Solution for only allowing authenticated users to view blog

Topics: ASP.NET 2.0, Business Logic Layer, Controls
Nov 20, 2007 at 9:20 PM
I have read several posts from people trying to get an answer to this nagging question: How can I restrict access to view the blog? If you want to secure your blog so that only authenticated users (subscribers, for example) can view it, here's how:

(version 1.2)
Open the source solution file and open the \BlogEngine.Core\Providers\XmlProvider\XmlRoleProvider.cs file.
Go to line 33 and change it to read: readonly string[] _DefaultRolesToAdd = new string[] { "Administrators", "Editors", "Subscribers" };

Build BlogEngine.Core and copy the resulting DLL file from {drive:path}\BlogEngine.NET 1.2 (source)\BlogEngine.Core\bin\Debug and paste it into the bin folder on your web project.

Now, in your web project, open the /app_data/roles.xml file and add the following:

For all the pages you want to restrict access to (default, archive, etc.), open its CS file and add the following line just inside the Page_Load method:
    if (!User.Identity.IsAuthenticated)
        Response.Redirect("login.aspx"); // can change the page to any other page, like a registration page.

Hope this helps. If I've left anything out, please let me know.
Nov 22, 2007 at 1:20 AM
Edited Nov 22, 2007 at 1:21 AM
Ok I see what you are saying and can do that just fine. However, this doesn't solve the problem I am seeing over and over. Folks want a group of users (role) to be able to post new stuff (and perhaps edit their own stuff) but not edit or delete someone else's stuff.

With the method you give, you would have to restrict access to the addentry.aspx in order to restrict editing others' posts. If you restrict access to addentry.aspx then they cannot post at all.

I would very much like to use BlogEngine.NET as an add to an existing site. The problem is the folks who use the site are very un-computer-savvy. If I gave them unlimited edit and delete capabilities the blog would be messed up within one or two days.

I would appreciate any help/ideas you have.

Nov 25, 2007 at 1:57 AM
Edited Nov 25, 2007 at 2:00 AM
i have fixed this issue... it took some figuring, but it wasn't too hard. first, what i did is limit the population of the author dropdown in the addpost page to only the user who is logged in, unless the user is an admin. then i went into the PostViewBase.cs and changed the AdminLinks to only show up if the user is logged in, or the user is an admin, meaning the links won't show up for posts that aren't theirs. it works like a charm, and it was maybe 5 total lines of code, just some if statements.

i am still having problems with the permalink, though. i have no idea how that works, but the permalink via the url rewriting just simply does not work
Nov 29, 2007 at 10:00 PM
Edited Nov 29, 2007 at 10:00 PM
level7solutions & edelman:

This is intriguing to me... what do you think about restricting access only to certain categories of posts (for instance, having a generally public blog, but having the ability to add posts to the category "Private", which only logged in family members (or paid subscribers, etc) could view...)? I guess part of the issue would be preventing those "private" posts from showing up on the homepage, etc... might be more complicated than the solution you are outlining...
Feb 7, 2008 at 6:19 PM
What if a post/page was limited to editing only by an admin or the author?

You could then hide the edit link to all but the Admins and the author.
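
The author-or-admin rule discussed in this thread, written as a server-side check (an added example, not code from any poster or from the BlogEngine.NET source). The names PostAccess, CanView and CanModify are hypothetical; the idea is to call the same check both where the edit link is rendered and in the code that saves or deletes a post, so the rule holds even when the edit page is requested directly.

```csharp
using System;
using System.Security.Principal;

// Hypothetical helper for this example; not a BlogEngine.NET API.
// The role name matches the role list given earlier in the thread.
public static class PostAccess
{
    const string AdminRole = "Administrators";

    // Viewing rule from the first post: only authenticated users may read.
    public static bool CanView(IPrincipal user)
    {
        return user != null && user.Identity != null && user.Identity.IsAuthenticated;
    }

    // Edit/delete rule: an administrator, or the post's own author.
    // In a page, pass Page.User and the author name stored with the post.
    public static bool CanModify(IPrincipal user, string postAuthor)
    {
        if (!CanView(user)) return false;
        if (user.IsInRole(AdminRole)) return true;
        // Assumption: the user store treats user names as case-insensitive.
        return !string.IsNullOrEmpty(postAuthor) &&
               string.Equals(user.Identity.Name, postAuthor, StringComparison.OrdinalIgnoreCase);
    }
}

public static class Demo
{
    static IPrincipal MakeUser(string name, params string[] roles)
    {
        return new GenericPrincipal(new GenericIdentity(name), roles);
    }

    public static void Main()
    {
        // Constructed sample users; an empty name yields an unauthenticated identity.
        IPrincipal anon = MakeUser("");
        IPrincipal alice = MakeUser("alice", "Editors");
        IPrincipal bob = MakeUser("bob", "Editors");
        IPrincipal admin = MakeUser("carol", "Administrators");

        Console.WriteLine("anon can view: " + PostAccess.CanView(anon));
        Console.WriteLine("alice edits own post: " + PostAccess.CanModify(alice, "alice"));
        Console.WriteLine("bob edits alice's post: " + PostAccess.CanModify(bob, "alice"));
        Console.WriteLine("admin edits alice's post: " + PostAccess.CanModify(admin, "alice"));
        Console.WriteLine("anon edits alice's post: " + PostAccess.CanModify(anon, "alice"));
    }
}
```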