In Flow: The Mura Blog

Mura Plugins Boot Camp: Day 5 - Permissions

August 11, 2015 by Grant Shepert

Security is an important part of any application development. In my last post in this series, I looked at application-level security. This time we're going to look at authentication and permissions.

Authentication and permissions go hand in hand. In part this process is simply the process of verifying a person is who they say they are. Another aspect of this, or perhaps the "contextual" part of this, is verifying they have the necessary rights to perform a specific action like view or edit a page.

The Mura Scope (a.k.a. "$") has some handy helper functions that you can use in your plugin to help with the authentication process, the most basic of which is:


The $.currentUser() is, as you might expect, the user currently viewing the Mura website (or accessing the Mura CMS administrator). They don't have to be logged in; every Mura "user" has their own session, and this is part of what $.currentUser() represents. The helper function isLoggedIn() returns true if the user has logged in to Mura, and false if they have not. Pretty easy, right? So, you might have the following logic in your application:

if( $.currentUser().isLoggedIn() ) {
   ... do something ...
} else {
   location( "?display=login" );

In this case, if the user is not logged in the page will redirect and the Mura CMS login screen will be displayed.

Once we have determined if a user is logged in, we can then evaluate if they have permission to perform a specific act. Mura uses the concept of "Groups" to assign permissions. For instance, you might have a "Member" group that handles permissions for your site members, a "Subscriber" group for people who have subscribed to a part of your site, and a "Contributors" group that determines whether or not they can create content on a particular part of your site. These Groups can of course be used in the Mura Site Administrator to determine some of these permissions, but you can easily use them in your plugin as well:

if( $.currentUser().isInGroup( "Contributors" ) {
   ... let them access the area ...
} else {
   return "Sorry, you are not a contributor!"

Another important helper function is $.currentUser().isSuperAdmin(). As the name suggests, if the user is a super-administrator, the function will return true.

That's really all there is to it. There are of course more complex use cases such as authenticating against external repositories like LDAP or Active  Directory and single-sign on, but they are big enough topics to be handled in a future blog post (if this specific aspect is of particular interest to you, I'd suggest contacting Blue River to discuss the matter directly as we have a ton of experience implementing these services and they can be quite particular to the network/security regime/etc. of an organization).

In the next blog post, we're going to be migrating our plugin into a framework, specifically FW/1 (a.k.a. Framework/One). See you then!

Additional Resources

Mura CMS Documentation: Plugins

This Mura CMS Blog entry is part of the "Mura Plugins Boot Camp" series by Grant Shepert:


About the Author

Grant Shepert has been a developer for nearly 20 years, and started using Mura the year it was released. Since then he has written dozens of plugins, spoken about Mura in conferences around the world, contributed code to the core project in numerous ways (his favorite being the FormBuilder), acted as Mura instructor, mentor and evangelist and, when time has permitted, written a blog post or two.