Custom role in page editing
Good day
I have a custom role that can change some pages backend.
When logged in with a user in this role I cannot edit the pages from the front.
Do I have to enable something to give the role in page editing rights (did not find anything) or is this another custom role - not yet working as expected - bug.
Markus
Hello Markus,
Unfortunately this is a bug pages are not displayed for editing the issue is in PITS, and related PITS.
There is a way to make it work. Note that I am using the latest internal build for this, but iI think it will work in the SP too.
Create a Global.asax file in the project where you have created the custom role which have most of the permissions ( at least that was the testing case) and paste the code.
using System;using System.Collections.Generic;using System.Linq;using System.Web;using System.Web.Security;using System.Web.SessionState;using Telerik.Sitefinity.Abstractions;using Telerik.Sitefinity.Web;using Telerik.Sitefinity.Pages.Model;using Telerik.Sitefinity.Security;using Telerik.Sitefinity.Services;using Telerik.Sitefinity.Workflow;using Telerik.Sitefinity.Configuration;using Telerik.Sitefinity.Security.Model;using Telerik.Sitefinity.Modules.Pages.Configuration;using Telerik.Sitefinity.Modules.Pages;namespace SitefinityWebApp public class Global : System.Web.HttpApplication protected void Application_Start(object sender, EventArgs e) Bootstrapper.Initialized += new EventHandler<Telerik.Sitefinity.Data.ExecutedEventArgs>(Bootstrapper_Initialized); void Bootstrapper_Initialized(object sender, Telerik.Sitefinity.Data.ExecutedEventArgs e) ObjectFactory.RegisterSitemapNodeFilter<MyAdminFilter>("Admin"); protected void Session_Start(object sender, EventArgs e) protected void Application_BeginRequest(object sender, EventArgs e) protected void Application_AuthenticateRequest(object sender, EventArgs e) protected void Application_Error(object sender, EventArgs e) protected void Session_End(object sender, EventArgs e) protected void Application_End(object sender, EventArgs e) public class MyAdminFilter : ISitemapNodeFilter public bool IsNodeAccessPrevented(PageNode pageNode) var id = pageNode.Id; if (this.IsUserManagementSectionDenied(id) || this.IsSettignsAndConfigurationSectionDenied(id) || this.IsSystemSectionDenied(id) || this.IsDesignSectionDenied(id) || this.IsTaxonomySectionDenied(id) || this.IsFrontentPageManagementDenied(pageNode) ) return true; else return false; private bool IsFrontentPageManagementDenied(PageNode node) bool isDenied = false; // insert custom logic here if needed return isDenied; // logic by default: // bool nodeIsFrontendRoot = node.Id == SiteInitializer.PagesNodeId; //bool nodeIsFrontEnd = (nodeIsFrontendRoot || ((node.RootNode != null) && (node.RootNode.Id == SiteInitializer.FrontendRootNodeId))); //if (!nodeIsFrontEnd) // return false; //bool denied = false; //if (nodeIsFrontendRoot // || SystemManager.IsDesignMode // || SystemManager.IsPreviewMode) // // var providers = Config.Get<PagesConfig>().Providers; // List<ISecuredObject> roots = new List<ISecuredObject>(); // var rootNodeID = SiteInitializer.FrontendRootNodeId; // foreach (DataProviderSettings provSettings in providers) // // var rootNode = PageManager.GetManager(provSettings.Name).GetPageNodes().Where(n => n.Id == rootNodeID).SingleOrDefault(); // if (rootNode != null) // roots.Add(rootNode); // // string[] orActions = // // SecurityConstants.Sets.Pages.ChangeOwner, // SecurityConstants.Sets.Pages.ChangePermissions, // SecurityConstants.Sets.Pages.Create, // SecurityConstants.Sets.Pages.CreateChildControls, // SecurityConstants.Sets.Pages.Delete, // SecurityConstants.Sets.Pages.EditContent, // SecurityConstants.Sets.Pages.Modify // ; // denied = !orActions.Any(action => roots.Any(r => r.IsGranted(SecurityConstants.Sets.Pages.SetName, action))); // //return denied; private bool IsUserManagementSectionDenied(Guid id) bool denied = false; if (id == SiteInitializer.UsersPageId) denied = !AppPermission.IsGranted(AppAction.ManageUsers); if (id == SiteInitializer.RolesPageId) denied = !AppPermission.IsGranted(AppAction.ManageRoles); if (id == SiteInitializer.PermissionsPageId) denied = !AppPermission.IsGranted(AppAction.ChangePermissions); if (id == SiteInitializer.ProfileTypesPageId) denied = !AppPermission.IsGranted(AppAction.ManageUserProfiles); return denied; private bool IsSettignsAndConfigurationSectionDenied(Guid id) // search page filtering is in SearchModule bool denied = false; if (id == SiteInitializer.SettingsNodeId || id == SiteInitializer.BasicSettingsNodeId || id == SiteInitializer.AdvancedSettingsNodeId) denied = !AppPermission.IsGranted(AppAction.ChangeConfigurations); if (id == SiteInitializer.WorkflowPageId) var securityRoots = SecuredModuleBase.GetSecurityRoots(typeof(WorkflowManager)); string[] orActions = SecurityConstants.Sets.WorkflowDefinition.ChangeOwner, SecurityConstants.Sets.WorkflowDefinition.ChangePermissions, SecurityConstants.Sets.WorkflowDefinition.Create, SecurityConstants.Sets.WorkflowDefinition.Delete, SecurityConstants.Sets.WorkflowDefinition.Modify ; denied = !orActions.Any(action => securityRoots.Any(r => r.IsGranted(SecurityConstants.Sets.WorkflowDefinition.SetName, action))); return denied; private bool IsSystemSectionDenied(Guid id) bool denied = false; if (id == SiteInitializer.LabelsPageId) denied = !AppPermission.IsGranted(AppAction.ManageLabels); if (id == SiteInitializer.FilesPageId) denied = !AppPermission.IsGranted(AppAction.ManageFiles); if (id == SiteInitializer.LicensePageId) denied = !AppPermission.IsGranted(AppAction.ManageLicenses); if (id == SiteInitializer.BackendPagesWarningPageId || id == SiteInitializer.BackendPagesActualNodeId || id == SiteInitializer.BackendPagesNodeId) denied = !AppPermission.IsGranted(AppAction.ManageBackendPages); if (id == SiteInitializer.SystemNodeId) denied = !AppPermission.IsGranted(AppAction.ManageLabels) && !AppPermission.IsGranted(AppAction.ManageFiles) && !AppPermission.IsGranted(AppAction.ManageLicenses) && !AppPermission.IsGranted(AppAction.ManageBackendPages); return denied; private bool IsDesignSectionDenied(Guid id) bool denied = false; var securityRoots = Telerik.Sitefinity.Services.SecuredModuleBase.GetSecurityRoots(typeof(Telerik.Sitefinity.Modules.Pages.PageManager)); string[] orActions = SecurityConstants.Sets.PageTemplates.ChangeOwner, SecurityConstants.Sets.PageTemplates.ChangePermissions, SecurityConstants.Sets.PageTemplates.Create, SecurityConstants.Sets.PageTemplates.Delete, SecurityConstants.Sets.PageTemplates.Modify ; if (id == SiteInitializer.PageTemplatesNodeId) denied = !orActions.Any(action => securityRoots.Any(r => r.IsGranted(SecurityConstants.Sets.PageTemplates.SetName, action))); return denied; private bool IsTaxonomySectionDenied(Guid id) bool denied = false; if (id == SiteInitializer.FlatTaxonomyPageId || id == SiteInitializer.HierarchicalTaxonomyPageId || id == SiteInitializer.NetworkTaxonomyPageId || id == SiteInitializer.FacetTaxonomyPageId || id == SiteInitializer.TaxonomiesNodeId || id == SiteInitializer.MarkedItemsPageId) var roots = Telerik.Sitefinity.Services.SecuredModuleBase.GetSecurityRoots(typeof(Telerik.Sitefinity.Taxonomies.TaxonomyManager)); string[] orActions = SecurityConstants.Sets.Taxonomies.ChangeOwner, SecurityConstants.Sets.Taxonomies.ChangePermissions, SecurityConstants.Sets.Taxonomies.Create, SecurityConstants.Sets.Taxonomies.Delete, SecurityConstants.Sets.Taxonomies.Modify ; denied = !orActions.Any(action => roots.Any(r => r.IsGranted(SecurityConstants.Sets.Taxonomies.SetName, action))); return denied; Dear Stanislav
Thanks for the feedback and the code example. I will wait for the fix in SP2 (hope there will be one soon) since I want to keep SF as core as possible with as little as possible hacks, workarounds and amendents.
Markus
In case anyone is interested in this solution, we implemented this change back on May 19th 2011, and it has been working wonderfully for us. It does solve the inline editing issue Marcus was inquiring about, but even more important, this modification fixes the issue with users not being able to see the "Pages" menu unless granted edit/modify permissions to "All Pages". With this fix, it is possible to create a user who can edit their own pages ONLY.
There is still one other bug, that I reported, that requires a workaround, and that is the fact that page owners cannot create child pages under the pages they own even when ganted create permissions (unless they have special permissions to the backend such as admins). The first time they try, they will get an error message "You are not allowed to modify this page." Subsequent attempts will yield a different error message complaining that the URL already exists. (PITS Item http://www.telerik.com/support/pits.aspx#/public/sitefinity/6182 - please vote for it!) As strange as it may sound, the reason for this is that when a new page is created, it is created as a backend page and then moved to the front end. If the user does not have modify permisions to all backend pages, then the page is created in the backend, but page move fails. Because the page DOES exist, (as a backend page), after the first attempt, the URL really does exist, so the second error message is, in fact, true. Login as an admin, and go to Administration/BackendPages and you will see a Draft page with no name. You will need to delete this page to remove it from the backend.
To work around this issue, while logged in as Administrator, go to Administration/BackendPages and click on "Permissions for All Pages" and add the implicit "Owner" role to the roles who can "Modify a Page". This in essence give owners permissions to modify their backend page, (created in the intermediate step), so that it can be moved to a front end page.
Tom