Securing a back office MVC controller
I have a project where I'm integrating some existing MVC pages into the v7 back office. I have some MVC controllers that I want to ONLY be accessible to Umbraco back office users.
According to the IntelliSense documentation (as well as this article by Tim G), the class "UmbracoAuthorizedController" is for ensuring that an MVC controller is only accessed by logged-in back office users. There are several tutorials on the web that use the base class as well.
So I have my controller, and it works fine in that the routes for the custom controller are all working fine; they're all routed through an "umbraco" URL with some custom mapping (e.g. /umbraco/areaname/controller/action). However, as soon as you log into the front end at the same time as being logged into the back end, it breaks, as the Authentication attribute ALWAYS returns false, even if you're logged in to both the front and the back end. As soon as you log out with the front end user, it correctly works out that you're authenticated again.
This looks like a bug to me, and it was logged as such here (albeit for a slightly different issue), although that was canned as a non-issue because the original user was using a Surface Controller rather than an MVC one.
So is this a bug or not? Is the documentation wrong? Any pointers would be appreciated. I'm looking at rolling my own authentication attribute that actually works at the moment, but if there's a "right" way to do this, I'd like to know.