Mura Plugins Boot Camp: Day 5 - Permissions

Security is an important part of any application development. In my last post in this series, I looked at application-level security. This time we're going to look at authentication and permissions.

Authentication and permissions go hand in hand, but they answer two different questions. Authentication is the process of verifying that a person is who they say they are. Authorization, the "contextual" part, is verifying that the authenticated person has the necessary rights to perform a specific action, such as viewing or editing a page. A plugin normally has to answer both, in that order.

The Mura Scope (a.k.a. "$") has some handy helper functions that you can use in your plugin to help with the authentication process, the most basic of which is:

$.currentUser().isLoggedIn()

The $.currentUser() is, as you might expect, the user currently viewing the Mura website (or accessing the Mura CMS administrator). They don't have to be logged in; every visitor, anonymous or not, has their own session, and $.currentUser() returns a user bean for that session either way. The helper function isLoggedIn() returns true if the user has logged in to Mura, and false if they have not. Pretty easy, right? So, you might have the following logic in your application:

// Step 1: authentication. Anonymous users are sent to the Mura login screen.
if( $.currentUser().isLoggedIn() ) {
   ... do something ...
} else {
   // location() ends the request, so nothing after it runs for anonymous users.
   // Note: ColdFusion's location() appends CFID/CFTOKEN to the URL by default
   // (addToken=true); pass false as the second argument if you do not want
   // session identifiers showing up in URLs, referrers and proxy logs.
   location( "?display=login" );
}

In this case, if the user is not logged in the page will redirect and the Mura CMS login screen will be displayed. Because location() halts the current request, the protected code is never reached by an anonymous user; you do not need an additional return after the redirect.

Once we have determined that a user is logged in, we can evaluate whether they have permission to perform a specific action. Mura uses the concept of "Groups" to assign permissions. For instance, you might have a "Member" group that handles permissions for your site members, a "Subscriber" group for people who have subscribed to a part of your site, and a "Contributors" group that determines whether or not they can create content in a particular part of your site. These Groups are normally managed and granted permissions in the Mura Site Administrator, but you can easily check membership in your plugin as well:

// Step 2: authorization. Group names are matched against the user's Mura groups.
if( $.currentUser().isInGroup( "Contributors" ) ) {
   ... let them access the area ...
} else {
   // Fail closed: give a generic message rather than details about the protected area.
   return "Sorry, you are not a contributor!";
}

Another important helper function is $.currentUser().isSuperAdmin(). As the name suggests, if the user is a super-administrator, the function will return true. Keep in mind that a super admin is not necessarily a member of any particular group, so a plugin that guards a feature with isInGroup() alone will lock super admins out of it; if that is not what you want, check isSuperAdmin() first and treat it as an implicit pass.
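Putting the three checks together, here is an added example of a reusable access guard for a plugin, written for this post and not taken from the original article or from Mura's own code. It assumes "$" is a Mura scope handed in from the plugin's display object or event handler, that the current-user bean exposes getUsername(), and that the group name "Contributors" and the helper names requireGroup(), renderContributorArea() and contributorMarkup() are illustrative choices made here.

```cfml
// Added example (not code from the original post or from Mura/Blue River).
// Assumptions: "$" is a Mura scope passed in by the plugin; "Contributors" is
// an illustrative group name; requireGroup(), renderContributorArea() and
// contributorMarkup() are hypothetical helper names chosen for this example.
component {

    // Returns true when the current user may proceed. Anonymous users are
    // redirected to Mura's login screen (the request ends there); logged-in
    // users who are neither super admins nor members of the group get false.
    public boolean function requireGroup( required any $, required string groupName ) {
        var user = arguments.$.currentUser();

        // Step 1: authentication.
        if ( !user.isLoggedIn() ) {
            // addToken=false keeps CFID/CFTOKEN out of the redirect URL; the
            // ColdFusion default (true) would put the session id in the URL.
            location( "?display=login", false );
            // location() halts the request, so nothing below runs for them.
        }

        // Step 2: authorization. Super admins implicitly pass every group
        // check; everyone else must actually belong to the named group.
        if ( user.isSuperAdmin() ) {
            return true;
        }
        return user.isInGroup( arguments.groupName );
    }

    // Example use from a plugin display object: only Contributors (or super
    // admins) may see the authoring UI; everyone else gets a 403 and a
    // generic message that reveals nothing about the protected area.
    public string function renderContributorArea( required any $ ) {
        if ( !requireGroup( arguments.$, "Contributors" ) ) {
            // Fail closed: an explicit status keeps caches and proxies from
            // treating the denial as a normal 200 page.
            getPageContext().getResponse().setStatus( 403 );
            return "Sorry, you are not a contributor!";
        }
        return "<h2>Contributor tools</h2>" & contributorMarkup( arguments.$ );
    }

    // Protected content; a real plugin builds its own markup here. The
    // username is output-encoded because it is user-controlled data.
    private string function contributorMarkup( required any $ ) {
        var name = arguments.$.currentUser().getUsername();
        return "<p>Welcome, " & encodeForHTML( name ) & "</p>";
    }
}
```

The order of the checks matters: the login test runs first so that an anonymous visitor is sent to the login form rather than shown a "not a contributor" message, and the super-admin test runs before the group test so that an administrator who was never added to the group is not locked out of the plugin.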

That's really all there is to it. There are of course more complex use cases such as authenticating against external repositories like LDAP or Active Directory and single sign-on, but they are big enough topics to be handled in a future blog post (if this specific aspect is of particular interest to you, I'd suggest contacting Blue River to discuss the matter directly, as we have a ton of experience implementing these services and they can be quite particular to the network, security regime and so on of an organization).

In the next blog post, we're going to be migrating our plugin into a framework, specifically FW/1 (a.k.a. Framework/One). See you then!