Advanced Content Security Module

The advanced content security module is a simple open source module designed primarily to handle the ‘restriction’ of Sitecore content. Restriction is a state in between the user being able to read the item (in the Sitecore security sense) and the user not being able to read. This typically manifests itself as a paywall with a call to action instructing the user to sign up or register with your site, but I have already heard of other use cases.

The current features of the module are:

  • Addition of a ‘Restricted’ permission in the Sitecore Security Editor
  • Addition of a ‘Rules’ permission in the Sitecore Security Editor
  • Rules based restriction security
  • Rules based read security
  • Addition of a ‘Where the current user is restricted’ rule for use with Conditional Renderings
  • Automatic switching of content item device to a ‘Restricted’ device, to allow entire page presentation change.
  • Automatic fallback of ‘Restricted’ device back to ‘Default’ if no layout present.
  • Rules based user initialisation.

Additional Permissions

Two additional permissions are added out of the box by the Advanced Content Security Module.

Additional Security Permissions

Applying the ‘Restricted’ security permission using either of the Sitecore security dialogs will define the desired user or role as restricted for the piece of content you are looking at. This covers the common case where a member should be restricted from seeing a piece of content and no rule is required to determine the restriction.

Applying the ‘Rules’ security permission denotes that the Read and Restricted rules, if set, will be evaluated to determine the appropriate security permissions.

Applying security read permissions based upon the Sitecore rules engine

Firstly, you must set up any rules you want to be able to check. These can be found in ‘/sitecore/system/Modules/Advanced Content Security/Read Content Security Rules’.

Read rule setup

Once completed, apply the ‘Rules’ permission to the content item(s) that should check the rules you have specified. Without this permission, the Advanced Content Security module ignores the item (by design, for performance reasons).

Rules Security Applied

For any content you wish to be able to select rules for, you must inherit from the Advanced Security Module’s base template to allow selection of your rules. This can be found at ‘/sitecore/templates/Advanced Content Security/Base Templates/Advanced Content Security – Read Rules’

Read Rules Base Template

Finally, you can simply select the required rules from the field on your content item.

Read Rules Applying

It is worth noting that the result of the executed rules is NOT cached; any caching would be the responsibility of the conditions you create.
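As an added example (not code from the module or from the original page), here is a custom condition that caches its own result for the duration of the current request. The namespace, class name, cache key and the ‘SubscriptionTier’ profile property are assumptions made for illustration; the base class is the standard Sitecore WhenCondition<T>.

```csharp
using System;
using System.Web;
using Sitecore.Diagnostics;
using Sitecore.Rules;
using Sitecore.Rules.Conditions;
using Sitecore.Security.Accounts;

namespace Example.Rules // hypothetical namespace
{
    // Hypothetical condition: matches when the current user's profile carries
    // the subscription tier chosen in the rule editor.
    public class UserHasSubscriptionTier<T> : WhenCondition<T> where T : RuleContext
    {
        // Populated by the rule editor from the condition's text.
        public string Tier { get; set; }

        protected override bool Execute(T ruleContext)
        {
            Assert.ArgumentNotNull(ruleContext, "ruleContext");

            User user = Sitecore.Context.User;
            if (user == null || !user.IsAuthenticated || string.IsNullOrEmpty(Tier))
            {
                // No match. What a non-match means for access depends on
                // the rule this condition is used in.
                return false;
            }

            // Request-scoped cache: the decision is recomputed on the next request,
            // so a changed profile takes effect immediately. The key includes the
            // user name so a result is never reused for a different user.
            HttpContext http = HttpContext.Current;
            string key = "acs-example:tier:" + user.Name + ":" + Tier;
            if (http != null && http.Items[key] is bool)
            {
                return (bool)http.Items[key];
            }

            // Stands in for a costlier lookup (e.g. a call to an external system).
            string actual = user.Profile.GetCustomProperty("SubscriptionTier");
            bool result = string.Equals(actual, Tier, StringComparison.OrdinalIgnoreCase);

            if (http != null) { http.Items[key] = result; }
            return result;
        }
    }
}
```

If you cache for longer than one request, keep the user in the cache key and pick an expiry that matches how quickly a revoked entitlement must stop granting access.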

Restricting content based upon the Sitecore rules engine

Firstly, you must set up any rules you want to be able to check. These can be found in ‘/sitecore/system/Modules/Advanced Content Security/Restricted Content Security Rules’.

Rules Restriction Setup

Once completed, apply the ‘Rules’ permission to the content item(s) that should check the rules you have specified. Without this permission, the Advanced Content Security module ignores the item (by design, for performance reasons).

Rules Security Applied

For any content you wish to be able to select rules for, you must inherit from the Advanced Security Module’s base template to allow selection of your rules. This can be found at ‘/sitecore/templates/Advanced Content Security/Base Templates/Advanced Content Security – Restricted Rules’

Restriction Base Template

Finally, you can simply select the required rules from the field on your content item.

Restricted Rules Applying

Media Restrictions

Media restrictions can be achieved by replacing the default handler in the section of the web.config, with that of the Advanced Content Security module, using the following line of code.

        <add verb="*" path="sitecore_media.ashx" type="AdvancedContentSecurity.Core.Media.MediaRequestHandler, AdvancedContentSecurity.Core" name="Sitecore.MediaRequestHandler" />

Changing presentation using conditional renderings for restricted content

The Advanced Content Security Module ships out of the box with a ‘where the user is restricted’ conditional rendering rule. You can use this to apply conditional renderings to your presentation.

Restriction on conditional rendering

NOTE: Restriction is evaluated both from the security permission and from the rules based restrictions.

Changing presentation using the ‘Restricted’ device for restricted content

In many scenarios, simply changing odd components might prove labour intensive for the content editors, and is often more clumsy when applied to standard values. For this reason, the Advanced Content Security Module ships out of the box with a ‘Restricted’ device. This device gets applied when the content is restricted, and therefore allows the whole page to be presented in a different manner.

Restricted Layout

User initialisation using the rules engine

Another useful feature of ACS is applying user logic based upon rules. This is particularly useful with implementations that utilise third-party SSO and security, but it also allows a more agile solution to user initialisation.

Rules User Init

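This does require the code to be fired wherever you control your user login actions; an example can be found below.

        // Call this from wherever you handle user login.
        // User is Sitecore.Security.Accounts.User.
        private void AddRolesFromRules(User virtualUser)
        {
            // Resolve the module's user security manager from its configuration factory.
            IUserSecurityManager userSecurityManager = ConfigurationFactory.Default.GetUserSecurityManager();

            // Evaluate the user initialisation rules against this user.
            userSecurityManager.ApplySecurityFromRules(virtualUser);
        }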

Custom checking & advanced scenarios

There are many other, more advanced use cases and scenarios that are not covered in this introduction. Feel free to contact me, or watch this space as more of them are covered.