I have set up Umbraco so that I have this controller -
[RestrictAccessToSite]
public class TeamController : RenderMvcController
{
public ActionResult Team(RenderModel model)
{
var custModel = new TeamList(model.Content);
return CurrentTemplate(custModel);
}
}
And I have this class setting up the Attribute
public class RestrictAccessToSite : AuthorizeAttribute
{
public void OnAuthorization(AuthenticationContext filterContext)
{
Console.WriteLine("Hello from Auth"); //Just for testing
}
}
I had to set the path for the loginUrl in web.config, set to :
forms name="yourAuthCookie" loginUrl="~/Umbraco/#/login" protection="All" path="/"
So if I try to browse to content that uses this controller, I am presented with a login page.
The problem is that after I have logged in, instead of getting to the content I was trying to get to -- it brings me to the Umbraco Editor.
I don't ever get to the content, even if logged in. If I remove the attribute, the content is displayed properly.
I have tested this same thing with a regular, plain MVC application, and it works properly. I have been working/searching on this for a while and would appreciate any ideas.
Depending on the version of Umbraco the backoffice login hasn't always redirected to the ?returnUrl=originallyrequestedurl which I think is why what you are putting together is failing.
Yes 'Members' is designed to be the method to secure published content on the public website; and Users are for logging into the back office to edit content.
And so there are Member Helpers: (https://our.umbraco.org/documentation/Reference/Querying/UmbracoHelper/)
in Umbraco 7 to protect an area of the published website.
If I'm understanding correctly though the twist you appear to want to put on this is that instead of using the built in Members store for authenticating, you'd like to limit access to backoffice Users of Umbraco.
Since Umbraco Membership is based on the ASP.NET Membership provider, you could create your own Custom Membership provider to authenticate to your Users or any other source that you want to protect areas of the site by, and replace the default UmbracoMembershipProvider in the web.config. Then you could take advantage of the built in Membership functionality for protecting areas of your site, but not have the people who need to access the site created as Members.
or
you could use Events, on the UserService, to sync Users and Members so when you have a backoffice user, you always have a corresponding member...
If people are looking for the link that Marc mentioned, on Siempresolutions, I think the software did something to the link, there are underscores in the URL. Just go to the blog part of the URL, and the posts are pretty obvious from there.
From what I can understand though, these solutions seem to be overrides, to the original Umbraco member model / class.
I just found Shawazza/UmbracoIdentity -- and I wonder if that is a better way to go??
Yes out of the box you can create the Members in the Umbraco backoffice, and it should all work.
For custom data sources, you can just create a custom membership provider and plumb that into the config, and it will play nicely with the built in Umbraco Members protection (eg Public Access protection)
If your custom source of authentication would be easier to work with ASP.Net Identity / OWIN then Shannon's Umbraco Identity enables that.
Hybrid MVC Controller and Custom Authorization
I have set up Umbraco so that I have this controller -
And I have this class setting up the Attribute
I had to set the path for the loginUrl in web.config, set to : forms name="yourAuthCookie" loginUrl="~/Umbraco/#/login" protection="All" path="/"
So if I try to browse to content that uses this controller, I am presented with a login page.
The problem is that after I have logged in, instead of getting to the content I was trying to get to -- it brings me to the Umbraco Editor.
I don't ever get to the content, even if logged in. If I remove the attribute, the content is displayed properly.
I have tested this same thing with a regular, plain MVC application, and it works properly. I have been working/searching on this for a while and would appreciate any ideas.
Hi Bill
Are you trying to use the Umbraco Backoffice login to secure an MVC route ?
If so you can create a controller that inherits from
Umbraco.Web.Mvc.UmbracoAuthorizedController
and map a route to it like so:
https://our.umbraco.org/documentation/Implementation/Controllers/
or are you trying to secure a section of your published website ? if so I'd probably use Members to protect the pages,
https://our.umbraco.org/documentation/getting-started/data/members/
Depending on the version of Umbraco the backoffice login hasn't always redirected to the ?returnUrl=originallyrequestedurl which I think is why what you are putting together is failing.
regards
Marc
Marc, I am using 7.4.2. I am trying to secure published content.
Using Members does not allow me to use logic to do a lookup, based on the user and the requested url.
Any additional tips around debugging this would be most appreciated. Thanks, Bill
Hi Bill
Yes 'Members' is designed to be the method to secure published content on the public website; and Users are for logging into the back office to edit content.
And so there are Member Helpers: (https://our.umbraco.org/documentation/Reference/Querying/UmbracoHelper/)
eg:
that can be used to determine if the current Member has access to a content page.
And the 'Public Access' menu item would allow you to tie down access to an area of the site by Members.
There is a good article here about setting up Membership
http://siempresolutions.co.uk/blog/Umbraco%5FMembers%5FPart%5F3%5FA%5FFull%5FSolution
in Umbraco 7 to protect an area of the published website.
If I'm understanding correctly though the twist you appear to want to put on this is that instead of using the built in Members store for authenticating, you'd like to limit access to backoffice Users of Umbraco.
Since Umbraco Membership is based on the ASP.NET Membership provider, you could create your own Custom Membership provider to authenticate to your Users or any other source that you want to protect areas of the site by, and replace the default UmbracoMembershipProvider in the web.config. Then you could take advantage of the built in Membership functionality for protecting areas of your site, but not have the people who need to access the site created as Members.
or
you could use Events, on the UserService, to sync Users and Members so when you have a backoffice user, you always have a corresponding member...
Marc, Thanks for your reply...
What I am looking for is custom members. I need to authenticate and authorize custom members against a custom authorization/authentication service.
I used the web config to set up a custom membership provider.
These links were pretty helpful --
https://our.umbraco.org/forum/developers/extending-umbraco/74219-custom-membership-provider
http://24days.in/umbraco/2015/extending-membership/
If people are looking for the link that Marc mentioned, on Siempresolutions, I think the software did something to the link, there are underscores in the URL. Just go to the blog part of the URL, and the posts are pretty obvious from there.
From what I can understand though, these solutions seem to be overrides, to the original Umbraco member model / class.
I just found Shawazza/UmbracoIdentity -- and I wonder if that is a better way to go??
Hi Bill
Pesky Underscores!
Yes out of the box you can create the Members in the Umbraco backoffice, and it should all work.
For custom data sources, you can just create a custom membership provider and plumb that into the config, and it will play nicely with the built in Umbraco Members protection (eg Public Access protection)
If your custom source of authentication would be easier to work with ASP.Net Identity / OWIN then Shannon's Umbraco Identity enables that.
regards
Marc
is working on a reply...