While roles in Mattrbld allow you to toggle the visibility of certain interface elements such as sidebar entries, they also form the backbone of the granular permission system. This model allows you to finely control what actions users with certain roles are allowed to perform in Collections and the Media Library. In this article, you will learn how these permissions work and how they are set up.
By design Git does not do access control. This means that there is nothing keeping a user with write permissions to a branch in a repository from modifying any file they choose to.
Since every user in a Mattrbld project has to have write access to that project’s repository in order to user Mattrbld, it means that every member of a project can theoretically change any file from a Git client other than Mattrbld. On top of that, since Mattrbld runs entirely on the user’s device, the roles and permissions system does not provide real security. It is intended only to mitigate the risk of unintentional mistakes and to simplify the experience for a non-technical user.
A malicious user has many ways to tamper with Mattrbld’s code or files on their device, or just use another Git client to access and modify any file in the project’s repository.
You are responsible for configuring the remote repository at your Git provider to ensure the safety and integrity of your content, for example by protecting branches and enforcing read/write permissions for your collaborators.
You may define individual permissions for each collection of content in your project. For example, you could allow content editors to do everything in a “Blog Posts” Collection, but only create and delete files in a “Pages” Collection to avoid unintentionally nested file paths.
To do so, simply open the details of a Collection in the Collections tab of the project settings and scroll to the Permissions section at the bottom.
By default, any Collection will only have one permission rule: “Everybody can do everything”. You can remove that rule to start from scratch, or edit it to your liking. You may also add an unlimited number of rules by setting them up in the last line of the list and clicking the “plus” button.
Permission rules consist of a role or the special “Everyone” keyword and an action or the special “do everything” keyword that may be performed by users with that role in that Collection.
If you have added no custom roles, only “Everybody”, “Project Owner”, “Developer” and “Content Editor” will be available in the “Select a role…” dropdown, otherwise all your custom roles will show there as well.
The possible permitted actions for a Collection are:
do everything: the role is allowed to perform all actions
create content: the role is allowed to add new files to the Collection
create folders: the role is allowed to add new folders to the Collection
delete content: the role is allowed to delete files in the Collection
delete folders: the role is allowed to delete folders in the Collection
edit content: the role is allowed to rename and move files, as well as edit their contents in the Collection
edit folders: the role is allowed to rename and move folders in the Collection
publish drafts: the role is allowed to toggle “draft” status in the Collection, this option is only available if “Drafts” are enabled in the General Settings tab of the project settings, you can learn more about them in the configuration article.
These rules should be flexible enough for you to exactly control what actions will be available to each role so the editing experience will be simpler and less error-prone for everybody, whether they are tech-savvy or not.
Media Library Permissions
The permissions for the Media Library are structured the same way as the ones for the individual Collections, and once again by default everyone is allowed to do everything. To adjust that for your project’s needs, open the Media Library tab of the project settings, where you’ll find the same component to edit the permission rules for the Media Library.
The possible actions are much the same, except that they now refer to media instead of content files and since media files cannot be drafts themselves, there is no action for toggling drafts, even if the drafts functionality is set up.
This concludes the series of articles on collaboration. As you have learned, you can invite as many collaborators to your projects as you would like and assign different roles to them that you can then use to tailor Mattrbld’s UI to make it even easier for them to use and take away the nasty feeling of being able to break something important with one wrong click.
In the next article, we will take a look at how to sync local changes with the remote Git repository, so that you and your collaborators can always stay up to date, before we move on to the section on Data Modelling.