In this article I’m going to describe an approach that we’ve taken creating a solution for a universal workflow requirement. The idea was to create one workflow for all content items as they all would follow the same workflow process.
Here is a use case that came from one of our wonderful customers:
- All content items should have the same workflow process.
- Different security roles may or may not have access to a workflow state at different parts of the content tree.
- Workbox should respect aforementioned security configuration.
To understand what access rights provide editing permission to the user let’s take a look at the way Sitecore resolves access level to a content item.
- Check if a user has Read (item:read) access to an item. If so, the user will be able to see the item in a Content Editor.
- Check if the user has Write (item:write) access to the item. If the item is in workflow, also check whether the user has Write access to the workflow state the item is in (workflowState:write). If either of those access rights is not granted, the user is denied modification access.
As you can see both Write and Workflow State Write access rights are required for a user to edit the item.
This is the approach we came up with to address all the requirements. We can meet all requirements by extending standard Workflow class and using it to run workflow process.
First. Define an additional access right that, together with the Workflow State Write right on the state item, determines access to items in workflow at different parts of the content tree. In this approach we decided to reuse the “workflowState:write” access right, which by default is available only on workflow-related items. In this case the only thing we need to do is make it available for all items, which can easily be configured in the web.config file:
<!-- Fragment of the accessRights rules: exposes workflowState:write on every item
     (typeName Sitecore.Data.Items.Item) instead of only on workflow-related items. -->
<rules>
  <add prefix="workflowState:write" typeName="Sitecore.Data.Items.Item"/>
</rules>
Now you can set this right for any item in Security Editor. Just don’t forget to add an appropriate column to see it there.
Second. Extend default Sitecore.Workflows.Simple.Workflow class to take into account new security configuration.
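namespace TwinPeaks.Workflows
{
    /// <summary>
    /// Workflow that, for states whose "Check required" field is selected, also requires the
    /// workflowState:write access right on the content item itself before it offers commands,
    /// lists the item in <see cref="GetItems"/>, or reports write access.
    /// </summary>
    /// <remarks>
    /// <see cref="GetAccess"/> and <see cref="GetState"/> hide the base members with <c>new</c>
    /// rather than overriding them. Because IWorkflow is listed again in the base list, calls made
    /// through an IWorkflow reference bind to the public members declared here (for any member that
    /// IWorkflow declares); a caller holding a Sitecore.Workflows.Simple.Workflow reference still
    /// reaches the base implementation and therefore skips the item-level check.
    /// </remarks>
    public class Workflow : Sitecore.Workflows.Simple.Workflow, IWorkflow
    {
        // Name of the checkbox field added to the workflow state template.
        private const string CheckRequiredFieldName = "Check required";

        /// <summary>
        /// Creates the workflow and keeps a reference to the owning provider for database access.
        /// </summary>
        /// <param name="workflowId">Workflow ID.</param>
        /// <param name="owner">Provider that created this workflow.</param>
        public Workflow(string workflowId, WorkflowProvider owner)
            : base(workflowId, owner)
        {
            Owner = owner;
        }

        /// <summary>
        /// Returns the commands of the workflow state the item is currently in.
        /// </summary>
        /// <param name="item">Content item.</param>
        /// <returns>The commands the context user may run; empty when the item has no state.</returns>
        public override WorkflowCommand[] GetCommands(Item item)
        {
            Assert.ArgumentNotNull(item, "item");

            string stateId = GetStateID(item);
            return stateId.Length > 0 ? GetCommands(stateId, item) : new WorkflowCommand[0];
        }

        /// <summary>
        /// Returns the commands of a workflow state that the context user may run against an item.
        /// </summary>
        /// <param name="stateId">Workflow state ID.</param>
        /// <param name="item">Content item the commands would be run on.</param>
        /// <returns>
        /// Commands for which the user holds workflowCommand:execute and, when the state has
        /// "Check required" selected, workflowState:write on <paramref name="item"/>.
        /// </returns>
        public WorkflowCommand[] GetCommands(string stateId, Item item)
        {
            Assert.ArgumentNotNullOrEmpty(stateId, "stateId");

            Item stateItem = GetStateItem(stateId);
            WorkflowState workflowState = GetState(stateId);
            if (stateItem == null || workflowState == null)
            {
                return new WorkflowCommand[0];
            }

            bool requireItemRight = workflowState.CheckRequired
                                    && !string.IsNullOrEmpty(AccessRight.WorkflowStateWrite.Name);

            var commands = new System.Collections.Generic.List<WorkflowCommand>();
            foreach (Item entity in stateItem.Children.ToArray())
            {
                if (entity == null)
                {
                    continue;
                }

                Template template = entity.Database.Engines.TemplateEngine.GetTemplate(entity.TemplateID);
                if (template == null || !template.DescendsFromOrEquals(TemplateIDs.WorkflowCommand))
                {
                    continue;
                }

                // Authorization is evaluated for the ambient Context.User, not for a caller-supplied account.
                if (!AuthorizationManager.IsAllowed(entity, AccessRight.WorkflowCommandExecute, Context.User))
                {
                    continue;
                }

                // Extra gate introduced by this customization: the right must also be granted on the content item.
                if (requireItemRight
                    && !AuthorizationManager.IsAllowed(item, AccessRight.WorkflowStateWrite, Context.User))
                {
                    continue;
                }

                commands.Add(new WorkflowCommand(
                    entity.ID.ToString(),
                    entity.DisplayName,
                    entity.Appearance.Icon,
                    false,
                    entity["suppress comment"] == "1"));
            }

            return commands.ToArray();
        }

        /// <summary>
        /// Returns the workflow state definition item.
        /// </summary>
        /// <param name="stateId">Workflow state ID.</param>
        /// <returns>The state item, or null when <paramref name="stateId"/> is not a valid ID.</returns>
        protected Item GetStateItem(string stateId)
        {
            ID iD = MainUtil.GetID(stateId, null);
            if (iD == (ID)null)
            {
                return null;
            }

            // The definition item is read with SecurityCheck.Disable, so the lookup does not depend on
            // the current user's read rights. The parsed ID is passed instead of the raw string.
            return ItemManager.GetItem(iD, Language.Current, Version.Latest, Owner.Database, SecurityCheck.Disable);
        }

        /// <summary>
        /// Returns the ID of the workflow state the item is in.
        /// </summary>
        /// <param name="item">Content item.</param>
        /// <returns>The state ID, or an empty string when the item has no workflow info.</returns>
        protected string GetStateID(Item item)
        {
            Assert.ArgumentNotNull(item, "item");

            WorkflowInfo workflowInfo = item.Database.DataManager.GetWorkflowInfo(item);
            return workflowInfo != null ? workflowInfo.StateID : string.Empty;
        }

        /// <summary>
        /// Returns the items in a workflow state; overridden so that the Workbox respects the
        /// item-level workflowState:write right.
        /// </summary>
        /// <param name="stateId">Workflow state ID.</param>
        /// <returns>
        /// The filtered items when the state has "Check required" selected, otherwise the base result.
        /// </returns>
        public override DataUri[] GetItems(string stateId)
        {
            // Validate before the value is used for any lookup.
            Assert.ArgumentNotNullOrEmpty(stateId, "stateId");
            Assert.IsTrue(ID.IsID(stateId), "Invalid state ID: " + stateId);

            if (!CheckStateAdvancedSecurity(stateId))
            {
                return base.GetItems(stateId);
            }

            DataUri[] itemsInWorkflowState =
                Owner.Database.DataManager.GetItemsInWorkflowState(new WorkflowInfo(WorkflowID, stateId));

            return ApplyAdvancedSecurity(itemsInWorkflowState, stateId) ?? new DataUri[0];
        }

        /// <summary>
        /// Indicates whether the item-level check applies to a workflow state.
        /// </summary>
        /// <param name="stateId">Workflow state ID.</param>
        /// <returns>True when the state exists and has "Check required" selected.</returns>
        protected bool CheckStateAdvancedSecurity(string stateId)
        {
            WorkflowState workflowState = GetState(stateId);
            return workflowState != null
                   && workflowState.CheckRequired
                   && !string.IsNullOrEmpty(AccessRight.WorkflowStateWrite.Name);
        }

        /// <summary>
        /// Filters out items on which the context user lacks workflowState:write.
        /// </summary>
        /// <param name="items">DataUri array of content items.</param>
        /// <param name="stateId">Workflow state ID.</param>
        /// <returns>The permitted URIs; empty when nothing is permitted or the state is unknown.</returns>
        protected DataUri[] ApplyAdvancedSecurity(DataUri[] items, string stateId)
        {
            if (items == null || items.Length == 0)
            {
                return new DataUri[0];
            }

            if (GetState(stateId) == null)
            {
                return new DataUri[0];
            }

            // Materialize once: each URI is resolved a single time and the query is not re-enumerated.
            return items.Where(IsWritableInState).ToArray();
        }

        // True when the URI resolves to an item on which the context user holds workflowState:write.
        private bool IsWritableInState(DataUri uri)
        {
            Item candidate = Owner.Database.GetItem(uri);
            return candidate != null
                   && AuthorizationManager.IsAllowed(candidate, AccessRight.WorkflowStateWrite, Context.User);
        }

        /// <summary>
        /// Returns an extended WorkflowState object that carries the "Check required" flag.
        /// </summary>
        /// <param name="stateId">Workflow state ID.</param>
        /// <returns>The extended state, or null when the state item cannot be found.</returns>
        protected new WorkflowState GetState(string stateId)
        {
            Assert.ArgumentNotNullOrEmpty(stateId, "stateId");

            Item stateItem = GetStateItem(stateId);
            if (stateItem == null)
            {
                return null;
            }

            return new WorkflowState(
                stateId,
                stateItem.DisplayName,
                stateItem.Appearance.Icon,
                stateItem[WorkflowFieldIDs.FinalState] == "1",
                stateItem[CheckRequiredFieldName] == "1");
        }

        /// <summary>
        /// Returns the access result for an account and access right on an item in workflow.
        /// </summary>
        /// <param name="item">Content item.</param>
        /// <param name="account">User account.</param>
        /// <param name="accessRight">Access right being resolved.</param>
        /// <returns>
        /// The custom write decision for item:write, the base decision for other rights, and Allow
        /// when the state definition item cannot be resolved.
        /// </returns>
        public new AccessResult GetAccess(Item item, Account account, AccessRight accessRight)
        {
            Assert.ArgumentNotNull(item, "item");
            Assert.ArgumentNotNull(account, "account");
            Assert.ArgumentNotNull(accessRight, "accessRight");

            Item stateItem = GetStateItem(item);
            if (stateItem == null)
            {
                // NOTE(review): this branch fails open. Any access right is allowed when the state item
                // is not resolved, and the explanation is always recorded against item:delete. Confirm
                // that a missing or unreadable state definition should not restrict editing.
                return new AccessResult(AccessPermission.Allow, new AccessExplanation(item, account, AccessRight.ItemDelete, "The workflow state definition item not found.", new object[0]));
            }

            if (accessRight == AccessRight.ItemWrite)
            {
                return GetWriteAccessInformation(item, account, stateItem);
            }

            return base.GetAccess(item, account, accessRight);
        }

        /// <summary>
        /// Resolves whether the account has write access to the item in its current workflow state.
        /// </summary>
        /// <param name="item">Content item.</param>
        /// <param name="account">User account.</param>
        /// <param name="stateItem">Workflow state item.</param>
        /// <returns>
        /// Allow when workflowState:write is granted on the state item and, if the state has
        /// "Check required" selected, on the content item as well; otherwise Deny.
        /// </returns>
        protected AccessResult GetWriteAccessInformation(Item item, Account account, Item stateItem)
        {
            WorkflowState workflowState = GetState(stateItem.ID.ToString());
            bool itemRightRequired = workflowState != null && workflowState.CheckRequired;
            string rightName = AccessRight.WorkflowStateWrite.Name;

            if (!AuthorizationManager.IsAllowed(stateItem, AccessRight.WorkflowStateWrite, account))
            {
                return new AccessResult(AccessPermission.Deny, new AccessExplanation(item, account, AccessRight.ItemWrite, string.Format("The workflow state definition item does not allow writing. To allow writing, grant the '{0}' access right to the workflow state definition item.", rightName), new object[0]));
            }

            if (itemRightRequired && !AuthorizationManager.IsAllowed(item, AccessRight.WorkflowStateWrite, account))
            {
                // Separate explanation so an administrator can see that the content item, not the
                // state definition, is what withholds the right.
                return new AccessResult(AccessPermission.Deny, new AccessExplanation(item, account, AccessRight.ItemWrite, string.Format("The workflow state requires the '{0}' access right on the content item, and it is not granted there.", rightName), new object[0]));
            }

            return new AccessResult(AccessPermission.Allow, new AccessExplanation(item, account, AccessRight.ItemWrite, string.Format("The workflow state definition item allows writing (through the '{0}' access right).", rightName), new object[0]));
        }

        /// <summary>
        /// Returns the workflow state item the content item is in.
        /// </summary>
        /// <param name="item">Content item.</param>
        /// <returns>The state item, or null when the item has no workflow info or the lookup finds nothing.</returns>
        protected Item GetStateItem(Item item)
        {
            Assert.ArgumentNotNull(item, "item");

            WorkflowInfo info = item.Database.DataManager.GetWorkflowInfo(item);
            if (info == null)
            {
                return null;
            }

            // NOTE(review): unlike GetStateItem(string), this lookup does not pass SecurityCheck.Disable;
            // presumably it is subject to the context user's read rights. Confirm, because a null result
            // here makes GetAccess return Allow.
            return item.Database.SelectSingleItem(info.StateID);
        }

        #region Properties

        /// <summary>
        /// Provider that created this workflow; used to reach the workflow database.
        /// </summary>
        protected WorkflowProvider Owner { get; set; }

        #endregion Properties
    }
}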
To make it possible to choose whether access to a workflow state should be combined with access to a content item, I extended the System/Workflow/State template with a checkbox field that indicates whether the custom logic should be triggered. Here is how it looks now:
I extended WorkflowState class with an appropriate property for the new field.
namespace TwinPeaks.Workflows
{
    /// <summary>
    /// Workflow state that also carries the value of the "Check required" checkbox.
    /// </summary>
    public class WorkflowState : Sitecore.Workflows.WorkflowState
    {
        // Set once in the constructor and never changed afterwards.
        private readonly bool _checkRequired;

        /// <summary>
        /// Creates the state and records whether the item-level access check applies to it.
        /// </summary>
        /// <param name="stateId">Workflow state ID.</param>
        /// <param name="displayName">Display name of the state.</param>
        /// <param name="icon">Icon of the state.</param>
        /// <param name="finalState">Whether this is a final state.</param>
        /// <param name="checkRequired">Whether workflowState:write must also be granted on the content item.</param>
        public WorkflowState(string stateId, string displayName, string icon, bool finalState, bool checkRequired)
            : base(stateId, displayName, icon, finalState)
        {
            _checkRequired = checkRequired;
        }

        /// <summary>
        /// Indicates if the workflowState:write access right on the content item should be considered
        /// while resolving access to the item.
        /// </summary>
        public bool CheckRequired
        {
            get { return _checkRequired; }
        }
    }
}
Now in order to make Sitecore use our new Workflow class we need to override WorkflowProvider to return our extended Workflow instance.
- using Sitecore;
- using Sitecore.Data;
- using Sitecore.Data.Items;
- using Sitecore.Diagnostics;
- using Sitecore.Workflows;
namespace TwinPeaks.Workflows
{
    /// <summary>
    /// Workflow provider whose lookups return the extended <see cref="Workflow"/> class, so the
    /// item-level access check is applied wherever the provider hands out a workflow.
    /// </summary>
    public class WorkflowProvider : Sitecore.Workflows.Simple.WorkflowProvider
    {
        /// <summary>
        /// Passes the database name and history store straight to the base provider.
        /// </summary>
        public WorkflowProvider(string databaseName, HistoryStore historyStore)
            : base(databaseName, historyStore)
        {
        }

        /// <summary>
        /// Returns the workflow the item is in, or null when the item has no workflow.
        /// </summary>
        public override IWorkflow GetWorkflow(Item item)
        {
            Assert.ArgumentNotNull(item, "item");

            string id = GetWorkflowID(item);
            if (id.Length == 0)
            {
                return null;
            }

            return new Workflow(id, this);
        }

        /// <summary>
        /// Returns the workflow with the given ID, or null when no such item exists in the database.
        /// </summary>
        public override IWorkflow GetWorkflow(string workflowID)
        {
            Assert.ArgumentNotNullOrEmpty(workflowID, "workflowID");
            Error.Assert(ID.IsID(workflowID), "The parameter 'workflowID' must be parseable to an ID");

            Item definition = this.Database.Items[ID.Parse(workflowID)];
            if (definition == null)
            {
                return null;
            }

            return new Workflow(workflowID, this);
        }

        /// <summary>
        /// Returns one workflow per child of the workflow root item; empty when the root is missing.
        /// </summary>
        public override IWorkflow[] GetWorkflows()
        {
            Item root = this.Database.Items[ItemIDs.WorkflowRoot];
            if (root == null)
            {
                return new IWorkflow[0];
            }

            Item[] definitions = root.Children.ToArray();
            IWorkflow[] result = new IWorkflow[definitions.Length];
            int index = 0;
            foreach (Item definition in definitions)
            {
                result[index] = new Workflow(definition.ID.ToString(), this);
                index++;
            }

            return result;
        }

        // Reads the workflow ID from the item's workflow info; empty string when there is none.
        private static string GetWorkflowID(Item item)
        {
            Assert.ArgumentNotNull(item, "item");

            WorkflowInfo info = item.Database.DataManager.GetWorkflowInfo(item);
            return info == null ? string.Empty : info.WorkflowID;
        }
    }
}
Third. Configure Sitecore solution to work with this customization. Below is a complete example of UniversalWorkflow.config file that could be placed into /App_Config/Include folder to enable this customization:
<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">
  <sitecore>
    <databases>
      <!-- Only the master database is switched to the custom provider. -->
      <database id="master">
        <workflowProvider>
          <patch:attribute name="type">TwinPeaks.Workflows.WorkflowProvider, TwinPeaks.Workflows</patch:attribute>
        </workflowProvider>
      </database>
    </databases>
    <accessRights defaultProvider="config">
      <rules>
        <!-- Makes workflowState:write assignable on every item, not only on workflow-related items.
             The right takes effect on content only for states with "Check required" selected. -->
        <add prefix="workflowState:write" typeName="Sitecore.Data.Items.Item"/>
      </rules>
    </accessRights>
  </sitecore>
</configuration>
Why is this solution worth blogging about? Because it allows us to address all the requirements by customizing only one thing – the Workflow class. Both Workbox and Content Editor will respect the security configuration if the “check required” field is selected on a workflow state item.
Feel free to share your thoughts on this approach as well as suggest improvements or even better solution.
Hope you find it helpful.