CMS: About Collection Permissions

In the CMS (Content Management System), you can change your collection permissions to control who can view, add, update, or delete collection content on your live site. The most common way visitors modify collection content from the live site is with input elements set to collect content.

Collection permissions help you manage live site access to your collection content and maintain the security of your site's data. For example, if you run an online community, you might want to allow only registered members to view and contribute to certain collections, ensuring that sensitive information stays within your trusted user base.
Velo by Wix users:
The Wix Data API lets you access your collections directly using code, giving you more capabilities than the preset and custom collection permissions.

Manage live site access to collection content

Collection permissions determine who can access CMS collection content from your live site and what they can do with the content (e.g. view, add items, update existing content, delete content). Usually, this is done with input elements but can also be done with the Data API. Collaborators are always considered 'admins' in collection permissions that control what people can do from the live site.

About site owners and collaborators:
Site owners and collaborators are always treated as admins when logged in to the live site. This means they can always view, add, update, and delete collection content from the live site. This rule applies no matter which collection permission you select. 

Use the 'Show content' permission for view-only access

The 'Show content' permission allows your collection content to be viewable on the live site by site visitors. This setting is useful when you want to make certain information publicly accessible without allowing any modifications. You can choose to make the content viewable by everyone, or restrict it to site members only. This ensures that sensitive content remains protected while still being accessible to those who need it.

It's important to note that, depending on the permissions you apply, the collection content can still be accessed even if it doesn't appear on your live site. For example, if "Everyone" is selected under "Who can view this content", then anyone can use the Data API to view the collection content.
Screenshot of setting the collection permissions to show content.

Use the 'Collect content' permission to allow adding new items

The 'Collect content' permission lets visitors add new items to your collection through input elements or API. This is particularly useful for sites that gather user-generated content, such as reviews, comments, or posts. However, this permission does not allow visitors to update existing items or their field values. Use custom permissions if you need to allow existing items or their field values to be updated from the live site. 

You can decide whether any site visitor or only site members can add new content to the collection. Additionally, you can control who can view the added content, ensuring that it meets your site's privacy and security standards.

Dataset settings impact the actions that can be taken on the page, but only collection permissions can actually limit the operations that the various roles can perform on the data. Learn more about configuring dataset settings.
Screenshot of setting collection permissions to collect content.

Set 'Custom' permissions for more access control

For more control over who can view, add, update, or delete content, set 'Custom' permissions. This allows you to tailor access based on different roles, such as site admins, item creators, members, and general site visitors. For instance, you might allow only admins to delete content, while letting item creators update their own submissions. This flexibility ensures that you can manage your collection content in a way that aligns with your site's specific needs and security requirements.

When using custom permissions, make sure that the permissions you assign match the business logic and the confidentiality classification of the data in the collection. For example, collections with details about customers or business leads should be treated differently than collections about products.
Screenshot of setting custom collection permissions.
Note:
Data access permissions do not change with PII encryption. Appropriate permissions must be set to maintain the confidentiality of the data. Learn more about PII and data security.

Modify permissions for all your collections

Understanding and managing permissions for all your collections is crucial for maintaining the integrity and security of your site. Each collection can have its own set of permissions, allowing you to customize access based on the type of content and the intended audience. By regularly reviewing and adjusting these permissions, you can ensure that your site's data remains secure and that users have the appropriate level of access.

The roles you see in the custom permissions table are assigned to live site visitors based on their activity and status on the site. The CMS roles you assign to collaborators do not matter in collection permissions, as all collaborators are considered admins with regard to collection permissions on the live site.

However, with Velo, you can implement a custom role on a collection by using code to make a data call from the backend with the suppressAuth option. The data call should be made after the membership custom role is validated with the wix-users API functionality in the code. 

The admin always retains permissions for all actions. When you preview your site, you do so in the admin role. To interact as another type of user, first publish your site and then navigate to your live site and either log in as a different user (site member) or not log in at all (anyone). Remember that, if sandbox collections are enabled on your site, your live site works with the live collections and not with the sandbox collections.

Velo by Wix: Authorization suppression

When interacting with your collections using the Data API, you can choose to bypass the permissions model in certain cases. The optional WixDataOptions argument can be sent to the API function call with the suppressAuth property set to true. This will cause the function to run without checking if the current user has the correct permissions. You can only bypass permissions when making API calls from backend code. Client-side API calls will always run permission checks, regardless of what options are passed.

For example, a collection may contain comments as well as the email address of the comment creator. Visitors should be able to view the comments, however only the admin should be able to view the email addresses. The authorization suppression can enable the visitors to view the comments without granting visitors the permission to 'read' the comments collection.

This can be done by writing a web module in a .jsw file in the backend that will call the comments collection with the suppressAuth property set to true and then filter out the response and return only the desired fields (comments) to the client for the visitor to view, without the other fields of the collection, specifically without the emails.
import wixData from 'wix-data';
// ... (backend web module, e.g. a .jsw file)
// suppressAuth skips the collection permission check; it is only honoured in backend code.
let options = {
    "suppressAuth": true
};
wixData.query("myCollection")
  .find(options)
  .then( (results) => {
    if(results.items.length > 0) {
      let items = results.items;
      let firstItem = items[0];
      // Strip the fields the visitor must not see (e.g. email) before returning items to the client.
    } else {
      // handle case where no matching items found
    }
  } )
  .catch( (error) => {
    let errorMsg = error.message;
    let code = error.code;
  } );
Another use of suppressAuth is where you want to allow a custom role (a specific site member or a specific group of site members) access to a collection that is set with admin permissions. In this case, the web module must check the identity or the role of the site member before calling for the data.
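The two backend patterns described above (a suppressAuth query that returns only the comment fields, and a suppressAuth query gated on a validated member role) as an added example, not code from the Wix article. Because wix-data and the members API are not available outside Wix, the data service and the caller's role list are passed in as arguments, and a constructed in-memory stub stands in for wixData.query(...).find(...); the "Moderator" role name and the "comments" field names are assumptions.

```javascript
// Added example, not code from the Wix article: a backend web module pattern
// for suppressAuth with an explicit field allowlist, plus a role-gated variant.
// wix-data and the members API are unavailable outside Wix, so the data service
// and the caller's role list are injected (assumption); a constructed stub follows.

// Allowlist of fields a visitor may see. An allowlist (not "delete email")
// means a field added to the collection later is never exposed by accident.
const PUBLIC_COMMENT_FIELDS = ["_id", "text", "_createdDate"];

// Keep only the allowed keys of each item.
function projectFields(items, allowed) {
  return items.map((item) =>
    Object.fromEntries(
      allowed.filter((key) => key in item).map((key) => [key, item[key]])
    )
  );
}

// Equivalent of an exported .jsw function for visitors: the collection can
// stay admin-only, and the client receives only the projected fields.
async function getPublicComments(dataApi) {
  const results = await dataApi.query("comments").find({ suppressAuth: true });
  return projectFields(results.items, PUBLIC_COMMENT_FIELDS);
}

// Custom-role variant: validate the role first, then run the suppressed call.
// "Moderator" is a hypothetical role name obtained from the members API.
async function getCommentsWithEmails(dataApi, memberRoles) {
  if (!memberRoles.includes("Moderator")) {
    throw new Error("Forbidden: Moderator role required");
  }
  const results = await dataApi.query("comments").find({ suppressAuth: true });
  return results.items;
}

// Constructed sample data and a stub of the Data API surface used above.
const SAMPLE_ITEMS = [
  { _id: "c1", text: "Great post", email: "alice@example.com", _createdDate: "2024-01-01" },
  { _id: "c2", text: "Thanks!", email: "bob@example.com", _createdDate: "2024-01-02" },
];
const stubDataApi = {
  lastOptions: null, // records the options passed to find()
  query: () => ({
    find: async (options) => {
      stubDataApi.lastOptions = options;
      return { items: SAMPLE_ITEMS.map((item) => ({ ...item })) };
    },
  }),
};
```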
Notes:
  • Collection permissions impact what data is loaded by datasets that connect to the collection. Learn more about dataset modes which determine whether the dataset can read, write, or read and write collection data. 
  • Dataset settings can be used to refine what data operations can be performed by the elements connected to that specific dataset. Data is always accessible to the extent specified by collection permissions using the Data API.
  • Some roles depend on your having a Members Area on your site. If you use Velo by Wix, you can also add membership functionality with the wix-members-backend API.
