Webflow's current security design allows...
- Per-page protection, by setting a password for that page
- Per-folder protection, by setting a password for that folder
Current challenges & limitations
- Collection Pages are not treated as pages or folders, and cannot be secured
- Each page or folder must be individually password-protected, even when they are functionally related, e.g. a page at /member, and a folder at /member.
- No ability to secure individual CMS items
- No ability to secure in-page items, e.g. to hide / show elements or navigation based on current login status.
SOLUTION - SECURITY CONTEXTS
- Add "Security Contexts" to Site Settings, and allow those contexts to be applied to pages, collections, items, and elements. A Security Context is a defined role / actor, like "public" (the default context), "admin", or "member."
- Make the "Public" context default and non-editable.
- Allow the addition of others, e.g. "Member", or "Admin".
- For now, allow setting a password per context (later, a membership system, and/or support for OAuth to 3rd party services)
Allow a Context to be applied to:
- CMS Collections ( which defines the security for those collection pages )
- CMS Collection Items ( which allows individual items to be locked )
- Page Elements. Here, allow the ability to hide or show a page element, depending on the status of
For each of these, the designer can choose which contexts to Restrict Access to. No restriction means everyone can see it.
For Page Elements, that same capability is "Display only to [Contexts]". This way login buttons, registration buttons, navigation elements, content and content sections can all be hidden from users who should not see them.
Some examples of how this would be used:
- Restrict a specific CMS collection page to members only
- Restrict a specific CMS item to members only ( while other items are public )
- Restrict two pages and a folder to Admins (while only having to update the password in one place)
- Hide a login button from Members when they're already logged in.
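A sketch of how the proposed contexts could be evaluated, added here as an illustration; it is not Webflow code and not part of the original proposal. It assumes each visitor holds exactly one current context ("public" until a context password is accepted); the names `SecurityContexts`, `can_view` and `render`, and all paths, element ids and passwords, are constructed for the example.

```python
import hashlib, hmac, os

PUBLIC = "public"  # default context: always present, never editable

class SecurityContexts:
    """Site-level registry: one password per non-public context."""
    def __init__(self):
        self._secrets = {}  # context name -> (salt, derived key)

    def add(self, name, password):
        if name == PUBLIC:
            raise ValueError("the public context cannot be edited")
        salt = os.urandom(16)
        self._secrets[name] = (salt, self._hash(password, salt))

    @staticmethod
    def _hash(password, salt):
        # Store a salted, slow hash rather than the context password itself.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def login(self, name, password):
        """Return the visitor's context: `name` on success, else public."""
        salt, stored = self._secrets.get(name, (b"\0" * 16, b""))
        ok = hmac.compare_digest(stored, self._hash(password, salt))
        return name if ok else PUBLIC

def can_view(restrict_to, context):
    """No restriction (empty or missing list) means everyone can see it."""
    return not restrict_to or context in restrict_to

def render(elements, context):
    """Filter on the server so hidden elements never reach the browser
    (assumption: hiding them with CSS alone would still leak the markup)."""
    return [e["id"] for e in elements
            if can_view(e.get("display_only_to"), context)]

# Constructed sample site mirroring the usage examples in the proposal.
SITE = SecurityContexts()
SITE.add("member", "constructed-member-pw")
SITE.add("admin", "constructed-admin-pw")
RESOURCES = {
    "/blog": [],                                      # public collection
    "/blog/members-only-post": ["member", "admin"],   # one locked CMS item
    "/admin": ["admin"],                              # page and folder share
    "/admin/reports": ["admin"],                      # a single context
}
NAV = [
    {"id": "home-link"},
    {"id": "login-button", "display_only_to": [PUBLIC]},
    {"id": "member-menu", "display_only_to": ["member", "admin"]},
]
```

Because the password lives on the context rather than on each page or folder, changing the admin password once covers both `/admin` and `/admin/reports`.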