I might be missing something, but it seems to me that it is not possible to be sure who the executing user is, when attaching to an event.
For example if I attach to the Document.BeforeSave event, then my only option seems to be looking at the UmbracoEnsuredPage.CurrentUser wich depends on a user actually being logged in, and also depends on the http context.
This can be a problem if things are f.ex. published through the API or from a scheduled task.
It would be nice if the executing user was available in the eventargs or something like that.
Or is there another way to do this that I am missing?
What I usually do is check to see if I can get the CurrentUser, if that one is null then I use new User(0) instead. Might not be the best way, but it works for me!
Sebastiaan> That is one option, but what I had in mind was trying to add some security checks on permissions and so on. And in that case I need a way of knowing who is actually trying to do something.
For example if I want to make sure that only admin users can change the name of a certain page. If they do it instantly, I can get the user from the context, but if they set it for scheduled publishing, then I don't know who is actually trying to publish this. I could also do some fallback to the "Writer" of the page, but it seems that "Writer" is not changed until after the publish, so it would be published with the credentials of the previous writer.
All in all, it would just be nice to get the info from the eventargs or similar.
I understand, but this is still possible though. First determine if a user is logged in, then what role they have. If there is no logged in user, it must be some automated process. I'm sure the content creator ("writer") is available after they click "Save", so you should be able to use that information when automated processes start executing.
The Writer is not the saving user in the BeforeSave event. I just checked. And actually, the Writer on the document is not changed during a Save() either. The only time the Writer property is updated is when publishing the document.
It actually is a bit of a pemissions problem. I just tried the following scenario:
1. Login with a user with no publish permissions 2. Create a page 3. Set a "publish at" time 4. Save the document 5. Wait 6. Violá, the document is published
Another scenario
1. Login with a admin user 2. Create a page 3. Save the document 4. Login as a user without publish permissons 5. Edit the page, set a Publish At time, and save 5. Wait 6. Violá, the document is published
In this last scenario, there is no way of knowing who actually set the Publish At time, because the Writer is not updated when saving the document.
Getting executing user in Eventhandler
I might be missing something, but it seems to me that it is not possible to be sure who the executing user is, when attaching to an event.
For example if I attach to the Document.BeforeSave event, then my only option seems to be looking at the UmbracoEnsuredPage.CurrentUser wich depends on a user actually being logged in, and also depends on the http context.
This can be a problem if things are f.ex. published through the API or from a scheduled task.
It would be nice if the executing user was available in the eventargs or something like that.
Or is there another way to do this that I am missing?
What I usually do is check to see if I can get the CurrentUser, if that one is null then I use new User(0) instead. Might not be the best way, but it works for me!
Sebastiaan> That is one option, but what I had in mind was trying to add some security checks on permissions and so on. And in that case I need a way of knowing who is actually trying to do something.
For example if I want to make sure that only admin users can change the name of a certain page. If they do it instantly, I can get the user from the context, but if they set it for scheduled publishing, then I don't know who is actually trying to publish this. I could also do some fallback to the "Writer" of the page, but it seems that "Writer" is not changed until after the publish, so it would be published with the credentials of the previous writer.
All in all, it would just be nice to get the info from the eventargs or similar.
I understand, but this is still possible though. First determine if a user is logged in, then what role they have. If there is no logged in user, it must be some automated process. I'm sure the content creator ("writer") is available after they click "Save", so you should be able to use that information when automated processes start executing.
The Writer is not the saving user in the BeforeSave event. I just checked. And actually, the Writer on the document is not changed during a Save() either. The only time the Writer property is updated is when publishing the document.
It actually is a bit of a pemissions problem. I just tried the following scenario:
1. Login with a user with no publish permissions
2. Create a page
3. Set a "publish at" time
4. Save the document
5. Wait
6. Violá, the document is published
Another scenario
1. Login with a admin user
2. Create a page
3. Save the document
4. Login as a user without publish permissons
5. Edit the page, set a Publish At time, and save
5. Wait
6. Violá, the document is published
In this last scenario, there is no way of knowing who actually set the Publish At time, because the Writer is not updated when saving the document.
is working on a reply...