Vulnerability in EPiServer.Forms

Try our conversational search powered by Generative AI!

Magnus Rahl
Jan 14, 2011
(3 votes)

More custom Visitor Group criteria: Role

I have previously posted on custom Visitor Group criteria. That post covers the basics and is probably a better guide if you are looking to create your own custom criteria.

The goal of this post

So, the basics are covered, but I want to share a specific implementation of Visitor Group criteria that I actually think should be in there from the beginning: A criteria based on role membership.

Why do we need this? In my case it’s simple. I only want to display some information to authenticated users. But I could imagine other examples where you want to discriminate on the basis of role without adding different pages with different access levels.


Both the model (RoleModel, haha) and the criteria are very straight-forward. I use a custom enum to define the compare condition (you might want to check that a user is not in a specific role as well as checking that the user is in the role). The model and the enum look like this:

/// <summary>
/// Model class for use by the RoleCriterion criterion for
/// Visitor Groups. Stores a role name and a compare condition.
/// </summary>
public class RoleModel : IDynamicData, ICloneable
    public EPiServer.Data.Identity Id { get; set; }
    public object Clone()
        var model = (RoleModel)base.MemberwiseClone();
        model.Id = Identity.NewIdentity();
        return model;
        SelectionFactoryType = typeof(EnumSelectionFactory),
        LabelTranslationKey = "/shell/cms/visitorgroups/criteria/role/comparecondition",
        AdditionalOptions = "{ selectOnClick: true }"),
    public RoleCompareCondition Condition { get; set; }
        LabelTranslationKey = "/shell/cms/visitorgroups/criteria/role/rolename",
        AdditionalOptions = "{ selectOnClick: true }"),
    public string RoleName { get; set; }
/// <summary>
/// Enum representing compare conditions for booleans
/// </summary>
public enum RoleCompareCondition
Note that this, as well as the model in my old post, is built by the pattern used in CMS 6 R2 Beta. The pattern is propossed to change in the RTM of CMS 6 R2.

The code of the criterion looks like this:

/// <summary>
/// Implementation of a EPiServer.Personalization.VisitorGroups.CriterionBase
/// which checks if a user is in a named role.
/// </summary>
    Category = "User Criteria",
    DisplayName = "Role",
    Description = "Criterion that matches the user's roles",
    LanguagePath = "/shell/cms/visitorgroups/criteria/role"/*,
    ScriptUrl = "ClientResources/Criteria/usercriteria.js"*/)]
public class RoleCriterion : CriterionBase<RoleModel>
    public override bool IsMatch(System.Security.Principal.IPrincipal principal,
                                 HttpContextBase httpContext)
        bool isInRole = principal.IsInRole(Model.RoleName);
        bool shouldBeInRole = Model.Condition == RoleCompareCondition.Equal;
        return isInRole == shouldBeInRole;

Again I use no custom script. And as you can see there are some language strings used:

  <language name="English" id="en">
                <equal>In role</equal>
                <notequal>Not in role</notequal>
              <comparecondition>User is</comparecondition>
              <rolename>With name</rolename>

Using the criterion

So I create a new Visitor Group based on this criterion, requiring the user to NOT be in the Anonymous role (a built-in Virtual Role matching unauthenticated users):


And then I use content groups to add content for both users who are in the Visitor Group and not, i.e. authenticated and anonymous users:


You can all imagine the results rendered.

Source code

The source code is available in the EPiServer World Code Section.

Jan 14, 2011


Jan 16, 2011 07:29 PM

Magus I agree that this functionality should come out of the box (RC maybe?). We've got customers that currently use virtual roles to personalise content. Using this criteria would allow us to put all personalisation under visitor groups which I feel is the right place for it. Not to mention the added flexibility that Visitor Groups adds.

Please login to comment.
Latest blogs
Google Read Aloud Reload Problems

Inclusive web experiences greatly benefit from accessibility features such as Google Read Aloud. This tool, which converts text into speech, enable...

Luc Gosso (MVP) | Dec 4, 2023 | Syndicated blog

Google Read Aloud Reload Problems

Inclusive web experiences greatly benefit from accessibility features such as Google Read Aloud. This tool, which converts text into speech, enable...

Luc Gosso (MVP) | Dec 4, 2023 | Syndicated blog

Import Blobs and Databases to Integration Environments

In this blog, we are going to explore some new extensions to the Deployment API in DXP Cloud Services, specifically the ability to import databases...

Elias Lundmark | Dec 4, 2023

Join the Work Smarter Webinar: Working with the Power of Configured Commerce (B2B) Customer Segmentation December 7th

Join this webinar and learn about customer segmentation – how to best utilize it, how to use personalization to differentiate segmentation and how...

Karen McDougall | Dec 1, 2023

Getting Started with Optimizely SaaS Core and Next.js Integration: Creating Content Pages

The blog post discusses the creation of additional page types with Next.js and Optimizely SaaS Core. It provides a step-by-step guide on how to...

Francisco Quintanilla | Dec 1, 2023 | Syndicated blog

Stop Managing Humans in Your CMS

Too many times, a content management system becomes a people management system. Meaning, an organization uses the CMS to manage all the information...

Deane Barker | Nov 30, 2023