  • jake williamson 205 posts 850 karma points
    Jan 20, 2022 @ 04:41

    is it possible to lock down a 'UmbracoPageController' for backoffice use?

    hey out there,

    gotta an interesting one for ya: we need to return an mvc view in the backoffice. in v8, the UmbracoAuthorizedController allowed you to do this...

    ...but in v9 this is no longer available!

    for the moment, we're using a UmbracoPageController and we're wondering if there's a way to lock it down so it's only accessible in the backoffice?

    looking at the UmbracoAuthorizedController in the core, it has the following attributes:

    [AngularJsonOnlyConfiguration] // TODO: This could be applied with our Application Model conventions
    [Authorize(Policy = AuthorizationPolicies.BackOfficeAccess)]

    we've tried adding these (and various combinations of attributes as the IsBackOffice and Authorize attributes would seem the only ones we really need) but no joy.

    appreciate this is a bit of a niche requirement but has anyone hit this and has a work around?!

    as ever, any suggestions are greatly received ;)

  • jake williamson 205 posts 850 karma points
    Jan 27, 2022 @ 01:19

    yes yes yes! blardy found out how to lock any controller down for backoffice use ;)

    after a lot of searching and reading i randomly found this:

    In order for Umbraco to authenticate a request for the backoffice, the routing needs to be specific. Any URL that routes to:


    will be authenticated. If you have a controller that is not routed within the prefix, it will not be authenticated for backoffice use.

    so i changed my controller route and then decorated the class with:

    [Authorize(Policy = AuthorizationPolicies.BackOfficeAccess)]

    and like magic, it works!

    based on what i'm seeing around, the /umbraco/backoffice/* part of the route has caused a bit of confusion with other people too...

    but got there in the end, happy days.
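The fix described in the post above, as an added example that is not code from the thread or from Umbraco: the same policy attribute on a controller routed outside and then inside the `/umbraco/backoffice/*` prefix. The namespace, controller names, route segments and view path are hypothetical, and it assumes the default `umbraco` path and that attribute-routed controllers are mapped in the site's endpoint setup.

```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Umbraco.Cms.Web.Common.Authorization;

namespace MySite.Backoffice // hypothetical namespace
{
    // Before: the policy attribute is present, but the route sits outside the
    // /umbraco/backoffice/* prefix. Per the note quoted in the post, such a
    // controller "will not be authenticated for backoffice use", so a logged-in
    // backoffice user is not recognised on this URL.
    [Authorize(Policy = AuthorizationPolicies.BackOfficeAccess)]
    [Route("preview")] // hypothetical route outside the prefix
    public class PreviewOutsidePrefixController : Controller
    {
        [HttpGet("render")]
        public IActionResult Render()
        {
            // Hypothetical view path
            return View("~/Views/BackofficePreview/Render.cshtml");
        }
    }

    // After: same policy, route moved under /umbraco/backoffice/ so the
    // backoffice login is evaluated for the request before the policy runs.
    [Authorize(Policy = AuthorizationPolicies.BackOfficeAccess)]
    [Route("umbraco/backoffice/preview")] // hypothetical segment after the prefix
    public class PreviewController : Controller
    {
        [HttpGet("render")]
        public IActionResult Render()
        {
            // Only reached when the caller satisfies the BackOfficeAccess policy
            return View("~/Views/BackofficePreview/Render.cshtml");
        }
    }
}
```

To confirm the lock-down, request the second URL from a browser session with no backoffice login and check that the view is not returned.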

  • J 440 posts 847 karma points
    Jan 27, 2022 @ 11:23

    Hi Jake

    I'm curious to know how you managed to get an MVC view working with the backoffice as from my understanding this was only possible with HTML, AngularJS for the backoffice pages? Or are you hiding it inside an iFrame?


  • jake williamson 205 posts 850 karma points
    Jan 27, 2022 @ 22:05

    in bento, we load backoffice previews using angular/html.

    this is the controller code:

    this is the angular:

    and the html:

    we return the html generated by the view and then display it in the backoffice:

    bento backoffice previews

    the cool thing being you can use very simple mvc views for the backoffice or (with additional set up in bento) actually load the views used in the site meaning the 'preview' you get in the backoffice represents the frontend.

  • Kozey 3 posts 73 karma points
    Jan 27, 2022 @ 05:19

    SurfaceController is an MVC controller that interacts with the front-end rendering of an UmbracoPage. They can be used for rendering view components and for handling Form data submissions. SurfaceControllers are auto-routed which means you don't have to add/create your own routes for these controllers to work.

