User Rights/Roles not working correctly

Topics: ASP.NET 2.0, Controls
Jan 3, 2013 at 9:17 AM

Hi,

I am very new to BlogEngine and not a developer so please forgive me if this post sounds a bit dumb. I am having an issue where I set the roles to allow users to create and delete their own pages. The problem is that when testing the role (before I issue it to users) I can see that the user set is able to delete/edit any page from any user even though the role does not allow it.

Also, is there a way to remove the option "Is front page" from all users apart from Administrators and Editors?

Kind regards

CJWinty

Jan 3, 2013 at 3:47 PM

Hi CJWinty.

  1. Log into BlogEngine as an administrator.
  2. Select Users from the tabs.
  3. In the right column, select Roles.
  4. When you see Anonymous as one of the roles, hover over the tools drop-down box and select Rights.
  5. These are just random visitors who haven't registered or logged in.  Adjust the settings here as needed (uncheck able to delete/edit any page, etc.)

I'm unsure as to how to have a different "is front page" for guests (anonymous) than for admins and editors, etc. ... and I'm unsure as to why you'd want that.  Wouldn't you want them to see your blog to entice 'em to login or register?

Good luck!

~ Jason

Jan 3, 2013 at 7:39 PM
Edited Jan 3, 2013 at 7:47 PM

Hi, 

In answer to the second part of your question you could try this.

In admin/Pages find the file EditPage.aspx and look for the following lines of code

<li>
    <label class="lbl"><%=Resources.labels.options %></label>
    <asp:CheckBox runat="Server" ID="cbFrontPage" Text="<%$ Resources:labels, isFrontPage %>" /><br />
</li>

Change it to this:

<li style="height:1px;<% if(Security.IsAdministrator || User.IsInRole("Editors")) {%> height:auto;<%}%>">
    <label class="lbl"><%=Resources.labels.options %></label>
    <asp:CheckBox runat="Server" ID="cbFrontPage" Text="<%$ Resources:labels, isFrontPage %>" /><br />
</li>

The li tag part changes.

It's a bit hacky, if upgrading you would have to remember to alter the file again, but might do the trick for now.

Jan 5, 2013 at 1:21 AM

Hi Andy

Thank you for the code change suggestion. The following did not work for me as it kept causing an error.

<li style="height:1px;<% if(Security.IsAdministrator || User.IsInRole("Editors")) {%> height:auto;<%}%>">
    <label class="lbl"><%=Resources.labels.options %></label>
    <asp:CheckBox runat="Server" ID="cbFrontPage" Text="<%$ Resources:labels, isFrontPage %>" /><br />
</li>

So after playing around with it (pure guesswork lol) I changed it to this

<li style="height:1px;<% if(User.IsInRole("Administrators")) {%> height:auto;<%}%>">
    <label class="lbl"><%=Resources.labels.options %></label>
    <asp:CheckBox runat="Server" ID="cbFrontPage" Text="<%$ Resources:labels, isFrontPage %>" /><br />
</li>

This has made it so that only administrators can change the front page and works exactly how I need it to work.

Colin

Jan 5, 2013 at 11:18 AM

Hi Colin, 

Glad it's working, just for reference the "Security.IsAdministrator" should have been fully qualified "BlogEngine.Core.Security.IsAdministrator".

That was careless of me, but what you have looks good.

Cheers
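
Hiding the `<li>` with CSS, as in the posts above, still leaves the cbFrontPage checkbox in the submitted form, so the role check also has to happen on the server when the page is saved. The following is an added example, not part of the original posts and not BlogEngine's own code: `FrontPagePolicy`, `CanSetFrontPage`, `Resolve` and the `Writers` role are hypothetical names, while the `Administrators` and `Editors` role names come from this thread.

```csharp
using System;
using System.Security.Principal;

// Added example: server-side gate for the "Is front page" option.
// FrontPagePolicy and its members are hypothetical, not BlogEngine code.
public static class FrontPagePolicy
{
    // Role names as used in this thread.
    static readonly string[] AllowedRoles = { "Administrators", "Editors" };

    public static bool CanSetFrontPage(IPrincipal user)
    {
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;
        foreach (string role in AllowedRoles)
            if (user.IsInRole(role)) return true;
        return false;
    }

    // postedValue: what the form sent for cbFrontPage, even if the control was hidden by CSS.
    // storedValue: the page's current setting, kept when the caller lacks the role.
    public static bool Resolve(IPrincipal user, bool postedValue, bool storedValue)
    {
        return CanSetFrontPage(user) ? postedValue : storedValue;
    }
}

public static class Demo
{
    static IPrincipal MakeUser(string name, params string[] roles)
    {
        return new GenericPrincipal(new GenericIdentity(name), roles);
    }

    public static void Main()
    {
        // Constructed sample users; an empty identity name means "not authenticated".
        IPrincipal admin = MakeUser("admin", "Administrators");
        IPrincipal writer = MakeUser("writer", "Writers"); // hypothetical role name
        IPrincipal anon = MakeUser("");

        // Each caller posts "checked" for a page that is not currently the front page.
        Console.WriteLine("admin:  " + FrontPagePolicy.Resolve(admin, true, false));
        Console.WriteLine("writer: " + FrontPagePolicy.Resolve(writer, true, false));
        Console.WriteLine("anon:   " + FrontPagePolicy.Resolve(anon, true, false));
    }
}
```

In the page itself, setting `cbFrontPage.Visible = FrontPagePolicy.CanSetFrontPage(User)` in the code-behind keeps the checkbox out of the rendered HTML, and the save path would pass the posted value through `Resolve` before storing it.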

Jan 13, 2013 at 4:23 AM

Hi, I am still having issues where I set the Rights so that a user cannot delete other users' pages, but when I test, any user can delete any other user's pages.

I log in as an admin, go to users, select "Roles", I then select the "Tools" button and select "Rights".

In the "Pages" section I have checked "View Public Pages", "Create New Pages", "Edit Own Pages", "Delete Own Pages" and "Publish Own Pages"; all of the other options are unchecked. When testing I can delete any pages created by any user, including the admin accounts' pages.

Bit stuck as I do not want users to be able to delete other users' pages or my own.

Colin