Give Me an API for Filtering Content

By Deane Barker on November 1, 2008

Here’s something that should be a required feature of any CMS —

You should be able to “wash” a list of content against the permissions model of the CMS. Meaning, if I get a list of content IDs, I should be able to “strain” them through some API call on the CMS, and get back a list of IDs the current user is allowed to see.

This would make my life so much easier, though what that really means is that I’d be able to hack systems at a lower-level, which probably makes CMS vendors nervous so they have little impetus to actually implement this, but I can dream.

Here’s an example of where I’m going with this —

Sometimes, you just can’t get “at” the content you want through the exposed APIs. You try, but you need to do something really hairy and the API is just not playing ball with you. So, you do the unthinkable and go straight to SQL. The idea is that you query for content IDs, then use the API to retrieve that content by specific IDs.

This is bad, for the primary reason that you may get back content that the current user should not see, either because they don’t have sufficient permissions or the content isn’t published yet. Essentially, you’re going around the permissions and publishing model of the CMS, and untold horrors await you.

But, what if you could say —

Hey, CMS, I have this list of content IDs here… How did I get them? Yeah, well, that’s not that important right now…

Anyway, can you look at this and tell me which ones I can show Nathaniel Snerpis? Here, just take them all, and give me back the ones I can show him.

In this case, the CMS has filtered your list, and everyone is happy. In the end, it doesn’t much matter how you got the list of content, just so long as you filter it.

Although I mentioned directly querying SQL, that’s just an example. There’s a number of different ways you could obtain an arbitrary list of content, and that’s the beauty of this idea — it doesn’t matter how you got the list. A filter just let’s you “correct” any list of content, regardless of origin.

Another good example is using a search system external to your CMS —

We have three Ektron installs using the Google Mini search appliance. One of the problems with the Mini is that it’s not plugged into Ektron’s permissions model, so it has no idea which content it can show an anonymous user in search results and which it can’t. To get it to play ball, you have to go to complicated lengths to expose user groups in META tags, then filter against them, etc. A good content filtering API would remove this problem.

I wonder if CMS vendors would be disinclined to do this because to do so would open their systems up to being…extended, in ways that they weren’t planning on. In the end, is this a bad thing?

Update: Henri Bergius of Midgard was nice enough to blog with some code of how to do this in his system. If you’re an expert with System X, would you be willing to indicate whether or not it can be done, how difficult it is, and how far you’d be coloring outside the lines to do it?

What Links Here


  1. Drupal has the concept of pluggable access control, so it’s REALLY important to do all this through the API. Since any module can layer on access restrictions, trying to query through the database is guaranteed to cause you headaches.

    This code is untested, but should give you the general idea. It’s basically two lines of code that you run against every node id that you’re checking access for.

Comments are closed. If you have something you really want to say, email and we‘ll get it added for you.