User Rights: Giving user only rights to post pages.

Dec 14, 2010 at 6:55 AM
Edited Oct 24, 2011 at 5:23 PM

Hello All,

I created a role that gives the user rights to the pages.  But, when I login with that user pages are not showing

up in the admin section for the user.

 

I am using: BlogEngine.NET 2.0.0.10

 

Website: http://www.demo07.somee.com/

 

It only gives the user access to the pages if you give assign the user as an admin.

If you give the role the user is in full admin rights still not able to access pages.

Only way to do it is to assign the user role of admin.

Java Blog

Coordinator
Dec 14, 2010 at 5:37 PM

Thanks ... a few changes need to be made for this to work.  I think we can safely make these changes for the final 2.0.  I'll keep this thread posted on any changes for this.

Dec 14, 2010 at 6:14 PM

Hello Ben,

 

So this means that the current Build of BlogEngine does not have it where you can have a user have access to the Pages in the admin section?

 

The roles for pages is not actually working right now?

Also another question for you:

When is BlogEngine accepting new forks? I have been working on my Fork PageLinkMenu just wanted to know when to submit a pull request.

 

Thanks for your help,

 

Brian Davis

Coordinator
Dec 14, 2010 at 6:41 PM

Yes, you're right.  A few changes need to be made so a role that is not admin or editor can access the Pages section in the control panel.  It's actually not many changes needed ... the biggest one is modifying the menu system so it is aware of the BE Rights system -- currently it's only aware of static roles, like Administrators, Editors.

In general, we're trying to avoid adding new code until after BE 2.0 is released.  We're making fixes now, but are trying to minimize the chance of breaking something between the RC and the final 2.0.

Dec 14, 2010 at 8:15 PM

Ben,

In general, we're trying to avoid adding new code until after BE 2.0 is released.  We're making fixes now, but are trying to minimize the chance of breaking something between the RC and the final 2.0.

Ok, just let me know when I can do a pull request.

 

Thanks,

 

Brian Davis

Coordinator
Dec 15, 2010 at 6:54 AM

This is now possible in BE 2.0.0.20.  Being in the Administrators or Editors role is no longer important.  The Rights are now what is important.

For reference, while testing this, I created a role and gave it the following rights:

  • View Public Posts (unrelated to this)
  • Edit Own User (unrelated to this)
  • View Public Pages
  • Created New Pages
  • Edit Own Pages
  • Publish Own Pages

(only the last 4 are relevant).

Then, when logged in under the user assigned to this new role, on the Administration widget, I see 3 menu items:

  • Pages
  • My Profile
  • Change Password

I can go into Pages, view the Pages, create new Pages, and edit Pages.

The same thing works if you setup a role that is for "Posts" (rather than Pages).  In this case, "Posts" appears in the menu and can be accessed.  Lastly, I also tested the same thing for a role that is given the right to "Moderate Comments".  In this case, "Comments" appears in the menu and can be accessed for viewing, approving, rejecting comments.

Dec 15, 2010 at 2:57 PM

Thanks Ben,

 

Going to test it out later on today. 

 

 

Thanks,

 

Brian Davis

Dec 16, 2010 at 10:45 PM

Sorry for tagging onto this post, but I think it is relevant.

I installed the .21 RC build today.  I added a new role, and configured the 'Edit own User' option in the User rights section.

I then added a user to that role, and logged in to the blog as that user.

I saw the correct options in the Administration widget (Page, My Profile, Change Password).  However, when I click 'My Profile', I get taken to the 'Profile : <username>' admin page - on this page there is a save button and a cancel link, but no options to change!

(I am using SQL Server for membership provider)

Coordinator
Dec 17, 2010 at 3:09 AM

majikjohnson:  Good feedback, however I wasn't able to reproduce this ... even when using the SQL server membership provider.  If you log in under your normal Admin account, and click on My Profile, do the fields appear in that case?

The form/fields are retrieving client side via JavaScript, when the page is loading.  There could be some problem there.  I tested with IE, Firefox & Chrome with success.

I did find one potential issue, but not sure if it's related.  In the admin/Users folder is Profile.aspx.  In that file, around line 83 is:

LoadProfile();

If you have a minute, you could try changing that to the following to see if there's any difference.

        $(document).ready(function () {
            LoadProfile();
        });

If that doesn't work, does the control panel Comments page work ?  If you have any comments on your posts and pull up the Comments page in the control panel, do you see Comments there?  What browser & version are you using?  Is it running on IIS 6, IIS 7, or within the Visual Studio development server?

Dec 17, 2010 at 8:07 AM

Hi Ben,

I think this is a problem with encoding the space character in the username. My user name is 'Matt Johnson'.

If I click 'My Profile' from the admin widget on the main blog page, then the resulting path/query string looks like: Profile.aspx?id=Matt+Johnson

If I click 'My Profile' from the link within the admin pages, then the path/query string looks like: Profile.aspx?id=Matt%20Johnson

Also, I think I have found a problem with comments using my user in a custom role (has permissions to view public comments and post comments). I added a comment using this user. I then logged out and logged in as administrator and went to the comments admin panel. Neither of the comments tabs (approved/spam) listed my comment, so I could not approve it (spam did have a (1) next to it on the tab, but the actual content pane still said 'Hooray, no spam here'). If you can't reproduce, I will test further and provide more details later today.

I am using Chrome as my primary browser:

Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10

I am used the Visual Web Developer 2010 dev Server for all testing in this post.

Thanks again,

Matt

Coordinator
Dec 18, 2010 at 3:35 AM

Matt, thanks.  You're right on about the space in the username.  That's now fixed in BE 2.0.0.22.

For the comments, I made a change in 2.0.0.22, but am not sure if it addresses the issue you found.  It's possible you had a 0 value setting for "comments per page".  In this case, when it would retrieve the comments, the page size would be 0 and zero comments would be returned.  The only time it shows "hooray, no spam here" is if zero comments come back from the server.

You can try 2.0.0.22 out.  Or even with the version you're using now, if you click on a different tab such as "Pending" or "Approved", do you see comments there?  If there should be comments there and you're not seeing them on those tabs too, then that could be because of "comments per page" being at 0.  But if you do see comments on Pending and Approved, and are not seeing them only on the Spam tab, then that could be a separate issue.  In the control panel, if you go to Settings -> Comments, there's a "Comments per Page" dropdown list.  The default value is 10, so even if your setting is at 0, it'll still show 10 in the dropdown list.  If you just click "Save" at the bottom, it'll save the value in the dropdown list (e.g. 10) to your settings ... and then you can try viewing the Spam comments.

2.0.0.22 also fixes the issue where you login under an account that has limited privileges, then it redirects you to a page you don't have access to.  In this case, as of 2.0.0.22, it'll then redirect you to the homepage, rather than back to the login page.

Dec 19, 2010 at 10:53 PM

Ben,

All the items mentioned in your previous post appear to be resolved in .22

  • 'My Profile' Link now works correctly when using user with a space in the username
  • Comment posted by my user in a role with limited privileges which got caught by the spam filter now correctly shows up under 'spam' tab on comments admin page when logging in as administrator
  • When I log in with an account that has limited privileges to a page that I don't have access to, I get redirected back to the homepage

Thanks for your help.  Will let you know if I find anything else.

Matt 

Dec 21, 2010 at 5:45 AM

Hi.  I am on 2.0 RC and I think this is related.  I have a role that has the ability to publish their own post turned OFF.  The user can still publish their own post.

When is 2.0 expected to be released?

Thanks. Great product. 

Doug

 

Coordinator
Dec 21, 2010 at 5:51 AM

Hi Doug, thanks.  Thinking about it, you're probably right since when editing a Post or Page, we are probably just saving the state of the "published" checkbox.  I'll look at this to make sure that the "publish right" is actually honored.

If no big problems turns up, then next Tuesday of Wednesday (last week of the year), we will probably release the final 2.0.

Dec 21, 2010 at 5:59 AM
Edited Dec 21, 2010 at 6:35 AM

Thanks.

 

Will we be able to update the 2.0 RC to the final release?

 

I was going to install 1.6 because of the issue but since 2.0 is soon and if I can upgrade t, I will wait.

 

 

Description: Description: cid:image001.png@01C9ABED.7F93C7C0

Doug

 

From: BenAmada [email removed]
Sent: Monday, December 20, 2010 10:52 PM
To: Doug Behl
Subject: Re: User Rights: Giving user only rights to post pages. [blogengine:238267]

 

From: BenAmada

Hi Doug, thanks. Thinking about it, you're probably right since when editing a Post or Page, we are probably just saving the state of the "published" checkbox. I'll look at this to make sure that the "publish right" is actually honored.

If no big problems turns up, then next Tuesday of Wednesday (last week of the year), we will probably release the final 2.0.

Coordinator
Dec 21, 2010 at 6:20 AM

Doug, this is now fixed in BE 2.0.0.27.  For both Posts and Pages, you can now only publish if you have the right to publish.

One thing to watch out for is if the person can create a Post/Page, but cannot publish it and also does not have the rights to "view unpublished posts" or "view unpublished pages", then when saving the unpublished post/page, you'll be redirected to the unpublished page/post, but see a 404 "not found" error since you don't have the rights to view the unpublished post/page on the front end of the website.  In this scenario (where you cannot view unpublished posts/pages), that is only enforced on the front end ... you can still go to the control panel and see the unpublished post/page there to continue editing it, etc.

Yes, you'll be able to upgrade from either BE 1.6 or BE 2.0 RC to the final BE 2.0.  In both scenarios, these Upgrade Instructions is what is recommended to follow.

Dec 21, 2010 at 6:28 AM
Edited Dec 21, 2010 at 6:35 AM

Great – how do I download 2.0.0.27?

 

 

Description: Description: cid:image001.png@01C9ABED.7F93C7C0

Doug Behl

 

From: BenAmada [email removed]
Sent: Monday, December 20, 2010 11:21 PM
To: Doug Behl
Subject: Re: User Rights: Giving user only rights to post pages. [blogengine:238267]

 

From: BenAmada

Doug, this is now fixed in BE 2.0.0.27. For both Posts and Pages, you can now only publish if you have the right to publish.

One thing to watch out for is if the person can create a Post/Page, but cannot publish it and also does not have the rights to "view unpublished posts" or "view unpublished pages", then when saving the unpublished post/page, you'll be redirected to the unpublished page/post, but see a 404 "not found" error since you don't have the rights to view the unpublished post/page on the front end of the website. In this scenario (where you cannot view unpublished posts/pages), that is only enforced on the front end ... you can still go to the control panel and see the unpublished post/page there to continue editing it, etc.

Yes, you'll be able to upgrade from either BE 1.6 or BE 2.0 RC to the final BE 2.0. In both scenarios, these Upgrade Instructions is what is recommended to follow.

Coordinator
Dec 21, 2010 at 6:30 AM

All these latest builds, including BE 2.0.0.27 are available on the Source Code tab at CodePlex.  But they are not compiled ... specifically, the BE core project is not compiled, and needs to be compiled.  So having Visual Studio is required to build the BE core project to produce a BlogEngine.Core.dll file that goes into your /bin directory.  The RC and final version of 2.0 will of course include the compiled BlogEngine.Core.dll file.  So if you are not setup to compile, then waiting for the final version might be easiest.

Dec 21, 2010 at 7:39 AM

Hi Ben,

I was able to compile the new version and the problem was resolved. I did get the following error when I tried to add a post that I didn’t publish because of the restriction. Was this what you meant about the unpublished rule? It seems like since it isn’t published when it is added it shouldn’t try to load it. A message saying it is awaiting approval is needed. It would be good to have a role rule that would allow view of own unpublished posts and pages.

Also there is the Publish check box that defaults with the box checked. I will change this in the page but that might be something to change.

BTW I was the person trying to do nested masterpages so I could imbed the blog into my site. I was able to get some things to work but started to run into issues related to Java. I think this would be a great enhancement and would be willing to test and help if this was something that you thought was valuable to the product.

Thanks again for the fix.

Description: Description: cid:image001.png@01C9ABED.7F93C7C0

Doug

From: BenAmada [email removed]
Sent: Monday, December 20, 2010 11:31 PM
To: Doug Behl
Subject: Re: User Rights: Giving user only rights to post pages. [blogengine:238267]

From: BenAmada

All these latest builds, including BE 2.0.0.27 are available on the Source Code tab at CodePlex. But they are not compiled ... specifically, the BE core project is not compiled, and needs to be compiled. So having Visual Studio is required to build the BE core project to produce a BlogEngine.Core.dll file that goes into your /bin directory. The RC and final version of 2.0 will of course include the compiled BlogEngine.Core.dll file. So if you are not setup to compile, then waiting for the final version might be easiest.

Coordinator
Dec 22, 2010 at 7:01 AM

Good suggestion Doug.   That was what I meant by getting an error page after saving an unpublished post/page when the user does not have rights to view unpublished posts/pages.

I just checked in BE 2.0.0.29 that does 2 things differently.  (a) If the user doesn't have the rights to publish posts, then by default, the "Publish" checkbox will be unchecked when creating new posts, and (b) when saving the unpublished post, the user will be redirected to the Posts lists (the control panel page that lists all the posts), instead of being redirected to the front end where he cannot see the post and gets a 404 error.