Restrict backend user to be treated as logged in in front end


I have two separate login pages for edit mode and front-end users for my commerce site. Currently, front-end users cannot go to the backend CMS, by allowing roles on the location path as below.

<location path="EPiServer/CMS/admin">
  <system.web>
    <authorization>
      <allow roles="WebAdmins, Administrators" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>

However, backend users (WebAdmins, admin and WebEditors) can log in to the commerce part. I cannot even use the same allow roles as above for the front end, as it should be accessible even when not logged in. I am using Identity to authenticate and User.Identity.IsAuthenticated to check authentication. IsAuthenticated is true for both backend and front-end users when logged in from the respective login screen. How to avoid this?

#202934
Apr 04, 2019 6:11

Hi,

As the pages should be visible to everyone, I'm assuming it's not an issue that the CMS users can see the pages on the site and that the issue is that they're seeing the logged-in state of the pages. What I'd suggest for this is to assign a role to all of the front-end users then, where you're currently checking whether the user is authenticated, check whether they're a member of that role as well.

#202944
Apr 04, 2019 10:36
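
The role check suggested in the reply above, as an added example that is not part of the original thread or of Episerver's code. The role name `Customers` and the helper `FrontEndLogin.IsFrontEndUser` are assumptions; the sample principals are constructed to stand in for `HttpContext.User`.

```csharp
using System;
using System.Security.Claims;
using System.Security.Principal;

public static class FrontEndLogin
{
    // Assumed role name: grant it to every storefront account when it registers.
    public const string CustomerRole = "Customers";

    // True only for an authenticated principal that also holds the storefront role.
    // CMS-only accounts are authenticated but lack the role, so they get false.
    public static bool IsFrontEndUser(IPrincipal user)
    {
        if (user?.Identity == null || !user.Identity.IsAuthenticated)
            return false;
        return user.IsInRole(CustomerRole);
    }
}

public static class Demo
{
    // Builds a constructed, authenticated principal with the given role claims.
    static ClaimsPrincipal Make(string name, params string[] roles)
    {
        // A non-empty authenticationType makes IsAuthenticated return true.
        var id = new ClaimsIdentity("ApplicationCookie");
        id.AddClaim(new Claim(ClaimTypes.Name, name));
        foreach (var r in roles) id.AddClaim(new Claim(ClaimTypes.Role, r));
        return new ClaimsPrincipal(id);
    }

    public static void Main()
    {
        var users = new[]
        {
            ("anonymous", new ClaimsPrincipal(new ClaimsIdentity())),
            ("shopper", Make("shopper", FrontEndLogin.CustomerRole)),
            ("editor", Make("editor", "WebEditors")),
            ("admin", Make("admin", "WebAdmins", "Administrators")),
        };

        // Compare the raw authentication flag with the role-gated front-end check.
        foreach (var (label, user) in users)
            Console.WriteLine($"{label}: IsAuthenticated={user.Identity.IsAuthenticated}, " +
                              $"front-end login={FrontEndLogin.IsFrontEndUser(user)}");
    }
}
```

In views and controllers, the call replaces the bare `User.Identity.IsAuthenticated` test wherever the storefront decides whether to render the logged-in state.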

You can follow the pattern that is used by Quicksilver, i.e. having a shared login page. If an administrator is logged in then he/she can see the quick menu and can access the protected path. A normal user can be logged in without seeing the quick menu, and if he or she tries to access a protected path then he or she will be asked to log in again. IMO that works quite well and it can hide your implementation details from your end users, which is probably a good thing.

#202945
Apr 04, 2019 10:49