Need to add some extra checking when umbraco is checking page access permission
Hi
When a user accesses a page, as well as the default stuff umbraco does to see if they have permission to view it I also want it to check some of my custom permissions against the userID.
I have been delving into the source and have found that "umbraco.RequestHandler" does this checking and it uses a function called "Access.HasAccces".
I'd rather not go messing with the source so does anyone know of a way that I can add in this custom checking in my own class? HasAccces isn't overrideable and I'm not quite sure how to go about doing anything with umbraco.RequestHandler.
I'm not sure this will do what I want... reading back on my post I'm not sure I explained my self correctly! Sorry I have been going round in cicles with this all day and have kind of latched onto this "has access" which may or may not be correct! :)
What I want to happen is that umbraco checks if the user has access to a page via the roles or anything else that has been set up in umbraco. (in the way it usually does) Then if the user hasn't got access it needs to check my custom permissions because they may have been given access under my custom permissions, even if their role doesn't allow it.
As far as I know there it's a way to hook into the Access (HasAccess) API.
The example I showed for "UmbracoDefault.BeforeRequestInit" happens after the call to "umbraco.requestHandler", so if the user doesn't have access to the page, then the nodeId should be the "Access Denied" one (which you can find out from the "Access.GetErrorPage" method). Then if they pass your checks, then switch them back to the original nodeId/URL?
Thanks for your help here. This is sounding promising! :)
Although I'm not completely sure I understand what I need to do.
Would I call the Access.GetErrorPage method from within the "UmbracoDefault.BeforeRequestInit"? If not where would I do this?
Then assuming the error page is the access denied page will the PageID in the RequestInitEventArgs be the one they have just been denied? or will that now be the access denied page? If that is the case I assume that e.Url (in RequestInitEventArgs) will also be the page they have just been denied, so what would I set to send them back to it without making them go through all the validation again?
Oh Doh! Re-read what you said a few times, I've got a bit confused haven't I! Access.GetError page gives me the error page!
So the question should have been.. How do I know what the original page was and how do I send them back without making them go through all the checks again?
Sorry to confuse you Bex, you're right - just given this a quick test and once the page is re-set to the ErrorPage, then it loses the reference to the original page.
The only way that I know of to get the original nodeId is to do a reverse lookup of the URL against the XML cache ... if you are using uComponents, we've got a library method for it called "uComponents.Core.XsltExtensions.Nodes.GetNodeIdByUrl". (If you aren't using uComponents, then feel free to grab the source-code - if needed?)
I'll see if I can figure out some code to help you out.
Had a look at writing a code snippet... but it didn't go well. The 'RequestInitEventArgs' object is read-only in the event, so there is no way to revert back to the original nodeId.
Might be worth raising a new workitem on Umbraco's CodePlex, to see if there is a way a hook can be added to the Access.HasAccess method(s)?
Thanks for your help and sorry for the delay in reply!
Think I may have to and hack around with the source in this particular case as it's not something I can hang around with and I really want to use Umbraco as it's got too many things I don't want to do without. Before I started looking at other ways I was just going to change the have access function to make it overridable, but it's static so I can't. Oh well! Let the hacking begin!
Need to add some extra checking when umbraco is checking page access permission
Hi
When a user accesses a page, as well as the default stuff umbraco does to see if they have permission to view it I also want it to check some of my custom permissions against the userID.
I have been delving into the source and have found that "umbraco.RequestHandler" does this checking and it uses a function called "Access.HasAccces".
I'd rather not go messing with the source so does anyone know of a way that I can add in this custom checking in my own class?
HasAccces isn't overrideable and I'm not quite sure how to go about doing anything with umbraco.RequestHandler.
Thanks
Hi Bex,
If you are using v4.7.1+ then you can hook into the "umbraco.UmbracoDefault.BeforeRequestInit" event. Quick example:
public class EventsHandler : ApplicationBase { public EventsHandler() { UmbracoDefault.BeforeRequestInit += new UmbracoDefault.RequestInitEventHandler(this.UmbracoDefault_BeforeRequestInit); } private void UmbracoDefault_BeforeRequestInit(object sender, RequestInitEventArgs e) { // do whatever security checks in here. // The 'RequestInitEventArgs' references anything you'll need. } }Cheers, Lee.
I'm not sure this will do what I want... reading back on my post I'm not sure I explained my self correctly!
Sorry I have been going round in cicles with this all day and have kind of latched onto this "has access" which may or may not be correct! :)
What I want to happen is that umbraco checks if the user has access to a page via the roles or anything else that has been set up in umbraco. (in the way it usually does)
Then if the user hasn't got access it needs to check my custom permissions because they may have been given access under my custom permissions, even if their role doesn't allow it.
Is that something entirely different?
Hi Bex,
As far as I know there it's a way to hook into the Access (HasAccess) API.
The example I showed for "UmbracoDefault.BeforeRequestInit" happens after the call to "umbraco.requestHandler", so if the user doesn't have access to the page, then the nodeId should be the "Access Denied" one (which you can find out from the "Access.GetErrorPage" method). Then if they pass your checks, then switch them back to the original nodeId/URL?
Cheers, Lee.
Hi Lee
Thanks for your help here.
This is sounding promising! :)
Although I'm not completely sure I understand what I need to do.
Would I call the Access.GetErrorPage method from within the "UmbracoDefault.BeforeRequestInit"? If not where would I do this?
Then assuming the error page is the access denied page will the PageID in the RequestInitEventArgs be the one they have just been denied? or will that now be the access denied page?
If that is the case I assume that e.Url (in RequestInitEventArgs) will also be the page they have just been denied, so what would I set to send them back to it without making them go through all the validation again?
Argh Confused! Sorry!
Oh Doh! Re-read what you said a few times, I've got a bit confused haven't I!
Access.GetError page gives me the error page!
So the question should have been.. How do I know what the original page was and how do I send them back without making them go through all the checks again?
:) Bex
Sorry to confuse you Bex, you're right - just given this a quick test and once the page is re-set to the ErrorPage, then it loses the reference to the original page.
The only way that I know of to get the original nodeId is to do a reverse lookup of the URL against the XML cache ... if you are using uComponents, we've got a library method for it called "uComponents.Core.XsltExtensions.Nodes.GetNodeIdByUrl". (If you aren't using uComponents, then feel free to grab the source-code - if needed?)
I'll see if I can figure out some code to help you out.
Cheers, Lee.
Hi Bex,
Had a look at writing a code snippet... but it didn't go well. The 'RequestInitEventArgs' object is read-only in the event, so there is no way to revert back to the original nodeId.
Might be worth raising a new workitem on Umbraco's CodePlex, to see if there is a way a hook can be added to the Access.HasAccess method(s)?
http://umbraco.codeplex.com/WorkItem/Create
Sorry I couldn't help come up with a solution! :-(
Cheers, Lee.
Hi Lee
Thanks for your help and sorry for the delay in reply!
Think I may have to and hack around with the source in this particular case as it's not something I can hang around with and I really want to use Umbraco as it's got too many things I don't want to do without.
Before I started looking at other ways I was just going to change the have access function to make it overridable, but it's static so I can't.
Oh well! Let the hacking begin!
Bex
is working on a reply...