|
Article relates to
|
Sitefinity 3.0
|
|
Created by
|
Yasen Kiprov and Georgi Chokov
|
HOW TO
Enable role-based permissions for restricted pages in
Sitefinity 3.0.
DESCRIPTION
In Sitefinity 3.1 and later, page access is controlled based
on user roles. If a page has “Anonymous access” set to deny, only users from roles that have View permissions are able to visit it.
In the previous version, 3.0, however, when “Anonymous
access” is set to deny, every
authenticated user is allowed to visit the page, no matter which roles he or she is a member
of.
SOLUTION
Using the following code, you can add this functionality
to Sitefinity 3.0. It adds a custom HTTP module that hooks the
PostAuthenticateRequest event, so when a request is made to a secured page, the user's roles and
permissions are checked.
Be careful when using multiple membership/role
providers: this class will no longer work properly for user names that
appear in both providers, because the role membership resolved for such a user can be incorrect.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
using Telerik.Cms;
using Telerik.Cms.Web;

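/// <summary>
/// HTTP module that enforces role-based View permission on pages that deny
/// anonymous access.
/// </summary>
/// <remarks>
/// The check runs on PostAuthenticateRequest. It is applied only when
/// <c>CmsUrlContext.Current</c> is non-null and reports <c>DenyAnonymous</c>;
/// any other request passes through unchecked. The module therefore has to run
/// after whatever populates the CMS URL context (presumably the CMS module;
/// confirm the registration order in web.config).
/// </remarks>
public class SecuredPageHttpModule : IHttpModule
{
    /// <summary>
    /// Nothing to release: the module keeps no state or resources.
    /// </summary>
    public void Dispose()
    {
    }

    /// <summary>
    /// Subscribes the permission check to the application's
    /// PostAuthenticateRequest event.
    /// </summary>
    /// <param name="context">The application the module is attached to.</param>
    public void Init(HttpApplication context)
    {
        context.PostAuthenticateRequest += new EventHandler(context_PostAuthenticateRequest);
    }

    /// <summary>
    /// Sends unauthenticated users to the login page and rejects authenticated
    /// users who lack View permission on the requested page with HTTP 403.
    /// </summary>
    /// <param name="sender">Event source (not used).</param>
    /// <param name="e">Event data (not used).</param>
    private void context_PostAuthenticateRequest(object sender, EventArgs e)
    {
        ICmsUrlContext cmsContext = CmsUrlContext.Current;

        // Only pages that deny anonymous access are checked here.
        if (cmsContext == null || !cmsContext.DenyAnonymous)
        {
            return;
        }

        HttpContext context = HttpContext.Current;
        IPrincipal user = context.User;

        // A missing principal or identity is treated as anonymous, so the
        // request is sent to the login page rather than failing with a
        // null reference.
        bool isAuthenticated = user != null
            && user.Identity != null
            && user.Identity.IsAuthenticated;

        if (!isAuthenticated)
        {
            // Append ReturnUrl with the right separator in case the configured
            // login URL already carries a query string. RawUrl is this
            // request's own path and query; the login page should still check
            // that ReturnUrl is local before redirecting to it.
            string loginUrl = FormsAuthentication.LoginUrl;
            string separator = loginUrl.IndexOf('?') >= 0 ? "&" : "?";
            string login = String.Concat(
                loginUrl,
                separator,
                "ReturnUrl=",
                context.Server.UrlEncode(context.Request.RawUrl));

            context.Response.Redirect(login, true);
            return;
        }

        // Caution with multiple membership/role providers: a user can be
        // authenticated, but if the same user name exists in more than one
        // provider the role membership used for this check can be incorrect.
        CmsManager manager = new CmsManager();
        ICmsPage cmsPage = manager.GetPage(cmsContext.PageID) as ICmsPage;

        // Fail closed: if the page cannot be resolved as an ICmsPage, deny the
        // request instead of handing a null page to the permission check.
        if (cmsPage == null)
        {
            throw new HttpException(403, "Access to page denied");
        }

        Telerik.Cms.Security.PagePermission perm =
            new Telerik.Cms.Security.PagePermission(cmsPage, Telerik.Cms.Security.PageRights.View);

        if (!perm.CheckDemand())
        {
            throw new HttpException(403, "Access to page denied");
        }
    }
}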
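This code should be placed in the App_Code folder, in a file named, for example, SecuredPageHttpModule. Then, in the web.config
=> system.web => httpModules section, the module should be added after the
default HttpModule. The order matters: the module reads the CMS URL context and skips the permission check when that context is not set, so it has to run after the CMS module: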
| <httpModules> |
| <add name="Cms" type="Telerik.Cms.Web.CmsHttpModule, Telerik.Cms"/> |
| <add name="SecuredPageHttpModule" type="SecuredPageHttpModule"/> |
| ... |
NOTE: We recommend upgrading to Sitefinity 3.1 or later, where this
is implemented out of the box, as well as some other security features.
Enjoy :)