This project is read-only.

Securing Media Content

Topics: General
Jun 20, 2012 at 12:34 PM

Is there a simple way of securing access to Media content to be accessible by Authenticated users only?

Jun 20, 2012 at 12:41 PM

Perhaps you could modify the web.config file in the root of the Media folder to deny access to anonymous users, something like this:

         <deny users="?" /> 

Jun 20, 2012 at 12:53 PM
Edited Jun 20, 2012 at 12:53 PM

Perfectly simple !

What about restriction to not only authorized but also a member of a specific role?

Jun 20, 2012 at 2:11 PM

although I havent tried this, but that would look like this:

      <allow roles="Admin"/> //Allows users in Admin role
      <deny users="*"/> // deny everyone else


Jun 20, 2012 at 2:14 PM

I just discovered the same.. I will try now at let you know.

Jun 20, 2012 at 2:26 PM

Nope that does not seem to work. 

Even flipped around so allow roles was the last element in the authorization elements list ...

<?xml version="1.0" encoding="UTF-8"?>
      <deny users="*"/>
      <allow roles="Administrator"/>  
Jun 20, 2012 at 3:10 PM

Ok. Maybe this is still work in progress because looking at the Orchard source, the OrchardRoleProvider class is implemented by throwing the NotImplementedException from each inherited method of System.Web.Security.RoleProvider.

I suppose that you could implement RoleProvider yourself and configure it in web.config. Not sure how this would be instantiated and how it works with the DI stuff though. Sounds like a fun experiment though :)

Aug 23, 2012 at 2:38 PM

Just curious if this experiment ever happened.  I am about to do basically exactly this and looking to re-use what i can.



The web.config change was pretty easy but now would like to see what anyone has done with the implementation of the Role Provide class.


<roleManager enabled="true" defaultProvider="OrchardRoleProvider">
              <clear />
              <add name="OrchardRoleProvider" type="Orchard.Security.Providers.OrchardRoleProvider" />