Role-based toolbox filtering using item parameter

Sitefinity CMS enables you to hide any number of widgets from the toolbox on backend pages from specific users, based on their user roles. Thus, these users do not see the widgets in the toolbox and cannot use them.

You hide widgets by creating a new toolbox item parameter, called DisallowedRoles, for any widget and setting a list of roles that do not have permission to use the specific widget.

In this example, you prevent users with the Authors and Editors roles from using the Image widget. As a result, when a user with the Authors or Editors role edits a page in the backend, the Image widget is not visible in the toolbox and that user cannot place it on the page.

Create a toolbox item parameter

To set the user roles that do not see the Image widget in the toolbox:

  1. Navigate to Administration » Settings » Advanced » Toolboxes » Toolboxes » PageControls » Sections » ContentToolboxSection » Tools » ImageControl » Toolbox item parameters.
  2. Click the Create new button and enter the following:
    • In the Key input field, enter DisallowedRoles
    • In the Value input field, enter the roles, separated by a comma: Authors, Editors
  3. Save your changes.

Add the DisallowedRoles item in your project

In Visual Studio, add the following code to the Global.asax file of your Sitefinity CMS project and then build your project:

C#
using System;
using System.Collections.Generic;
using Telerik.Microsoft.Practices.Unity;
using Telerik.Sitefinity.Abstractions;
using Telerik.Sitefinity.Modules.Pages.Configuration;
using Telerik.Sitefinity.Security;
using Telerik.Sitefinity.Web;
using Telerik.Sitefinity.Web.UI;

namespace SitefinityWebApp
{
   public class Global : System.Web.HttpApplication
   {
       protected void Application_Start(object sender, EventArgs e)
       {
           Bootstrapper.Bootstrapped += Bootstrapper_Bootstrapped;
       }

       private void Bootstrapper_Bootstrapped(object sender, EventArgs e)
       {
           // Replace the default page editor route handler with the custom one below
           ObjectFactory.Container.RegisterType<PageEditorRouteHandler, CustomPageEditorRouteHandler>();
       }

       public class CustomPageEditorRouteHandler : PageEditorRouteHandler
       {
           protected override void ApplyLayoutsAndControls(System.Web.UI.Page page, System.Web.Routing.RequestContext requestContext)
           {
               base.ApplyLayoutsAndControls(page, requestContext);
               var zoneEditor = page.Form.FindControl("ZoneEditor") as ZoneEditor;

               // ZoneEditor is not available in some cases (for example, when the page is locked)
               if (zoneEditor == null)
               {
                   return;
               }

               Guid userId = SecurityManager.GetCurrentUserId();

               // Collect each toolbox item once, keyed by name, so items that appear in
               // more than one section are evaluated a single time
               var tools = new Dictionary<string, ToolboxItem>();

               foreach (var section in zoneEditor.ControlToolbox.Sections)
               {
                   foreach (ToolboxItem tool in section.Tools)
                   {
                       if (!tools.ContainsKey(tool.Name))
                       {
                           tools.Add(tool.Name, tool);
                       }
                   }
               }

               foreach (var toolboxItem in tools)
               {
                   // Start from an enabled state; only items with a matching DisallowedRoles entry are disabled
                   toolboxItem.Value.Enabled = true;

                   var disallowedRoles = toolboxItem.Value.Parameters["DisallowedRoles"];

                   if (!string.IsNullOrEmpty(disallowedRoles)) // role-based limitations are set for this widget
                   {
                       // The parameter value is a comma-separated list of role names, for example "Authors, Editors"
                       var roleNames = disallowedRoles.Split(CustomPageEditorRouteHandler.RoleSeparator, StringSplitOptions.RemoveEmptyEntries);

                       foreach (var roleName in roleNames)
                       {
                           // Membership in any one of the listed roles is enough to hide the widget
                           if (IsUserInRole(userId, roleName.Trim()))
                           {
                               toolboxItem.Value.Enabled = false;
                           }
                       }
                   }
               }
           }

           private bool IsUserInRole(Guid userId, string roleName)
           {
               bool isUserInRole = false;

               // Only roles defined in the AppRoles provider are checked here; a role name that
               // does not exist in that provider is ignored rather than treated as a match
               RoleManager roleManager = RoleManager.GetManager("AppRoles");

               bool roleExists = roleManager.RoleExists(roleName);

               if (roleExists)
               {
                   isUserInRole = roleManager.IsUserInRole(userId, roleName);
               }

               return isUserInRole;
           }

           private static readonly char[] RoleSeparator = new[] { ',' };
       }
   }
}

In the code above, you get the ID of the current user, then go through all toolbox items and check whether each one has a DisallowedRoles parameter. If the current user is a member of any of the roles listed in the DisallowedRoles parameter, the widget is disabled in the toolbox, so in this example the user cannot see or use the Image widget.

NOTE: Users whose roles are not listed in the DisallowedRoles parameter can still see and use the widget on the page.
