SmartTarget Extensions: Better Security on Promotion Management

If you have used SmartTarget, you will probably know that the security model for managing promotions is pretty basic – you either have rights to manage promotions or you don’t. On my current implementation we have different business units managing their own SmartTarget promotions for various sites and applications, all within the same CMS, so all able to view, edit (and accidentally break!) each others promotions. This post shows a simple solution we came up with to ensure each user could only manage appropriate promotions.

The key to the solution is that each business unit (BU) manages promotions for a separate group of SmartTarget regions, and we use a naming convention for these regions (something like {BU}.{Channel}.{RegionName}, for example Sports.Web.Start and Sports.App.Dashboard for content areas on the Sports Website Start page and Sports Mobile App Dashboard screen).

If we can filter the list of regions shown in the SmartTarget UI by using the appropriate BU prefix when creating promotions, then a BU would only be able to create promotions using their own regions. We would then be able to filter the list of promotions to only show those set up for regions valid for that BU.

Filtering data shown in the GUI is pretty simple – you just need to implement a DataExtender GUI Extension to rewrite the XML in the ProcessResponse method, and add this as a Model extension.

using System; using System.Collections.Generic; using System.Linq; using System.Text; using System.Xml; using System.Xml.Linq; using Tridion.Web.UI.Core.Extensibility; namespace SmartTargetGUIExtensions { public class SmartTargetSecurityExtender : DataExtender { public override string Name { get { return "SimpleSecurityExtender.SmartTargetSecurityExtender"; } } public override XmlTextReader ProcessRequest(XmlTextReader reader, PipelineContext context) { return reader;//Nothing to do on request } public override XmlTextReader ProcessResponse(XmlTextReader reader, PipelineContext context) { var command = context.Parameters["command"] as String; command = command.ToLower(); if (command == "getpromotions" || command == "getregions") { List<String> data = new List<String>{"Sports"};//hardcoded for this example switch (command) { case "getregions": return FilterRegions(reader, context, data); case "getpromotions" : return FilterPromotions(reader, context, data); } } return reader;//default is to return unaltered XML } private XmlTextReader FilterRegions(XmlTextReader reader, PipelineContext context, List<String> allowedRegionPrefixes) { var listXml = XDocument.Load(reader); var regions = listXml.Root.Elements(); var regionsToRemove = new List<XElement>(); foreach (var region in regions) { bool regionOK = false; foreach (var prefix in allowedRegionPrefixes) { if (region.Value.StartsWith(prefix)) { regionOK = true; break; } } if (!regionOK) { regionsToRemove.Add(region); } } foreach (var region in regionsToRemove) { region.Remove(); } reader = new XmlTextReader(new StringReader(listXml.ToString())); reader.MoveToContent(); return reader; } private XmlTextReader FilterPromotions(XmlTextReader reader, PipelineContext context, List<String> allowedRegionPrefixes) { var listXml = XDocument.Load(reader); var promos = listXml.Root.Elements(); var promosToRemove = new List<XElement>(); foreach (var promo in promos) { if (!AllowedRegion(promo.Element(promo.Name.Namespace + "Regions"), allowedRegionPrefixes)) { promosToRemove.Add(promo); } } foreach (var promo in promosToRemove) { promo.Remove(); } reader = new XmlTextReader(new StringReader(listXml.ToString())); reader.MoveToContent(); return reader; } private bool AllowedRegion(XElement regionsXml, List<string> allowedRegionPrefixes) { foreach (var regionName in regionsXml.Descendants(regionsXml.Name.Namespace + "Name").Select(n => n.Value)) { foreach(var prefix in allowedRegionPrefixes) { if (regionName.StartsWith(prefix)) { return true; } } } return false; } } }

In the example above, we are simply hard-coding the list of region prefixes to filter on, but we actually want to have that configurable depending on the user. This was pretty simple to set up too – by using Tridion Groups with a special naming convention. For each BU we create a Tridion Group with name in the form Promotion Manager [Region Prefix Sport]. When processing the request in the Data Extender we read the current user’s group membership (using the Core Service) and work out if they are in any groups of this type. If so, we load in the prefixes and use these to filter the promotions and regions shown:

public override XmlTextReader ProcessResponse(XmlTextReader reader, PipelineContext context) { var command = context.Parameters["command"] as String; command = command.ToLower(); if (command == "getpromotions" || command == "getregions") { UserData currentUser = new CoreServiceHelper(System.Web.HttpContext.Current.User.Identity.Name).GetCurrentUser(); if (currentUser.Privileges != 1) //Skip for Admins { List<String> data = GetRegionPrefixesForUser(currentUser); switch (command) { case "getregions": return FilterRegions(reader, context, data); case "getpromotions" : return FilterPromotions(reader, context, data); } } } return reader;//default is to return unaltered XML } //Cache the region prefixes in a static variable to make processing a bit more efficient public static ConcurrentDictionary<String, List<String>> UserRegionPrefixes = new ConcurrentDictionary<string, List<string>>(); private List<String> GetRegionPrefixesForUser(UserData currentUser) { if (!UserRegionPrefixes.ContainsKey(currentUser.Id)) { List<String> regionPrefixes = new List<string>(); foreach (var groupTitle in currentUser.GroupMemberships.Select(m => m.Group.Title)) { var match = Regex.Match(groupTitle, @".*\[Region Prefix (.*?)\]"); if (match.Success) { regionPrefixes.Add(match.Groups[1].Value); } } UserRegionPrefixes.AddOrUpdate(currentUser.Id, regionPrefixes, (key, oldvalue) => regionPrefixes); } return UserRegionPrefixes[currentUser.Id]; }

Note that we also check if the user is an administrator, and if so, skip the whole filtering process. In the example above the CoreServiceHelper class is a simple helper class which handles the connection to the CoreService – its not the aim of this post to explain this, and you probably have your own library for doing this, so I am not putting the code here.

I’m not going to go into the details of how to create an install a Data Extender GUI Extension itself as this has been covered in other posts, such as this excellent one by Jamie. Its probably only worth noting that this extension is a Model extension, rather than an Editor extension and the Model.config configuration is as follows:

<?xml version="1.0"?> <Configuration xmlns="http://www.sdltridion.com/2009/GUI/Configuration/Merge" xmlns:cfg="http://www.sdltridion.com/2009/GUI/Configuration" xmlns:ext="http://www.sdltridion.com/2009/GUI/extensions"> <resources> <cfg:groups /> </resources> <definitionfiles/> <extensions> <ext:editorextensions /> <ext:dataextenders> <ext:dataextender name="SmartTargetDataExtender" type="SmartTargetGUIExtensions.SmartTargetDataExtender, SmartTargetGUIExtensions"> <ext:description> Filters Promotions and Regions in the SmartTarget GUI based on User's Group Membership </ext:description> </ext:dataextender> </ext:dataextenders> <ext:modelextensions /> </extensions> <commands /> <contextmenus /> <localization /> <settings> <customconfiguration /> </settings> </Configuration>

SDL Tridion Developer

SDL Tridion development and knowledge sharing blog, actively maintained by a number of SDL Tridion community experts.

SmartTarget Extensions: Better Security on Promotion Management

Leave a Reply Cancel reply