Try our conversational search powered by Generative AI!

AI OnAI Off

Handle AccesDeniedException, ACL and roles?

Anders Vestberg
Anders Vestberg
Vote:
 

Hi

I have a situation where I would like to meet the following requirements:

  1. In the main menu and submenu all pages should be listed, no matter access rights the current user has.
  2. When the user tries to enter a specific "restricited page", there should be a security check to see if he has access enough to enter the page, otherwise he should be redirected to different pages depending on what access he lacks.

Right now the menus works just great by fetching the pages with GetChildren method. Also if I setup the ACL for a page to only allow authenticated user, it works fine and redirects the user to a login form (via the webconfig settings).

However, the problem occurs when the user needs to meet additional criteria to access a page, e.g. needs to belong to a certain group of users in the database. I have developed custom role and memberhsip providers and tried to restrict a page (via the ACL) to not only authenticated users, but they must also have a specific role.

But then when a user with lack of proper access tries to access this page, he is only presented with an ugly access denied exception. Where and how is the best way to handle this exception? I would like to try-catch it and then compare what access is missing, and redirect the user to different pages, depending on the result. Of course it works by just checking this manually in every such page type, but that is just ugly!

Any ideas on how to tackle this?

Thanks

 

#33355
Oct 08, 2009 22:10
morten.sorby@capgemini.com
morten.sorby@capgemini.com
Vote:
 

Hi,

 You have to check access rights to the page yourself:

bool canRead = page.GetSecurityDescriptor()
.HasAccess(PrincipalInfo.CurrentPrincipal, AccessLevel.Read);
So you'll have to get the page with AccessLevel.NoAccess first and then perform the access check on the CurrentPrincipal.

See this blogpost:
http://labs.episerver.com/en/Blogs/Enes-Bajramovic/Dates/2008/10/SecurityDescriptor-for-access-rights-checking/

//Morten

#33360
Oct 09, 2009 9:31
Anders Vestberg
Anders Vestberg
Vote:
 

Thank you, very nice blog post there.

So correct me if I'm wrong; I can simply implement the ISecurityDescriptor and perform my own additional security checks, then for every page which needs this extra features, I just perform the access check on the CurrentPrincipal? Sounds good.

Where in the page cycle needs this check to be performed, to prevent EPiServer and the AccessDenied exception to be first!

And by the way, in those implemented methods of the IsecurityDescriptor, can I do whatever I want if user lacks access, like redirecting and so on, without messing up anything else? Would be nice to not have all redirect/error code bloated on every page.

 

 Big thanks /Martin

 

Edit: Miss-read the article at first, now I understand that I need to inherit from PageData to override the GetSecurityDescriptor() method.

#33379
Edited, Oct 09, 2009 16:38
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.