Sitefinity Security
Hi,
I'm looking to implement some very basic security in Sitefinity 4. Now I have some actions that I want to perform that I want to grant or deny based on roles. Now these actions aren't mapped to a secured object and I don't wish them to be and I don't want them as part of a module because they are not; in essence they are like the Application permissions (http://www.sitefinity.com/40/help/developers-guide/deep-dive-security-permissions-application-permissions.html) whereby they represent application wide security permissions. Now it appears (I may be wrong) that the application permission actions can't be extended to add additional actions. Therefore I was wondering how best to implement what I've described? I simply want to add a few rights/permissions that aren't linked to a module and be able to check these in user controls etc.
Any guidance or code samples would be great.
Thanks,
Shane
Shane,
I am not 100% sure whether I understand your question, but I will try to contribute if I can. Whilst I was developing custom controls for my own Sitefinity project, I have come across the need to check the role of the current user before allowing the user to use that control in one way or another.
The code below, is the way in which I went about it:
var user = SecurityManager.GetCurrentUser();
if (!user.IsInRole("Administrators"))
// TODO: Implement code required.
Andrei,
Thanks for your reply but I my question was more about the permissions/rights rather than roles. Now there are standard permissions in Sitefinity for CRUD operations but all examples I've seen require you to have a module to implement permissions. I want to add a few new permissions that aren't linked to a module e.g. CanContactUsers, CanEmailUsers etc.
Thanks,
Shane
Ok, so if you create a new role called "CanContactUsers" and assign some backend users to that role, and then in code check if the current user belongs to that role, then you let them do it, won't work then?
I agree, it would be good to be able to define custom (bespoke) permissions for default controls, but implementing it might be quite a job.
Sorry Shane,
Andrei
Hi Shane and Andrei,
There are a few options here depending on the goal you are trying to achieve.
As Andrei suggested, the easiest way to customize granted and denied actions in the system is to define a custom role which you can assign any permissions, customized per module and on the backend Global Permissions list (Administration -> Permissions).
From what I understand form Shane's original question, you're looking for an option to extend the list of permissions under Administration -> Permissions, with more "global" actions which are not related to specific modules or certain actions which are already defined.
This can be achieved by extending the security configuration.
The easy way is via the UI. Navigate to Administration -> Settings -> Advanced, then navigate in the tree to Security -> Permissions -> Backend -> ActionsCollection, and create a new action, you may give it any name, and may customize its display title text via resources.
Another option is to extend the actions through code. Here's how:
private
void
ExtendGlobalPermissios()
ConfigManager cfgMgr = ConfigManager.GetManager();
SecurityConfig secConfig = cfgMgr.GetSection<SecurityConfig>();
ConfigElementDictionary<
string
, SecurityAction> actions = secConfig.Permissions[SecurityConstants.Sets.Backend.SetName].Actions;
actions.Add(
new
SecurityAction(actions) Name =
"CustomAction"
);
cfgMgr.SaveSection(secConfig);
private
void
CheckPermissions()
if
(AppPermission.Root.IsGranted(SecurityConstants.Sets.Backend.SetName,
"CustomAction"
))
//Action is allowed (granted)
else
//Action is denied (throw an exception?)
Hi Alon,
Thanks very much for the reply that was what I was looking for.
Sorry Andrei but creating invidual roles for what should be permission is a workaround and isn't how they should be used in my opinion; that said thanks for your assistance.
Thanks,
Shane