Custom Module Security Permissions - Best Practice
New Post
5/28/2012 12:23 PM
 

I'm sure this has come up before but maybe not exactly with this requirement.

I have a module which consists of many controls: one view control and a number of edit controls. With the default module security permissions the edit controls can only be accessed by an administrator, and if, for example, you attempt to access the edit control as a non-administrator, DNN kicks it out as it should.

What I want to do is create a set of custom permissions for the module. I extend the security class and set up the permissions for the module successfully (following the great examples out there - as per Vicenç Masanas et al.). This works great and I now have a set of testable permissions I can use within the module to activate/deactivate certain features.

However, now I have the issue that I only have two options in the module definition for the set of controls within the module... VIEW and EDIT. If I set it to EDIT, DNN kicks non-administrators, so the permissions need to be changed to VIEW in order to allow the select roles access to it.

So my question is then... is it best practice to take the control you want to give a role permission to, change the control definition to VIEW and then enforce the permissions inside the control page events... or is there a better way to do this?

Regards

Colm


Colm Ryan Director
3rd i IT and Business Services Limited

www.actravia.com
Registration and Booking Solutions for Dotnetnuke
www.3rdi.ie
IMCA Registered Management Consulting Practice. Business and IT Strategy, IT Project Management and Product Development
 
New Post
5/28/2012 10:07 PM
 

If your module control is not restricted to users with edit permissions (or applies IsAdmin) then it should be a view control. To be secure, all of the "additional" options should be disabled (or ideally not even injected) - and in addition you should re-do the permissions check in the event handler, e.g.

If my module has an "add user" permission, then I would have a server control such as a linkbutton called "adduserbtn" and would have it set to visible=false - this ensures that it will not be rendered by asp.net (i.e. is not a part of the control tree once the render event is hit). During page init/load (or other appropriate event) I would check for the "add user" permission and if found change the visibility to true (doing it this way is safer than disabling the control, as a disabled control can still be invoked under certain conditions & if users have disabled some of our default protections). I would then check for the "add user" permission in the click event handler of the "adduserbtn".

BTW Vicenc's articles are excellent, but AFAIR predate the changes to allow custom permissions to be added via the manifest - here's a link to the wiki page http://www.dotnetnuke.com/Resources/W... in case you weren't aware of it.


Buy the new Professional DNN7: Open Source .NET CMS Platform book Amazon US
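
The pattern described in the reply above, sketched as code-behind for a view control. This is an added example, not code from either poster or from DNN itself; the permission key "ADDUSER", the namespace and the class name are assumptions, and the button is the "adduserbtn" from the reply.

```csharp
// Added example: code-behind for a DNN module *view* control.
// Assumed markup in the .ascx (button hidden by default):
//   <asp:LinkButton ID="adduserbtn" runat="server" Visible="false"
//                   Text="Add user" OnClick="adduserbtn_Click" />
using System;
using System.Web.UI.WebControls;
using DotNetNuke.Common;
using DotNetNuke.Entities.Modules;
using DotNetNuke.Security.Permissions;

namespace Example.Modules.UserAdmin // hypothetical namespace
{
    public partial class View : PortalModuleBase
    {
        // Hypothetical key of the custom "add user" permission.
        private const string AddUserPermissionKey = "ADDUSER";

        // Normally generated in the designer file from the markup above;
        // omit this declaration if the designer file already has it.
        protected LinkButton adduserbtn;

        // One place where the permission decision is made, used by both
        // the rendering path and the event handler.
        private bool CanAddUser()
        {
            return ModulePermissionController.HasModulePermission(
                ModuleConfiguration.ModulePermissions, AddUserPermissionKey);
        }

        protected void Page_Load(object sender, EventArgs e)
        {
            // Stays invisible (never rendered) unless the current user
            // holds the custom permission.
            adduserbtn.Visible = CanAddUser();
        }

        protected void adduserbtn_Click(object sender, EventArgs e)
        {
            // Re-check on the server: hiding the button is presentation,
            // this check is the access control.
            if (!CanAddUser())
            {
                Response.Redirect(Globals.AccessDeniedURL(), true);
                return;
            }
            // Permitted: perform the module's "add user" work here.
        }
    }
}
```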
 
New Post
5/29/2012 7:09 AM
 

Thanks Cathal

Appreciate the clarity. Wasn't aware I could do this in the manifest either so you learn something new every day!

Regards

Colm


Colm Ryan Director
3rd i IT and Business Services Limited

www.actravia.com
Registration and Booking Solutions for Dotnetnuke
www.3rdi.ie
IMCA Registered Management Consulting Practice. Business and IT Strategy, IT Project Management and Product Development
 