Scripting

Learn How to Use Scripting to Implement More Validation and Security Solutions

Introduction

This documentation is based on the FoodCrunch use case. Please open the link below alongside this page to understand the examples.

pageIntroduction and Use Case

Why Scripting?

Some business rules around security and validation are hard to solve with a generic feature that works for everybody and is easy to use. The workflow system has limitations as well and you cannot write permissions that depend on the data of the content.

In general, scripting can be used to handle gaps in the Squidex feature set.

Scripting for Content

You can create scripts that run whenever a content item is created, updated, deleted, queried or when the status changes (e.g. from Draft to Published).

Scripts can be defined in the schema editor:

Go to your App (1).
Go to the Schema (2) settings.
Select the schema (3) you want to write a script for, i.e startups in this example.
Select the Scripts (4) tab
Select the tab (5), depending on when you want the script to run, to work with the editor.

In the editor, you can define scripts for the following actions:

Query script is executed whenever a content item is queried with the API, but not when queried by the Management UI.
Prepare Query is called once for all content items of the current query. It can be used to precompute or prefetch data.
Create script is executed before a content item is created.
Change script is executed before the status of a content item is changed. When you use scheduling to change the status of a content item in the future, the script is called just before the status is changed and not when you schedule it. This can also stop your scheduling, when the script fails or it rejects the change.
Delete script is executed before a content item is deleted.
Update script is executed before a content item is updated.

Content creation and updates happen in the following order:

The content item is loaded. If it does not exist, the API responds with 404 (NotFound).
The data from the request is validated. The API responds with 400 (BadRequest) for invalid data.
The script is executed.
The data from the request is enriched with configured default values.
The constraints, such as unique fields are checked.

This means that you have the guarantee in your scripts, that the data is always valid and that you cannot violate constraints such as unique fields when you auto-generate or change content data.

Scripts are executed for the REST endpoint as well as for the GraphQL endpoint.

Scripting for Assets

Asset scripts can be defined in the settings:

Go to your App (1).
Go to the Settings (2).
Select the Asset Scripts (3) menu item.
Select the script type (4) you want to edit.

In the editor you can define scripts for the following actions:

Annotate script is executed before the metadata of an asset is changed.
Create script is executed before an asset is created.
Moved script is executed before an asset is moved to another folder.
Delete script is executed before an asset is deleted.
Update script is executed before an asset is replaced with a new file.

Execution and Variables

The scripts are executed in a Sandbox. You do not have access to the file system and only to allowed functions. Only the ES5 JavaScript syntax is implemented so far, which means you cannot use Lambda expressions, Promises or classes.

Variables

All variables are accessible over the ctx (Context) variable. The following fields can be used for all scripts:

Name Type Description

Name	Type	Description
`ctx.appId`	String	The ID of the current app.
`ctx.appName`	String	The name of the current app.
`ctx.operation`	String	The name of the operation, as it is also used in the UI. For assets: "Query", "PrepareQuery", "Annotate", "Create", "Update", "Delete", "Move". For content: "Query", "PrepareQuery", "Create", "Update", "Delete", "Change". In addition to that for content "Published" is used when the status is changed to "Published" and "Unpublished" is used when the previous status is "Published".
`ctx.user`	Object	Information about the current user. See next table.

ctx.appId

String

The ID of the current app.

ctx.appName

String

The name of the current app.

ctx.operation

String

The name of the operation, as it is also used in the UI. For assets: "Query", "PrepareQuery", "Annotate", "Create", "Update", "Delete", "Move". For content: "Query", "PrepareQuery", "Create", "Update", "Delete", "Change". In addition to that for content "Published" is used when the status is changed to "Published" and "Unpublished" is used when the previous status is "Published".

ctx.user

Object

Information about the current user. See next table.

The user object has the following structure:

Field Type Description

Field	Type	Description
`ctx.user.id`	String	The ID of the user or the name of the client, if the update or query is invoked from a client.
`ctx.user.email`	String	The email address of the user, if the user is not a client.
`ctx.user.isClient`	Boolean	True, if the current user is a client, false otherwise.
`ctx.user.claims.xxx`	String	Each user has a list of claims. Claim are just key-value-pairs. Such a claim could be the display name of the user or the link to the profile picture. Most of them are not interesting for scripting, but you can also go to your profile and add custom properties as claims to your account and use them in the scripts or rules.

ctx.user.id

String

The ID of the user or the name of the client, if the update or query is invoked from a client.

ctx.user.email

String

The email address of the user, if the user is not a client.

ctx.user.isClient

Boolean

True, if the current user is a client, false otherwise.

ctx.user.claims.xxx

String

Each user has a list of claims. Claim are just key-value-pairs. Such a claim could be the display name of the user or the link to the profile picture. Most of them are not interesting for scripting, but you can also go to your profile and add custom properties as claims to your account and use them in the scripts or rules.

Content Script Variables

The following fields can be used for content scripts:

Name Type Description

Name	Type	Description
`ctx.contentId`	String	The ID of the content item.
`ctx.data`	Object	The data for the content item as it is also described in the Use Case introduction.
`ctx.dataOld`	Object	The old data of the content item as it is also described in the Use Case introduction. Only for "Update" scripts. You can also use `ctx.oldData` as an alias.
`ctx.permanent`	Boolean	For delete operations only. True when the content should be deleted permanently.
`ctx.status`	String	The status of the content.
`ctx.statusOld`	String	The old status of the content item. Only for "Change" scripts. You can also use `ctx.oldStatus` as an alias.

ctx.contentId

String

The ID of the content item.

ctx.data

Object

The data for the content item as it is also described in the Use Case introduction.

ctx.dataOld

Object

The old data of the content item as it is also described in the Use Case introduction. Only for "Update" scripts. You can also use ctx.oldData as an alias.

ctx.permanent

Boolean

For delete operations only. True when the content should be deleted permanently.

ctx.status

String

The status of the content.

ctx.statusOld

String

The old status of the content item. Only for "Change" scripts. You can also use ctx.oldStatus as an alias.

Asset Script Variables

The following fields can be used for Asset scripts:

Name Type Description

Name	Type	Description
`ctx.assetId`	String	The ID of the asset.
`ctx.asset`	Object	The asset.
`ctx.asset.fileHash` or`command.fileHash`	String	The SHA256 hash of the file. Can be null for old files.
`ctx.asset.fileName` or`command.fileName`	String	The file name of the asset.
`ctx.asset.fileSize` or `command.fileSize`	Number	The size of the file in bytes.
`ctx.asset.fileSlug` or`command.fileSlug`	String	The URL slug of the asset.
`ctx.asset.fileVersion`	Number	The version of the file.
`ctx.asset.isProtected` or`command.isProtected`	Boolean	True, when the asset is not public.
`ctx.asset.metadata` or`command.metadata`	Object	The asset metadata.
`ctx.asset.metadata['n']` or`command.metadata['n']`	String	The asset metadata with name 'n'.
`ctx.asset.mimeType` or`command.mimeType`	String	The mime type.
`ctx.asset.parentId` or`command.parentId`	String	The ID of the parent folder. Empty for files without parent.
`ctx.asset.parentPath` or`command.parentPath`	Array[Object]	The full path in the folder hierarchy as array of folder infos.
`ctx.command.permanent`	Boolean	For delete operations only. True when the asset should be deleted permanently.
`ctx.asset.tags` or `command.tags`	String	The tags assigned to the asset.

ctx.assetId

String

The ID of the asset.

ctx.asset

Object

The asset.

ctx.asset.fileHash orcommand.fileHash

String

The SHA256 hash of the file. Can be null for old files.

ctx.asset.fileName orcommand.fileName

String

The file name of the asset.

ctx.asset.fileSize or command.fileSize

Number

The size of the file in bytes.

ctx.asset.fileSlug orcommand.fileSlug

String

The URL slug of the asset.

ctx.asset.fileVersion

Number

The version of the file.

ctx.asset.isProtected orcommand.isProtected

Boolean

True, when the asset is not public.

ctx.asset.metadata orcommand.metadata

Object

The asset metadata.

ctx.asset.metadata['n'] orcommand.metadata['n']

String

The asset metadata with name 'n'.

ctx.asset.mimeType orcommand.mimeType

String

The mime type.

ctx.asset.parentId orcommand.parentId

String

The ID of the parent folder. Empty for files without parent.

ctx.asset.parentPath orcommand.parentPath

Array[Object]

The full path in the folder hierarchy as array of folder infos.

ctx.command.permanent

Boolean

For delete operations only. True when the asset should be deleted permanently.

ctx.asset.tags or command.tags

String

The tags assigned to the asset.

Methods

Control Methods

These methods are used to make changes to the content item or to reject changes.

Name Description

Name	Description
`replace()`	Content scripts only. Tells Squidex that you have made modifications to the `ctx.data` object and that this change should be applied to the content.
`disallow()`	Tells Squidex that this operation is not allowed and that a `403 (Forbidden)` status code should be returned. The user will see an alert in the Management UI.
`reject(reason)`	Tells Squidex that this operation is not valid and that a `400 (BadRequest)`status code should be returned. The user will see an alert in the Management UI.
`complete()`	Tells Squidex that the script should complete successfully.

replace()

Content scripts only. Tells Squidex that you have made modifications to the ctx.data object and that this change should be applied to the content.

disallow()

Tells Squidex that this operation is not allowed and that a 403 (Forbidden) status code should be returned. The user will see an alert in the Management UI.

reject(reason)

Tells Squidex that this operation is not valid and that a 400 (BadRequest)status code should be returned. The user will see an alert in the Management UI.

complete()

Tells Squidex that the script should complete successfully.

Helper Methods

Squidex provides a set of general helper functions for scripting and rule formatting.

pageScripting Helper Methods

In addition to that, there are also methods that are only available for scripting.

Name Description

Name	Description
`getJSON(url, callback, headers?)` `postJSON(url, body, callback, headers?)` `putJSON(url, body, callback, headers?)` `patchJSON(url, body, callback, headers?)` `deleteJSON(url, callback, headers?)`	Makes a request to the defined URL. If the request succeeds with a HTTP response status code (2XX) and a valid JSON response is returned the callback is invoked and the JSON response is passed to the callback as a JSON object. The script fails otherwise. You can also pass in an object with headers
`getReferences(ids, callback)`	Queries the content items with the specified IDs and invokes the callback with the resulting content items when the request has been completed. If the current user does not have permissions to read the content items, the callback is invoked with an empty array.
`getReference(id, callback)`	Queries the content item with the specified ID and invokes the callback with an array that includes the resulting content item when the request has been completed. If the current user does not have permissions to read the content item, the callback is invoked with an empty array.
`getAssets(ids, callback)`	Queries the assets with the specified IDs and invokes the callback with the resulting assets when the request has been completed. If the current user does not have permissions to read assets, the script will fail.
`getAsset(id, callback)`	Queries the asset with the specified ID and invokes the callback with an array that includes the resolved asset when the request has been completed. If the current user does not have permissions to read assets, the script will fail.
`getAssetV2(id, callback)`	Queries the asset with the specified ID and invokes the callback with a a single asset when the request has been completed. If the current user does not have permissions to read assets, the script will fail.
`getAssetText(asset, callback)`	Takes the specified asset and computes the text. The asset can not be larger than 4 MB, otherwise an error is returned.
`getAssetBlurHash(asset, callback)`	Takes the specified asset and computes the blur hash. Read more: https://blurha.sh/
`translate( text, targetLanguage, callback, sourceLanguage?)`	Translates a given text to the target language and invokes the callback with the translated text when completed. The source language is usually detected automatically, but can be passed in and usually provides better results.
`generate(prompt, callback)`	Generates content described by the prompt using OpenAI or other services and invokes the callback with the generated text.

getJSON(url, callback, headers?)
postJSON(url, body, callback, headers?)
putJSON(url, body, callback, headers?)
patchJSON(url, body, callback, headers?)
deleteJSON(url, callback, headers?)

Makes a request to the defined URL. If the request succeeds with a HTTP response status code (2XX) and a valid JSON response is returned the callback is invoked and the JSON response is passed to the callback as a JSON object. The script fails otherwise. You can also pass in an object with headers

getReferences(ids, callback)

Queries the content items with the specified IDs and invokes the callback with the resulting content items when the request has been completed. If the current user does not have permissions to read the content items, the callback is invoked with an empty array.

getReference(id, callback)

Queries the content item with the specified ID and invokes the callback with an array that includes the resulting content item when the request has been completed. If the current user does not have permissions to read the content item, the callback is invoked with an empty array.

getAssets(ids, callback)

Queries the assets with the specified IDs and invokes the callback with the resulting assets when the request has been completed. If the current user does not have permissions to read assets, the script will fail.

getAsset(id, callback)

Queries the asset with the specified ID and invokes the callback with an array that includes the resolved asset when the request has been completed. If the current user does not have permissions to read assets, the script will fail.

getAssetV2(id, callback)

Queries the asset with the specified ID and invokes the callback with a a single asset when the request has been completed. If the current user does not have permissions to read assets, the script will fail.

getAssetText(asset, callback)

Takes the specified asset and computes the text. The asset can not be larger than 4 MB, otherwise an error is returned.

getAssetBlurHash(asset, callback)

Takes the specified asset and computes the blur hash. Read more: https://blurha.sh/

translate( text, targetLanguage, callback, sourceLanguage?)

Translates a given text to the target language and invokes the callback with the translated text when completed. The source language is usually detected automatically, but can be passed in and usually provides better results.

generate(prompt, callback)

Generates content described by the prompt using OpenAI or other services and invokes the callback with the generated text.

Use Cases

Debugging: Write the Context to a Field

If you want to understand your data structure and the context object, you can just write it to a string field.

ctx.data.debug.iv = JSON.stringify(ctx, null, 2);
// Tell Squidex that the content should be replaced.
replace();

Do Not Return Sensitive Information When Queried by a Client

if (ctx.isClient) { // ctx Variable contains all Context information
    ctx.data.password.iv = '********';
    // Tell Squidex that the content should be replaced.
    replace(); 
}

Do Not Allow the Client to Set Fields

if (ctx.isClient && ctx.data.password.iv) {
    // Tell Squidex to return a 403 (Forbidden)
    disallow();
}

Ensure that Two Fields Have the Same Value

if (data.password.iv !== data.passwordConfirm.iv) {
    // Tell Squidex to return a 400 (Bad Request)
    reject('Passwords must be the same');
}

Ensure that Only a Specific User can Publish Content

if (ctx.operation === 'Published' && ctx.user.email !== 'content@master.com') {
    // Reject the call if the publisher has another email address.
    reject('You are not allowed to publish the content');
}

Compute Field From Other Values

Store in a separate field if another field has a valid value:

ctx.data.hasPassword = { iv: !!ctx.data.password.iv };
// Tell Squidex that the content should be replaced.
replace();

Calculate the slug for a content title automatically:

ctx.data.slug.iv = slugify(ctx.data.title.iv);
// Tell Squidex that the content should be replaced.
replace();

Calculate the number of words in a Markdown field:

ctx.data.wordCount.iv = wordCount(markdown2Text(ctx.data.html.iv)));
// Tell Squidex that the content should be replaced.
replace();

Calculate the number of characters in a HTML field:

ctx.data.characterCount.iv = characterCount(html2Text(ctx.data.html.iv)));
// Tell Squidex that the content should be replaced.
replace();

Enrich Your Content with Data from External Services

You can use the getJSON function to enrich the content with data from external services. This example is a little bit more complicated that the other examples above, but let's jump into the code first:

var url = 'https://jsonplaceholder.typicode.com/todos/1';

var headers = {
    ApiKey: 'secret'
};

getJSON(url, function(result) {
    data.title.iv = result.title;
    // Tell Squidex that the content should be replaced.
    replace();
}, headers);

// I am done

When you make an asynchronous call to another service or content, the script engine cannot stop the script automatically. Therefore, it is very important to finish the script with a call to replace(), even if you do not make a change to the content data.

Restrictions

There are some existing restrictions:

You cannot include external libraries.
You cannot make calls to external services, except getJSON.
Scripts will timeout after 200ms of CPU execution.
Scripts will timeout after 5 seconds of total execution, e.g. waiting for external services with getJSON.

PreviousAutomation Tools (CLI)NextScripting Helper Methods

Last updated 2 months ago