Authorization in Surface Controller
Hello,
I have a running Umbraco, and a custom Surface controller. Everything works fine except that I need 1 of the endpoints on this controller to be for admins only.
Can we somehow add a decorator? Or maybe add a check in the controller endpoint code?
From the research I understand I can extend Backoffice, but in my case I want only this one endpoint to be admin-only, not all endpoints.
I also understand I can use WebApi, but my endpoint returns a View, so that doesn't work either.
I would be very thankful if someone can guide me in the simplest direction for admin privileges check in a custom Surface controller.
Thanks!
Hi Mgpepe
You can use the [MemberAuthorize] attribute on a SurfaceController (https://our.umbraco.com/Documentation/Implementation/Controllers/#members--front-end-authorization) to require the person on the front end to be logged in as a Member in order to access the SurfaceController action. There is an AllowType or AllowGroup property you can use to tie it down by MemberType alias or by Member Group alias.
Members are different to Backoffice Users, so I'm not sure if you are looking to secure the SurfaceController by a Backoffice Admin User?
The problem here is a SurfaceController is designed to work with front end requests to the site, and although there is an [UmbracoAuthorize] attribute for authorizing controllers by backoffice Users, it only works if Umbraco considers the request to be a Backoffice request, which would mean routing it via the /umbraco/backoffice path: https://our.umbraco.com/Documentation/Reference/Routing/Authorized/
There is a special base MVC Controller called Umbraco.Web.Mvc.UmbracoAuthorizedController to use instead of a SurfaceController for this kind of thing.

So if you have an Admin Members group you should be ok with the MemberAuthorize attribute - or if your view is displayed in the backoffice then you should be ok to use an UmbracoAuthorizedController and route it via the backoffice - if however you want a front end request to be tied down by a backoffice user, then you'll probably need to look at the UmbracoAuthTicket for the backoffice to see if it's set...
https://github.com/umbraco/Umbraco-CMS/blob/v7/dev/src/Umbraco.Core/Security/AuthenticationExtensions.cs#L135
There is an example of this in a HttpHelper in the EditLink package:
https://github.com/prjseal/BackOfficeExtensions/blob/master/BackOfficeExtensions/HtmlHelpers.cs#L26
regards
Marc
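The two options from the answer above, written out as an added example that is not part of this thread or of the Umbraco project: one action tied to a front-end Member group with [MemberAuthorize], and one that checks for a logged-in backoffice admin User before returning the view. The controller and action names and the "admin" member group alias are assumptions; it also assumes a v7-era Umbraco where UmbracoContext.Security.CurrentUser and the IUser.IsAdmin() extension are available.

```csharp
using System.Web.Mvc;
using Umbraco.Core.Models;   // IsAdmin() extension method on IUser
using Umbraco.Web.Mvc;

// Hypothetical controller illustrating both approaches from the answer.
public class ReportSurfaceController : SurfaceController
{
    // Option 1: front-end Members. Only members of the "admin" member group
    // (alias assumed) can reach this action; everyone else gets the
    // attribute's unauthorized response before the action body runs.
    [MemberAuthorize(AllowGroup = "admin")]
    [HttpGet]
    public ActionResult MemberAdminReport()
    {
        return PartialView("MemberAdminReport");
    }

    // Option 2: a front-end request gated on a backoffice User.
    // UmbracoContext.Security wraps the backoffice auth ticket for this
    // request; CurrentUser is null when no backoffice user is logged in.
    [HttpGet]
    public ActionResult BackofficeAdminReport()
    {
        var user = UmbracoContext.Security.CurrentUser;

        // Fail closed: anonymous visitors and non-admin backoffice users
        // get a 403 rather than the view.
        if (user == null || !user.IsAdmin())
        {
            return new HttpStatusCodeResult(403);
        }

        return PartialView("BackofficeAdminReport");
    }
}
```

Option 2 only works when the backoffice auth cookie is sent with the front-end request, i.e. the user is logged into the backoffice on the same site, which is the UmbracoAuthTicket check the answer refers to.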