How to check whether a member is logged in AND in the correct role?
In Umbraco I've created a protected page [using User Permissions] that uses role-based permission to only allow access to people in the group "WebsiteMember".
I've then written an MVC surface controller to authenticate the user. This is basically:
    using System;
    using System.Web.Mvc;
    using System.Web.Security;

    public class LoginSurfaceController : Umbraco.Web.Mvc.SurfaceController
    {
        [HttpPost]
        public ActionResult ProcessLogin(LoginModel model)
        {
            if (!ModelState.IsValid)
            {
                return CurrentUmbracoPage();
            }

            // Checks the credentials only; role membership is not considered here.
            if (Membership.ValidateUser(model.Username, model.Password))
            {
                FormsAuthentication.SetAuthCookie(model.Username, model.StayLoggedIn);

                // Only follow local URLs so the login form cannot be used as an open redirect.
                if (!String.IsNullOrEmpty(model.RedirectToUrl) && Url.IsLocalUrl(model.RedirectToUrl))
                {
                    return Redirect(model.RedirectToUrl);
                }
                return RedirectToCurrentUmbracoPage();
            }
            else
            {
                ModelState.AddModelError(String.Empty, "Your username or password was not recognised.");
                return CurrentUmbracoPage();
            }
        }
    }
This all works fine - so long as the person attempting to log in is in the correct role group for the protected page.
The problem I have is when someone attempts to log in who has a valid username and password but is not in the correct role group for the protected page.
What basically happens is this:
Membership.ValidateUser(model.Username, model.Password) will return true and the forms authentication cookie gets set. This means that User.Identity.IsAuthenticated is now true. As far as ASP.NET is concerned the person is authorised. However, Umbraco won't let them access the page because they are not in the correct role group.
How can I detect this and inform the user that they are logged in but are not in the correct role group to access the page?
I think you want to use:
Hi Dan,
See here: Roles.IsUserInRole will use the role provider to check whether your member is in the correct group, at which point you can either:
Thanks to both of you. But... how do I know which role to check?
Consider this: There are a number of role groups set up. Let's call them "GroupA", "GroupB" and "GroupC".
An Umbraco editor protects a page - let's call it "Page One" - and protects it using role-based permissions so the authenticated user has to be in "GroupB". But another editor protects "Page Two" and this time sets the role-based permission to "GroupA".
So in my generic login controller how do I know which role group to check the user against? That requires knowledge of what role the page has been protected with. Do you see the problem?
Dan,
Did you already try to get the data from the umbracocontext? You can just use this in your action result.
Thanks, never knew about the Security class. But... still doesn't seem to get me exactly what I want. It appears that UmbracoContext.Security.IsMemberAuthorized() seems to be the same as User.Identity.IsAuthenticated, i.e. it returns true if someone is logged in, but doesn't take into account whether they are in the role group required to access the page being viewed.
Maybe there just isn't a way?
In the app data of your solution you will have an access config.
It's an XML file. This will give you the role and permissions on the node.
You can then check the role the member is in and check it against the node id in this access config.
If you find a match they have access; if you do not then they don't :). Charlie :)
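The access.config lookup described in the reply above could look like the following; this is an added example, not code from the thread or from Umbraco. The `<page id>` / `<group id>` layout of the file, the comma-separated node path, the sample node ids and the `PageAccess` helper are assumptions, so check them against your own App_Data/access.config.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;

public static class PageAccess
{
    // Groups protecting a page, or null when neither the page nor any ancestor
    // in its path is listed (assumption: protection covers descendants).
    public static HashSet<string> RequiredGroups(XDocument accessConfig, string nodePath)
    {
        // Walk from the page itself up to the root; the nearest entry wins.
        foreach (var id in Enumerable.Reverse(nodePath.Split(',')))
        {
            var page = accessConfig.Root.Elements("page")
                .FirstOrDefault(p => (string)p.Attribute("id") == id);
            if (page != null)
            {
                return new HashSet<string>(
                    page.Elements("group").Select(g => (string)g.Attribute("id")));
            }
        }
        return null;
    }

    // Unprotected pages are open; a protected page needs at least one matching
    // role, so an entry with no groups denies everyone (fails closed).
    public static bool MemberMayView(XDocument accessConfig, string nodePath,
                                     IEnumerable<string> memberRoles)
    {
        var required = RequiredGroups(accessConfig, nodePath);
        return required == null || memberRoles.Any(r => required.Contains(r));
    }

    public static void Main()
    {
        // Constructed sample in the assumed App_Data/access.config layout.
        var config = XDocument.Parse(@"<access>
  <page id=""1101"" loginPage=""1050"" noRightsPage=""1051""><group id=""GroupB"" /></page>
  <page id=""1102"" loginPage=""1050"" noRightsPage=""1051""><group id=""GroupA"" /></page>
</access>");
        // In the controller this would come from Roles.GetRolesForUser(model.Username).
        var roles = new[] { "GroupA" };
        Console.WriteLine(MemberMayView(config, "-1,1000,1101", roles));      // Page One
        Console.WriteLine(MemberMayView(config, "-1,1000,1102,1200", roles)); // child of Page Two
        Console.WriteLine(MemberMayView(config, "-1,1000,1300", roles));      // unprotected
    }
}
```

When `MemberMayView` returns false for a member whose credentials validated, the login action can add a "logged in but not permitted" model error instead of redirecting to the protected page.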
Good thinking, Charles - I'd forgotten about that. I was really hoping there'd be a nicer way, though, using an existing API. But this will have to do - thanks!