Hello! I want to log in as another EPiServer user with EPiServer.Util.LoginBase.HandleFormsLogin() and then directly, without doing a redirect, use Global.EPDataFactory.GetPage() to fetch properties from pages which the user I just logged in as has access to. Is that possible? I have tried doing it like this, but unfortunately I get an "EPiServer.Core.AccessDeniedException: Access was denied to page 3".

    EPiServer.Util.LoginBase.HandleFormsLogin(user, pass, false);
    PageData data = Global.EPDataFactory.GetPage(new PageReference(3));

Kind Regards, Håkan Parting
Nov 15, 2005 19:35
Hi, using HandleFormsLogin will authenticate the user, but not impersonate that user. The user will not be available until the next request, as the method only authenticates the user and then writes the necessary forms cookies to the response. The GetPage method uses the HttpContext.Current.User property (in some way or another) to do access checks against, and that user is still the old one. You can use the overloaded DataFactory GetPage method to specify that no access checks should be done, or impersonate the user in a similar way to the one described in this FAQ article: http://www.episerver.com/templates/faq____943.aspx

/Steve
Nov 15, 2005 23:38
Thanks, that solved the problem. I changed my code to the following and it works well (my page is not an EPiServer template):

    IPrincipal principal, oldprincipal;
    oldprincipal = HttpContext.Current.User;
    principal = AuthenticationProvider.Authenticate(this, user, pass);
    HttpContext.Current.User = principal;
    PageData data = Global.EPDataFactory.GetPage(new PageReference(3));
    // using page data object .....
    HttpContext.Current.User = oldprincipal;

/Håkan
Nov 16, 2005 12:21
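The principal swap in the post above, restated as an added example (not code from the thread or from EPiServer): a hypothetical PrincipalScope helper restores the original HttpContext.Current.User even if GetPage throws, so the rest of the request never keeps running as the impersonated user. It assumes a failed authentication returns null; the calls in the usage comment are the ones quoted in the post.

```csharp
using System;
using System.Security.Principal;
using System.Web;

// Hypothetical helper (not an EPiServer type): swaps HttpContext.Current.User
// for the lifetime of a using-block and always restores the original principal.
public sealed class PrincipalScope : IDisposable
{
    private readonly HttpContext _context;
    private readonly IPrincipal _original;
    private bool _restored;

    public PrincipalScope(IPrincipal impersonated)
    {
        // Assumption: a failed authentication yields null. Refuse it rather
        // than continuing the request with an undefined identity.
        if (impersonated == null)
            throw new ArgumentNullException("impersonated");

        _context = HttpContext.Current;
        if (_context == null)
            throw new InvalidOperationException("No current HTTP request.");

        _original = _context.User;
        _context.User = impersonated;
    }

    public void Dispose()
    {
        if (_restored) return;
        _context.User = _original;   // runs even when the using-body throws
        _restored = true;
    }
}

// Usage inside the page, with the calls quoted in the post:
//   IPrincipal principal = AuthenticationProvider.Authenticate(this, user, pass);
//   using (new PrincipalScope(principal))
//   {
//       PageData data = Global.EPDataFactory.GetPage(new PageReference(3));
//       // copy the properties you need into local variables here
//   }
//   // from this point HttpContext.Current.User is the original visitor again
```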
Just to make sure you do this in the most optimal way. Are you doing the impersonation because you are not logged in? If you always log in with a system user in order to do this, you could just ask for the page like this:

    PageData data = Global.EPDataFactory.GetPage(pageref, AccessControlList.NoAccess);

It will perform much faster, and you do not have to authenticate first, which is a rather performance expensive task. I know, the NoAccess name is not exactly meaningful in this context. Think of it as "NoAccessCheck" :-)

/Steve
Nov 16, 2005 20:53