Hi,

I developed 3 custom features and integrated them into mojoPortal using the "inline" method as described in the documentation in the "Hello World - Developer Quick Start" page.  They are all working great on my staging site, including as regarding security.  My problem is that I don't understand WHY one of them actually works regarding security, so I was hoping someone could explain the reason it works...just so I know I have it set up correctly!

For security regarding users, I only have 3 types of users on the site: The Administrator, Authenticated Users, and of-course Anonymous Users (who have no User account).  The Custom Feature in question is accessible only to Authenticated Users and Administrators.  However, I have a menu item in the main menu that links to this feature and I wanted the menu item to appear for ALL Users.  This way if an Authenticated User or Administrator goes on the site and is not yet logged in, they can click on the menu item for the new feature and they are presented with a Signin Module screen.  Then they can log in and the system will automatically take them to the custom feature.  If the User that clicks the new custom feature menu item is just Anonymous (with no account on the system) they cannot login to the Signin Module and therefore cannot access the new feature.  This is exactly the way I want this to work and it indeed works this way, but I don't really understand what is telling mojoPortal that the feature is restricted to  Authenticated Users or above.  Here are the details regarding why I say this:

1.  The security setting for the page that has the custom feature is set to All Users.  This insures that the menu item that links to this page appears to All (including Anonymous) Users.  So far so good.

2.  In Feature Installation and Configuration, I have the permissions for the feature itself set to Administrators.

3.  On the page that the feature is deployed on, I also have a Signin Module right above the new feature instance (both are in the center column).

4.  In my .ascx file for the feature, I only have a redirect to my first helper .aspx page for the feature in the Page_Load event.

5.  In my first helper .aspx page for the feature, I have an authentication check in the code behind.  If it finds that the User is not Authenticated it makes visible a label control on the same page with error text, and disables the links in my menu on this page so the User cannot proceed.  However, the User would still receive this helper page that is part of my custom feature.

4.  I originally suspected that maybe either the permissions for the feature, or the Signin Module was what might be telling mojoPortal that the feature was restricted to Authenticated Users.  However, when I change the permissions for the feature to All Users (in Feature Installation and Configuration) and leaving everything else the same, the site acts exactly the same way as I described above!

5.  If I also remove the Signin Module from the page (leaving only the instance of the feature on the page), then click the new feature menu item as an Anonymous User (not signed in yet), nothing appears in the variable middle part of the page at all!  (I still get the top and bottom parts of the template for the site).  However if I then click the Sign In link at the bottom of the page (which of course makes a Signin Module appear) and signin as an Authenticated User, I go directly to the 1st helper page of my new feature, with all links enabled and no error message!  In other words the site acts exactly as it does before making these 2 changes, except that it cannot display the Signin Module when the Anonymous User clicks the New Feature menu item because there is no Signin Module instance on the page anymore.  However, just as before the system does not allow any User into the new feature unless they have signed in as an Authenticated User or above (and when they do, it automatically redirects to my new feature)!

6.  I also believe that the Authentication check in my code in the 1st helper page is not what is telling the system to restrict the feature to Authenticated Users and above.  If that were the case, Anonymous Users that click the menu item for the feature would actually go to this 1st helper page and what would be sent back would the 1st helper page itself (completely different layout) with an error message and my internal menu links disabled.  This is not what is happening as described above.

It is not often that people question why something works instead of why something does not work!, but here you have such a question:  Why is mojoPortal restricting this custom feature to Authenticated Users and above only?

One other related question...in one of the developer videos it is stated that there is security permissions at the page and the module level.  At first I thought for the module level the security permission was set from the Feature Installation and Configuration>Permissions link.  However at the top of this page it explains this permission relates only to adding and editing the feature onto a page.  Is this true?  And if so, how do you set a permission on a Module/Feature to restrict it being seen/used by certain User roles?

I hope someone can answer these questions.  Thank you for your time in advance.

Dan

Hi Joe,

Thanks for your comments.  Based on what you said I made some changes.  2 of my features initially lead to menus that link to other supporting pages.  I originally had a redirect in both .ascx files which redirected to each menu which was in a supporting page.  I moved the menus into the .ascx files and added the ModuleTitleControl as well.  Now I can see the Module Instance settings for each Custom Module.  For the one that I was asking about above and couldn't understand why it was working, now if finally makes sense.  So now I have just a couple more questions regarding whether my setup sounds reasonable to you:

1.  One of the Custom Features is setup like this:

The setting for Viewing the Page is set to All Users, the setting for Viewing the Module Instance is set to Authenticated Users and Administrators; the settings to Edit the Page and Module is set to Administrators.  (This is all I'm doing for security for the .ascx file itself - nothing in code).  I have 2 feature instances on the page: A SignIn Module, and under that, my Custom Module. (both in same column).

It behaves like this: When the home page is viewed by an anonymous user, the menu item for this Custom feature shows.  After clicking it, the Signin Modules shows only.  Once the User signs in as an Authenticated User (or Administrator), the Custom feature shows only (the menu).  If the User is already signed in (as Authen User or Admin) and clicks the link, the Custom Feature shows only.  MojoPortal is apparently smart enough to know when to show the SignIn Module (and not the Custom Feature) and when the show the Custom Feature (and not the SignIn Module).  In addition, by setting the Page View setting to All Users, the Menu Item for the Custom Features shows to All Users.  This is how I want everything to work.  Do you see any problem with this setup?

(The other one is similar, except I have the Page View and Module View both set to Administrators only.  For this one the menu item only appears if logged in as an administrator and the SignIn Module never shows, since the Admin is already logged in.  Again, this is how I want it to work).

2.  For security for the supporting pages I took a shortcut to save some time.  Instead of passing Module and Page Id to supporting pages and setting up the Guid for the features, I do the following in my code at the top of each supporting page:

a.  For the feature viewable by Authenticated Users and above, I use this code to make sure the User is at least an Authenticated User:

if (!Request.IsAuthenticated)

and then if true put out an error and deny the page, otherwise allow the page view to proceed.

b.  For the feature viewable only by Administrators,  I use this code:

if ((!Request.IsAuthenticated) || (!User.IsInRole("Admins")))

and then if true put out an error and deny the page, otherwise allow the page view to proceed.

(I noticed that your WebUser.IsAdmin property (called from UserCanViewPage()) more or less does the same thing).

This approach allows me to keep my custom development simple and "inline" and avoid all the setup described in the developer videos.

Also, I don't have any Custom Pages that do editing for these features...the only editing that would be done would be by mojoPortal Administration pages, and the security for that seems to be covered by the Settings for the page and the module.

Same question here, does this sound reasonable to you?

Thanks, Dan