Friday, November 12, 2004

MSCMS - Disabling delete for authors

The last couple of months I have been doing a lot of Microsoft Content Management Server (MSCMS) development and I think it definitely allows you to do some cool stuff. For those of you who don't know, MSCMS allows users without any html knowledge or special tools to publish content to a corporate website while maintaining a common look and feel and supporting an approval process for all of your published content.

The product has however some shortcomings and last week the functional analyst of our project stumbled on one of them. For every posting you can define an approval process with authors, editors and moderators, so after an author creates a posting, the editor first approves the layout and then the moderator approves the content (This is a very quick overview). So for about every change, you need to go through this approval process EXCEPT for deletion of postings

The obvious thing todo to disable the delete for authors was to add an ASP.Net panel control around the delete section in the defaultconsole.ascx and put it to visible false when a user had no editor or approve rights. Well this doesn't seem to be very simple:

  • Microsoft.ContentManagement.Publishing.CmsContext.UserCanApprove : you can't use this one, since it is a site-wide check, if the user has somewhere in your site editor or moderator rights, this property will return true.

  • Microsoft.ContentManagement.Publishing.CmsContext.Posting.CanApprove : seemed to be promising, it already checks the rights for this specific rights, but unfortunately it also takes into account the postingstate of the mode, so when your posting is published it will return false even when the current user has sufficient rights to approve

  • Microsoft.ContentManagement.Publishing.CmsContext.PostingApprovers() : returns a Microsoft.ContentManagement.Publishing.UserCollection with all the approvers, but it also takes the posting state into account.

  • So basically I'm stuck, anybody any ideas....


    Mark said...

    In MCMS.Rapid ( we will have some changes around Delete - will support a Soft Delete function.

    Anonymous said...

    In the past we have created a hidden channel to which only 'users who can delete' have access. This is then checked and if the current user can access that channel then delete is available otherwise it is hidden.

    Anonymous said...

    We generally implement this using ad lookup, and only show the delete function if the user is a member of an NT/AD group. Drawbacks are that you are maintaining another group, but having said that in the cases where you want to control delete there are generally only a few people you want to give access to so the overhead is really minimal.
    In MCMSRapid, what we've done is you setup a hidden channel, then when a delete is triggered, just move the page to this channel, this is a nice graceful solution, it also wrappers publishing workflow and approval around the delete event without any nasty code just by adding moderators onto the 'SoftDelete' channel.
    This kind of circumnavigates the need to hide delete as you can protect the authors and editors from themselves.