Login Page

Topics: Administration, Customizing Orchard, General
Mar 28, 2011 at 9:25 PM

What would it take to require authentication to the site and make the login page the first thing a user sees on the home page? A good example of this would be a corp portal.

Thanks

Matt

Coordinator
Mar 28, 2011 at 9:36 PM

In principle you should be able to remove the content item permissions for the anonymous role and get that result.

Mar 29, 2011 at 9:33 PM

Thanks for the reply.

When I went into the roles page, it says both of the Anonymous elements they are assigned to are effective (Access site front-end, Add comment). Is there a way to override these base permissions? Also I didn't see an element for content item. I'm running version 1.0.20

Coordinator
Mar 29, 2011 at 10:02 PM

This looks like this issue: http://orchard.codeplex.com/workitem/17057 that is fixed in the upcoming Orchard 1.1.

Mar 29, 2011 at 10:18 PM

Yeah that's the same thing, thanks. When is 1.1 going to be released?

Coordinator
Mar 29, 2011 at 10:18 PM

April 12.

Apr 12, 2011 at 8:53 PM

Still getting the same behavior, that effective check mark is still there and allowing anyone to view the site without authenticating.

Is it possible to fix this with either a controller factor or handler?

Coordinator
Apr 12, 2011 at 10:23 PM

Sorry about that, please re-open if it still reproduces.

For now, I think your best bet would be a handler or an MVC filter.

Apr 13, 2011 at 1:53 AM

This would be this issue:

http://orchard.codeplex.com/workitem/17667

There isn't currently any way to block view access to any content type, except on your own controllers, and for some reason for Blog Posts...

Apr 13, 2011 at 4:52 PM

I'm checking to see if the user is not logged in, and if not then redirecting them to the login page. I've stepped through the filter and it's setting the redirect variable into the Result, but it's ignoring it once Orchard sucks it up. If someone could look over what I'm doing and point me in the right direction it would be appreciated.



    public class LoginRequiredFilter : FilterProvider, IResultFilter {

        private readonly IOrchardServices _orchardServices;

        public LoginRequiredFilter(IOrchardServices orchardServices)
        {
            _orchardServices = orchardServices;
        }

        public void OnResultExecuting(ResultExecutingContext filterContext)
        {
            if (IsGuest())
            {
                // Build the route to the login action.
                RouteValueDictionary redirectTargetDictionary = new RouteValueDictionary();
                redirectTargetDictionary.Add("action", "LogOn");
                redirectTargetDictionary.Add("controller", "Action");
                redirectTargetDictionary.Add("area", "Orchard.Users");

                var redirect = new RedirectToRouteResult(redirectTargetDictionary);

                filterContext.Result = redirect;
            }
        }

        // IsGuest() and OnResultExecuted() are not shown in the post.
    }

Apr 13, 2011 at 5:15 PM

Instead of returning a RedirectToRouteResult, return a HttpUnauthorizedResult. This will have the effect of redirecting to the Login page anyway.

Take a look at Orchard.UI.Admin.AdminFilter (that's in Orchard.Framework) - it performs this task for Admin pages. You can see it also implements IAuthorizationFilter instead of IResultFilter. I don't know how much difference that makes, but it's a good example to follow in general.

Apr 15, 2011 at 4:14 PM

A slight change to your code worked for me.

Adding ExecuteResult got it to execute, and then telling it to ignore ChildActions and to not try to redirect the LogOn action were the kickers. I'm sure this can be improved upon, but it's a start!

            if (IsGuest()
                && !filterContext.IsChildAction
                && !filterContext.RouteData.Values.Contains(new KeyValuePair<string,object>("action", "LogOn")))
            {
                RouteValueDictionary redirectTargetDictionary = new RouteValueDictionary();
                redirectTargetDictionary.Add("action", "LogOn");
                redirectTargetDictionary.Add("controller", "Account");
                redirectTargetDictionary.Add("area", "Orchard.Users");

                var redirect = new RedirectToRouteResult(redirectTargetDictionary);
                filterContext.Result = redirect;
                filterContext.Result.ExecuteResult(filterContext);
            }

Apr 15, 2011 at 4:29 PM

You missed the bit where I said use HttpUnauthorizedResult ;)  This will automatically produce a redirect to logon and is the best way to do this.

Apr 15, 2011 at 5:31 PM
Edited May 10, 2011 at 2:46 PM

If I switch it to HttpUnauthorizedResult it asks me for server login credentials, eventually giving me:

Server Error 401 unauthorized

For reference:

            if (IsGuest()
                && !filterContext.IsChildAction
                && !(filterContext.Result is HttpUnauthorizedResult))
            {
                filterContext.Result = new HttpUnauthorizedResult();
                filterContext.Result.ExecuteResult(filterContext);
            }

May 10, 2011 at 2:46 PM
Edited May 11, 2011 at 11:27 AM

Revisiting this, I've been able to get the HttpUnauthorizedResult to work but I still don't know the best way to filter out requests for account login stuff. I've got it filtering out any request on the AccountController currently but is there a better way to distinguish these requests?

            if (IsGuest()
                && !filterContext.RouteData.Values.Contains(new KeyValuePair<string,object>("Controller", "Account")))
            {
                filterContext.Result = new HttpUnauthorizedResult();
                filterContext.Result.ExecuteResult(filterContext);
            }
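
Added example (not code from any poster in this thread or from Orchard itself): one way to approach the question above is to run the check as an IAuthorizationFilter, as suggested earlier in the thread, and to exempt the login pages by area plus controller, so that a controller named Account in some other module is not exempted as well. It assumes Orchard's IAuthenticationService is injected and that forms authentication turns the 401 into the login redirect; the area and controller names are the ones used in the thread.

```csharp
using System;
using System.Web.Mvc;
using Orchard.Mvc.Filters;
using Orchard.Security;

// Added example: rejects anonymous requests before the action runs.
public class LoginRequiredFilter : FilterProvider, IAuthorizationFilter {
    // Area and controller of the login pages, as named in the thread.
    private const string LoginArea = "Orchard.Users";
    private const string LoginController = "Account";

    private readonly IAuthenticationService _authenticationService;

    public LoginRequiredFilter(IAuthenticationService authenticationService) {
        _authenticationService = authenticationService;
    }

    public void OnAuthorization(AuthorizationContext filterContext) {
        // Child actions render inside a parent request that was already checked.
        if (filterContext.IsChildAction) return;
        // Signed-in users pass through.
        if (_authenticationService.GetAuthenticatedUser() != null) return;
        // The login pages themselves must stay reachable for anonymous users.
        if (IsLoginRequest(filterContext)) return;

        // Setting Result in an authorization filter short-circuits the
        // pipeline: the action never executes and no ExecuteResult call is needed.
        filterContext.Result = new HttpUnauthorizedResult();
    }

    private static bool IsLoginRequest(AuthorizationContext filterContext) {
        var routeData = filterContext.RouteData;
        // The area may be carried as a route value or as a data token.
        var area = (routeData.Values["area"] ?? routeData.DataTokens["area"]) as string;
        var controller = filterContext.ActionDescriptor.ControllerDescriptor.ControllerName;

        // Require both to match; matching on the controller name alone would
        // exempt any controller called "Account" in any module.
        return string.Equals(area, LoginArea, StringComparison.OrdinalIgnoreCase)
            && string.Equals(controller, LoginController, StringComparison.OrdinalIgnoreCase);
    }
}
```

Because an authorization filter runs before the action, an anonymous request is rejected before any action code or its side effects execute, which a result filter cannot guarantee.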