Menu Permission Limitation


Developers may need to limit, by permission, the items that the Ektron menu system renders on the front end. There are some limitations because the menu system does not have a built-in permission model. Additional custom code would need to be developed to meet this requirement.

The MenuView control currently respects only privacy settings. Neither MenuView nor the MenuManager framework API it is built on has a permission model integrated at this time. Until recently, MenuManager/MenuView did not respect privacy either; that was added to the product in 9.0SP2 with Cu24 under issue #74149. Whether additional permission models should be respected is with Product Management to consider, since changing this without a proper plan and redesign would carry a large risk for the code and for existing customers.

The current recommendation moving forward is to use the MenuManager.GetTree API to get the list of items and then iterate through the list checking for permissions on the content using a separate API.

The MenuManager API is included here. Samples are in the documentation.

Then one can use something like the PermissionManager to evaluate permissions on the returned items.
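One way to structure that iteration, as an added example rather than Ektron's or this article's code: MenuNode is a hypothetical stand-in for the items GetTree returns, and canView is an assumed wrapper around a PermissionManager call for the current user. It denies on lookup errors and returns a filtered copy instead of editing the shared tree.

```csharp
using System;
using System.Collections.Generic;

// Stand-in for an item returned by MenuManager.GetTree (hypothetical shape, not Ektron's type).
public sealed class MenuNode
{
    public long Id;
    public string Text;
    public bool IsSubmenu;   // container node rather than a content link
    public List<MenuNode> Items = new List<MenuNode>();
}

public static class MenuPermissionFilter
{
    // canView is an assumed wrapper around the real per-user permission lookup.
    // A filtered copy is returned so a tree cached for all users is never mutated.
    public static List<MenuNode> Filter(IEnumerable<MenuNode> items, Func<MenuNode, bool> canView)
    {
        var visible = new List<MenuNode>();
        foreach (var item in items)
        {
            bool allowed;
            try { allowed = canView(item); }
            catch (Exception) { allowed = false; }   // fail closed if the lookup errors
            if (!allowed) continue;                  // a denied parent hides its whole subtree

            var copy = new MenuNode { Id = item.Id, Text = item.Text, IsSubmenu = item.IsSubmenu };
            copy.Items = Filter(item.Items, canView);
            if (copy.IsSubmenu && copy.Items.Count == 0) continue;   // do not render empty submenus
            visible.Add(copy);
        }
        return visible;
    }

    public static void Main()
    {
        // Constructed sample tree; ids 20 and 31 stand for items the user may not view.
        var tree = new List<MenuNode> {
            new MenuNode { Id = 10, Text = "Home" },
            new MenuNode { Id = 20, Text = "Staff", IsSubmenu = true,
                Items = { new MenuNode { Id = 21, Text = "Payroll" } } },
            new MenuNode { Id = 30, Text = "Docs", IsSubmenu = true,
                Items = { new MenuNode { Id = 31, Text = "Internal" }, new MenuNode { Id = 32, Text = "Public" } } },
        };
        var denied = new HashSet<long> { 20, 31 };
        foreach (var top in Filter(tree, n => !denied.Contains(n.Id)))
            Console.WriteLine(top.Text + " (" + top.Items.Count + " visible children)");
    }
}
```

Run the filter on every request for the current user; caching its output across users would show one user's menu to another.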

The following methods are available:

GetUserPermissionForContent(Int64,Int64,Int32): Gets the user's permission to a piece of content, for either the user or a group the user is part of.
GetUserPermissionForFolder(Int64,Int64,Int32): Gets the user's permission to a folder, for either the user or a group the user is part of.

which are documented here:

There are many ways to build menus, such as building a menu by Taxonomy. A sample is below.


Taxonomy Menu Sample

However, even in this example, as outlined in the code comment, one will still need to implement permission checks, since the taxonomy nodes are public.

The code below is taken from TaxonomyMenu.ascx, which is in the code download from the link above.

protected void Page_Load(object sender, EventArgs e)
{
    // Note that permissioning will not take place unless you come up with a new method
    // to check permissions, as taxonomy node viewing is public.