Role Permissions on Custom Pages

This forum is only for questions or discussions about working with the mojoPortal source code in Visual Studio, obtaining the source code from the repository, developing custom features, etc. If your question is not along these lines this is not the right forum. Please try to post your question in the appropriate forum.

Please do not post questions about design, CSS, or skinning here. Use the Help With Skins Forum for those questions.

This forum is for discussing mojoPortal development

This forum is only for questions or discussions about working with the mojoPortal source code in Visual Studio, obtaining the source code from the repository, developing custom features, etc. If your question is not along these lines this is not the right forum. Please try to post your question in the appropriate forum.

You can monitor commits to the repository from this page. We also recommend developers to subscribe to email notifications in the developer forum as occasionally important things are announced.

Before posting questions here you might want to review the developer documentation.

Do not post questions about design, CSS, or skinning here. Use the Help With Skins Forum for those questions.
This thread is closed to new posts. You must sign in to post in the forums.
5/27/2009 6:13:45 PM
michael.jew
Gravatar
Total Posts 26
View Posts

Role Permissions on Custom Pages

 

Question: How do I properly restrict access to custom pages hard coded pages?

SubQuestion: While I see the code below can restrict both view and edit rights, I'm not sure if I know how to assign the User view/edit rights to this custom page. Would you explain?


Yes, I saw the following lines of code in your CodeSmith template: "mp_UI-starter-PageGenerator.cst".

===BEGIN CODE SNIPPET========================
private int pageId = -1;
private int moduleId = -1;

protected void Page_Load(object sender, EventArgs e)
{
     LoadParams();

     // one of these may be useful
     if (!UserCanViewPage(moduleId))
     {
         SiteUtils.RedirectToAccessDeniedPage();
        return;
     }

    if (!UserCanEditModule(moduleId))
    {
    SiteUtils.RedirectToAccessDeniedPage();
    return;
    }

}


private void LoadParams()
{
    pageId = WebUtils.ParseInt32FromQueryString("pageid", pageId);
    moduleId = WebUtils.ParseInt32FromQueryString("mid", moduleId);

}
===END CODE SNIPPET==========================


Would you share your thoughts please?

thanks,
Michael

5/27/2009 6:27:59 PM
Joe Audette
Gravatar
Total Posts 18439
View Posts

Re: Role Permissions on Custom Pages

Hi Michael,

I'll follow up on this one tomorrow, I'm done for the day. You ask some good penetrating questions, I need to harvest some of the answers from the forums and beef up the documentation.

Best,

Joe 

5/28/2009 10:36:22 AM
Joe Audette
Gravatar
Total Posts 18439
View Posts

Re: Role Permissions on Custom Pages

That code is example code for use in pages that extend a site module. A module will pass the page id and module id to any supporting pages like an edit page and these are helper methods that check that in fact the module exsits on the page and the user has permissions to view or edit depending on the page needs. Like in the blog module we would check that the user has view rights on the ViewPost.aspx page (you never see this in the url because of the friendly url mapping), but on the EditPost.aspx page we would check for edit permissions.

On a free standing .aspx page that is just linked into the menu as a fully qualified url, these helper methods are of no use.

You would have to know from within your page code what roles are allowed to do things and do your own checks

psuedo example:

using mojoPortal.Business.WebHelpers;

if(!WebUser.IsInRoles(smeicolonseparatedstringofallowedroles)) { redirect to access denied;} 

Hope it helps,

Joe

5/28/2009 11:32:53 AM
michael.jew
Gravatar
Total Posts 26
View Posts

Re: Role Permissions on Custom Pages

Hello Joe,

I think I understand.

I'm really glad that you clarified for me that, "On a free standing .aspx page that is just linked into the menu as a fully qualified url, these helper methods are of no use." :)

 - - - - - - - -

But, let me see if I understand the first half of your explanation.  Please tell me if the following is correct:

  1. While both UserCanViewPage() & UserCanEditModule() are handling authorization for a physical ASPX page, they both depend on a module ID.
  2. Thus, (by design) we expect to arrive on this physical ASPX page ONLY from a SiteModuleControl.
  3. Furthermore, it's the View/Edit permissions of the SiteModuleControl, that determine the View/Edit permissions of the corresponding physical page.

Is this all correct?

 

 

 

5/28/2009 11:57:48 AM
Joe Audette
Gravatar
Total Posts 18439
View Posts

Re: Role Permissions on Custom Pages

Hi Michael,

Basically those are helpers functions that live in mojoBasePage and those functions are useful for enforcing security in the supporting pages of a module. Supporting pages of a module do expect both a page id and a module id to be passed in.

The helper functions check both the permissions of the page and the module. If the user has edit permssion on the page and the module is contained on the page then the user can edit. Edit permissions on the module are supplemental in that its a way to give edit permissions on a module without giving edit permissions on the whole page. So if the user has either edit permission he can edit.

ViewRoles on the module are also supplemental in that they are a way to prevent a user who has view permissions on a page from seeing a particular module.

From mojoBasePage there is always a PageSettings object named CurrentPage based on the pageid in the request. If the page id is not present it just returns the default page, ie the home page or first page in the site hierarchy. This CurrentPage object is lazy loaded the first time it is access by code and then cached in the httpcontext for the duration of the request processing. But its no use for a hacker to manipulate the params because we do check that the module exists on the page not just if the user has permissions on the page. So all the pages in the menu have a page id and are served from Default.aspx?pageid=x but you don't see this because of the friendly url mappings.

So the reason we only need to pass in the moduleid to those helper functions is because mojoBasePage already knows what the page id is. So that might lead you to think its only checking module permissions but it is always checking both page permissions and module permissions and verifying that the module exist on the page so it can't be manipulated by the url params.

Hope it helps,

Joe

You must sign in to post in the forums. This thread is closed to new posts.