Programming Security: Using permissions

Programming Security: Using permissions

April 24, 2009 0 Comments

The content you're reading is getting on in years
This post is on the older side and its content may be out of date.
Be sure to visit our blogs homepage for our latest news, updates and information.

[This article is part of the documentation preview for the Programming Security section of the Developer manual. You can view the temporary TOC here]

 

We have seen what is the association between a security root and a permission, and how secured modules implement this association.

Here we will get to know how permissions are actually used in code.

Basic usage

At some point in your code, you will want to check if the currently logged user can do something. You do this by initiating a permission and using its CheckDemand method.

Permission perm = manager.GetPermission(CrudRights.Create); 
if (perm.CheckDemand()) 
    // do something if the user can create 
else 
    // do something else if the user can't create 

 

The other time you will want to use a permission would be just before you do a security-requiring task:

 


manager.GetPermission(CrudRights.Delete).Demand();
manager.DeleteBlogPost(blogToDeleteId); 

 

Hiding the module if the user doesn't have the appropriate permission to view it

Actually, there is nothing you have to do. Sitefinity does this for you when it loads your module.

Hiding/styling UI commands

The UI commands you want to disable/hide if a user is not currently permitted to do a task are most probably in the View that displays all items. Very often this will be in a data-bound grid, so you will apply your custom logic on ItemDataBound, RowDataBound or similar events. Here is an example on how to do this (taken from the Lists module):

 

void Grid_RowDataBound(object sender, GridViewRowEventArgs e) 
    if (e.Row.Cells.Count >= 4 && e.Row.Cells[0].Controls.Count > 0) 
        foreach (Control ctrl in e.Row.Cells[0].Controls) 
        { 
            if (ctrl is IButtonControl && ctrl is WebControl) 
                (ctrl as WebControl).Attributes["onclick"] = "return confirm('" + Messages.AreYouSure + "');"
             
        } 
    if (e.Row.RowType == DataControlRowType.DataRow) 
    { 
        Guid listId = new Guid(this.Grid.DataKeys[e.Row.RowIndex].Value.ToString()); 
        e.Row.Cells[0].Enabled = this.Host.Manager.GetPermission(CrudRights.Delete).CheckDemand() || this.Host.Manager.GetPermission(listId, CrudRights.Create).CheckDemand(); 
        HyperLink listName = e.Row.FindControl("listName"as HyperLink; 
        if (listName != null && e.Row.DataItem != null
        { 
            if (this.Host.Manager.GetPermission(CrudRights.View).CheckDemand()) 
            { 
                listName.NavigateUrl = this.CreateHostViewCommand<ListItemsAll<AllListsView>>(listId.ToString()); 
            } 
        } 
    } 

Here, the Hyperlink has no NavigateUrl if the user does not have CrudRights.View.

Inevitably, a question arises: since I have to Demand a permission before every CRUD operation, shouldn't I implement this in directly in the manager for this module? This depends, but the quick answer is: yes. If you implement it in the manager, you are sure that an operation can never be performed if a user doesn't have permission. That way, the less things you have to remember, the less chance for making mistakes.

progress-logo

The Progress Guys

View all posts from The Progress Guys on the Progress blog. Connect with us about all things application development and deployment, data integration and digital business.

Comments
Comments are disabled in preview mode.
Topics
 
 
Latest Stories in
Your Inbox
Subscribe
More From Progress
d12fcc0bdb669b804e7f71198c9619a7
5 Questions Automakers Should Ask to Improve Asset Uptime
Download Whitepaper
 
SF_MQ_WCM
2018 Gartner Magic Quadrant Web Content Management (WCM)
Download Whitepaper
 
What-Serverless-Means-For-Enterprice-Apps-Kinvey
What Serverless Means for Enterprise Apps
Watch Webinar