BlogEngine.NET 2.5 - Private Blogs

Aug 5, 2011 at 11:30 AM

Hi All,

Before I resort to code changes I was wondering if there was a way that I could restrict a particular blog from being seen unless the person is logged in and part of the editors/admins group.  

Anyone who simply navigates to the site should be dropped to the login page and if they authenticate I still only want them to see posts if they are in one of the roles.  

Thanks in advance,

Aug 5, 2011 at 12:38 PM

If you go into the control panel, Users tab, Roles sub-tab (right side), for "Anonymous" on the right-side Tools area, hover over that and select "Rights".

You are now on the Rights page for the Anonymous role.  Uncheck everything, in particular "View Public Posts".  HOWEVER, you do need to keep at least one item checked, otherwise everything reverts back to the default.  For example, you could keep "View Ratings on Posts" checked.  Then Save.

Then anyone who is not logged in should automatically be redirected to the Login page no matter what page they try to enter the site at.

Aug 5, 2011 at 1:02 PM

Hi Ben,

Thanks for the prompt reply. This has now secured the blog against anonymous users so that you have to log in, which is great.  The next challenge is that I want to secure the blog to ONLY those that appear in the editors or administrators list (or at least a list of users somewhere).

I was thinking of having a custom widget that I add to a blog which would redirect to the logoff page if the user was not part of a role, and just drop this widget on each blog that I wanted to secure, but if there is a way to do this using customisation that would be far neater.



Aug 6, 2011 at 12:13 AM

This should be possible w/ the existing Roles/Rights system.  If you remove the "View Public Posts" right from all of the roles except for the "good" roles, then a person will automatically be redirected to the login page if they are not in one of the "good" roles.  So you could leave the "View Public Posts" right checked for Administrators, Editors, Favorite People (a role I made up), and leave it unchecked for other roles.  Anyone who is not in one of those 3 roles would be redirected to the login page.

The "View Public Posts" right is looked for specifically on each page load (in BlogBasePage).  This is the key right that can be used to privatize the blog.

You can create new Roles (e.g. Favorite People) and assign each user to one or more roles by editing their Profile from the Users tab.  In the middle of the Profile page is the list of checkboxes for the rights you can assign.  As an admin you will see this list of checkboxes, but a normal user will not see these checkboxes if they "edit my profile", so you don't need to worry about them changing their own roles.  This is actually based on another right "Edit Own Roles" that determines whether a person can edit their own roles.

This should all be possible, but if it doesn't work as you'd like it to, then the widget idea you have would work as well.
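
The setup described in this thread can be checked after the fact. The following is an added example, not part of the original posts and not BlogEngine.NET code: a small model that audits a role-to-rights mapping for the two mistakes the replies warn about (a role saved with nothing checked reverting to its defaults, and an unintended role still holding "View Public Posts"). The "Subscribers" role, the user names, and the assumption that the Anonymous defaults include "View Public Posts" are constructed for illustration.

```python
# Added illustration: a model of the roles/rights behaviour described in the
# thread, not BlogEngine.NET code. Role data below is constructed.
VIEW = "View Public Posts"

def effective_rights(role, saved, defaults):
    """Rights a role ends up with. Per the thread, a role saved with nothing
    checked reverts to its defaults, so an empty set is not 'no rights'."""
    rights = saved.get(role)
    return set(rights) if rights else set(defaults.get(role, set()))

def can_view(user_roles, saved, defaults):
    """A visitor sees posts if any one of their roles holds the view right."""
    return any(VIEW in effective_rights(r, saved, defaults) for r in user_roles)

def audit(saved, defaults, allowed_roles, users):
    """Return findings that leave a 'private' blog readable by other roles."""
    findings = []
    for role in sorted(set(saved) | set(defaults)):
        reverted = not saved.get(role)
        if VIEW in effective_rights(role, saved, defaults) and role not in allowed_roles:
            why = "reverted to defaults" if reverted else "right still checked"
            findings.append(f"role {role!r} can view posts ({why})")
    for name, roles in sorted(users.items()):
        if can_view(roles, saved, defaults) and not set(roles) & allowed_roles:
            findings.append(f"user {name!r} can view posts via roles {roles}")
    return findings

# Constructed sample data (assumed defaults; hypothetical "Subscribers" role).
KEEP = "View Ratings on Posts"
DEFAULTS = {"Anonymous": {VIEW, KEEP}}
ALLOWED = {"Administrators", "Editors", "Favorite People"}
SAVED_BAD = {
    "Anonymous": set(),          # everything unchecked, so defaults return
    "Administrators": {VIEW},
    "Editors": {VIEW},
    "Favorite People": {VIEW},
    "Subscribers": {VIEW},       # right left checked on an unintended role
}
SAVED_GOOD = dict(SAVED_BAD, Anonymous={KEEP}, Subscribers={KEEP})
USERS = {"alice": ["Editors"], "bob": ["Subscribers"], "visitor": ["Anonymous"]}

if __name__ == "__main__":
    for finding in audit(SAVED_BAD, DEFAULTS, ALLOWED, USERS):
        print(finding)
```
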