So, long story short, I need to allow a CMS user to access nodes (from a MNTP for example) outside of that logged in user's start node. So, something like this:
Hopefully that makes sense, but basically User 1 will have a start node under Global Site. They need to be able to select nodes, using MNTP, from Global Content Elements which exists above their allowed level.
I thought I might be able to just intercept the request, replace the user (with admin) and it would all work, but this doesn't seem to have made any difference:
This has stumped me, and I'm happy to look at alternative solutions, but this is what I've got so far:
    public class CustomTreeApiHandler : DelegatingHandler
    {
        protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
        {
            IUser user = UmbracoContext.Current.Security.CurrentUser;

            // If current user is not admin
            if (user != null && user.Name != "admin")
            {
                // Catch content tree load events
                switch (request.RequestUri.AbsolutePath.ToLower())
                {
                    case "/umbraco/backoffice/umbracotrees/applicationtree/getapplicationtrees":
                        return FilterAllowedContentNodes(request, cancellationToken);
                    default:
                        return base.SendAsync(request, cancellationToken);
                }
            }

            return base.SendAsync(request, cancellationToken);
        }

        private Task<HttpResponseMessage> FilterAllowedContentNodes(HttpRequestMessage request, CancellationToken cancellationToken)
        {
            IUserService userService = ApplicationContext.Current.Services.UserService;
            IPrincipal principal =
                new ClaimsPrincipal(new UmbracoBackOfficeIdentity(new ClaimsIdentity(),
                    Mapper.Map<UserData>(userService.GetUserById(0))));
            request.SetUserPrincipal(principal);

            return base.SendAsync(request, cancellationToken);
        }
    }
And this:
    public class UmbracoEvents : ApplicationEventHandler
    {
        protected override void ApplicationStarting(UmbracoApplicationBase umbracoApplication,
            ApplicationContext applicationContext)
        {
            // Add a web api handler. Here we can change the values from each web api call.
            GlobalConfiguration.Configuration.MessageHandlers.Add(new CustomTreeApiHandler());
        }
    }
Does anyone have any bright ideas as to what I can do here? I know this is a problem that comes up a few times every year, but I've yet to see a solution for it (to be honest it would be great if this was built in to the core, I know we have permissions but this is different).
Override user / IPrincipal on Umbraco request
Hi gfyans
I've had a similar problem before, and resolved using User Permissions instead, so set the user's start node to be the root of the content tree, then for each part of the site that the user shouldn't be able to see - remove their browse node permissions....
But do allow them to browse and update the 'shared global elements' part of the tree.
The multi node tree pickers respect these permissions, but the downside is you have to set the permissions per user. So it depends on how many you have and how often they are created as to how much of a pain this is.
The other option would be to install the NuPickers package and use one of these pickers to select the nodes, as these do not all use the 'content tree' and so therefore are not limited by the Users Start Node...
https://our.umbraco.org/projects/backoffice-extensions/nupickers/
If you're trying to code around the issue, then to me, the problem is here:
https://github.com/umbraco/Umbraco-CMS/blob/e51ef64b6672b1884f5cf5a6ad23334aaaeccc76/src/Umbraco.Web.UI.Client/src/common/directives/components/tree/umbtree.directive.js
in the umbtree.directive.js, line 142 - 163
regards
Marc
Hey Marc,
I think you might be right. I did actually look into this, but we have 30+ sites with multiple users for each - all managed by the client - so I deemed it too difficult to manage/maintain.
Having a think about it last night though, I know what the global nodes are (they won't ever change, and if they do they'll always be in the same global parent folder), so I can actually catch the on-user-created/updated event and sort out the permissions programmatically.
That coupled with my CustomApiTreeHandler that can hide nodes they don't have permission to browse will meet our requirements.
Once I've done this, and it works, I'll post the code up for others to use.
Thanks.
G.
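The approach described in the last reply (granting permissions from a user-saved event instead of swapping the request principal for admin) could look like the sketch below. It is an added example, not code posted in this thread. It assumes Umbraco 7 before user groups were introduced, where `IUserService` exposes `ReplaceUserPermissions`; the class name and the node id `1234` are hypothetical placeholders.

```csharp
using System.Linq;
using Umbraco.Core;
using Umbraco.Core.Events;
using Umbraco.Core.Models;
using Umbraco.Core.Models.Membership;
using Umbraco.Core.Services;
using umbraco.BusinessLogic.Actions;

public class GlobalElementsPermissionHandler : ApplicationEventHandler
{
    // Hypothetical id of the "Global Content Elements" folder; replace with the real node id.
    private const int GlobalElementsRootId = 1234;

    protected override void ApplicationStarted(UmbracoApplicationBase umbracoApplication,
        ApplicationContext applicationContext)
    {
        // Runs whenever a back office user is created or updated.
        UserService.SavedUser += OnSavedUser;
    }

    private static void OnSavedUser(IUserService sender, SaveEventArgs<IUser> e)
    {
        IContentService contentService = ApplicationContext.Current.Services.ContentService;
        IContent root = contentService.GetById(GlobalElementsRootId);
        if (root == null)
        {
            return; // Folder missing: grant nothing rather than guess.
        }

        // The global folder plus everything below it.
        int[] nodeIds = new[] { root.Id }
            .Concat(contentService.GetDescendants(root).Select(c => c.Id))
            .ToArray();

        // Browse only: enough for a picker to list the nodes, without edit rights.
        char[] browseOnly = { ActionBrowse.Instance.Letter };

        foreach (IUser user in e.SavedEntities)
        {
            sender.ReplaceUserPermissions(user.Id, browseOnly, nodeIds);
        }
    }
}
```

Unlike the admin-principal handler, this keeps every request running as the real user, so audit entries and other permission checks still reflect who actually made the change.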