In the daily operation and template development of AnqiCMS, we often need to obtain site data from different perspectives, and the category list tag (categoryList) is undoubtedly one of the most commonly used. This article addresses one question about it: does the category data returned by categoryList include user group or permission-related settings? To answer it, we look closely at the design philosophy and functional implementation of AnqiCMS and the logic behind them.

According to the AnqiCMS feature design documentation, the core responsibility of the categoryList tag is to retrieve and display the website's category structure and basic metadata. It is designed to quickly present the category ID, title, link, description, cover image, and whether the category has subcategories. As listed in detail in tag-/anqiapi-category/151.html, the categoryList parameters (such as moduleId, parentId and limit) and the available return fields (such as Id, Title, Link, Description, Logo, HasChildren and ArchiveCount) all clearly fall within the scope of content organization and presentation. These fields mainly reflect the attributes of the category itself and are meant to help template developers build navigation menus, category lists, and other basic structures.

However, none of these returned fields relates directly to user group IDs, permission levels, access restriction flags, or similar information. This is not a shortcoming of AnqiCMS but the result of an important consideration in its system design: separation of duties and security.

AnqiCMS has a strong and flexible user group management and permission control mechanism. According to the description in AnQiCMS 项目优势.md, the system has a built-in "Group Management and VIP System

  1. Whether the user can manage specific content or features in the backend.
  2. Whether the user can access specific pages or content on the frontend.

From a technical implementation perspective, exposing category access permission information directly in the data returned by the categoryList tag could bring unnecessary complexity and potential security risks. For example:

  • Security risk: If the front end could directly read the permission information of a category, malicious users might analyze it to deduce the system's permission rules and attempt to bypass them. Keeping permission decisions in the backend better protects the system's access control logic.
  • Separation of duties: categoryList focuses on 'what' and 'where', that is, the attributes and position of a category. Who can view it or who can operate on it is the job of the permission system. Separating the two makes the system structure clearer and defines the responsibilities of each module more clearly.
  • Performance optimization: If every category record carried complex permission information, it would increase the amount of data transferred and the front-end processing burden, especially when there are many categories.

This means that when you use categoryList in a template to get the category list, you get the general information of each category. If you need to display categories based on user groups or permissions, such as showing a "VIP exclusive course" category only to VIP users or hiding an "internal document" category, you usually need to combine it at the template level with the user's own permission information to make the logical judgment, or rely on the backend's permission filtering before the data is rendered.

For example, you can use tag-/api-user/3522.html and tag-/api-user/3524.html to get the details of the currently logged-in user or of the user group they belong to, and then use conditional logic (the if tag) in the template to decide whether to render a category link or content. The AnqiCMS backend also performs final verification and filtering of actual content requests based on the current user's permissions, ensuring that even if users obtain the URL of a restricted category in some way, they cannot access content they are not allowed to view.

In short, the category data returned by the categoryList tag does not contain user group or permission-related settings. AnqiCMS separates the retrieval of content data from the permission control logic, which is a more secure and efficient design practice.


Frequently Asked Questions (FAQ)

  1. Q: How do I determine whether the current user has permission to access the content under a specific category?
     A: The categoryList tag itself does not provide this information, because category access permissions are evaluated and enforced in the system backend. If you want to implement similar logic on the frontend, use the tag-userDetail or tag-userGroupDetail tag to retrieve the current logged-in user's identity and permission information, then combine it with an if statement in the template to conditionally display the category link or the content under it. The real access permission check is performed again by the backend when the user tries to access specific content.

  2. Q: Will the categoryList tag automatically filter out categories that the user does not have access to, based on their permissions?
     A: No. The categoryList tag returns all category structure data that meets the query conditions; it does not perform user permission filtering. If filtering based on user permissions is required, there are usually two ways: one is to filter through a custom backend interface before the data is returned to the front end; the other is to filter manually in the front-end template after obtaining all category data, using an if check on the current user's permissions (obtained through other tags) to display categories selectively.

  3. Q: If I want to display a 'VIP Exclusive' category on the front end and only VIP users can see it, what should I do?
     A: You can use the tag-userDetail or tag-userGroupDetail tag to get the current user's group information. For example, if the ID of the VIP user group is 5, you can write the logic in the template like this:

    {% userDetail currentUser with name="GroupId" %} {# Get the current user's group ID #}
    {% categoryList categories with moduleId="1" parentId="0" %}
        {% for item in categories %}
            {# Assume the ID of the "VIP Exclusive" category is 10 #}
            {% if item.Id == 10 %}
                {% if currentUser == 5 %} {# If the current user is in the VIP user group #}
                    <li><a href="{{ item.Link }}">{{ item.Title }} (VIP专属)</a></li>
                {% endif %}
            {% else %}
                <li><a href="{{ item.Link }}">{{ item.Title }}</a></li>
            {% endif %}
        {% endfor %}
    {% endcategoryList %}
    

    This implements conditional display at the template level; when a VIP user actually clicks through to the "VIP Exclusive" category, the backend system re-checks their permissions to ensure data security.
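
The two layers described above, sketched in Go as an added example (not AnqiCMS's own code): the category list is filtered per user group before it reaches the template, and the same decision is applied again when a category URL is requested. Policy, CanView, FilterCategories and AuthorizeRequest are hypothetical names; category 10 and VIP group 5 come from the FAQ, group 0 for anonymous visitors is an assumption, and the sample categories are constructed.

```go
package main

import "fmt"

// Category mirrors fields categoryList returns; it carries no permission data.
type Category struct {
	Id          int
	Title, Link string
}

// Policy maps a restricted category ID to the group IDs allowed to read it.
// Hypothetical structure, not AnqiCMS's schema; unlisted categories are public.
type Policy map[int][]int

// CanView is the one decision shared by menu filtering and request handling.
func (p Policy) CanView(groupID, categoryID int) bool {
	allowed, restricted := p[categoryID]
	for _, g := range allowed {
		if g == groupID {
			return true
		}
	}
	return !restricted
}

// FilterCategories drops restricted categories before they reach the template.
func (p Policy) FilterCategories(groupID int, cats []Category) []Category {
	visible := make([]Category, 0, len(cats))
	for _, c := range cats {
		if p.CanView(groupID, c.Id) {
			visible = append(visible, c)
		}
	}
	return visible
}

// AuthorizeRequest runs on every category request and returns the HTTP status.
func (p Policy) AuthorizeRequest(groupID, categoryID int) int {
	if p.CanView(groupID, categoryID) {
		return 200
	}
	return 403
}

func main() {
	cats := []Category{{1, "News", "/news"}, {10, "VIP Exclusive", "/vip"}} // constructed sample
	p := Policy{10: {5}} // category 10 readable by group 5 only, as in the FAQ
	fmt.Println(p.FilterCategories(3, cats), p.AuthorizeRequest(3, 10))
}
```

Because AuthorizeRequest never consults what the menu rendered, a visitor who learns the /vip URL from elsewhere still receives 403.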