
  • Thomas Mulder 15 posts 86 karma points
    May 18, 2015 @ 10:30
    Thomas Mulder
    0

    Checking user permissions on backend page load

    Currently in my project, I'm hiding nodes in the content tree that were created by other writers, so a writer only sees his or her own content. 

    Now it seems to still be possible to navigate to the url of a hidden node.

    So if node 2538 is hidden in the content tree for a certain user, he can still surf to https://www.mysite.com/umbraco#/content/content/edit/2538

    Which page load or other events are there upon surfing to said URL and/or how can I verify the user's rights when the page is requested? I've found some answers for older versions of Umbraco but they don't seem to apply to Umbraco 7 with the new Angular implementation, if I've read them correctly.

     

  • Mehul Gajjar 48 posts 172 karma points
    May 18, 2015 @ 13:48
    Mehul Gajjar
    0

    Hi Thomas,

    With the code below you can check the logged-in user of the Umbraco backend page.

    var ticket = new HttpContextWrapper(HttpContext.Current).GetUmbracoAuthTicket();
    if (ticket != null)
    {
        // The ticket name is the backoffice user name.
        var userName = ticket.Name;
        if (ApplicationContext.Current.Services.UserService.GetByUsername(userName) != null)
        {
            // Here you can add your logic to get the node based on user role.
        }
    }
    

    Hope this will help you.

    Regards

    Mehul Gajjar.

  • Thomas Mulder 15 posts 86 karma points
    May 18, 2015 @ 14:30
    Thomas Mulder
    0

    Hi Mehul, 

    Thank you for your reply, but it wasn't quite what I was hoping for. My emphasis was more on the "when the page is requested" part of the question. Sorry for not being too clear on that. 
    I've tried to do the userrole-check on the umbracoPage.Load event, but I can't get it to fire when I surf to https://www.mysite.com/umbraco#/content/content/edit/2538, for example.

    So I'm not sure where I can do the User check to prevent the user from surfing to this page.

    I hope you (or anyone else) can help me with this.

    Regards,

    Thomas Mulder

  • Urvish 252 posts 776 karma points
    May 18, 2015 @ 14:53
    Urvish
    0

    Hi Thomas,

    May I know how you have restricted which content pages are displayed to a user?

    Because I am not able to restrict a particular user to particular content pages in the content tree.

    I am only able to set the start node of the content tree.

    Regards,

    Urvish Mandaliya

  • Mehul Gajjar 48 posts 172 karma points
    May 18, 2015 @ 15:06
    Mehul Gajjar
    0

    Hi Thomas,

    When you hit this link in another browser, https://www.mysite.com/umbraco#/content/content/edit/2538, do you get the login prompt? If yes, can you please check which user name and password you entered?

    Because once you set the permission for any "node" to one user, Umbraco itself restricts access to this node for other users.

    An administrator user can access all nodes, so it might be possible that you had logged in to Umbraco with administrator privileges, then tried to access this URL and got access.

    Share your steps if I am getting this wrong.

    Regards,

    Mehul Gajjar

  • Thomas Mulder 15 posts 86 karma points
    May 18, 2015 @ 15:25
    Thomas Mulder
    0

    @Mehul

    Apart from the creator of the node, there are some other things that need to be hidden for certain users. There are some users that ARE allowed to see other writers' content, so hiding it for the current user seemed like a good idea.
    So I'm not really setting actual permissions for the child node, but hiding it from the content tree. (See my answer to Urvish below)

    I'll definitely take a look at setting the permissions, but for the time being, do you have any idea whether there's an event I can register to that fires when I go to the link?

     

    @Urvish

    I'm just taking everything the user shouldn't see out of the content tree before rendering it.

    TreeControllerBase.TreeNodesRendering += TreeControllerBase_TreeNodesRendering;

    public static void TreeControllerBase_TreeNodesRendering(TreeControllerBase sender, TreeNodesRenderingEventArgs e)
    {
        var currentUmbracoUser = sender.UmbracoContext.Security.CurrentUser;
        var currentUser = UserManager.GetUserBaseByUmbracoUserId(currentUmbracoUser.Id);
        List<int> nodesToDelete = new List<int>();
        var aliasesToCheck = new List<string>();
        aliasesToCheck.Add("Newsitem"); // add whatever content types you want to check

        // Collect the ids of the rendered nodes whose content type is in the list above.
        var contentIds = e.Nodes
            .Where(x => x.AdditionalData != null
                && x.AdditionalData.ContainsKey("contentType")
                && x.AdditionalData["contentType"] != null
                && aliasesToCheck.Contains(x.AdditionalData["contentType"].ToString()))
            .Select(x => Convert.ToInt32(x.Id))
            .Distinct();

        if (contentIds.Any())
        {
            var itemContents = sender.Services.ContentService.GetByIds(contentIds);
            foreach (var contentId in contentIds)
            {
                var content = itemContents.FirstOrDefault(x => x.Id == contentId);
                if (content == null) continue;
                // Mark nodes that were created by someone other than the current user.
                if (content.CreatorId != currentUmbracoUser.Id)
                {
                    nodesToDelete.Add(contentId);
                }
            }
        }

        // Remove the marked nodes from the tree before it is rendered.
        e.Nodes.RemoveAll(x => nodesToDelete.Contains(Convert.ToInt32(x.Id)));
    }

    (cleaned this code up a bit, hope I didn't take too much out)

     

  • Thomas Mulder 15 posts 86 karma points
    Sep 03, 2015 @ 07:53
    Thomas Mulder
    101

    Okay, so since there isn't something like an "OnPageLoadEvent" or something, we solved it by intercepting the node to which a user tries to surf by checking for the following URL: "views/content/edit.html" and then checking the permissions of a user for the entered nodeId... if the user in question doesn't have the required permissions, he is sent back to the backoffice home page.

    Inspiration was acquired here: https://our.umbraco.org/forum/umbraco-7/developing-umbraco-7-packages/53758-Catch-content-page-load-event-in-umbraco-704

    See it in code here:

    angular.module('umbraco.services').config([
        '$httpProvider',
        function ($httpProvider) {
    
        $httpProvider.interceptors.push(function ($q, $injector) {
            return {
                'request': function (config) {
    
                    if (config.url == "views/content/edit.html") {
                        $injector.invoke(function (CustomBackofficeService, $routeParams, $location) {
                            CustomBackofficeService.checkPermissions($routeParams.id)
                                .then(function (result) {
                                    if (!result.hasPermission) {
                                        config.url = '';
                                        $location.path('/umbraco');
                                    }
                                });
                        });
                    }
                    return config || $q.when(config);
                }
            };
        });
    
    }]);
    

    Obviously the Service.CheckPermissions.....goes to check the permissions of the user ;-)

    This works for us, but if anyone would have any suggestions, fire away!
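
The interceptor in the post above starts the permission check but returns `config` before the check resolves, so the edit view is still requested whatever the verdict turns out to be. The added example below (not code from the thread; `checkPermissions`, the allowed-id list and the `send` helper are constructed stand-ins for the custom service and for `$http`) models that in plain JavaScript and contrasts it with an interceptor that returns the promise, which AngularJS request interceptors are allowed to do.

```javascript
// Added example: plain-JS model of an AngularJS request interceptor. All names are stand-ins.
const EDIT_VIEW = 'views/content/edit.html';

// Hypothetical permission lookup: resolves asynchronously, like an $http call would.
function checkPermissions(nodeId, allowedIds) {
  return new Promise(resolve =>
    setTimeout(() => resolve({ hasPermission: allowedIds.includes(nodeId) }), 5));
}

// Pattern from the post: the check is started but nothing waits for it.
function fireAndForgetInterceptor(routeParams, allowedIds, redirect) {
  return function request(config) {
    if (config.url === EDIT_VIEW) {
      checkPermissions(routeParams.id, allowedIds).then(result => {
        if (!result.hasPermission) { config.url = ''; redirect('/umbraco'); }
      });
    }
    return config; // handed back before the check has resolved
  };
}

// Blocking variant: return the promise so the request waits for the verdict.
function blockingInterceptor(routeParams, allowedIds, redirect) {
  return function request(config) {
    if (config.url !== EDIT_VIEW) return config;
    return checkPermissions(routeParams.id, allowedIds).then(result => {
      if (result.hasPermission) return config;
      redirect('/umbraco');
      return Promise.reject(new Error('no permission for node ' + routeParams.id));
    });
  };
}

// Minimal stand-in for $http: waits for the interceptor, then records the URL it "sends".
async function send(interceptor, url, sentLog) {
  const config = await interceptor({ url });
  sentLog.push(config.url);
  return config;
}

// Constructed scenario: the user may edit node 1001 only and navigates to node 2538.
async function demo() {
  const redirects = [], sentA = [], sentB = [];
  const params = { id: 2538 }, allowed = [1001];
  await send(fireAndForgetInterceptor(params, allowed, p => redirects.push(p)), EDIT_VIEW, sentA);
  const blocked = await send(blockingInterceptor(params, allowed, p => redirects.push(p)), EDIT_VIEW, sentB)
    .then(() => false, () => true);
  return { sentA, sentB, blocked };
}
```

Either variant only decides what the client renders; the per-node rule still has to be enforced by the server endpoints that return the content.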
