  • Peter Szabo 8 posts 109 karma points
    Oct 22, 2019 @ 11:33
    Peter Szabo
    0

    Limit UmbracoAuthorizedController to Umbraco Admin Users Only

    Hi,

    I have created a new controller, inherited from Umbraco.Web.Mvc.UmbracoAuthorizedController, and am trying to limit it to logged-in Umbraco Administrators only.

    My current solution displays the view only for logged-in Umbraco users, but I cannot filter for admins only.

    Code:

    I have a Composer and I set up the route config:

    using System.Web.Mvc;
    using System.Web.Routing;
    using Umbraco.Core.Composing;

    public class ApplicationEventComposer : IComposer
    {
        public void Compose(Composition composition)
        {
            // Route the controller under umbraco/backoffice so backoffice authentication applies.
            RouteTable.Routes.MapRoute(
                name: "ITTest",
                url: "umbraco/backoffice/ITTest/{action}/{id}",
                defaults: new { controller = "ITTest", action = "Index", id = UrlParameter.Optional }
            );
            composition.Register<ITTestController>(Lifetime.Request);
        }
    }
    

    I have a controller:

    using System.Web.Mvc;

    public class ITTestController : Umbraco.Web.Mvc.UmbracoAuthorizedController
    {
        public ActionResult Index()
        {
            return View("/Views/ITTest/Index.cshtml");
        }
    }
    

    I have tried to add different attributes to filter for administrators only, like:

    [UmbracoAuthorize(Roles = "admin")]
    [UmbracoApplicationAuthorize(Roles = "admin")]
    [AdminUsersAuthorize]
    

    And tried different roles like "admin", "administrator", "administrators", etc. but nothing seems to work.

    Questions:

    • How can I filter the users using Umbraco roles?
    • What are the role names exactly? Are they the user group names or something else?
  • Rasmus John Pedersen 14 posts 485 karma points hq c-trib
    Oct 22, 2019 @ 22:22
    Rasmus John Pedersen
    1

    Hi Peter

    Both UmbracoAuthorizeAttribute and UmbracoApplicationAuthorizeAttribute don't check the Roles property, and AdminUsersAuthorizeAttribute checks whether the user id (by default the id argument) passed into the controller is part of the administrators role.

    I haven't tried it, but maybe the AuthorizeAttribute would work; could you try adding [Authorize(Roles = "admin")] to your controller and see if that works?

  • Kevin Jump 2342 posts 14889 karma points MVP 8x c-trib
    Oct 23, 2019 @ 08:25
    Kevin Jump
    0

    Hi,

    For better or worse, the UmbracoAuthorizedControllers tend to be secured more based on the tree or section of the website the user can see rather than their role.

    So, for example, you can limit the controller to users who can see the MediaTypes tree:

    [UmbracoTreeAuthorize(Constants.Trees.MediaTypes)]
    

    Or you can limit it to users who have access to the Settings section:

    [UmbracoApplicationAuthorize(Constants.Applications.Settings)]
    

    There is also an AdminUsersAuthorize, but it seems to be used exclusively for making sure admin user accounts are only edited by admin users; not 100% sure if it's the thing you can just pick up and use.

    For info, the attribute classes all live here in the code: https://github.com/umbraco/Umbraco-CMS/tree/v8/dev/src/Umbraco.Web/WebApi/Filters

  • Peter Szabo 8 posts 109 karma points
    Oct 23, 2019 @ 10:25
    Peter Szabo
    0

    Thanks. The [Authorize(Roles = "admin")] one is working! :)

    I was playing around with it. To make it work it still needs to be under "umbraco/backoffice", but it does not have to be a UmbracoAuthorizedController; it seems to work fine when it is (only) a RenderMvcController.

    Is the role name admin matching the ID of the Administrator user group?

    Or where can I find the list for the other roles?

  • Kevin Jump 2342 posts 14889 karma points MVP 8x c-trib
    Oct 23, 2019 @ 10:32
    Kevin Jump
    1

    The default groups are created at installation time:

    https://github.com/umbraco/Umbraco-CMS/blob/f1e6da9d385812a276b70eed728b80d74332ebd8/src/Umbraco.Core/Migrations/Install/DatabaseDataCreator.cs#L169

    The admin/sensitive data groups have their names defined in the constants (so you can use these to ensure it stays the same as whatever Umbraco calls it in the future).

    https://github.com/umbraco/Umbraco-CMS/blob/2f978e96d4fbf84d8786c3245566c8800916a74b/src/Umbraco.Core/Constants-Security.cs#L30

    So that is:

    • "admin"
    • "sensitiveData"
    • "translator"

    and

    • "writer"
    • "editor"
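Putting the thread's findings together, here is an added example (not code from any of the posters or from Umbraco itself) of an admin-only backoffice controller: routed under umbraco/backoffice so the backoffice identity is established, using [Authorize(Roles = ...)] as Rasmus suggested, and referencing the group alias constants from the Constants-Security.cs file Kevin linked rather than a string literal. It assumes Umbraco 8 and that Constants.Security.AdminGroupAlias and Constants.Security.EditorGroupAlias hold the "admin" and "editor" aliases listed above; the controller and composer names are hypothetical.

```csharp
using System.Web.Mvc;
using System.Web.Routing;
using Umbraco.Core;
using Umbraco.Core.Composing;
using Umbraco.Web.Mvc;

// Composer name is hypothetical. The route MUST sit under umbraco/backoffice:
// that is where the backoffice authentication pipeline populates the user's
// identity and role claims before MVC's AuthorizeAttribute evaluates them.
public class AdminToolsComposer : IComposer
{
    public void Compose(Composition composition)
    {
        RouteTable.Routes.MapRoute(
            name: "AdminTools",
            url: "umbraco/backoffice/AdminTools/{action}/{id}",
            defaults: new { controller = "AdminTools", action = "Index", id = UrlParameter.Optional }
        );
        composition.Register<AdminToolsController>(Lifetime.Request);
    }
}

// UmbracoAuthorizedController already rejects anonymous requests; the
// class-level [Authorize] narrows access to members of the "admin" group.
// Using the constant keeps the alias in sync with whatever core ships.
[Authorize(Roles = Constants.Security.AdminGroupAlias)]
public class AdminToolsController : UmbracoAuthorizedController
{
    public ActionResult Index()
    {
        return View("/Views/AdminTools/Index.cshtml");
    }
}

// A second controller open to both admins and editors: MVC's Roles property
// takes a comma-separated list, and a user in ANY listed role is allowed.
// Note that stacking several [Authorize] attributes instead would require
// the user to satisfy all of them, so combine roles in one attribute.
[Authorize(Roles = Constants.Security.AdminGroupAlias + "," + Constants.Security.EditorGroupAlias)]
public class ContentToolsController : UmbracoAuthorizedController
{
    public ActionResult Index()
    {
        return View("/Views/ContentTools/Index.cshtml");
    }
}
```

Group aliases are what the user group is created with, so a renamed Administrators group still matches "admin" while a custom group must be referenced by the alias you gave it.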