Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • Nemes1sX 6 posts 26 karma points
    Feb 22, 2022 @ 15:32
    Nemes1sX
    0

    UmbracoAuthorizedJsonController doesn't work with using MemberAuthorizeAttribute

    Hello, I have issue. UmbracoAuthorizedJsonController doesn't work with using MemberAuthorizeAttribute with AllowGroup.

    public class TestApiController : UmbracoAuthorizedJsonController
    {
       [MemberAuthorize(AllowGroup = "SuperAdmin,Admin")]
       [HttpGet]
       public async Task<string> Test()
       {
             return "Test"
      }
    }
    
  • Dennis 63 posts 313 karma points
    Feb 22, 2022 @ 18:51
    Dennis
    0

    Hi Nemes1sX,

    Could you elaborate further? What did you expect to happen? What is the behaviour that you see? What have you tried so far?

    Answers to these questions may help us to provide you with a helpful answer.

  • Nemes1sX 6 posts 26 karma points
    Feb 22, 2022 @ 19:24
    Nemes1sX
    0

    Ok. Users who assigned to mentioned groups in Umbraco back-office should access to this endpoint. Now, when user try to access endpoint, he redirects to Umbraco back-office login page. I'm using endpoints in umbraco back-office.

  • Dennis 63 posts 313 karma points
    Feb 22, 2022 @ 19:36
    Dennis
    0

    Ok, I see what you mean.

    I think the issue is with the attribute that you're using. See, you're using the MemberAuthorize attribute here, while you're attempting to access an endpoint in the backoffice. This attribute is not for backoffice users, but for frontend members.

    To limit access to api endpoints in the backoffice, you can use the UmbracoAuthorize attribute (see documentation). You should carefully look at the instructions there, because it says there are multiple UmbracoAuthorize attributes and you need to use one from a specific namespace. The documentation doesn't say anything about limiting access to specific user groups, but perhaps you can figure that out yourself.

  • Nemes1sX 6 posts 26 karma points
    Feb 22, 2022 @ 22:06
    Nemes1sX
    0

    Sorry man, it doesn't allow me to use on groups, as example in doc show.

  • Kevin Jump 2195 posts 14010 karma points MVP 6x c-trib
    Feb 22, 2022 @ 23:01
    Kevin Jump
    1

    HI

    in the backoffice things aren't secured by the groups rather the permissions people get by being in the groups.

    within a group there are a number of points where permissions can be granted.

    1. Sections

    If a certain group has access to a section you can test for this.

    e.g if you want something only available to people who have access to the settings section:

    [Authorize(Policy = AuthorizationPolicies.SectionAccessSettings)]
    

    2. Tree access

    this is simliar but when you consider that the tree elements can (with a little effort) be moved between sections, you can say, only people who can see a certain tree.

    e.g access to people who can only see the LanguagesTree

    [Authorize(Policy = AuthorizationPolicies.TreeAccessLanguages)]
    

    3. Permissions.

    in a group you can also assign permissions (such as publish, save, empty recycle bin) you can restrict on this

    [Authorize(Policy = AuthorizationPolicies.ContentPermissionEmptyRecycleBin)]
    

    4. Custom permissions

    Note: I haven't actually done this to this level, but i think it works like below!

    So slightly more involved you can add your own permissions to the list of things a group/user can be given permission to.

    firstly you need to create your own IAction, which defines the permission:

    /// <summary>
    ///  My Super high level permission
    /// </summary>
    public class MySuperPermission: IAction
    {
        public char Letter => "W";   // you need to confirm this isn't already in use*
        public bool ShowInNotifier => false;
        public bool CanBePermissionAssigned => true;
        public string Icon => "icon-arrow-left";
        public string Alias => "superHigh";
        public string Category => "My Permissions";
    }
    

    then within a composer you need to add your own Custom Policy.

    options.AddPolicy("MySuperHighPermission", policy =>
    {
        policy.AuthenticationSchemes.Add(backOfficeAuthenticationScheme);
        policy.Requirements.Add(new ContentPermissionsQueryStringRequirement("W"));
     });
    

    then on your controller you can use

    [Authorize(Policy = "MySuperHighPermission")]
    

    you would probibly want to replace all these strings with constant values to stop typos

    this last one is a bit more involved but in the end your permissions will be fully controllable at a user and group level from within the back office.

  • Thomas 290 posts 573 karma points c-trib
    Nov 29, 2022 @ 14:29
    Thomas
    0

    Cant get the custom one to work.. Have added it and I shows as a options under users permission.

    enter image description here

    But it's not applying the rule.

    [Tree("tools", "dashboards", TreeGroup = "workStationAdminTreeAlias", SortOrder = 0)]
    [Authorize(Policy = "InternalDashboard")]
    [PluginController("platformWorkStation")]
    

    public class PlatformSectionsComposer : IComposer
    {
        public void Compose(IUmbracoBuilder builder)
        {
            builder.Sections().Insert<WorkstationSection>(0);
            builder.Services.AddAuthorization(options 
                => AddSecurityPolicies(options, Constants.Security.BackOfficeAuthenticationType));
    
        }
        private void AddSecurityPolicies(AuthorizationOptions options, string backOfficeAuthenticationScheme)
        {
            options.AddPolicy("InternalDashboard", policy =>
            {
                policy.AuthenticationSchemes.Add(backOfficeAuthenticationScheme);
                policy.Requirements.Add(new ContentPermissionsQueryStringRequirement('Å'));
            });
        }
    }
    

    public class MySuperPermission : IAction
    {
        public char Letter => 'Å';   // you need to confirm this isn't already in use*
        public bool ShowInNotifier => false;
        public bool CanBePermissionAssigned => true;
        public string Icon => "icon-axis-rotation-2";
        public string Alias => "customDashboardAccess";
        public string Category => "customDashboardAdmin";
    }
    
  • Nemes1sX 6 posts 26 karma points
    Feb 23, 2022 @ 13:17
    Nemes1sX
    0

    I can grant permissions for groups at BO section on the umbraco back-office. Alternative case for endpoint using for certain groups is to hide section tree root nodes via authorization. Now, I visually hide them with extra css class.

Please Sign in or register to post replies

Write your reply to:

Draft