So you came to Tridion Developer Summit and heard about this hip new Tridion framework called Alchemy. Or maybe you’d already heard of Alchemy and have been anxiously awaiting the chance to try building your own plugin. The problem is, you can’t build and test a plugin on your Tridion environment because you can’t let just any user play with your plugin as you develop. Fortunately, we at Alchemy recognize that security is a huge concern for many users and we are working hard to address this as comprehensively as we can. Unfortunately, we aren’t there yet. However, if you are really anxious to start building I’m going to show you how to lock down your plugin so that only certain users have access to your ribbon bar or context menu extension, using just the Alchemy API and some JavaScript.
To do this we first need to add a couple of new fields to the custom settings in our A4T.xml file:
As you can see, I've added 3 custom settings, 2 of which are related to this task: adminRequired and allowedUsers. These settings will do exactly what they sound like by the time we're done.
Next I head over to my command JavaScript file. This is the file where you set the "isAvailable" and "isEnabled" logic. In this file I set a global variable for this file (see my article on managing JS scope here), in my case called "jsonSettings", and initialize it as null. Now I need to use the Alchemy API to retrieve the settings I've created, assigning them to this new jsonSettings variable:
Now I have global access to my settings throughout this JS file. All I need to do now is compare my settings to my current user information to decide if this user gets to use my plugin. I do this in my isEnabled and/or isAvailable functions and the logic is identical:
The function "isAppropriateItem" is unrelated to what we've just done; it checks whether the selected item has where-used data (we're looking at WhereUsedPlus as an example). Assuming the item actually has where-used data, we retrieve the settings we've set up, along with the current user (the "user" var). Then it's a simple matter of checking whether we require an admin user and, if so, making sure the user is an admin; then checking whether we've set an allowed user (or users: since this is just a string search we can list as many users as we want, using any delimiter between them) and, if so, seeing whether the list of allowed users contains our current user. If no allowed user is set, this feature is ignored. If the adminRequired field is not set to "true", we assume it is not required. You can tweak the logic to meet your specific needs.
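As an added example (not the post's or Alchemy's own code), here is the decision just described written as a stand-alone function that can be checked outside the CMS; the Alchemy API calls that fetch the settings and the current user are assumed and not shown, and the sample settings and users below are constructed.

```javascript
// Added example, not code from the original post. Models the isEnabled/isAvailable
// decision as a pure function over the two custom settings (adminRequired, allowedUsers)
// and an assumed user object { name, isAdmin } taken from the current Tridion session.

// Normalise a possibly missing setting to a boolean: only the string "true" counts.
function settingIsTrue(value) {
  return String(value == null ? "" : value).trim().toLowerCase() === "true";
}

// Split the allowedUsers string on any common delimiter (comma, semicolon, pipe,
// whitespace) and compare whole names, case-insensitively. A plain substring search
// would let "TRIDION\ADMIN" also match "TRIDION\ADMINISTRATOR"; splitting first avoids that.
function parseAllowedUsers(allowedUsers) {
  if (allowedUsers == null) return [];
  return String(allowedUsers)
    .split(/[,;|\s]+/)
    .map(function (u) { return u.trim().toUpperCase(); })
    .filter(function (u) { return u.length > 0; });
}

// settings: { adminRequired, allowedUsers } as read from the plugin's custom settings.
// user:     { name, isAdmin } (assumed shape) for the currently logged-in user.
function userMayUsePlugin(settings, user) {
  if (!user || !user.name) return false;
  if (settingIsTrue(settings.adminRequired) && !user.isAdmin) return false;
  var allowed = parseAllowedUsers(settings.allowedUsers);
  if (allowed.length === 0) return true; // no allow-list configured: feature ignored
  return allowed.indexOf(String(user.name).toUpperCase()) !== -1;
}

// Constructed sample settings and users for a local check.
var sampleSettings = { adminRequired: "true", allowedUsers: "TRIDION\\ADMIN; TRIDION\\EDITOR" };
var adminUser  = { name: "TRIDION\\admin", isAdmin: true };
var editorUser = { name: "TRIDION\\editor", isAdmin: false };
var lookalike  = { name: "TRIDION\\ADMINISTRATOR", isAdmin: true };

console.log(userMayUsePlugin(sampleSettings, adminUser));  // true
console.log(userMayUsePlugin(sampleSettings, editorUser)); // false: not an administrator
console.log(userMayUsePlugin(sampleSettings, lookalike));  // false: not an exact name match
```

Because this check runs in the browser, it only decides whether the ribbon button or context-menu item is offered; it does not by itself stop a request sent directly to the plugin's server-side code, which is why the post notes that Alchemy's own permission model is still being built.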
Now that this is set, we can go view our plugin in the dashboard and configure our permissions right from the Alchemy GUI: no fuss, no XML, and no one using our plugin who shouldn't. With the below settings only the TRIDION\ADMIN user will be able to use the plugin, and only if this user is a Tridion administrator.