This repository has been archived by the owner on Oct 7, 2024. It is now read-only.
Merge pull request #140 from contember/mail-templates
tenant docs improvements
Showing 13 changed files with 432 additions and 233 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,87 @@ | ||
--- | ||
title: Tenant Permissions | ||
--- | ||
|
||
The Tenant permissions feature in Contember allows you to fine-tune control over various actions and roles. These permissions are specified under the `tenant` field when you define a role. | ||
|
||
## <span className="version">Engine 1.3+</span> Invite Permissions | ||
|
||
The `invite` permission controls the ability to invite other users to a project. You can use either a simple boolean value or a more advanced [membership match rule](#understanding-membership-match-rules) object. If `invite` is set to `true`, the existing rules under `manage` will apply. | ||
|
||
#### Example: Simple Invite Permission | ||
|
||
```typescript | ||
export const editorRole = acl.createRole('editor', { | ||
tenant: { | ||
invite: true, | ||
}, | ||
}); | ||
``` | ||
|
||
:::note | ||
Before Engine 1.3, the `invite` and `unmanagedInvite` allowed only a boolean value. | ||
::: | ||
|
||
### <span className="version">Engine 1.3+</span> Unmanaged Invite Permissions | ||
|
||
Similar to `invite`, the `unmanagedInvite` field can accept a boolean value or a [membership match rule](#understanding-membership-match-rules) object. This permission allows you to use the `unmanagedInvite` mutation. | ||
|
||
### <span className="version">Engine 1.3+</span> View Permissions | ||
|
||
The `view` field enables you to specify which roles and their associated variables a user can view. | ||
|
||
#### Example: View Permissions | ||
|
||
```typescript | ||
export const editorRole = acl.createRole('editor', { | ||
tenant: { | ||
view: { | ||
editor: { | ||
variables: { | ||
language: true, | ||
}, | ||
}, | ||
}, | ||
}, | ||
}); | ||
``` | ||
|
||
### Manage Permissions | ||
|
||
The `manage` field helps you specify the roles and their variables that a user can manage. | ||
|
||
#### Example: Manage Permissions | ||
|
||
```typescript | ||
export const editorRole = acl.createRole('editor', { | ||
tenant: { | ||
manage: { | ||
editor: { | ||
variables: true, | ||
}, | ||
}, | ||
}, | ||
}); | ||
``` | ||
|
||
## Understanding membership match rules | ||
|
||
The membership match rules is an object that enables you to define more granular rules for managing memberships, roles, and variables. It comes into play when you set values for `invite`, `unmanagedInvite`, `view`, and `manage` fields in the `tenant` permissions. | ||
|
||
This rule allows you to: | ||
|
||
- Define which roles can be managed | ||
- Specify what variables within those roles can be managed | ||
|
||
For example, if you only want to allow a user to manage the `editor` role and assign any value to the `language` variable but restrict values for the `site` variable, your rule would look like this: | ||
|
||
```typescript | ||
{ | ||
editor: { | ||
variables: { | ||
language: true, | ||
site: 'assignable_site', | ||
}, | ||
}, | ||
} | ||
``` |
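Review bot: the closing membership match rule example (`site: 'assignable_site'`) is the only place a string value appears in a `variables` rule, and the hunk never says what that string denotes, so a reader cannot tell what "restrict values for the `site` variable" restricts them to; add a sentence defining the string form and contrasting it with `true`, which the text does define as "assign any value". The Unmanaged Invite Permissions paragraph has the same gap: it says only that the permission "allows you to use the `unmanagedInvite` mutation" without saying how an unmanaged invite differs from `invite` or why it is gated by a separate permission, which is exactly what someone deciding which of the two to grant needs to know. Smaller points: the Invite Permissions heading is `##` while Unmanaged Invite, View and Manage are `###`, so the first section nests the other three under it; "The membership match rules is an object" should read "A membership match rule is an object"; and the note "the `invite` and `unmanagedInvite` allowed only a boolean value" is missing the word "fields".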
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,47 @@ | ||
--- | ||
title: User invitations | ||
--- | ||
|
||
The `invite` mutation provides a way to add a new member to a specified project within the system. | ||
|
||
#### Example: sending and invitation | ||
|
||
```graphql | ||
mutation { | ||
invite( | ||
email: "[email protected]", | ||
projectSlug: "my-blog", | ||
memberships: [ | ||
{ | ||
role: "editor", | ||
variables: [{name: "language", values: ["en}] | ||
} | ||
], | ||
options: { | ||
mailVariant: "en_us", # Optional | ||
method: RESET_PASSWORD # Recommended | ||
} | ||
) { | ||
ok | ||
error { | ||
code | ||
} | ||
} | ||
} | ||
``` | ||
### Invite permissions | ||
By default, users with the global roles `super_admin` and `project_admin`, along with project-level `admin`, are authorized to issue invitations. However, you can extend this capability to other user roles by configuring [Tenant ACL permissions](/reference/engine/schema/acl.md#tenant-permissions). | ||
### Existing vs new users | ||
If the specified email address already corresponds to a user in the system, that user will simply be added to the designated project. If the user does not yet exist, a new account will be created, and login instructions will be sent to the provided email address. | ||
### Password handling | ||
By default, the invitation process auto-generates a password and sends it via email. However, it's recommended to set the invite method to `RESET_PASSWORD`. This way, a reset token is sent instead of a generated password. Ensure your [mail templates](./mail-templates.md) are appropriately configured to include the password setup link. Note that the default method will transition to `RESET_PASSWORD` in future updates. | ||
### Customizing Email Templates | ||
You can specify a preferred email template variant by setting the `mailVariant` option, as outlined in the [mail templates](./mail-templates.md) section. |
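Review bot: the GraphQL example is not valid as written: `values: ["en}]` on the `variables` line drops the closing quote and should be `values: ["en"]}]`, so anyone pasting the snippet gets a parse error. The heading "Example: sending and invitation" should read "sending an invitation", and from `### Invite permissions` onward the headings and paragraphs run together with no blank line after the closing code fence or between sections, which some Markdown renderers will not split into separate blocks. Since the Password handling paragraph explains that the default method emails a generated password, consider stating that reason in the `# Recommended` comment next to `method: RESET_PASSWORD` so the snippet itself says why the option matters.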