

Securing an intra-site module

31 posts, 0 answered
  1. viscious
    viscious avatar
    31 posts
    Registered:
    10 Aug 2006
    28 Sep 2007
    Link to this post
    I have created two fully working modules.  One is for a calendar, and one is for ecommerce.  I have implemented them using the intra-site module pattern.

    However, I noticed that any authenticated user can access the modules if they log into Sitefinity. I would like to set it so that only users in the administrators role can get to these modules.

    How can this be accomplished?  I have read all of the documentation in the developer manual, and the topics that talk about security are not anywhere near complete, and provide no useful information on how to go about doing this.

    Ideally I would like to mimic the behavior exactly like the blogs, news, generic content modules etc work in regards to security and permissions.

    However, this is time sensitive and there may not be time to do it that way depending on how complicated the process is.   So as an alternative it would be acceptable to just have it set so that people in the administrators role had access.

    I hope I have been clear.  Thanks for the help
  2. Bob
    Bob avatar
    330 posts
    Registered:
    24 Sep 2012
    01 Oct 2007
    Link to this post
    Hi Erick,

    It is hard to explain in short how to accomplish securing an intra-site module. We fully understand that it is an important issue for you, so we are going to provide you not only with an explanation, but with a fully working example in a few days.

    Thanks for your understanding and patience.

    Best wishes,
    Bob
    the Telerik team

    Instantly find answers to your questions at the new Telerik Support Center
  3. rolls rolls
    rolls rolls avatar
    24 posts
    Registered:
    02 Nov 2002
    26 Nov 2007
    Link to this post
    Hi, please could you send me the sample of how to implement permissions using the intra-site pattern.

    Many thanks
  4. Tim
    Tim avatar
    156 posts
    Registered:
    23 Sep 2007
    26 Nov 2007
    Link to this post
    I posted the same request on a different thread and am still looking for the samples on how to implement permissions for an intra-site module. Hope we can hear from the Sitefinity team soon.

    Tim
  5. Slavo
    Slavo avatar
    295 posts
    Registered:
    24 Sep 2012
    27 Nov 2007
    Link to this post
    Hi Tim,

    I've attached a sample Intra-site module with implemented permissions just to illustrate the concept. It is a module for Real Estate property listings. Currently, you can only view the listings and create a new one from the administration part of the module. If you do not have permissions to create a listing, the button is hidden. You can have a look at the code itself. When developing your own modules, you can use similar implementation of permissions and similarly check for permissions when a user wants to perform an action.

    Some notes:

    • The created web site does not have the RadControls folder to save some space. You HAVE TO COPY THAT FOLDER before using the site.
    • The module has a database coming with it. There are two users (admin:admin, test:test). The admin user is the default unrestricted user. The test user is one with no Create permissions for the RealEstate module. The test user CAN change permissions for the module no matter what, because there are no checks in the code for doing that (this is to make testing easier, without having to logout and change users).
    • In order to launch the project, extract the ZIP to a folder on your hard drive. Copy the RadControls folder from another project or from ~/Sitefinity3.1/ProjectManager/EmptyProject to the /RE2 folder. Open the RE2.sln file with Visual Studio and run the project.
    • All code for the module is located in the /RE2/App_Code folder. The controls for the module are located in the /RE2/RealEstate folder.
    • This is only a sample to illustrate how permissions are implemented for intra-site modules. It is not a full-blown module and DOES NOT illustrate best development practices.
    • Data access for the module is implemented using Nolics.net in the second project in the solution - Telerik.Samples.RE2.Data.
    Please post any questions regarding the sample module in this thread. If you have general questions on Intra-site modules, refer to the developer manual.

    Best wishes,
    Slavo
    the Telerik team

  6. Tim
    Tim avatar
    156 posts
    Registered:
    23 Sep 2007
    27 Nov 2007
    Link to this post
    Sitefinity Team,

    Thank you very much for the sample code. I do have question after reviewing the sample.

    The sample program checks the permission: if the user has it, the Create New button shows; otherwise the Create New button is hidden.

    What about the update and delete functions that have been built into the grid? How can I prevent a user who doesn't have permission from deleting and updating records through the grid?

    Tim
  7. Slavo
    Slavo avatar
    295 posts
    Registered:
    24 Sep 2012
    28 Nov 2007
    Link to this post
    Hi Tim,

    The GridView control exposes events that are fired before and after every Update/Delete. You can subscribe to those events and check for permissions there. Please see the MSDN documentation for more information about the GridView control and how to handle those events:
    http://msdn2.microsoft.com/en-us/library/system.web.ui.webcontrols.gridview.aspx

    More specifically, I'm talking about the RowUpdating and RowDeleting events.

    Regards,
    Slavo
    the Telerik team

  8. Tim
    Tim avatar
    156 posts
    Registered:
    23 Sep 2007
    28 Nov 2007
    Link to this post
    Sitefinity Team,

    Actually, I am using the RadGrid control in my intra-site module, and the following is my source code.

    <radG:RadGrid ID="gridCategory" runat="server" AutoGenerateColumns="False" DataSourceID="CategoryQuery"
        GridLines="None" Skin="Sitefinity" SkinsPath="~/Sitefinity/Admin/Themes/Default/Skins/Grid"
        OnItemCommand="gridCategory_ItemCommand">
        <MasterTableView DataKeyNames="ID" DataSourceID="CategoryQuery">
            <NoRecordsTemplate>
                No Category Records Found!</NoRecordsTemplate>
            <Columns>
                <radG:GridTemplateColumn HeaderText="Action" UniqueName="TemplateColumn" FilterImageUrl="~/Sitefinity/Admin/Themes/Default/Skins/Grid/Sitefinity/Filter.gif"
                    SortAscImageUrl="~/Sitefinity/Admin/Themes/Default/Skins/Grid/Sitefinity/SortAsc.gif"
                    SortDescImageUrl="~/Sitefinity/Admin/Themes/Default/Skins/Grid/Sitefinity/SortDesc.gif">
                    <ItemTemplate>
                        <asp:ImageButton ID="ibtnEdit" ImageUrl="~/Sitefinity/Admin/Themes/Default/Skins/Grid/Sitefinity/Edit.gif"
                            runat="server" CommandName="EditCategory"></asp:ImageButton>
                        &nbsp;
                        <asp:ImageButton ID="ibtnDelete" ImageUrl="~/Sitefinity/Admin/Themes/Default/Skins/Grid/Sitefinity/Delete.gif"
                            runat="server" CommandName="Delete" />
                    </ItemTemplate>
                </radG:GridTemplateColumn>
                <radG:GridBoundColumn DataField="ID" DataType="System.Int64" FilterImageUrl="~/Sitefinity/Admin/Themes/Default/Skins/Grid/Sitefinity/Filter.gif"
                    HeaderText="ID" ReadOnly="True" SortAscImageUrl="~/Sitefinity/Admin/Themes/Default/Skins/Grid/Sitefinity/SortAsc.gif"
                    SortDescImageUrl="~/Sitefinity/Admin/Themes/Default/Skins/Grid/Sitefinity/SortDesc.gif"
                    SortExpression="ID" UniqueName="ID" Visible="False">
                </radG:GridBoundColumn>
                <radG:GridBoundColumn DataField="name" FilterImageUrl="~/Sitefinity/Admin/Themes/Default/Skins/Grid/Sitefinity/Filter.gif"
                    HeaderText="name" SortAscImageUrl="~/Sitefinity/Admin/Themes/Default/Skins/Grid/Sitefinity/SortAsc.gif"
                    SortDescImageUrl="~/Sitefinity/Admin/Themes/Default/Skins/Grid/Sitefinity/SortDesc.gif"
                    SortExpression="name" UniqueName="name">
                </radG:GridBoundColumn>
                <radG:GridBoundColumn DataField="DateModified" DataFormatString="{0:g}" DataType="System.DateTime"
                    FilterImageUrl="~/Sitefinity/Admin/Themes/Default/Skins/Grid/Sitefinity/Filter.gif"
                    HeaderText="DateModified" SortAscImageUrl="~/Sitefinity/Admin/Themes/Default/Skins/Grid/Sitefinity/SortAsc.gif"
                    SortDescImageUrl="~/Sitefinity/Admin/Themes/Default/Skins/Grid/Sitefinity/SortDesc.gif"
                    SortExpression="DateModified" UniqueName="DateModified">
                </radG:GridBoundColumn>
            </Columns>
        </MasterTableView>
        <FilterMenu NotSelectedImageUrl="~/Sitefinity/Admin/Themes/Default/Skins/Grid/Sitefinity/NotSelectedMenu.gif"
            SelectedImageUrl="~/Sitefinity/Admin/Themes/Default/Skins/Grid/Sitefinity/SelectedMenu.gif"></FilterMenu>
    </radG:RadGrid>

    I am just wondering if you could show me how to disable the update and delete functions on the RadGrid when the user doesn't have permission.

    Thanks in advance
    Tim
  9. Sebastian
    Sebastian avatar
    2 posts
    Registered:
    15 Nov 2016
    28 Nov 2007
    Link to this post
    Hello Tim,

    You can learn how to disable edit/delete depending on a permission field from the following topic in the product documentation:

    http://www.telerik.com/help/aspnet/grid/?grdSetEditPermissionsDependingOnPermissionField.html

    Best regards,
    Stephen
    the Telerik team

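An added example of the approach the three replies above describe (it is not code from the thread or from the Telerik sample): hiding the grid buttons is only cosmetic, so the same permission check is repeated in the postback handlers, where the command is cancelled before any data access runs. It is written against the RadGrid markup from post 8 (`ibtnEdit`, `ibtnDelete`, `CommandName="EditCategory"` / `"Delete"`) and against the plain GridView events post 7 names. Assumptions: the classic RadGrid lives in the `Telerik.WebControls` namespace (the `radG` prefix), and the role-to-rights table is a constructed stand-in for the module's real permission store.

```csharp
// Added example for this thread, not code from the Telerik sample or the posters.
// Shows a UI layer (hide buttons) plus an enforcement layer (cancel the command).
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web.UI;
using System.Web.UI.WebControls;
using Telerik.WebControls;   // assumed namespace of the classic RadGrid (radG prefix)

public partial class CategoryAdmin : UserControl
{
    // Constructed sample data: role name -> rights. Keys are lower case because
    // Sitefinity stores role names that way; look-ups use the provider's role check.
    private static readonly Dictionary<string, string[]> RoleRights =
        new Dictionary<string, string[]>
        {
            { "administrators", new[] { "View", "Create", "Modify", "Delete" } },
            { "editors",        new[] { "View", "Modify" } },
        };

    // Which right a grid command needs; null means the command is unrestricted.
    private static string RequiredRight(string commandName)
    {
        switch (commandName)
        {
            case "EditCategory": return "Modify";
            case "Delete":       return "Delete";
            default:             return null;
        }
    }

    // True if any of the user's roles grants the right. Anonymous users get nothing.
    public static bool UserCan(IPrincipal user, string right)
    {
        if (user == null || !user.Identity.IsAuthenticated) return false;
        foreach (KeyValuePair<string, string[]> entry in RoleRights)
        {
            if (user.IsInRole(entry.Key) && Array.IndexOf(entry.Value, right) >= 0)
                return true;
        }
        return false;
    }

    // UI layer: hide buttons the user may not use. This is not the security check;
    // a postback can still carry the command, so ItemCommand re-checks below.
    protected void gridCategory_ItemDataBound(object sender, GridItemEventArgs e)
    {
        GridDataItem item = e.Item as GridDataItem;
        if (item == null) return;            // header, footer and pager rows
        Control edit = item.FindControl("ibtnEdit");
        Control delete = item.FindControl("ibtnDelete");
        if (edit != null) edit.Visible = UserCan(Page.User, "Modify");
        if (delete != null) delete.Visible = UserCan(Page.User, "Delete");
    }

    // Enforcement layer for RadGrid: cancel the command before any data access runs.
    protected void gridCategory_ItemCommand(object source, GridCommandEventArgs e)
    {
        string right = RequiredRight(e.CommandName);
        if (right != null && !UserCan(Page.User, right))
        {
            e.Canceled = true;               // the grid performs no update/delete
            return;
        }
        // permitted: perform the edit or delete for e.Item here
    }

    // The same check on the plain ASP.NET GridView events post 7 refers to.
    protected void gridView_RowUpdating(object sender, GridViewUpdateEventArgs e)
    {
        if (!UserCan(Page.User, "Modify")) e.Cancel = true;
    }

    protected void gridView_RowDeleting(object sender, GridViewDeleteEventArgs e)
    {
        if (!UserCan(Page.User, "Delete")) e.Cancel = true;
    }
}
```

To wire it up, add `OnItemDataBound="gridCategory_ItemDataBound"` to the RadGrid tag next to the existing `OnItemCommand`. The design point is that `UserCan` is the single place rights are decided, and it is consulted both when rendering and when handling the postback; if only the rendering path checked, an edited form submission would still reach the data layer.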
  10. S. Webb
    S. Webb avatar
    36 posts
    Registered:
    28 Dec 2006
    30 Jan 2008
    Link to this post
    Hi viscious,

    Is your ecommerce module fully functional? Are you reselling it?
  11. Damian
    Damian avatar
    42 posts
    Registered:
    25 Mar 2008
    24 Apr 2008
    Link to this post

    Slavo,

    Thanks for the example.  One question...

    Could you provide the code-behind event for the save permissions button (<asp:LinkButton ID="saveButton" runat="server" CssClass="CmsButLeft okdark">) on the ControlPanel.ascx page?

    Thanks Damian
  12. Damian
    Damian avatar
    42 posts
    Registered:
    25 Mar 2008
    28 Apr 2008
    Link to this post
    To explain more.....

    I am using the RealEstateSample project.

    If I enter some permissions for a role and click save, then when I select that role again in the drop-down box all the tick boxes have been reset. The permissions are also not being saved.

    Any help at all would be greatly appreciated.

    Damian
  13. Damian
    Damian avatar
    42 posts
    Registered:
    25 Mar 2008
    29 Apr 2008
    Link to this post
    Ok..

    It seems the issue is with 3.2 SP1.

    I ran the RealEstate example straight from the zip file on this thread and it all worked.  I then upgraded the RealEstate Solution to 3.2 SP1 and the same thing I was experiencing with the permissions began to happen.

    Is this a known bug with SP1? If so, is there any solution available?

    Damian
  14. Yasen
    Yasen avatar
    121 posts
    Registered:
    18 May 2013
    30 Apr 2008
    Link to this post
    Hello Damian,

    This is not a known issue for us; it seems to happen only in Sitefinity 3.2 SP1, but I was unable to reproduce it. This is what I have done:
    • Created an empty 3.2 sp1 project
    • Added the needed files to app_code folder
    • Added the data project to the solution
    • Updated the Nolics assembly
    Could you please provide some more information about how exactly you got this issue? It would be helpful if you could send us a sample project where this could be reproduced (you could exclude the RadControls and bin folders).

    Thank you in advance for the cooperation.

    All the best,
    Yasen
    the Telerik team

  15. Damian
    Damian avatar
    42 posts
    Registered:
    25 Mar 2008
    01 May 2008
    Link to this post

    To reproduce the problem, please follow these steps exactly...

    Take the RealEstate Sample attached higher up this thread

    and....

    Patch it with the SiteFinity_3_2_standard_patch_1526.zip file (SP1 patch)


    Please can someone confirm that this causes the problem with saving permissions for the Real Estate module.

    Also, can anyone think what could be causing this, and a solution?

    Thanks

    Damian
  16. Yasen
    Yasen avatar
    121 posts
    Registered:
    18 May 2013
    07 May 2008
    Link to this post
    Hello Damian,

    Thank you for your cooperation. We were able to reproduce the problem and, as expected, there was a tricky bug in the control panel of the example module. The reason I was not able to reproduce the problem earlier was that it is related to case-sensitive role names. I only tried with lower-case roles, while your role names probably include capital letters ("RealEstate").

    By default, Sitefinity stores permissions using lower-case role names, so permissions for the "RealEstate" role were actually saved under "realestate", which is the right way. The issue comes when one tries to collect permissions for roles using the GetPermission method of the GlobalPermissions class. You can see in the example module that the method uses TryGetValue with incorrect role names, as far as capital letters are concerned.

    What I did to make this work was to change line 84:
    if (this.Permissions.TryGetValue(role, out curr))

    in the GetPermission method to look like this (the role name is lower-cased before the look-up, matching how it was stored):
    if (this.Permissions.TryGetValue(role.ToLower(), out curr))

    This way correct role names are used. Hope this solves your problem.

    Regards,
    Yasen
    the Telerik team

  17. Damian
    Damian avatar
    42 posts
    Registered:
    25 Mar 2008
    08 May 2008
    Link to this post

    Yasen.

    That  worked a treat, thank you very much :-)


    Damian

  18. Damian
    Damian avatar
    42 posts
    Registered:
    25 Mar 2008
    15 May 2008
    Link to this post
    I'm still having an issue with this. The permissions all work, then when I come out of the system and go back in later the permissions have all reset again. Is there anywhere else I need to set this ToLower(), or anything else I should be doing? The data seems fine in the secPermission table, so I don't know why this would reset.

    Thanks

    Damian
  19. Georgi
    Georgi avatar
    3583 posts
    Registered:
    28 Oct 2016
    16 May 2008
    Link to this post
    Hi Damian,

    We found the reason for that. If you open GlobalPermissions.cs file, located in your application App_Code directory, you will see:

    public GlobalPermissions()
    {
        this.securityManager = new SecurityManager();
        this.rootID = Guid.NewGuid();   // a fresh guid on every construction
    }

    The highlighted text is always creating a new guid, rather than checking if the guid already exists in the database. All permissions are associated with this guid. When you set permissions, then restart the application and the server, if you go to the Real Estates module, a new guid is created with no permissions associated.

    Usually we store all permissions in a temporary table, but for the example, we suggest using this line of code:
    this.rootID = new Guid("daaaaaaa-daaa-daaa-daaa-daaaaaaaaaaa");
    instead of the highlighted one. This way, your application will always search for permissions associated with this guid and the RealEstate module, rather than creating a new guid with all permissions cleared.

    You don't need to set ToLower() anywhere else in the code.

    Best wishes,
    Georgi
    the Telerik team

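The two fixes in posts 16 and 19 are symptoms of the same design question: the key under which a permission row is saved must be the key under which it is read back, across both role-name case and application restarts. The added example below (not the Telerik sample's GlobalPermissions, and not code from the thread) shows a small permission store that normalises the role name in exactly one place used by both the save and the read path, and that takes a fixed per-module root id instead of `Guid.NewGuid()`, so rows written before a restart are still found afterwards. It also gives each module its own root id, which is the separation post 24 was after. The in-memory dictionary stands in for the secPermission table, and the two root ids are constructed values.

```csharp
// Added example for posts 16, 19 and 24; not the sample module's own GlobalPermissions.
using System;
using System.Collections.Generic;

public class ModulePermissionStore
{
    // Stands in for the secPermission table: (rootId|role) -> rights.
    // Static so that, like a table, it outlives any single instance.
    private static readonly Dictionary<string, HashSet<string>> Table =
        new Dictionary<string, HashSet<string>>();

    // Post 19: Guid.NewGuid() per instance orphans every saved row after a restart.
    // Each module gets one fixed id instead (constructed values, not from the thread).
    public static readonly Guid RealEstateRoot  = new Guid("00000000-0000-0000-0000-000000000001");
    public static readonly Guid DepartmentsRoot = new Guid("00000000-0000-0000-0000-000000000002");

    private readonly Guid rootId;

    public ModulePermissionStore(Guid moduleRoot)
    {
        this.rootId = moduleRoot;
    }

    // Post 16: the single place role names are normalised. Because SetPermissions
    // and HasPermission both go through here, save and look-up cannot disagree on
    // the key the way a ToLower() on only one side would.
    private static string Key(Guid root, string role)
    {
        if (string.IsNullOrEmpty(role)) throw new ArgumentException("role name required", "role");
        return root.ToString("D") + "|" + role.Trim().ToLowerInvariant();
    }

    public void SetPermissions(string role, params string[] rights)
    {
        Table[Key(rootId, role)] = new HashSet<string>(rights);
    }

    public bool HasPermission(string role, string right)
    {
        HashSet<string> rights;
        return Table.TryGetValue(Key(rootId, role), out rights) && rights.Contains(right);
    }

    // Exercises the three properties: case-insensitive look-up, survival across a
    // simulated restart (a new instance with the same fixed root id), and isolation
    // between modules with different root ids. Returns true when all three hold.
    public static bool SelfCheck()
    {
        Table.Clear();
        ModulePermissionStore re = new ModulePermissionStore(RealEstateRoot);
        re.SetPermissions("RealEstate", "View", "Create");   // saved as "realestate"

        ModulePermissionStore reAfterRestart = new ModulePermissionStore(RealEstateRoot);
        ModulePermissionStore depts = new ModulePermissionStore(DepartmentsRoot);

        return reAfterRestart.HasPermission("realestate", "Create")
            && !reAfterRestart.HasPermission("REALESTATE", "Delete")
            && !depts.HasPermission("RealEstate", "View");
    }
}
```

A dictionary built with `StringComparer.OrdinalIgnoreCase` would remove the need to lower-case at all, but a real table column does not carry a comparer, so normalising at the key boundary is the habit that carries over to the database-backed version.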
  20. Damian
    Damian avatar
    42 posts
    Registered:
    25 Mar 2008
    19 May 2008
    Link to this post

    Thanks Georgi,

    that did the trick

    Damian.

  21. SelAromDotNet
    SelAromDotNet avatar
    912 posts
    Registered:
    18 Jul 2012
    28 May 2008
    Link to this post
    Do the global permissions classes have to be created for every intra-site module? I'm making my third one, and I would like to secure them, but I'm quite confused about what exactly all of this does and how it works.

    I notice that for the global permissions you use an IProperty interface from the Data class, but my intrasites use datasets and have no interfaces, so how would I go about securing the modules in that case?

    any help would be greatly appreciated.
    thanks!
  22. viscious
    viscious avatar
    31 posts
    Registered:
    10 Aug 2006
    28 May 2008
    Link to this post
    It is nice to know I wasn't the only one facing this dilemma.

    Since I started this thread I have stopped building intra-site modules and switched over to pluggable modules. With the help of the contacts sample module I was eventually able to start building secured modules.

    The problem is, I generally have to copy security code.  I don't just copy and paste, I retype it with the hope that I will gain some understanding of what that code actually does or how it works.   I have to admit that I haven't had much success.

    For instance, each of my pluggable modules ends up having an extra table in the database that has exactly one row that stores a GUID value in it.  I know it gets auto populated the first time my module is used, and I know it has something to do with security, because I deleted it once and lost all access to my module, but I have no idea why it is here or how it is used.

    I think what would be nice is if Telerik provided some in depth documentation on the security model of sitefinity.  Code examples with detailed explanation of the how and why.

    There are so many classes and interfaces, it's hard to tell what they are used for or how to use them:

    ISecured, ISecuredModule, IOwnership, IAccessPermission, CrudRights, DynamicRights, Rights, SecuredModule, GlobalPermission, GlobalPermissions, etc. etc. etc.

    where to even begin?
  23. SelAromDotNet
    SelAromDotNet avatar
    912 posts
    Registered:
    18 Jul 2012
    29 May 2008
    Link to this post
    Well, I kinda figured it out. I removed the interface'd overload from the manager class and now it works great, but do I really have to make a manager for each module? Can't I make a single security manager class, since it's just a dictionary mapping the keys (which appear to be the module names) to their permissions?
  24. SelAromDotNet
    SelAromDotNet avatar
    912 posts
    Registered:
    18 Jul 2012
    29 May 2008
    Link to this post
    I tried playing with this idea, making a PermissionsManager class, and it ALMOST seems to work, except that it's giving the same permissions to all three modules instead of separating them as expected. I add a key to the SecurityRoots dictionary for each module, and then its associated GlobalPermissions is instantiated with a new constructor that gets a specific guid for each module. That way each module has its own rootID for the permissions...

    That seems logically correct to me, but I'm apparently missing something, because if I enable permissions on just ONE module, those permissions are somehow read by ALL my modules (the custom ones I mean, not the built-in ones; those work fine) and the user gets access...

    HOWEVER, if I check the permissions as an admin for the three modules, the permissions are indeed saved correctly. I set module 3 as View for a given role, and if I check module 3, that one is selected. if I check module 1 and 2, all of the permissions are clear, just as I'd expect, and even in the database, it does add the row correctly using the unique guid for that module for the associated permission...

    but when I login as that role, all three modules show up in the menu, and I can view them each as if I had assigned the permission to them all...

    how can I get the modules to read their own permissions correctly from the database?
  25. SelAromDotNet
    SelAromDotNet avatar
    912 posts
    Registered:
    18 Jul 2012
    29 May 2008
    Link to this post
    Okay! I think I may have got something here... The problem seems to be in the module class, because the permissions are being set and saved correctly; it's the module that's not reading them. Looking over the module classes for each of my modules, it looks like the problem is in the SecurityRoots property...

    My guess is that whatever calling method that is reading this property is expecting to find just a single entry in the Dictionary. so I've changed the code in this property to return a subset of the PermissionsManager.SecurityRoots (which has three entries, one for each of my modules) that is the expected entry. For example, for my Departments Module, I used this code:

    public override IDictionary<string, Telerik.Security.Permissions.ISecured> SecurityRoots
    {
        get
        {
            // return only this module's entry from the shared PermissionsManager dictionary
            Dictionary<string, ISecured> sec = new Dictionary<string, ISecured>();
            sec.Add("Departments", PermissionsManager.SecurityRoots["Departments"]);
            return sec;
        }
    }

    I tried to find a more optimized method of subsetting a Dictionary, but this is all I could come up with. The good news is that it is now correctly filtering out the modules according to the permissions granted to the role!

    Please let me know if I've overlooked something that will break what I'm trying to do (or anything else for that matter!)
  26. Slavo
    Slavo avatar
    295 posts
    Registered:
    24 Sep 2012
    04 Jul 2008
    Link to this post
    Hi Josh and Erick,

    You've been going in the right direction with your implementation up to now. As a note, I can add that the SecurityRoots property is expected to have a single item only in the Real Estate sample. Usually, in other modules, we store a different item in the collection for each provider that you have for the module. This means that you would be able to set permissions for each provider separately. (See the new sample in the DevManual mentioned below.)

    We are aware of the many topics we miss in the documentation, and recently we put a lot of effort into a new version of the Sitefinity Developer manual. Its structure has been changed and a lot of new topics and examples have been added. We hope that with these efforts we'll be able to reach the needed depth of documenting the security classes and interfaces. You can already download the new CHM version, and the online version is being uploaded as we speak. Check out http://www.sitefinity.com/support/documentation.aspx.

    In this new version, the sections about IntraSite modules have been recreated and you can look at all the samples there, including a new sample for a secured IntraSite module. Hopefully, this would give you a better picture of how to implement this in your custom modules.

    You can contact us for any other questions or suggestions you may have.

    Kind regards,
    Slavo
    the Telerik team

  27. Saumitra
    Saumitra avatar
    127 posts
    Registered:
    10 Mar 2009
    30 Jun 2010
    Link to this post
    Hi,

    Can I get an updated version of the sample Real Estate module for Sitefinity 3.7 SP3 ?

    Thanks,
    Saumitra
  28. Ivan Dimitrov
    Ivan Dimitrov avatar
    16072 posts
    Registered:
    09 Dec 2016
    30 Jun 2010
    Link to this post
    Hi Saumitra,

    The Real Estate module is an obsolete example. You can use the Contacts Sample module or the Products module. The Real Estate module is an old example that does not implement the new backend architecture introduced in Sitefinity 3.6.

    Regards,
    Ivan Dimitrov
    the Telerik team
    Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items
  29. Saumitra
    Saumitra avatar
    127 posts
    Registered:
    10 Mar 2009
    30 Jun 2010
    Link to this post

    Hi,

    The "CanCreate" method for the secured intra-site module that I've developed is returning false in the Page_Load event of Sitefinity/Default.aspx. Following is the code:

    List<IWebModule> webModules = new List<IWebModule>();
    foreach (IWebModule module in ModuleManager.GetWebModulesValues())
    {
        // only secured modules the current user may create are listed in the menu
        if (module is SecuredModule && ((SecuredModule)module).CanCreate())
            webModules.Add(module);
    }

    And due to this, the module does not get displayed in the main menu in the administration interface. Any clue why this must be happening?

    Thanks,
    Saumitra
  30. Ivan Dimitrov
    Ivan Dimitrov avatar
    16072 posts
    Registered:
    09 Dec 2016
    30 Jun 2010
    Link to this post
    Hello Saumitra,

    CanCreate() returns a boolean value indicating whether a secured module can be created, after a check of permissions. This means that you have not set CrudRights for View and Create in your module, so it is not displayed. Basically, the specified secured object does not have access rights to test against the current user roles.

    Greetings,
    Ivan Dimitrov
    the Telerik team