Securing Media Content

Topics: General
Jun 20, 2012 at 11:34 AM

Is there a simple way of securing access to Media content to be accessible by Authenticated users only?

Developer
Jun 20, 2012 at 11:41 AM

Perhaps you could modify the web.config file in the root of the Media folder to deny access to anonymous users, something like this:

<configuration>
   <system.web>
      <authorization>
         <deny users="?" /> 
      </authorization>
   </system.web>
</configuration>

Jun 20, 2012 at 11:53 AM
Edited Jun 20, 2012 at 11:53 AM

Perfectly simple !

What about restriction to not only authorized but also a member of a specific role?

Developer
Jun 20, 2012 at 1:11 PM

although I havent tried this, but that would look like this:

<system.web>
   <authorization>
      <allow roles="Admin"/> //Allows users in Admin role
      <deny users="*"/> // deny everyone else
   </authorization>
</system.web>

 

Jun 20, 2012 at 1:14 PM

I just discovered the same.. I will try now at let you know.

Jun 20, 2012 at 1:26 PM

Nope that does not seem to work. 

Even flipped around so allow roles was the last element in the authorization elements list ...

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.web>
    <authorization>
      <deny users="*"/>
      <allow roles="Administrator"/>  
    </authorization>
  </system.web>
</configuration>
Developer
Jun 20, 2012 at 2:10 PM

Ok. Maybe this is still work in progress because looking at the Orchard source, the OrchardRoleProvider class is implemented by throwing the NotImplementedException from each inherited method of System.Web.Security.RoleProvider.

I suppose that you could implement RoleProvider yourself and configure it in web.config. Not sure how this would be instantiated and how it works with the DI stuff though. Sounds like a fun experiment though :)


Aug 23, 2012 at 1:38 PM

Just curious if this experiment ever happened.  I am about to do basically exactly this and looking to re-use what i can.

Thanks

 

The web.config change was pretty easy but now would like to see what anyone has done with the implementation of the Role Provide class.

thanks

<roleManager enabled="true" defaultProvider="OrchardRoleProvider">
        <providers>
              <clear />
              <add name="OrchardRoleProvider" type="Orchard.Security.Providers.OrchardRoleProvider" />
          </providers>
      </roleManager>