News Module Permissions
Hello,
I have a client running in Sitefinity 3.7. They would like to lock the articles that are published through the News Module so that only people with the proper credentials can view them.
They would also like this to reflect in the RSS feed they have set up that pulls from the news module. Any suggestions without having them upgrade to a Sitefinity 4+.
Thanks!
Stephanie
Northeridge
stephanie.andersen@northridge.com
770-255-0643
Hello Stephanie,
Thank you for using our services. You can set permissions per role on a module level in Sitefinity by going to that module and selecting permissions. It will allow you to specify a certain role from the Role dropdown, and then allow/deny the actions it can perform on that module. I've attached a sample screenshot for further reference. However, please note that in Sitefinity 3.x permissions are on a provider level, i.e. you will be able to specify who can View/Edit/Publish etc. all news items, but it's not possible to specify these actions on a granular level (per item).
Now concerning the permissions reflecting to the RSS output, can you please elaborate a little bit further on the exact functionality that needs to be achieved there? In general it might be possible to customize the RSS feed to take permissions into account, however how would you check if the user who has subscribed to your feed has the permissions to view it or not (e.g. you have a role Editor A and it is allowed to view News items, but Editor B is not and you customize this to be reflected int he feed, there will be no way to check whether user X who has subscribed to your feed belongs to any of these roles). I hope you find this information useful, if you need some further information or have any additional questions, please let me know. I'll be glad to assist you further.
Best wishes,
Boyan Barnev
the Telerik team
Hi Boyan,
Thanks for the information. Is it possible to customize a way so that each individual news article can have separate permissions or do you recommend an upgrade to 4.x.
As for the RSS feed issue, the credentials will hopefully be pulling from the Administrator > Roles section. Would that require customization as well? Is that a feature that can be used in 4.x or would it work the same as assigning permissions to specific articles?
Thanks so much!
Stephanie
Northeridge
stephanie.andersen@northridge.com
770-255-0643
Hi Stephanie,
Thank you for getting back to me.
Implementing your custom security logic per content item would be a really tough task, up to my knowledge we did not have such a request so far. However, like you properly pointed out our Sitefinity 4.x Security implementation will suit perfectly this functionality as it allows setting granular permissions per content items (you'll need to have Standard Edition license or higher, for further information, please check our License comparison table)
As per your second request, I hope I'm not getting you wrong, but just to make sure we're on the same page here, can you please let me know in details of the exact use case scenario that needs to be implemented? As far as I understand you want to control which content items get included in your RSS feed, depending on the user viewing this feed, is that correct? The problem as we see it on our side, is that virtually any internet user can subscribe to your RSS feed and there would be no way to check whether he/she is a Sitefinity user
and consequently the role he/she respectively belongs to. please do not hesitate to correct me if I have not understood properly your request, I'll be glad to help you further.
Kind regards,
Boyan Barnev
the Telerik team
Hi Boyan,
Thanks for the information regarding locking the news widget articles.
As of right now, they are within 3.7 and the permissions are not working. Basically, they have libraries that are supposed to be locked to outside users. However, an outside user can still search for a particular document within a search engine, find it, and download it even if they do not have access.
I am trying to get them to upgrade, however, we do need some sort of solution to the problem currently. This also ties into the RSS feed issue. These documents that are within the libraries that are supposed to be locked are also showing up within the RSS Feed (as they are supposed to), but outside users can still access them.
Any advice would be helpful. Thanks.
Stephanie
Hello Stephanie,
I apologize if I have misled you with my previous reply. Setting permissions for content items will be reflected in the Sitefinity backend, i.e. it will allow or deny a certain user/role to edit/create/modify certain library or module. However, for the frontend such functionality is nto supported out of the box. What you can do is implement some logic in the ContentHttpHandler where you can check whether the current user is authenticated, and if not redirect him to a page saying he/she does not have sufficient permissions. For example:
1.Override the ContentHttpHandler. Then, check whether the user from a specified role has permissions to see the files in our library.
using System;using System.Web;using System.Web.Security;using Telerik.Cms.Engine; //Override ContentHttpHandlerpublic class CustomCmsContentHandler : ContentHttpHandler public override void ProcessRequest(HttpContext context) //restrict access to mylib string path = String.Concat(context.Request.ApplicationPath, "/libraries/mylib/"); if (context.Request.RawUrl.StartsWith(path, StringComparison.OrdinalIgnoreCase)) //check whether the user is authenticated or not. RolePrincipal principal = context.User as RolePrincipal; if (principal == null || !principal.Identity.IsAuthenticated || !principal.IsInRole("Administrators")) throw new HttpException(403, "Access forbidden"); return; base.ProcessRequest(context); <add name="SitefinityThumbnail" path="*.tmb" verb="*" preCondition="integratedMode" type="Telerik.Cms.Engine.ContentHttpHandler, Telerik.Cms.Engine" /> <add name="SitefinityThumbnailAdd" path="*.tmb.ashx" verb="*" preCondition="integratedMode" type="Telerik.Cms.Engine.ContentHttpHandler, Telerik.Cms.Engine" /> <add name="SitefinityLibrary" path="*.sflb" verb="*" preCondition="integratedMode" type="Telerik.Cms.Engine.ContentHttpHandler, Telerik.Cms.Engine" /> <add name="SitefinityLibraryAdd" path="*.sflb.ashx" verb="*" preCondition="integratedMode" type="Telerik.Cms.Engine.ContentHttpHandler, Telerik.Cms.Engine" /><add name="SitefinityThumbnail" path="*.tmb" verb="*" preCondition="integratedMode" type="CustomCmsContentHandler, App_Code" /> <add name="SitefinityThumbnailAdd" path="*.tmb.ashx" verb="*" preCondition="integratedMode" type="CustomCmsContentHandler, App_Code" /> <add name="SitefinityLibrary" path="*.sflb" verb="*" preCondition="integratedMode" type="CustomCmsContentHandler, App_Code" /> <add name="SitefinityLibraryAdd" path="*.sflb.ashx" verb="*" preCondition="integratedMode" type="CustomCmsContentHandler, App_Code" /><httpHandlers> <add verb="GET" path="*.sflb" type="Telerik.Cms.Engine.ContentHttpHandler, Telerik.Cms.Engine" /> <add verb="GET" path="*.sflb.ashx" type="Telerik.Cms.Engine.ContentHttpHandler, Telerik.Cms.Engine" /> <add verb="GET" path="*.tmb" type="Telerik.Cms.Engine.ContentHttpHandler, Telerik.Cms.Engine" /> <add verb="GET" path="*.tmb.ashx" type="Telerik.Cms.Engine.ContentHttpHandler, Telerik.Cms.Engine" /> </httpHandlers><httpHandlers> <add verb="GET" path="*.sflb" type="CustomCmsContentHandler, App_Code" /> <add verb="GET" path="*.sflb.ashx" type="CustomCmsContentHandler, App_Code" /> <add verb="GET" path="*.tmb" type="CustomCmsContentHandler, App_Code" /> <add verb="GET" path="*.tmb.ashx" type="CustomCmsContentHandler, App_Code" /> </httpHandlers>