Limit viewing of a blog to signed in users only?

Jul 25, 2009 at 3:08 AM

Might seem like an odd request, but I'd like a way to limit a blog to only users I have authorized.  Any plans for that kind of feature?  (I want anon users to not be able to read the blog).

Coordinator
Jul 25, 2009 at 3:43 AM

Some others have asked about this too.  Here's some instructions on how to do this:

http://rtur.net/blog/page/Privatizing-BlogEngine.aspx

Jul 25, 2009 at 4:56 AM

Thank you.  I followed everything in that list, but I'm not sure where to put the code for the Privatizer in step 2?  I'm a vb.net/asp.net guy, so I'm not sure if that is suppose to be it's own .cs file, how do I hook it in?  Do I dump it in both Post and Page .cs files?  Thanks.

Coordinator
Jul 25, 2009 at 6:53 AM

Oh yeah, step # 2 could be a little more detailed for people not as familiar with BE.

Put the code in step # 2 into a new file named Privatizer.cs and put that file into the App_Code\Extensions folder.  The file name doesn't actually matter, but Privatizer.cs is an intuitive name for it.

Jul 25, 2009 at 12:54 PM
Edited Jul 25, 2009 at 1:21 PM

Awesome, I got it working!  I did have to change "(0)signin.aspx" to "(0)login.aspx" int he code as well, but that much was pretty obvious to me.

Oops spoke too soon.  I have some issues to address, it would be great if you could tell me where to go to fix them

1 - anonymous users can still use "search" and then see portions of the protected blog

2 - i turned off comments in admin, but users still see comments as a link and it takes them to a page where they can't do anything (rather just hide the links)

And thank you for making such an easy to use blog, up and running in no time is pretty awesome.

Coordinator
Jul 25, 2009 at 4:57 PM

Glad you're getting closer.

You can lock out all pages to unauthenticated people by modifying the web.config file in the root of the blog.  Under the existing <authentication> tag, if you add the <authorization> tag shown below, all pages will be locked out to unauthenticated people -- except for login.aspx.

<authentication mode="Forms">
    <forms timeout="129600" name=".AUXBLOGENGINE" protection="All" slidingExpiration="true" loginUrl="~/login.aspx" cookieless="UseCookies"/>
</authentication>
<authorization>
    <allow roles="administrators, editors"/>
    <deny users="*" />
</authorization>


However, even though the login.aspx page will come up, the CSS and JS files will be blocked (if you're not logged in).  To allow those pages to come up, after the closing </system.web> tag in the web.config file, add these 2 location tags.

<system.web>
    ..... existing content ......
</system.web>
<location path="themes/Standard/css.axd">
    <system.web>
        <authorization>
            <allow users="*" />
        </authorization>
    </system.web>
</location>    
<location path="js.axd">
    <system.web>
        <authorization>
            <allow users="*" />
        </authorization>
    </system.web>
</location>  
 

This will allow access to "themes/Standard/css.axd" and "js.axd" -- the CSS and JS handlers BE uses.  You might need to adjust the path to the CSS file -- especially if your blog is in a sub-folder, or if you're using a theme other than the Standard theme.

......

I think the Comments link at the bottom of each post always comes up, even if Comments are turned off.  You can only show the Comments link if Comments are enabled.  In the PostView.ascx file in the folder of the theme you're using (e.g. themes/Standard), you can wrap the Comments link in an IF statement.  Adding the IF block to the Comments link in the Standard theme looks like the following ... (the 1st and 3rd lines are new).

<% if (BlogEngine.Core.BlogSettings.Instance.IsCommentsEnabled) { %>
   | <a rel="nofollow" href="<%=Post.RelativeLink %>#comment"><%=Resources.labels.comments %> (<%=Post.ApprovedComments.Count %>)</a>
<% } %>

Jul 26, 2009 at 3:46 AM

Awesome.  It is doing what I want now, thank you.