How to prevent one specific template being accessible as alternative template
Is there a way to prevent a specific template (meant for admin purposes) being accessible as an alternative template?
I could set @disableAlternativeTemplates to true, but that's a bit too restrictive since some other templates still need to be accessible via the altTemplate querystring (or by appending the template name to the current URL).
Is this possible?
Hi Micha
There isn't a way to turn some alt templates off and some on, but could you put a check at the top of the one used for admin purposes - so that it was perhaps only accessible to people if they were also logged into the Umbraco backoffice at the same time?
eg there are some extension methods on HttpContext here:
https://github.com/umbraco/Umbraco-CMS/blob/9badb35c054ecc91630b69b1b6753c78427cb4a6/src/Umbraco.Core/Security/AuthenticationExtensions.cs
On that first line of your template you could check whether the person accessing was logged into Umbraco and had their UmbracoAuthTicket set:
eg
then deny them access, redirect away from the alt template if they are not logged in...
or build the functionality as part of the Umbraco backoffice with a custom dashboard or menu item, so it's not available via the front end anyway?
regards
Marc
Thanks Marc,
I now realise that I wasn't clear about "admin purposes"...
The template is meant for some (admin)members on the front-end that are allowed to see some specific pages that actually should be hidden for people who are not adminmembers.
If people could just add an alternative template to the URL they potentially could see things that they should not see (although this probably sounds more exciting than it really is).
Although not meant for the back-end users, your answer could still work in a somewhat different way for front-end members.
I have to investigate this further, but I think I can use some details about the member to show or hide the rest of the code in the template.
Thanks for the hints so far!
Hi Micha
Yes I was guessing one way or the other, but yes same principle for Members, put the members with special admin access to the exciting page into an 'ExcitingPageAccess' Member group.
Then you should be able to see which roles the currently logged in user is in using:
Failing that you could use the MemberService:
https://our.umbraco.org/documentation/reference/management/services/memberservice
which has a FindMembersInRole method that you could use to see if the current logged in member is in a certain role or not.
regards
Marc
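The member-group check discussed in this thread could look like the following at the top of the restricted template. This is an added example, not code posted by anyone in the thread. It assumes an Umbraco 7 MVC template where the `Members` helper (MembershipHelper) is available, and it uses the 'ExcitingPageAccess' group name from the reply above; the markup is a placeholder.

```cshtml
@inherits Umbraco.Web.Mvc.UmbracoTemplatePage
@{
    Layout = null;

    // Group name taken from the thread; create it under Members > Member Groups.
    var allowedGroups = new[] { "ExcitingPageAccess" };

    // The check runs inside the template itself, so it applies however the
    // template was selected: assigned to the node, ?altTemplate=..., or the
    // template alias appended to the URL.
    bool allowed = Members.IsLoggedIn()
                   && Members.IsMemberAuthorized(allowGroups: allowedGroups);

    // Never let a cache or proxy store the response of a member-only template,
    // otherwise an authorized member's page could be served to someone else.
    Response.Cache.SetCacheability(System.Web.HttpCacheability.NoCache);
    Response.Cache.SetNoStore();

    if (!allowed)
    {
        // Answer with 403 and keep IIS from replacing the body with its own error page.
        Response.StatusCode = 403;
        Response.TrySkipIisCustomErrors = true;
    }
}
@if (allowed)
{
    @* Placeholder for the restricted markup. Everything sensitive must live
       inside this branch, including any partials or macros the template renders. *@
    <h1>@Model.Content.Name</h1>
}
else
{
    <p>You do not have access to this page.</p>
}
```

Because the alternative template renders the same content node, the check only protects what is output inside the guarded branch; data that other templates also print from that node needs the same guard there.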