I modified BlogEngine.Net 1.3 to require authentication (sql server role provider) before having access to the Default.aspx page -- A requirement of the site I'm building for my company. I've noticed now that un-published posts show up in the lists even
for users who are neither a member of the "Editors" or "Adminstrators" roles. So it appears that any authenticated user has access to all posts published or unpublished.
So my questions are:
1) Is there any way to limit access to posts based on role membership in the current version (something I've missed)?
2)Is there a relatively easy way I could modify the code so to enable that kind of functionality. (I haven't had time yet to open up the source and poke around).