Feature Page Security

This forum is only for questions or discussions about working with the mojoPortal source code in Visual Studio, obtaining the source code from the repository, developing custom features, etc. If your question is not along these lines this is not the right forum. Please try to post your question in the appropriate forum.

Please do not post questions about design, CSS, or skinning here. Use the Help With Skins Forum for those questions.

This forum is for discussing mojoPortal development

This forum is only for questions or discussions about working with the mojoPortal source code in Visual Studio, obtaining the source code from the repository, developing custom features, etc. If your question is not along these lines this is not the right forum. Please try to post your question in the appropriate forum.

You can monitor commits to the repository from this page. We also recommend developers to subscribe to email notifications in the developer forum as occasionally important things are announced.

Before posting questions here you might want to review the developer documentation.

Do not post questions about design, CSS, or skinning here. Use the Help With Skins Forum for those questions.
This thread is closed to new posts. You must sign in to post in the forums.
10/18/2007 5:36:37 PM
Gravatar
Total Posts 4

Feature Page Security

Hi,

I am creating a custom feature and I have watched the demo and understand how to use an ascx control as my main page then pass control to regular aspx pages but what I don't understand yet is how to do security on those aspx pages.  The control will gets its security from the host page but my aspx page doesn't have that.

Thanks,

Frank

10/19/2007 1:16:21 PM
Gravatar
Total Posts 18439

Re: Feature Page Security

Hi Frank,

There are several approaches depending on the feature. For more complex scenarios like the WebStore project there are various permissions about what roles can do what things so the WebStore has a more complex scenario and maintains its own role lists.

For more general features you typically pass the moduleid and pageid in the query string to your feature pages. Since query string params can be manipulated you need to check that the page represented by the pageid param actually contains the module represented by the moduleid. Then you just check if the user has permission to edit the page or has specific permission to edit the module.

The CurrentPage property of the mojoBasePage will always be determined by the pageid param

I actually just added a helper method for this today to the mojoBasePage. Its not in svn yet but it will be by tonight. Alternatively you can copy it into your local copy of Web\Components\mojoBasePage.cs :

public bool UserCanEditModule(int moduleID)
{
if(!Request.IsAuthenticated)return false;

if (CurrentPage == null) return false;

bool moduleFoundOnPage = false;
foreach (Module m in CurrentPage.Modules)
{
if (m.ModuleID == moduleID) moduleFoundOnPage = true;
}

if (!moduleFoundOnPage) return false;

if (WebUser.IsInRoles(CurrentPage.EditRoles)) return true;

SiteUser currentUser = SiteUtils.GetCurrentSiteUser();
if (currentUser == null) return false;

foreach (Module m in CurrentPage.Modules)
{
if (m.ModuleID == moduleID)
{
if (m.EditUserID == currentUser.UserID) return true;
}
}

return false;

}

 

Hope it helps,

Joe

10/21/2007 2:18:55 PM
Gravatar
Total Posts 4

Re: Feature Page Security

Hi Joe,

The first option for more complex features is what I was considering but I just wanted to check first in case you already found a better way to it.  Also just want to say your portal rocks, I did some projects in Rainbow a while back and they worked but lack of documentation and organization made me search for something better.  That lead me to DNN and at first glance it looked very cool but after I did some custom module development in c# as a private assembly it gave me heart burn.  By far, your portal is the best I have found for c# development.

Thanks for all you effort,

Frank

You must sign in to post in the forums. This thread is closed to new posts.