Securing a back office MVC controller
I have a project where I'm integrating some existing MVC pages into the v7 back office. I have some MVC controllers that I want to ONLY be accessible to Umbraco back office users.
According to the IntelliSense documentation (as well as this article by Tim G), the class "UmbracoAuthorizedController" is for ensuring that an MVC controller is only accessed by logged in back office users. There are several tutorials on the web that use the base class as well.
So I have my controller, and it works fine in that the routes for the custom controller are all working fine; they're all routed through an "umbraco" URL with some custom mapping (e.g. /umbraco/areaname/controller/action). However, as soon as you log into the front end at the same time as being logged into the back end, it breaks, as the Authentication attribute ALWAYS returns false, even if you're logged in to both the front and the back end. As soon as you log out with the front end user, it correctly works out that you're authenticated again.
This looks like a bug to me, and it was logged as such here. Seb states that it's only meant for the front end. If that's the case, why is the base class used in several back office controllers, and why does the documentation state that it's for the back office? Seb suggests using a WebApiController, but that's of no use for an MVC page, as it can't return a view.
So is this a bug or not? Is the documentation wrong? Any pointers would be appreciated. I'm looking at rolling my own authentication attribute that actually works at the moment, but if there's a "right" way to do this, I'd like to know.
Comment author was deleted
Hey Tim,
So did you find out how to prevent this behaviour? It seems in 7.2.2 you always get the 401 even when there isn't a member logged in.
Hiya,
I've not tried this in 7.2.2 (my project was running 7.1.7), so it may have changed, but if you decorate your backoffice controller with the "IsBackOffice" attribute, it should stop the controller from breaking when users are logged in.
One other thing I found was that if you were using a custom principal for your front end, you need to add some code to make sure it doesn't set the custom principal when the user is in the backoffice (I did this by checking the URL, there's probably a better way though), otherwise the back office breaks.
Hope that helps!
Comment author was deleted
Talked to Shannon about this and the issue is that the route doesn't live in /umbraco/backoffice and thus Umbraco doesn't recognise it as a backoffice part and thinks it is for the frontend.
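To illustrate the two suggestions in this thread together (Tim's "IsBackOffice" attribute and Shannon's point about the route living under /umbraco/backoffice), here is an added example for Umbraco 7; it is not code posted by anyone above, and the namespace, controller name and route name are placeholders I made up. It assumes the controller is not auto-routed, so the route is registered by hand at startup.

```csharp
// Added example, not from the thread. Placeholder names: MyPlugin, ReportController,
// BackOfficeRouteRegistration. The Umbraco 7 types used are real ones.
using System.Web.Mvc;
using System.Web.Routing;
using Umbraco.Core;
using Umbraco.Web.Mvc;

namespace MyPlugin.BackOffice
{
    // [IsBackOffice] marks the controller as a back office controller, which is the
    // attribute Tim recommends above so a logged-in front end member does not
    // interfere with the back office user check.
    // UmbracoAuthorizedController carries the back office authorization check, so
    // an unauthenticated request never reaches the action body.
    [IsBackOffice]
    public class ReportController : UmbracoAuthorizedController
    {
        public ActionResult Index()
        {
            // Only reached by an authenticated back office user; a normal MVC view
            // is returned here, which a WebApi controller could not do.
            return View();
        }
    }

    // Register the route under /umbraco/backoffice/... so the path itself is
    // recognised as a back office request (Shannon's point above). ApplicationStarted
    // runs after Umbraco's own routes are in place, so this route is added last.
    public class BackOfficeRouteRegistration : ApplicationEventHandler
    {
        protected override void ApplicationStarted(UmbracoApplicationBase umbracoApplication,
            ApplicationContext applicationContext)
        {
            RouteTable.Routes.MapRoute(
                name: "MyPluginBackOffice",
                url: "umbraco/backoffice/MyPlugin/{controller}/{action}/{id}",
                defaults: new { controller = "Report", action = "Index", id = UrlParameter.Optional },
                namespaces: new[] { "MyPlugin.BackOffice" });
        }
    }
}
```

A quick check is to request /umbraco/backoffice/MyPlugin/Report/Index once while logged into the back office only, and again while also logged in as a front end member; both should return the view, and a request with no back office login should be rejected.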