Customizing widget permissions for users

Topics: ASP.NET 2.0
Apr 18, 2009 at 8:20 PM
I'm wondering if there is any way of allowing Editors to be able to edit the content of the widgets, such as the TextBox or LinkList, but obviously not to have the usual admin permissions of changing the settings etc. At the moment the default is for editors to only add entries into the blogs.
Coordinator
Apr 18, 2009 at 11:36 PM
There are 3 things that look like they need to be changed for this.

1. In the WidgetBase.cs file in the App_Code\Controls folder, there's a Render() method with the following line of code:
if (Thread.CurrentPrincipal.IsInRole(BlogSettings.Instance.AdministratorRole))

Change that to:
if (Thread.CurrentPrincipal.Identity.IsAuthenticated)

2. In the WidgetEditor.aspx.cs file in the admin folder, in the Page_Init() event handler, there's the following line of code:
if (!User.IsInRole(BlogSettings.Instance.AdministratorRole))

Change that to:
if (!User.Identity.IsAuthenticated)

3. In the BlogBasePage.cs file in the Web\Controls folder within the BE core files, in the OnLoad() method, there's this line of code:
if (User.IsInRole(BlogSettings.Instance.AdministratorRole))

Change that to:
if (Thread.CurrentPrincipal.Identity.IsAuthenticated)

Because change #3 was in the BE core, re-compiling the core is necessary. That seems to be all the changes needed to allow editors to edit widgets.
Apr 19, 2009 at 12:46 AM
Edited Apr 19, 2009 at 12:46 AM
Thank you very much for your time, it worked great.

The only other question I have is whether it's possible to only allow the editors to "Edit" the widgets, but not "Delete" them... probably not, but just thought I'd ask!
Coordinator
Apr 19, 2009 at 1:10 AM
You can remove the Delete link for Editors.  I noticed that at first too, but wasn't sure if you wanted it.

In the same WidgetBase.cs file you edited before is where the Edit and Delete links are.  Depending on your version of BE, right now, your code probably looks similar to:

if (Thread.CurrentPrincipal.Identity.IsAuthenticated)
{
    sb.Append("<a class=\"delete\" href=\"javascript:void(0)\" onclick=\"removeWidget('" + WidgetID + "');return false\" title=\"" + Resources.labels.delete + " widget\">X</a>");
    sb.Append("<a class=\"edit\" href=\"javascript:void(0)\" onclick=\"editWidget('" + Name + "', '" + WidgetID + "');return false\" title=\"" + Resources.labels.edit + " widget\">" + Resources.labels.edit + "</a>");
}

You can break that up so the Edit link shows up for any logged in person, and the X (remove) link only shows up for Administrators.  So the code below would replace the code above.  I would suggest using your existing sb.Append() code to add the Edit/Remove links below since it might vary from what I have here.

if (Thread.CurrentPrincipal.IsInRole(BlogSettings.Instance.AdministratorRole))
{
    sb.Append("<a class=\"delete\" href=\"javascript:void(0)\" onclick=\"removeWidget('" + WidgetID + "');return false\" title=\"" + Resources.labels.delete + " widget\">X</a>");
}

if (Thread.CurrentPrincipal.Identity.IsAuthenticated)
{
    sb.Append("<a class=\"edit\" href=\"javascript:void(0)\" onclick=\"editWidget('" + Name + "', '" + WidgetID + "');return false\" title=\"" + Resources.labels.edit + " widget\">" + Resources.labels.edit + "</a>");
}
Apr 19, 2009 at 2:50 AM
Thanks again!
Apr 19, 2009 at 9:53 AM

EditorRole looks more appropriate to me, but this might require greater changes.

> if (Thread.CurrentPrincipal.IsInRole(BlogSettings.Instance.AdministratorRole))
> Change that to:

if (Thread.CurrentPrincipal.IsInRole(BlogSettings.Instance.EditorRole))

instead of

> if (Thread.CurrentPrincipal.Identity.IsAuthenticated)


Coordinator
Apr 19, 2009 at 6:54 PM
mvincic: If you use EditorRole like that, then Administrators won't be able to edit the widgets.  IsAuthenticated includes everyone who is logged in -- which would be both Editors and Administrators.
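
The three checks discussed in this thread, run side by side as an added example (not code from the thread or from BlogEngine.NET). The role names, the sample users and the combined `EditorOrAdmin` check are assumptions made for illustration; in BlogEngine.NET the role names come from BlogSettings.Instance.

```csharp
using System;
using System.Security.Principal;

static class WidgetAccessDemo
{
    // Constructed role names standing in for BlogSettings.Instance.AdministratorRole / EditorRole.
    const string AdministratorRole = "Administrators";
    const string EditorRole = "Editors";

    // Check used in the Coordinator's changes: any logged-in user passes.
    static bool AnyAuthenticated(IPrincipal p) { return p.Identity.IsAuthenticated; }

    // Check proposed by mvincic: only members of the editor role pass.
    static bool EditorOnly(IPrincipal p) { return p.IsInRole(EditorRole); }

    // Hypothetical combined check: editors and administrators pass, nobody else.
    static bool EditorOrAdmin(IPrincipal p)
    {
        return p.IsInRole(EditorRole) || p.IsInRole(AdministratorRole);
    }

    // Builds a constructed test principal; an empty name means "not logged in".
    static IPrincipal MakeUser(string name, params string[] roles)
    {
        return new GenericPrincipal(new GenericIdentity(name), roles);
    }

    static void Main()
    {
        IPrincipal[] users =
        {
            MakeUser(""),                          // anonymous visitor
            MakeUser("alice", AdministratorRole),  // administrator
            MakeUser("bob", EditorRole),           // editor
            MakeUser("carol")                      // logged in, but in neither role
        };

        Console.WriteLine("{0,-12}{1,-18}{2,-12}{3}",
            "user", "AnyAuthenticated", "EditorOnly", "EditorOrAdmin");
        foreach (IPrincipal u in users)
        {
            string name = u.Identity.Name.Length == 0 ? "(anonymous)" : u.Identity.Name;
            Console.WriteLine("{0,-12}{1,-18}{2,-12}{3}",
                name, AnyAuthenticated(u), EditorOnly(u), EditorOrAdmin(u));
        }
    }
}
```

The row for the logged-in user with no roles is the one that separates the checks: it passes the IsAuthenticated test but neither role-based test, while the administrator row fails the editor-only test.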