Note: I haven't actually done this to this level, but i think it works like below!
So slightly more involved you can add your own permissions to the list of things a group/user can be given permission to.
firstly you need to create your own IAction, which defines the permission:
    using Umbraco.Cms.Core.Actions; // namespace of IAction in Umbraco 9+

    /// <summary>
    /// My Super high level permission
    /// </summary>
    public class MySuperPermission : IAction
    {
        // Letter is a char, so it needs single quotes ("W" is a string and will not compile)
        public char Letter => 'W'; // you need to confirm this isn't already in use*
        public bool ShowInNotifier => false;
        public bool CanBePermissionAssigned => true;
        public string Icon => "icon-arrow-left";
        public string Alias => "superHigh";
        public string Category => "My Permissions";
    }
then within a composer you need to add your own Custom Policy.
    public class MySuperPermission : IAction
    {
        public char Letter => 'Å'; // you need to confirm this isn't already in use*
        public bool ShowInNotifier => false;
        public bool CanBePermissionAssigned => true;
        public string Icon => "icon-axis-rotation-2";
        public string Alias => "customDashboardAccess";
        public string Category => "customDashboardAdmin";
    }
UmbracoAuthorizedJsonController doesn't work with using MemberAuthorizeAttribute
Hello, I have an issue. UmbracoAuthorizedJsonController doesn't work when using MemberAuthorizeAttribute with AllowGroup.
Hi Nemes1sX,
Could you elaborate further? What did you expect to happen? What is the behaviour that you see? What have you tried so far?
Answers to these questions may help us to provide you with a helpful answer.
Ok. Users who are assigned to the mentioned groups in the Umbraco back-office should have access to this endpoint. Now, when a user tries to access the endpoint, he is redirected to the Umbraco back-office login page. I'm using endpoints in the Umbraco back-office.
Ok, I see what you mean.
I think the issue is with the attribute that you're using. See, you're using the MemberAuthorize attribute here, while you're attempting to access an endpoint in the backoffice. This attribute is not for backoffice users, but for frontend members.
To limit access to api endpoints in the backoffice, you can use the UmbracoAuthorize attribute (see documentation). You should carefully look at the instructions there, because it says there are multiple UmbracoAuthorize attributes and you need to use one from a specific namespace. The documentation doesn't say anything about limiting access to specific user groups, but perhaps you can figure that out yourself.
Sorry man, it doesn't allow me to use on groups, as example in doc show.
Hi,
In the backoffice, things aren't secured by the groups but rather by the permissions people get by being in the groups.
Within a group there are a number of points where permissions can be granted.
1. Sections
If a certain group has access to a section you can test for this.
e.g if you want something only available to people who have access to the settings section:
2. Tree access
This is similar, but when you consider that the tree elements can (with a little effort) be moved between sections, you can say, only people who can see a certain tree.
e.g access to people who can only see the LanguagesTree
3. Permissions.
In a group you can also assign permissions (such as publish, save, empty recycle bin); you can restrict on this.
4. Custom permissions
So slightly more involved you can add your own permissions to the list of things a group/user can be given permission to.
firstly you need to create your own IAction, which defines the permission:
then within a composer you need to add your own Custom Policy.
then on your controller you can use
You would probably want to replace all these strings with constant values to stop typos.
this last one is a bit more involved but in the end your permissions will be fully controllable at a user and group level from within the back office.
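One way to wire a custom permission letter to an endpoint, as an added example that is not code from this thread or from Umbraco itself: a policy whose handler checks the current backoffice user's groups for the letter `'W'` used above. It assumes the Umbraco 9 to 13 APIs; the class names and the policy name are hypothetical.

```csharp
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Umbraco.Cms.Core;
using Umbraco.Cms.Core.Composing;
using Umbraco.Cms.Core.DependencyInjection;
using Umbraco.Cms.Core.Security;
using Umbraco.Cms.Web.BackOffice.Controllers;

// Requirement: the caller must hold this permission letter (hypothetical type).
public record PermissionLetterRequirement(string Letter) : IAuthorizationRequirement;

public class PermissionLetterHandler : AuthorizationHandler<PermissionLetterRequirement>
{
    private readonly IBackOfficeSecurityAccessor _security;
    public PermissionLetterHandler(IBackOfficeSecurityAccessor security) => _security = security;

    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, PermissionLetterRequirement requirement)
    {
        // Fail closed: with no backoffice user, Succeed() is never called.
        var user = _security.BackOfficeSecurity?.CurrentUser;
        // Checks the default permissions of every group the user belongs to.
        if (user != null && user.Groups.Any(g => g.Permissions?.Contains(requirement.Letter) == true))
            context.Succeed(requirement);
        return Task.CompletedTask;
    }
}

public class SuperPermissionComposer : IComposer
{
    public const string PolicyName = "MySuperPermissionPolicy"; // hypothetical name
    public void Compose(IUmbracoBuilder builder)
    {
        builder.Services.AddScoped<IAuthorizationHandler, PermissionLetterHandler>();
        builder.Services.AddAuthorization(o => o.AddPolicy(PolicyName, p =>
        {
            // Authenticate against the backoffice cookie, not the frontend member scheme.
            p.AuthenticationSchemes.Add(Constants.Security.BackOfficeAuthenticationType);
            p.Requirements.Add(new PermissionLetterRequirement("W"));
        }));
    }
}

public class SuperApiController : UmbracoAuthorizedJsonController
{
    [Authorize(Policy = SuperPermissionComposer.PolicyName)]
    public IActionResult GetSecret() => Ok("granted");
}
```

A permission that shows up in the group editor but has no policy and handler registered like this is only stored, never enforced, so the endpoint stays open to every backoffice user.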
Can't get the custom one to work. I have added it and it shows as an option under the user's permissions.
But it's not applying the rule.
I can grant permissions for groups in the BO section of the Umbraco back-office. An alternative to restricting the endpoint to certain groups is to hide the section tree root nodes via authorization. For now, I visually hide them with an extra CSS class.