Find Page Security Roles via the API (or other means)

Steven Logan asked on March 19, 2021 19:09

I am trying to figure out how to get all the roles assigned to a page via the security (permissions) tab on the page. I do not see an API call that has that info.

Here is the specific use case:

We use Azure as a search provider. I want to filter what results appear in a list of results on the page by the roles assigned to the page. For example, if the "staff" role is assigned to a page, I do not want it to appear to non-staff. I am currently doing this via the check permission function, but I am going to roll out more roles, and do not want do this check over and over again.

Thanks, Steven

Correct Answer

Dmitry Bastron answered on March 22, 2021 12:29

Hi Juraj,

Although .CheckPermissions() works well on database requests via API, when you perform a search against smart search index it's a little bit different.

For local indexes, there is a search parameter "CheckPermissions" that you can set to true and search will take ACLs into account. However, for Azure search, there isn't such an alternative. But Azure Search stores the same "nodeaclid" field that can be used to filter only pages that the current user has access to without additional database query.

1 votesVote for this answer Unmark Correct answer

Recent Answers

Juraj Ondrus answered on March 21, 2021 09:37

What is the code you arte using right now? The recommended way is using ther .CheckPermissions() method which should do all the job for you. Or, you might want to use e.g. IsAuthorizedPerDocument to see ig a particular user has access to given page.

0 votesVote for this answer Mark as a Correct answer

Steven Logan answered on March 22, 2021 14:36

Thanks Dmitry. I did not notice that was in the Azure search. That is a good idea, and I'll check that out.

Thanks Juraj. I use the checkpermission call now, but we may be adding more user roles. My concern was looping through several of the checkpermission calls.

0 votesVote for this answer Mark as a Correct answer

Dmitry Bastron answered on March 22, 2021 18:45

You are welcome Steven.

One more thing to mention if you are going to implement this query on Azure Search index. It works the following way (also ACL structure may be useful here):

  • every node in CMS tree has ACL assigned (CMS_ACL table)
  • every ACL consists of one or multiple ACL items, one item for each entity like Role or User you are assigning permissions to (CMS_ACLItem)
  • there is a "default" ACL with ID=1 which is a root node allowance to read the tree for everyone
  • when the system needs to query something with checking permissions, it gets for the current user list of allowing ACL IDs and a list of denying ACL IDs this user is involved(via User or Groups)

This could be a logic for your aclid query. Hope it makes sense.

0 votesVote for this answer Mark as a Correct answer

Steven Logan answered on March 26, 2021 14:23

Thanks Dmitry. That is helpful background. I pulled together that through a query and joined with the nodeacl and pulled it together.

Unfortunately, I realized I have been thinking about the problem backwards. I was planning to add this filter after the Azure results are returned, and show or hide individual entries. What I really need to do is have an Azure filter, so only the entries are returned I want to begin with. This would be more efficient and make all the niffy Azure feature, like facets work correctly.

Your idea did solve the question I asked, and I marked it as correct.

0 votesVote for this answer Mark as a Correct answer

   Please, sign in to be able to submit a new answer.