Permissions to functions
Describes how to assign users and roles to a permission in the administrative interface
Optimizely Content Management System (CMS) has a built-in system for assigning permissions to individual functions. You can assign users and roles to permission in the administrative interface under Config > Permissions to functions. Built-in permissions include accessing web services and viewing detailed exception messages.
Use permissions to functions
The API for querying whether a user is permitted to perform a function is available with EPiServer.Security.PermissionService or with PrincipalInfo as a simplified API.
//Alt 1
bool hasPermission = ServiceLocator.Current.GetInstance<PermissionService>().IsPermitted(HttpContext.Current.User, SystemPermissions.DetailedErrorMessage);
//Alt 2
bool hasPermission = PrincipalInfo.Current.IsPermitted(SystemPermissions.DetailedErrorMessage);
Define permissions to functions in code
As shown in the following example, you can define custom permissions to functions by defining a class. Classes with the PermissionTypes attribute are automatically picked up by Optimizely and display in the administrative interface. Permission names must be unique within a group, so pick a group name that is unique to your solution. You also can register permission types with EPiServer.DataAbstraction.PermissionTypeRepository to support dynamic creation of permissions.
[PermissionTypes]
public static class MyCustomPermissions {
public
const string GroupName = "MyCustomPermissions";
static MyCustomPermissions() {
EditSettings = new PermissionType(GroupName, "EditSettings");
ViewSettings = new PermissionType(GroupName, "ViewSettings");
}
public static PermissionType EditSettings {
get;
private set;
}
public static PermissionType ViewSettings {
get;
private set;
}
}
You can define readable descriptions for the group and the permissions shown in the user interface by adding an entry to a language resource file. Under <groups>, name the GroupName (such as <MyCustomPermissions>) in which you place a <description> and node permission names (such as <EditSettings> and <ViewSettings>) as shown in the following example:
<languages>
<language name="English" id="en">
<admin>
<permissiontype>
<groups>
<MyCustomPermissions>
<description>Custom settings functions</description>
<permissions>
<EditSettings>Allows users to access edit settings</EditSettings>
<ViewSettings>Allows users to access view settings</ViewSettings>
</permissions>
</MyCustomPermissions>
</groups>
</permissiontype>
</admin>
</language>
</languages>
Protect a controller with a permission
Use the AuthorizePermission attribute to authorize an MVC controller with permissions to functions:
[AuthorizePermission("MyCustomPermissions", "EditSettings")]
public class EditSettingsController: Controller {
public ActionResult Index() {
return View();
}
}
Expose permissions to other systems with virtual roles
Some systems cannot validate permissions but can validate roles. In these cases, you can expose a permission as a role:
[InitializableModule]
[ModuleDependency((typeof (EPiServer.Web.InitializationModule)))]
public class VirtualRoleInitializer: IInitializableModule {
public void Initialize(InitializationEngine context) {
var virtualRoleRepository = context.Locate.Advanced.GetInstance<IVirtualRoleRepository>();
virtualRoleRepository.Register("EditSettingsVirtualRole", new PermissionRole {
Permission = MyCustomPermissions.EditSettings
});
}
public void Uninitialize(InitializationEngine context) {}
public void Preload(string[] parameters) {}
}
Updated 10 months ago