full-wysiwyg-editor
components
templates
The last value, "templates", means that there is no restriction on the templates.
But once you choose to limit the number of templates by only selecting template1 and template2, the value of j:permissionNames is updated:
editModeAccess
editModeActions
editSelector
viewCategoriesTab
viewContentTab
viewContributeModeTab
viewLayoutTab
viewMetadataTab
viewOptionsTab
viewSeoTab
viewVisibilityTab
managers
view-full-wysiwyg-editor
components
template-template1
template-template2
This also means that if you deploy a new template5, it won't be available to users with the editor role until you allow this role to use template5; it's not automatic.
So if you want to create a new role advanced-templates and allow it to use template3 and template4, you can do it from the administration UI, or you could also create a role.xml file in your template set with the following content.
<?xml version="1.0" encoding="UTF-8"?>
<roles xmlns:j="http://www.jahia.org/jahia/1.0"
       xmlns:jcr="http://www.jcp.org/jcr/1.0"
       jcr:primaryType="jnt:roles">
    <advanced-templates j:hidden="false"
                        j:nodeTypes="jnt:virtualsite"
                        j:permissionNames="template-template3 template-template4"
                        j:privilegedAccess="true"
                        j:roleGroup="site-role"
                        jcr:primaryType="jnt:role"/>
</roles>
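To review which templates a combination of roles really grants, and to spot roles that still hold the unrestricted "templates" permission, the rules described above can be applied to a roles export. The script below is an added example, not Jahia code: the sample XML is constructed (modelled on the role.xml above), the legacy-editor role is hypothetical, and it assumes permissions appear as j:permissionNames attributes on the role node or its sub-nodes.

```python
import xml.etree.ElementTree as ET

J = "{http://www.jahia.org/jahia/1.0}"

# Constructed sample, modelled on the role.xml above; not a real Jahia export.
SAMPLE_ROLES = """<?xml version="1.0" encoding="UTF-8"?>
<roles xmlns:j="http://www.jahia.org/jahia/1.0"
       xmlns:jcr="http://www.jcp.org/jcr/1.0"
       jcr:primaryType="jnt:roles">
    <editor j:roleGroup="site-role" jcr:primaryType="jnt:role">
        <currentSite-access j:permissionNames="editModeAccess components template-template1 template-template2"/>
    </editor>
    <advanced-templates j:permissionNames="template-template3 template-template4"
                        j:roleGroup="site-role" jcr:primaryType="jnt:role"/>
    <legacy-editor j:roleGroup="site-role" jcr:primaryType="jnt:role">
        <currentSite-access j:permissionNames="editModeAccess templates"/>
    </legacy-editor>
</roles>"""


def role_permissions(roles_xml):
    """Map each role name to the set of permission names found on the role
    node and on its sub-nodes (such as currentSite-access)."""
    root = ET.fromstring(roles_xml)
    return {
        role.tag: {name
                   for node in role.iter()
                   for name in node.get(J + "permissionNames", "").split()}
        for role in root
    }


def allowed_templates(perms, user_roles, deployed):
    """Return (templates usable with user_roles, roles among them that hold
    the unrestricted "templates" permission)."""
    unrestricted = sorted(r for r in user_roles if "templates" in perms.get(r, ()))
    if unrestricted:
        return sorted(deployed), unrestricted
    granted = set().union(*(perms.get(r, set()) for r in user_roles))
    return sorted(t for t in deployed if "template-" + t in granted), []


if __name__ == "__main__":
    perms = role_permissions(SAMPLE_ROLES)
    deployed = ["template1", "template2", "template3", "template4", "template5"]
    for roles in (["editor"], ["editor", "advanced-templates"], ["legacy-editor"]):
        print(roles, allowed_templates(perms, roles, deployed))
```

With the sample data, template5 is reachable only through the role that still carries "templates", which is the case worth flagging when the goal is to restrict templates per role.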