
Add Clerk-based RBAC for TinaCMS #576

Closed
jamiefolsom wants to merge 3 commits into feature/tinacms-upgrade-3.6 from feature/clerk-rbac


Conversation

@jamiefolsom
Member

@jamiefolsom jamiefolsom commented Mar 16, 2026

Summary

  • Adds Clerk as a third auth provider option (alongside Keycloak SSO and AuthJS)
  • Implements role-based access control: admin (full access) and editor (own content only)
  • Adds published field to posts, pages, and paths (replaces old drafts system)
  • Adds ownership tracking (owner_id, owner_name) to content collections
  • Backend enforcement via GraphQL mutation interception in Netlify function
  • Frontend restrictions: editors can't see admin-only collections or toggle published

Test plan

  • Set TINA_PUBLIC_AUTH_USE_CLERK=true with Clerk keys, verify admin loads
  • Admin role: all collections visible, can toggle published, can edit any content
  • Editor role: Settings/Branding/I18n/Navbar hidden, can only edit own content, gets 403 on others' content
  • Public site: unpublished content filtered out, published content visible, home page always renders
  • Backward compat: Keycloak/AuthJS modes still work when Clerk env vars not set

Includes #575 and #574

Two roles: admin (full access) and editor (own content only).
Clerk added as third auth option alongside Keycloak SSO and AuthJS.

Backend:
- Custom ClerkRBACAuth verifies tokens and extracts role from
  Clerk publicMetadata with 60s token cache
- enforceEditorRules() intercepts GraphQL mutations: blocks
  admin-only collections, strips published field, enforces
  ownership on updates/deletes

Schema:
- Add published, owner_id, owner_name fields to posts, pages, paths
- Replace conditional publish/drafts with unconditional published
- Add beforeSubmit hooks for auto-populating ownership
- Remove posts_config.drafts from settings

Frontend:
- PublishedToggle: visible to admins, hidden for editors
- ReadOnlyText: displays owner_name as static text
- role-ui.ts: sets data-tina-role, hides admin-only sidebar items
- Exclude TinaUserCollection when using Clerk auth

Public site:
- Filter all content queries by published: true
- Individual document fetches return null if unpublished
- Home pages and preview routes bypass published check

@jamiefolsom jamiefolsom requested a review from ajolipa March 16, 2026 20:52
@jamiefolsom jamiefolsom self-assigned this Mar 16, 2026
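The enforcement rules the PR description outlines (role taken from Clerk publicMetadata with a 60s cache, editors blocked from admin-only collections, the published field stripped from editor mutations, ownership checked on update/delete, and the public site hiding unpublished documents except on home and preview routes) as a standalone added example. This is not TinaCMS's, Clerk's, or the PR's code: the collection names, the shape of the `mutation` object, the `store` lookup and the function names are assumptions made for illustration, and the token verification step is deliberately left out (a real Netlify function would verify the Clerk JWT first and only then read its claims).

```javascript
// Added example: backend RBAC enforcement in the style the PR describes.
// Collection names and the mutation shape are assumptions, not TinaCMS's API.
const ADMIN_ONLY_COLLECTIONS = new Set(["settings", "branding", "i18n", "navbar"]);
const OWNED_COLLECTIONS = new Set(["post", "page", "path"]);

// Role from verified Clerk claims. Anything that is not exactly "admin"
// becomes "editor", so an unknown or missing role can never escalate.
function roleFromClaims(claims) {
  const meta = (claims && claims.publicMetadata) || {};
  return meta.role === "admin" ? "admin" : "editor";
}

// Small TTL cache keyed by token (the PR mentions a 60s cache). The clock is
// injectable so expiry can be tested without sleeping.
function makeRoleCache(ttlMs = 60000, now = () => Date.now()) {
  const entries = new Map();
  return {
    get(token) {
      const e = entries.get(token);
      if (!e) return undefined;
      if (now() - e.at > ttlMs) { entries.delete(token); return undefined; }
      return e.role;
    },
    set(token, role) { entries.set(token, { role, at: now() }); },
  };
}

class Forbidden extends Error {
  constructor(msg) { super(msg); this.status = 403; }
}

// user:     { id, name, role }
// mutation: { kind: "create"|"update"|"delete", collection, relativePath, params }
// store:    Map of "collection/relativePath" -> stored document (with owner_id)
// Returns the mutation the backend may run (with fields stripped for editors),
// or throws Forbidden (mapped to a 403 by the caller).
function enforceEditorRules(user, mutation, store) {
  if (user.role === "admin") return mutation; // admins pass through untouched
  const coll = mutation.collection;
  if (ADMIN_ONLY_COLLECTIONS.has(coll)) throw new Forbidden(`editors cannot modify ${coll}`);
  // Deny by default: an editor only touches collections that carry ownership.
  if (!OWNED_COLLECTIONS.has(coll)) throw new Forbidden(`editors cannot modify ${coll}`);

  const out = { ...mutation };
  if (mutation.kind === "create") {
    // Ownership is assigned server-side from the verified identity, never
    // taken from the client; `published` is stripped so the schema default wins.
    const { published, owner_id, owner_name, ...rest } = mutation.params || {};
    out.params = { ...rest, owner_id: user.id, owner_name: user.name };
    return out;
  }

  // update/delete: the caller must own the document as currently stored.
  const existing = store.get(`${coll}/${mutation.relativePath}`);
  if (!existing || existing.owner_id !== user.id) throw new Forbidden("not the owner");
  if (mutation.kind === "update") {
    // Editors can neither toggle `published` nor reassign ownership.
    const { published, owner_id, owner_name, ...rest } = mutation.params || {};
    out.params = rest;
  }
  return out;
}

// Public-site read path: unpublished documents resolve to null unless the
// request is for a home page or a preview route.
function publicDocument(doc, route = {}) {
  if (!doc) return null;
  if (doc.published === true || route.isHome || route.isPreview) return doc;
  return null;
}
```

The two things a practitioner should take from this: the ownership check reads `owner_id` from the stored document, not from the request, and the role defaults to the least-privileged value whenever the claim is absent or unrecognised.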
@jamiefolsom
Member Author

Superseded by #577 (RB-clerk-auth) which implements Clerk RBAC independently.
