0

On Kentico 12, the property Security inside the Page doesn't have Access field like the previous version Kentico 11 - Interface Access.

I need to provide this feature, so I was thinking about using overriding the OnAuthentication method like this:

protected override void OnAuthentication(AuthenticationContext filterContext)
    {
        var isAuthenticated = filterContext.Principal.Identity.IsAuthenticated;
        var routePath = filterContext.HttpContext.Request.Path;
        var page = DocumentHelper.GetDocuments().Path(routePath).FirstOrDefault();
        var allowAccess = (page.HasSecureProperty && isAuthenticated) || !page.HasSecureProperty;
        if (allowAccess)
        {
            base.OnAuthentication(filterContext);
        }
        else
        {
            filterContext.Result = new RedirectToRouteResult(
                  new RouteValueDictionary(new { controller = "Account", action = "Signin" })
            );
        }
    }

HasSecureProperty would be the property from the kentico page that admins or editors users can set on the administration panel. I was planning to create this property using custom table and make a interface on the page for the users.

The field IsSecureNode on CMS_Tree seems to be the property that I need and was been used on previous versions, but I couldn't find a way to set on the new admin panel.

Is there another solution to allow users to set authentication on pages? I was concerned about performance since this method will be called on every action. Thank you.

Luan Caius
  • 33
  • 9

3 Answers3

0

I have done something similar so maybe it will help point you in the right direction.

My entire MVC site requires authentication, so that might be where this differs. In the MVC when I want to get files and check permissions I do something like this:

var files = subcat.Children.WithAllData.WithPermissionsCheck;

On the CMS side, I have a field on the page type that allows a user to select roles and another one for selecting users. I then have a custom event on the document update or insert to update the settings.

Here is the code I use for updating the ACLs:

private void UpdateSettings(TreeNode node)
    {
        ObjectQuery<RoleInfo> roles = null;
        ObjectQuery<UserInfo> users = null;
        var columnRoles = node.GetStringValue("Roles", "");
        if (columnRoles != "")
        {
            var rolesConcat = columnRoles.Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries);

            var where = "RoleName IN " + "('" + string.Join("','", rolesConcat) + "')";
            EventLogProvider.LogInformation("Document Event", "Roles", where);
            roles = RoleInfoProvider.GetRoles()
                .Where(where);
        }

        var columnUsers = node.GetStringValue("Users", "");
        if (columnUsers != "")
        {
            var usersConcat = columnUsers.Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries);

            var where = "UserName IN " + "('" + string.Join("','", usersConcat) + "')";
            EventLogProvider.LogInformation("Document Event", "Users", where);
            users = UserInfoProvider.GetUsers()
                .Where(where);
        }

        if (node != null)
        {
            // Gets the ID of the ACL item that stores the page's permission settings
            int nodeACLID = ValidationHelper.GetInteger(node.GetValue("NodeACLID"), 0);

            // Deletes the page's ACL item
            // Removes the page's permission settings for all users and roles
            AclItemInfoProvider.DeleteAclItems(nodeACLID);

            node.IsSecuredNode = true;
            int allowed = DocumentSecurityHelper.GetNodePermissionFlags(NodePermissionsEnum.Read);

            // Prepares a value indicating that no page permissions are denied
            int denied = 0;

            if (users != null)
                foreach (var user in users)
                {
                    // Sets the page's permission for the user (allows the 'Modify' permission)
                    AclItemInfoProvider.SetUserPermissions(node, allowed, denied, user);
                }

            if (roles != null)
                foreach (var role in roles)
                {
                    // Sets the page's permission for the user (allows the 'Modify' permission)
                    AclItemInfoProvider.SetRolePermissions(node, allowed, denied, role);
                }
        }

    }
Zach Perry
  • 746
  • 3
  • 12
  • Thanks for sharing, but I guess my problem is before the permissions. I need to let the user decide which pages will require authentication, like in kentico 11, without new deployments. – Luan Caius Apr 05 '19 at 14:26
0

You can use the approach mentioned in the documentation on authorizing live site actions.

jurajo
  • 937
  • 5
  • 5
  • Unfortunately, this approach is too static because if you change a page to authorized you need to deploy that. I need something like in kentico 11, that the final user can make changes without deployment. Thanks for your help. – Luan Caius Apr 05 '19 at 14:22
  • Well, you need to keep in mind that when using MVC, Kentico is just a content storage - all the logic is done by your front end MVC app. But you can add some custom field to the content only page type which will be used as a flag and you will be checking this flag in the MVC code and apply the restrictions. – jurajo Apr 08 '19 at 05:24
  • Yes, that's the idea. I'm trying to see how to implement the authentication and authorization for that. – Luan Caius Apr 08 '19 at 15:01
0

I ended up using a custom table with an interface for the user to set if the page requires authentication or not. Since this is an override of OnAuthentication, every page calls this method. I hope there is a better solution using built-in Kentico features. Here is the final code:

protected override void OnAuthentication(AuthenticationContext filterContext)
    {
        base.OnAuthentication(filterContext);

        var routePath = filterContext.HttpContext.Request.Path;
        var allowAccess = Authentication.CanEnterPage(filterContext.Principal.Identity.IsAuthenticated, routePath);
        if (!allowAccess)
        {
            filterContext.Result = new RedirectToRouteResult(
                    new RouteValueDictionary(new { controller = "Account", action = "Signin", returnUrl = routePath })
            );
        }
    }

The static method below contains the logic to access the page:

public static bool CanEnterPage(bool isAuthenticated, string routePath)
    {
        var page = DocumentHelper.GetDocuments().Path(routePath).FirstOrDefault();

        if (page == null)
            return false;

        var pageAccess = PageAccessInfoProvider.GetPageAccesses()
            .WhereEquals("PageAccessNodeID", page.NodeID).FirstOrDefault();

        // Create a record if pageAccess is null
        if (pageAccess == null)
        {
            pageAccess = CreateRecordsPageAccess(page);
        }

        var isSecure = pageAccess.PageAccessHasAuthentication;
        var allowAccess = isSecure && isAuthenticated || !isSecure;
        return allowAccess;
    }
Luan Caius
  • 33
  • 9