scipress docs
Ben Gorman

Ben Gorman

Life's a garden. Dig it.

Scipress has powerful access control capabilities that let authors control who can view each post. Authors can even gate content within a post.

Keep in mind

Designated Scipress employees (AKA "admins") can see everything. This special permission is required to guard Scipress against illicit and plagiarised material.

So when you hear us say things like "Only the post author can see this content", keep in mind that Scipress admins can also see that content!

Fundamentals

Access control deals with answering two questions:

  1. Can Bob see post X?
  2. Can Bob see gated content in post X?

Can Bob see post X?

In other words,

  • Can Bob go to the post URL without getting an "Access Denied" error?
  • Does post X show up in Bob's search results?
  • If Bob can access another post in the same tree as X, can he see X in the navigation?

To answer the question Can Bob see post X? you can use the following sequence of logical if -> then statements 👇

If Bob is the author of post X -> yes
 
Otherwise...
  If post X is trashed -> no
  If post X was disapproved by an admin -> no
  If post X or any of its ancestors is a draft -> no
  If Bob is excluded from the restricted_access property of post X or any of its ancestors -> no
 
  Otherwise -> yes

Question

If post X's parent or grandparent post is trashed from the post editor, can Bob still see post X?

No. When a post is trashed from the post editor, all of its descendants are automatically trashed as well. So,if post X's parent or grandparent post is trashed, post X is necessarily trashed, and Bob cannot see trashed posts unless he is the author.

Can Bob see gated content in post X?

Content within a post may be gated by wrapping it with a gate::: tag. For example,

---
title: My Secret Lasagna Recipe
is_draft: false
---
 
Anyone can see this
 
:::gate
Only subscribers and special people can see this
:::

To answer the question Can Bob see gated content in post X? you can use the following sequence of logical if -> then statements 👇

If Bob can't see post X -> no
 
Otherwise...
  If Bob is the author of post X -> yes
  If Bob is actively subscribed to post X or any of its ancestors -> yes
 
  Otherwise -> no

is_draft

Every post has an is_draft property in its YAML frontmatter which must be true or false. (The default value is true.) When a post has is_draft: true, it can only be seen by the post author.

Post Trees

If any of post X's ancestors have is_draft: true, post X can only be seen by the post author, even if post X is not a draft. For example, if you have a post tree like this 👇

              Post A 
          is_draft: false
           /           \
          /             \
         /               \
     Post B             Post C 
 is_draft: false   is_draft: true
                    /           \
                   /             \
                  /               \
              Post D             Post E
         is_draft: false     is_draft: false

posts A and B are publicly viewable (barring other conditions), and posts C, D, and E can only be seen by the author. This mechanism allows you to "publish" or "unpublish" multiple posts at the same time by switching the is_draft state of their ancestor.

restrict_access

Posts may include a restrict_access property that determines which users are allowed to see it. This is particularly nice when you want to create a private knowledgebase for a small group of individuals.

restrict_access is an array property that may contain user ids and/or email addresses. For example,

---
title: Who's Winning Week 12 in the NFL
is_draft: false
restrict_access: 
  - [email protected]
  - [email protected]
  - GHaqqjxgwTSAq8km9uXj
---
 
Here are my picks for this week's games...

(Ignoring other possible factors..) This post would be visible by

Note

Marissa and Corey cannot see the post until they sign up as users on Scipress and verify their email addresses. User GHaqqjxgwTSAq8km9uXj does not need to verify their email address to see the post.

restrict_access can be set to an empty array [] to prevent all users from viewing the post.

---
title: Just for me
is_draft: false
restrict_access: []
---
 
Only I (the post author) can see this!

Post Trees

To understand how restrict_access behaves in the context of a post tree, consider the following rules:

  • If the restrict_access property is omitted from the root post's YAML frontmatter, everyone can see it.
  • If the restrict_access property is omitted from a non-root post, it inherits the restrict_access of its parent.
  • The users who can see a child post are the ones listed in its restrict_access property intersected with the users who can see its parent.

Consider the following post tree.

          Post A 
        /        \
       /          \
      /            \
  Post B          Post C 
           restrict_access: [1, 2, 3]
                 /           \
                /             \
               /               \
           Post D             Post E
                       restrict_access: [1, 4]
  • Everyone can see posts A and B
  • Only users 1, 2, and 3 can see posts C and D
  • Only user 1 can see post E
Notice user 4 cannot see post E even though user 4 is included in post E's restrict_access property.

Trashed posts

You can trash a post with the Trash button in the post editor or by removing the post from the bulk editor. The only person who can see a trashed post is its author.

Post Trees

When you trash a post from the post editor, all of its descendants are trashed as well.

Consider the following post tree 👇

       Post A 
       /    \
   Post B   Post C 
            /    \
        Post D   Post E

If you were to trash post C from the post editor, posts C, D, and E would all be trashed.

When you trash a post by removing it from the bulk editor, its descendant posts are not trashed unless you explicitly remove them as well.
A trashed post only appears in the navigation if you're viewing that specific post or one of its descendants.

Disapproved posts

Posts may be disapproved by an admin if they violate our terms of service. (All posts are approved by default.) If a post is disapproved, it can only be seen by the post author.

Post Trees

If an admin disapproves a post, its descendant posts can only be seen by authors and admins. Note, however, that when a post is disapproved, its descendants are not automatically disapproved as well.

Gated content

You can gate content in a post by wrapping it in a gate::: tag.

---
title: My Secret Lasagna Recipe
is_draft: false
---
 
Anyone can see this
 
:::gate
Only subscribers and special people can see this
:::

Tip

You can use multiple gates in a single post.

Even if post X is publicly viewable, the gated content inside post X is only visible to subscribers.

In the edit post page, you can toggle the Subscribed button to see how a post looks to subscribers and non-subscribers.

Toggle subscribed view

Note

You can include a description of the gated content in the :::gate tag label, in square-brackets [].

:::gate[Subscribe to view this week's winning lottery numbers]
The winning lottery number is 123456
:::

How do users subscribe to a post?

Technically, users don't subscribe to posts - they subscribe to products. A product is like a key that unlocks gated content in one or more posts.

If an author creates a post with gated content, they should also create at least one product that unlocks the post. When a post can be unlocked by one or more products, those products will automatically appear in the Gated Content sections seen by non-subscribers.

Products in gate

Post Trees

Every product directly unlocks the gated content in some specified posts. Products indirectly unlock the gated content in the descendants of those posts.

For example, consider the following post trees and products 👇

     Post A 
     /    \
Post B   Post C
         /    \
     Post D   Post E
 
 
        Post F 
      /   |    \
Post G  Post H  Post I
          |       |    \
        Post J  Post K  Post L
 
Product Foo
* Post A
* Post H
 
Product Bar
* Post C
* Post H
* Post I
  • Product Foo
    • directly unlocks posts {A, H}
    • indirectly unlocks posts {B, C, D, E, J}
  • Product Bar
    • directly unlocks posts {C, H, I}
    • indirectly unlocks posts {D, E, J, K, L}

If the author creates a new post M as a child of post L, subscribers of Bar would automatically get access to M's gated content.

Images

Every image uploaded to Scipress is publicly accessible. However, images are "hidden in plain sight" thanks to random, unguessable tokens attached to each image URL.

For example, this image 👇

cat

has the URL https://firebasestorage.googleapis.com/v0/b/scipress-prod.appspot.com/o/users%2FkD4y7yuzujZBPul6hqGgMyUUxUJ2%2Ffiles%2Fcat.jpg?alt=media&token=47b27998-304f-47d4-aa5e-7680fb517fc6

The image's random token is specified in the URL by token=47b27998-304f-47d4-aa5e-7680fb517fc6.

Thanks to that random token, people and webcrawlers can't stumble upon or guess this image's URL. People and machines can only obtain the URL if someone else gives it to them. This means it's safe to embed private images in a post as long as you trust the people who have access to that post not to share the image links.