  • Micha Somers 134 posts 597 karma points
    Jul 12, 2017 @ 19:33
    Micha Somers
    0

    How to prevent one specific template being accessible as alternative template

    Is there a way to prevent a specific template (meant for admin purposes) being accessible as alternative template?

    I could set @disableAlternativeTemplates to true, but that's a bit too restrictive since some other templates still need to be accessible via the altTemplate querystring (or by appending the template name to the current URL).

    Is this possible?

  • Marc Goodson 2155 posts 14408 karma points MVP 9x c-trib
    Jul 13, 2017 @ 12:56
    Marc Goodson
    0

    Hi Micha

    There isn't a way to turn some alt templates off and some on, but could you put a check at the top of the one used for admin purposes - so that it was perhaps only accessible to people if they were also logged into the Umbraco backoffice at the same time?

    eg there are some extension methods on HttpContext here:

    https://github.com/umbraco/Umbraco-CMS/blob/9badb35c054ecc91630b69b1b6753c78427cb4a6/src/Umbraco.Core/Security/AuthenticationExtensions.cs

    On the first line of your template you could check whether the person accessing it was logged into Umbraco and had their UmbracoAuthTicket set:

    eg

    var ticket = HttpContext.Current.GetUmbracoAuthTicket();
    

    then deny them access, redirect away from the alt template if they are not logged in...

    or build the functionality as part of the Umbraco backoffice with a custom dashboard or menu item, so it's not available via the front end anyway?

    regards

    Marc

  • Micha Somers 134 posts 597 karma points
    Jul 13, 2017 @ 13:52
    Micha Somers
    0

    Thanks Marc,

    I now realise that I wasn't clear about "admin purposes"...

    The template is meant for some (admin)members on the front-end that are allowed to see some specific pages that actually should be hidden for people who are not adminmembers.

    If people could just add an alternative template to the URL they potentially could see things that they should not see (although this probably sounds more exciting than it really is).

    Although not meant for the back-end users, your answer could still work in a somewhat different way for front-end members.

    I have to investigate this further, but I think I can use some details about the member to show or hide the rest of the code in the template.

    Thanks for the hints so far!

  • Marc Goodson 2155 posts 14408 karma points MVP 9x c-trib
    Jul 13, 2017 @ 20:50
    Marc Goodson
    100

    Hi Micha

    Yes, I was guessing one way or the other, but yes, same principle for Members: put the members with special admin access to the exciting page into an 'ExcitingPageAccess' Member group.

    Then you should be able to see which roles the currently logged in user is in using:

    System.Web.Security.Roles.GetRolesForUser()
    

    Failing that you could use the MemberService:

    https://our.umbraco.org/documentation/reference/management/services/memberservice

    which has a FindMembersInRole method that you could use to see if the current logged in member is in a certain role or not.

    regards

    Marc
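
The member-group check suggested in the last answer, written as a guard at the top of the admin template so it runs however the template is reached (assigned template, altTemplate querystring or template name appended to the URL). This is an added example, not code posted in the thread; it assumes an Umbraco 7 Razor template with the default membership and role providers, and uses the 'ExcitingPageAccess' group name from the answer.

```razor
@* Added example, not from the thread. Assumes Umbraco 7 and the default
   membership/role providers; the group name is the one suggested above. *@
@inherits Umbraco.Web.Mvc.UmbracoTemplatePage
@using System
@using System.Linq
@using System.Web
@using System.Web.Security
@{
    const string requiredGroup = "ExcitingPageAccess";

    // Deny by default: anonymous visitors fail the first test, so the
    // role lookup only runs for a logged-in member.
    bool allowed = User.Identity.IsAuthenticated
        && Roles.GetRolesForUser().Contains(requiredGroup, StringComparer.OrdinalIgnoreCase);

    if (!allowed)
    {
        // Throwing stops rendering before any markup below is written.
        // A 404 does not confirm that the template exists.
        throw new HttpException(404, "Not found");
    }

    // Keep the member-only output out of browser and proxy caches.
    Response.Cache.SetCacheability(HttpCacheability.NoCache);
    Response.Cache.SetNoStore();
}
<h1>@Model.Content.Name</h1>
@* Member-only markup goes here. *@
```

Any partial views or macros that render the same restricted data need the same check, since the guard only protects output produced by this template.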
