Prerequisites
-
Setup webiny-js
repo - this is where Webiny is located. You're gonna want to read the Contributing document.
-
Clone this repository - this is where you'll write the actual docs (the whole site is based on Docusaurus V2). A short intro can be found in the README
file.
Introduction
Once a new Webiny project is set up, out-of-the-box, users get access to the Admin app, which looks like this:
![image](https://user-images.githubusercontent.com/5121148/77308329-1699f100-6cfb-11ea-90ba-aba8f45a3af4.png)
The above image actually shows the Page Builder app, which is just one of the apps Webiny offers out of the box. If we open the main menu, located on the left side of the screen, we can see the other apps as well:
![image](https://user-images.githubusercontent.com/5121148/78506975-acaf2c00-777d-11ea-9a61-71658a5aef12.png)
Who can access these apps?
Every time a new Webiny project is deployed, in a short installation wizard, users get to create the initial "full access" admin user, which, as you might have already guessed, can access everything in the system.
After that, via the Security app, we can create additional users, with a specific set of access permissions.
![image](https://user-images.githubusercontent.com/5121148/78506956-94d7a800-777d-11ea-9525-4b47cd68648c.png)
How do permissions work?
The Security app uses the following structure:
Security Scopes < Security Roles < Security Groups
So, it all starts with "security scopes", for example: page:read
, page:create
, page:publish
, and so on. Then, in order to group one or more scopes together, a "security role" can be created, for example, "Security - Roles", which could contain all scopes needed to be fully able to manage roles. Another example would be "Page Builder - Pages" - this allows the user to fully manages pages as well. Finally, the user can also group roles by creating "security groups". An example of a security group could be "Security - Full Access", which, as the name of the security group states, gives complete access to the Security app.
The task
Now that we have an overview of how security is organized, we can proceed to the actual task.
We want you to document a couple of components and helper functions that our Security app offers, which help developers to check current user's permissions (scopes, roles, groups) easier, and act accordingly.
The Security app actually consists of two packages:
API
On the API side, the Security app offers a couple of neat helpers.
For doing checks on the GraphQL schema level and restrict executing a resolver, we offer hasScope
and hasRoles
helpers. There a really a lot of examples in the existing codebase because we used this in all of our apps:
Note that for now, we didn't have the need to utilize the hasRole
, but it's there and it should be documented.
App
React Components
On the app side, the Security app offers two React components: SecureView
and SecureRoute
.
Again, there are a lot of examples.
We used SecureView
component for deciding whether or not menu items needs to be shown:
Also, we used SecureRoute
to decide if the complete route needs to be rendered:
Note: the difference between the two is just in the fallback render. While SecureView
doesn't render anything at all, the SecureRoute
will render a default You are not authorized to view this route.
message (can be customized via a plugin as well).
Helpers
With shown components, the app also offers hasScopes
and hasRoles
helper functions. Might be useful when coding non-React logic.
How to write the docs?
Please check our other documentation pages, to get a feel of how we've approached it. These are some of the latest Admin app articles we added:
Organisation
I would create two categories in the Webiny Apps > Security > Development
section: App
and API
.
![image](https://user-images.githubusercontent.com/5121148/78507970-a7ed7680-7783-11ea-958f-c6df3101509e.png)
In there, in the API
section, I would maybe create the "GraphQL" menu item, which would point to a page that describes the above shown API/GraphQL helper functions.
For the Apps section, I would create React Components
and Helpers
, where you could describe the shown components and helpers.
Not 100% about both suggestions, if another idea comes to your mind, feel free to let us know.
Bonus
The other day, I noticed that we might add another, more practical example, into the Menus article.
So, at the end of the article, just add a new title, name it for example "Menus with the Security app" (or something along those lines), and create a simple example, that shows how you can create a menu, and also have it rendered only if a security check has passed.
Cross-linking is encouraged, so feel free to link the Security app as well. Often we like to use quote sections for these quick tips:
![image](https://user-images.githubusercontent.com/5121148/78508342-71fdc180-7786-11ea-9202-922f4aca8e0d.png)
The same could be done with the Routes article as well.