Permissions & Content Retrieval

Posted by Community Admin on 03-Aug-2018 12:30

All Replies

Posted by Community Admin on 10-Sep-2010 00:00

Greetings,


I was wondering if there's a better way of retrieving items based on the current logged in user's permissions than I'm currently doing.

Basically, I have this scenario:

A Custom Control which displays images on a RadRotator and a link which points to page.

The RadRotator is configured to display every single image on a given Album Id with Lifecycle status as Live.
The link points to a page defined by a Page Id.

If I ain't logged-in and the Album's permissions are set for ie Administrators Only, then Sitefinity will throw a "You are not authorized to 'View album' ('Album')." exception. The same applies for the link, when fetching the PageNode it may also throw this exception.

What I've currently done:

- I've encapsulated the 'var album = LibrariesManager.GetManager().GetAlbum(AlbumId);' on a try catch block and if no exception is thrown then the user has access to it, so I just fetch the available images and display it.
- Same as above for the link, although if an exception is thrown the link won't appear since I can't access the URL.

This is what I'm trying to achieve:

- Check if the User has access to the album, fetch the images he has access to (if permissions are also defined on a per-image rule) and display those, otherwise skip the binding.
- Grab the PageNode despite any permissions it might have, in order to display the link to it, but of course not showing the page when the user browses it since he doesn't have access to it.

Is there a way to perform these checks without using a try catch block in order to catch the unauthorized exception? Like first checking the user permissions against the View permission of the album, then retrieve the images which he has permissions to access? And retrieving a PageNode while totally ignoring the permissions ?

Thanks in advance.

Regards,
Daniel

Posted by Community Admin on 17-Sep-2010 00:00

Hi Daniel,

You can check the permissions for a library and then image as the code sample below illustrates.

    var manager = LibrariesManager.GetManager(LibrariesManager.GetDefaultProviderName());
    var alb = manager.GetAlbums().Where(a => a.Title == "Default Album").SingleOrDefault();
    // SingleOrDefault returns null when no album has this title
    if (alb != null)
    {
        // Check the View permission on the album for the current user
        var permVew = alb.IsGranted(SecurityConstants.Sets.Album.SetName, SecurityConstants.Sets.Album.View);
        if (permVew)
        {
            var items = alb.Items;
            var img = items[0] as MediaContent;
            // Check the permissions on the individual image
            var imgPerm = img.IsGranted(SecurityConstants.Sets.Image.SetName, SecurityConstants.Sets.Image.View, SecurityConstants.Sets.Image.Manage);
            if (imgPerm)
            {
                var alertText = "<script type=\"text/javascript\">" + "alert('allowed');</" + "script>";
                Page.ClientScript.RegisterClientScriptBlock(this.Page.GetType(), "found", alertText);
            }
        }
    }

Then create a datasource for your Repeater and bind it. If you do not use Try/Catch block during the evolution you might directly receive a permission error.
You can use manager.Provider.SuppressSecurityChecks in case you want to skip the permission check for View (this cannot be used for create/delete operations).

Greetings,
Ivan Dimitrov
the Telerik team
Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items
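
The two techniques from the reply above, put together as an added example (not code from the thread or from Telerik): filter an album's images by explicit `IsGranted` checks, and fetch a `PageNode` with `SuppressSecurityChecks` switched on only for that one read. The class and method names are hypothetical, the `using` directives assume Sitefinity 4.x namespaces, and the Lifecycle filter from the original question is left out.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Telerik.Sitefinity.Libraries.Model;    // MediaContent (assumed 4.x namespace)
using Telerik.Sitefinity.Modules.Libraries;  // LibrariesManager
using Telerik.Sitefinity.Modules.Pages;      // PageManager
using Telerik.Sitefinity.Pages.Model;        // PageNode
using Telerik.Sitefinity.Security;           // SecurityConstants, IsGranted

// Hypothetical helper class; not part of Sitefinity.
public static class PermissionAwareContent
{
    // Returns only the images the current user may view; an empty list
    // means "skip the binding" instead of catching an authorization exception.
    public static IList<MediaContent> GetViewableImages(Guid albumId)
    {
        var manager = LibrariesManager.GetManager(LibrariesManager.GetDefaultProviderName());
        var album = manager.GetAlbums().Where(a => a.Id == albumId).SingleOrDefault();

        if (album == null ||
            !album.IsGranted(SecurityConstants.Sets.Album.SetName, SecurityConstants.Sets.Album.View))
        {
            return new List<MediaContent>();
        }

        // Per-image check, for the case where permissions are set on single images.
        return album.Items.OfType<MediaContent>()
            .Where(i => i.IsGranted(SecurityConstants.Sets.Image.SetName, SecurityConstants.Sets.Image.View))
            .ToList();
    }

    // Reads a page node regardless of its View permission, for building a link only.
    // The flag is restored in finally so no later call on this provider runs unchecked.
    public static PageNode GetPageNodeForLink(Guid pageId)
    {
        var pm = PageManager.GetManager();
        bool previous = pm.Provider.SuppressSecurityChecks;
        pm.Provider.SuppressSecurityChecks = true;
        try
        {
            return pm.GetPageNode(pageId);
        }
        finally
        {
            pm.Provider.SuppressSecurityChecks = previous;
        }
    }
}
```

Use the node returned by `GetPageNodeForLink` only for its URL and title; the page's own permission check still has to decide what is served when the user follows the link.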

Posted by Community Admin on 20-Sep-2010 00:00

Hello Ivan,


That code worked like a charm. I just have one more quick question, is there a way to check if a page with a specified Guid exists? Such as a manager.Exists(guid) option?

Also, when a user opens a page which he doesn't have permission to access a 404 error is thrown, is there a way to redirect them to the Login page instead of giving out that 404 error?

Thanks in advance,
Daniel

Posted by Community Admin on 20-Sep-2010 00:00

Hi Daniel,

You can create a helper method or class to do this

    public Boolean CheckID(string ID)
    {
        var pm = PageManager.GetManager();
        // GetPageData returns null when no page data with this ID exists
        var pageData = pm.GetPageData(new Guid(ID));
        if (pageData != null)
            return true;
        return false;
    }

Regards,
Ivan Dimitrov
the Telerik team

Posted by Community Admin on 20-Sep-2010 00:00

Thank you Ivan, that solved my first issue. Was trying to do the exact same thing but while using the GetPageNode and using that method it would throw an exception, but GetPageData instead worked as it will return null.


Is there any way to achieve the functionality I asked for on the second point of my post? 

"Also, when a user opens a page which he doesn't have permission to access a 404 error is thrown, is there a way to redirect them to the Login page instead of giving out that 404 error?"

Thanks in advance.

Daniel

Posted by Community Admin on 20-Sep-2010 00:00

Hello Daniel,

In the BETA it is not possible to handle 403 status code of the error. By default the ASP.NET SiteMapProvider also does not return information whether the page is not accessible or it is not presented in the current sitemap. Since we follow the default implementation of ASP.NET SiteMapProvider we are also affected by this issue and we are working on a solution about this issue.

Greetings,
Ivan Dimitrov
the Telerik team


Posted by Community Admin on 24-Sep-2010 00:00

I also have the problem that when I click on a page that requires the user to be authenticated I get a 404 error.

It seems this is a fundamental functionality of a CMS, to allow permissions to be set on a page, and redirect the user to the login page if they do not have permissions. (I am honestly not sure how you even take a product to Beta without THAT core functionality being implemented.)

Anyway, is there a workaround to this?

Posted by Community Admin on 24-Sep-2010 00:00

Hello Joe,

This is also the default behavior of the ASP.NET SiteMapProvider which we have wrapped. It does not return information whether the page is not accessible or it is not presented in the current sitemap. As you might have noticed from my previous post we are working on this. For the time being there is no workaround to this issue. You cannot get a correct response whether the page is not found or you do not have permissions, because ASP.NET SiteMapProvider always returns that this page does not exist.

All the best,
Ivan Dimitrov
the Telerik team


Posted by Community Admin on 29-Sep-2010 00:00

Thanks Ivan,


I appreciate your response. It is difficult to evaluate a CMS when a primary mandatory functionality, such as securing a page, doesn't work. I was hoping this would have been pretty high on the priority list for Beta 2, but, sadly I see it is still a problem even after the beta 2 release. I am hoping that this fundamental issue will be working correctly with the release candidate.

Joe

Posted by Community Admin on 05-Jan-2011 00:00

It doesn't work even in RC2, which is a real pain...

Posted by Community Admin on 05-Jan-2011 00:00

Hello,

The issue has been escalated. The "issue" is logged with ID #73553: Error Handling + Custom error pages.
We will try to implement the error handling next week. I am sorry for the troubles that this might have caused.

Regards,
Ivan Dimitrov
the Telerik team


This thread is closed