[This article is part of the documentation preview for the Programming Security section of the Developer manual.]
In Sitefinity terms, Programming Security does not mean building a web application that is immune to hackers. Here, rather, we mean that some users can have limited rights regarding what they can do in a given module.
For starters, you should refresh your memory about Security in Sitefinity. In a nutshell: users belong to groups (roles), and roles are granted or denied permissions to do basic operations.
What should the end result of a secured module look like? Well, it depends on you, the developer. You could do any of the following:
- Hide parts of the user interface if a user is not granted certain permissions
  For an example of this approach, try the following: create a new user that has only the CmsAccess permission and log in with his/her credentials.
- Apply a different style to commands in the UI that a user is not granted permission to execute
- Display error messages
In Sitefinity, we call modules that provide security "Secured modules". Actually, we call every object that implements some kind of security a "secured [insert name here]". With that cleared up, a secured module needs the following things:
- First and foremost, it needs a SecurityRoot
- One or more permission classes
- Use custom permission classes in the module to tell if a user is granted permission to perform a task
- Register the security root(s) in the module class
If you want to see an example of how to implement a secured module, you can take a look at the sample Contacts pluggable module.