  • Greg Fyans 114 posts 273 karma points
    Mar 16, 2016 @ 14:18

    Override user / IPrincipal on Umbraco request

    So, long story short, I need to allow a CMS user to access nodes (from an MNTP, for example) outside of that logged-in user's start node. So, something like this:

    enter image description here

    Hopefully that makes sense, but basically User 1 will have a start node under Global Site. They need to be able to select nodes, using MNTP, from Global Content Elements which exists above their allowed level.

    I thought I might be able to just intercept the request, replace the user (with admin) and it would all work, but this doesn't seem to have made any difference:

    This has stumped me, and I'm happy to look at alternative solutions, but this is what I've got so far:

    public class CustomTreeApiHandler : DelegatingHandler
    {
        protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
        {
            IUser user = UmbracoContext.Current.Security.CurrentUser;
            // If current user is not admin
            if (user != null && user.Name != "admin")
            {
                // Catch content tree load events
                switch (request.RequestUri.AbsolutePath.ToLower())
                {
                    case "/umbraco/backoffice/umbracotrees/applicationtree/getapplicationtrees":
                        return FilterAllowedContentNodes(request, cancellationToken);
                    default:
                        return base.SendAsync(request, cancellationToken);
                }
            }
            return base.SendAsync(request, cancellationToken);
        }

        private Task<HttpResponseMessage> FilterAllowedContentNodes(HttpRequestMessage request, CancellationToken cancellationToken)
        {
            IUserService userService = ApplicationContext.Current.Services.UserService;
            // The rest of the following statement is cut off in the post.
            IPrincipal principal =
                new ClaimsPrincipal(new UmbracoBackOfficeIdentity(new ClaimsIdentity(),
            return base.SendAsync(request, cancellationToken);
        }
    }

    And this:

    public class UmbracoEvents : ApplicationEventHandler
    {
        protected override void ApplicationStarting(UmbracoApplicationBase umbracoApplication,
            ApplicationContext applicationContext)
        {
            // Add a web api handler. Here we can change the values from each web api call.
            GlobalConfiguration.Configuration.MessageHandlers.Add(new CustomTreeApiHandler());
        }
    }

    Does anyone have any bright ideas as to what I can do here? I know this is a problem that comes up a few times every year, but I've yet to see a solution for it (to be honest it would be great if this was built in to the core, I know we have permissions but this is different).

  • Marc Goodson 1163 posts 7751 karma points MVP 5x c-trib
    Mar 16, 2016 @ 18:50

    Hi gfyans

    I've had a similar problem before, and resolved it using User Permissions instead, so set the user's start node to be the root of the content tree, then for each part of the site that the user shouldn't be able to see - remove their browse node permissions...

    But do allow them to browse and update the 'shared global elements' part of the tree.

    enter image description here

    The multi node tree pickers respect these permissions, but the downside is you have to set the permissions per user. So it depends on how many you have and how often they are created as to how much of a pain this is.

    The other option would be to install the NuPickers package and use one of these pickers to select the nodes, as these do not all use the 'content tree' and so therefore are not limited by the User's Start Node...

    If you're trying to code around the issue, then to me, the problem is here:

    in the umbtree.directive.js, line 142 - 163



  • Greg Fyans 114 posts 273 karma points
    Mar 17, 2016 @ 09:13

    Hey Marc,

    I think you might be right. I did actually look into this, but we have 30+ sites with multiple users for each - all managed by the client - so I deemed it too difficult to manage/maintain.

    Having a think about it last night though, I know what the global nodes are (they won't ever change, and if they do they'll always be in the same global parent folder), so I can actually catch the on-user-created/updated event and sort out the permissions programmatically.

    That coupled with my CustomApiTreeHandler that can hide nodes they don't have permission to browse will meet our requirements.

    Once I've done this, and it works, I'll post the code up for others to use.


