[This article is part of the documentation preview for the Programming Security section of the Developer manual. You can view the temporary TOC here]
In Sitefinity terms, Programming Security does not mean building a web application that is immune to hackers. Rather, it means that some users can have limited rights regarding what they can do in a given module. For starters, you should refresh your memory about Security in Sitefinity. In a nutshell: users belong to groups (roles), and roles are granted or denied permissions to do basic operations.
What should the end result of a secured module look like? Well, it depends on you, the developer. You could do any of the following:
- Hide parts of the user interface if a user is not granted certain permissions
  For an example of this approach, try the following: create a new user that has only the CmsAccess permission and log in with his/her credentials.
- Apply a different style to commands in the UI that a user is not granted permission to execute
- Display error messages
- First and foremost, it needs a SecurityRoot
- One or more permission classes
- Use custom permission classes in the module to tell if a user is granted permission to perform a task
- Register security root(s) in the module class