Is this the right way to secure content?

Nov 3, 2010 at 2:38 AM

After exploring a few different options I have come to the conclusion that the most seamless way to allow securing of viewing content is to create a new part that either inherits or extends the Body part. I basically want everything the Body part has, plus the ability to attach (for now) a single Role ID (defaulting to "Authenticated") to control who can and can't view the content.

The plan is to then change the Driver.Display() method to return some "Access denied" HTML content instead of the requested HTML if the current user doesn't meet the role restriction.

My question to the developers: is this the best approach?

Please note that I initially tried to create a "content filter" part that could be added to existing content types, but could find no way to cancel/override the display of the page. All I could do was stop the display of my own part (where I was showing the Role ID for debug purposes).

I also explored the AuthorizationServiceEventHandler (prior to 0.8 release) but the IAuthorizationService.TryCheckAccess() method only seems to be used by Admin pages.

Nov 3, 2010 at 4:19 PM

Pretty much, except that you don't need to extend Body: just create your own part and attach it to the content types you want to protect. You might want to search the forum for a thread on this, I think other foks have started working on that as well.