Article relates to: Sitefinity 3.2 SP2 Hotfix 1616
Created by: Yasen Kiprov
Last modified by: Rebecca
HOW TO
Restrict public access to a page when Anonymous Access is set to Deny, for users authorized by a custom role provider
DESCRIPTION
If you have multiple membership/role provider pairs, Sitefinity currently supports permissions for only one of them: the one configured in the Telerik > Security section of web.config. When a page's View permission is set to Allow or Deny and the page property Anonymous Access is set to Deny, those permissions are considered only if the current user is a CMS user. A user who is authenticated but is not a CMS user (for example, one authenticated by a custom membership/role provider pair) is still able to view the page.
SOLUTION
To limit access for users who are not authenticated by the default CMS provider (non-CMS users), you can add a custom HTTP module that filters requests for restricted pages. On the PostAuthenticateRequest event of every request, the module first checks whether the requested page has Anonymous Access set to Deny and, if so, whether the current user is a CMS user; non-CMS users are redirected to the login page.
```csharp
using System;
using System.Web;
using System.Security.Principal;
using Telerik.Cms.Web;
using System.Web.Security;
using Telerik.Security;

public class CustomHttpModule : IHttpModule
{
    public void Dispose()
    {
        // do nothing
    }

    public void Init(HttpApplication context)
    {
        context.PostAuthenticateRequest += new EventHandler(context_PostAuthenticateRequest);
    }

    void context_PostAuthenticateRequest(object sender, EventArgs e)
    {
        // CmsUrlContext.Current is null for requests that do not resolve to a CMS page.
        ICmsUrlContext urlContext = CmsUrlContext.Current;
        if (urlContext == null)
            return;

        if (urlContext.DenyAnonymous)
        {
            // If the current user is not a CMS user, redirect to a login form.
            // This will redirect all requests to restricted pages to a login form. Further customizations
            // depending on which restricted pages are requested are also possible.
            // Note: the login page itself must not have Anonymous Access set to Deny,
            // otherwise an authenticated non-CMS user is redirected in a loop.
            if (!IsCmsUser())
            {
                HttpContext.Current.Response.Redirect(FormsAuthentication.LoginUrl, true);
            }
        }
    }

    protected virtual bool IsCmsUser()
    {
        IPrincipal user = HttpContext.Current.User;

        // RolePrincipal is set by the ASP.NET role manager; FormsIdentity carries the
        // authentication ticket whose UserData holds the name of the role provider.
        if (user != null
            && user.Identity.IsAuthenticated
            && (user is RolePrincipal)
            && (user.Identity is FormsIdentity))
        {
            string roleProvider = ((FormsIdentity)user.Identity).Ticket.UserData;
            if (!String.IsNullOrEmpty(roleProvider))
            {
                // If the role provider is the same as the one used in the UserManager,
                // then the user is a CMS user.
                if (UserManager.Default.RoleProvider.Name.Equals(roleProvider))
                    return true;
            }
        }
        return false;
    }
}
```
It is possible to limit this check to specific pages only rather than all restricted ones, and to check the user's role membership against their custom role provider.
To use the module, save the code in a file named CustomHttpModule.cs in the App_Code folder and add this line to the system.web > httpModules section of web.config:
```xml
<add name="RestrictedPages" type="CustomHttpModule"/>
```
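The two extensions mentioned above (limiting the check to specific pages, and checking role membership through the custom provider) as an added example that derives from the module above; it is not code from the original article or from Sitefinity. The provider name "CustomRoleProvider", the role "Partners" and the path prefix "/partners/" are assumed placeholders, and the example assumes the ASP.NET role manager is enabled (as the RolePrincipal check in the base module already requires).

```csharp
using System;
using System.Web;
using System.Web.Security;

// Widens the base module's "let this user through" decision: besides CMS users, an
// authenticated user whose ticket was issued with the assumed custom role provider
// is allowed if that provider confirms the assumed role. Restricted pages outside the
// assumed path prefix are left to the base behaviour (non-CMS users are redirected).
public class RoleAwareHttpModule : CustomHttpModule
{
    private const string CustomProviderName = "CustomRoleProvider"; // assumed name
    private const string RequiredRole = "Partners";                  // assumed role
    private const string GuardedPathPrefix = "~/partners/";          // assumed prefix

    protected override bool IsCmsUser()
    {
        if (base.IsCmsUser())
            return true;

        HttpContext ctx = HttpContext.Current;
        string path = ctx.Request.AppRelativeCurrentExecutionFilePath ?? string.Empty;

        // Only restricted pages under the prefix get the extra role check; any other
        // restricted page keeps the base module's redirect for non-CMS users.
        if (!path.StartsWith(GuardedPathPrefix, StringComparison.OrdinalIgnoreCase))
            return false;

        FormsIdentity identity = ctx.User != null ? ctx.User.Identity as FormsIdentity : null;
        if (identity == null || !identity.IsAuthenticated)
            return false;

        // The base module treats Ticket.UserData as the name of the role provider that
        // authenticated the user; only trust membership reported by that same provider.
        if (!CustomProviderName.Equals(identity.Ticket.UserData, StringComparison.Ordinal))
            return false;

        // Fail closed if the provider is not registered in web.config.
        RoleProvider provider = Roles.Providers[CustomProviderName];
        if (provider == null)
            return false;

        return provider.IsUserInRole(identity.Name, RequiredRole);
    }
}
```

Register this class instead of CustomHttpModule in the httpModules section (type="RoleAwareHttpModule"); both classes can live in App_Code.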