Custom Workflow Security in Sitecore

One of the great things about Sitecore is the ability to extend and customize basic Sitecore. Recently I had a project where the client wanted the ability to specify workflow security per item. The standard Sitecore workflow allows to specify the security per workflow state.
To implement this functionality I had to create a class that extends Sitecore.Workflows.Simple.Workflow.
public class CustomWorkflow: Sitecore.Workflows.Simple.Workflow, IWorkflow
{
}
Next we need to give the ability to filter what items are displayed in the workbox and what workflow commands a user can execute. In order to filter what items are displayed in the workbox the workflow needs to override the GetItems (string) function. This function is called by the workbox to get the list of items to display.
public override DataUri[] GetItems(string stateId)
{
List<DataUri> list = base.GetItems(stateId).ToList();
DataUri[] finalList = list.Where(p => HasWorkflowAccess(p)).ToArray();
return finalList;
}
The above function calls the standard workflow GetItem function. Then the items are filtered out to only return the items that have access. The next step is to restrict access to an item in the workflow and to restrict what commands a user can execute. To do this we need override the GetCommands (Item) function. This function is called to get the list of commands the user can execute per item.
public override WorkflowCommand[] GetCommands(Item item)
{
Assert.ArgumentNotNull(item, “item”);
if (!HasWorkflowAccess(item))
return new WorkflowCommand[0];
WorkflowCommand[] commands = base.GetCommands(item);
return commands;
}
The above function checks to see if the user has access to the item. If the user does not have access no commands will be returned. If the user does have access to the item it will return the commands that are available using the standard Sitecore workflow.
With the following customization we have the ability to specify workflow security at the item level.

Leave a Reply

Your email address will not be published.