URL Authorization

Topics: Administration, Customizing Orchard
Sep 28, 2012 at 8:45 PM

I'm looking for an easy way to implement a URL-authorization-like scheme for Orchard.

For example, imagine most content will live under one of three paths (/foo, /bar, /baz). I'd like an easy way to restrict the viewing of any content type in /foo to users within a role with permission for foo, and /bar to users with effective permission for /bar.

Any hints? I've looked at a few authorization modules in the gallery, but none of them seem to make it as easy as it should be.


Sep 28, 2012 at 8:58 PM

This should be really easy. The most straightforward way is to make an ActionFilter which will return a not authorized result. You can get the current user by injecting the WorkContext object into your constructor.

If you want to handle things based on content items, then you need to implement IAuthorizationEventHandler. Several examples in the code.

Sep 29, 2012 at 3:15 AM

Ah, very good. Looks like this will be the right starting point, thanks. 


using System.Collections.Generic;
using System.Linq;
using System.Web.Mvc;
using Orchard;
using Orchard.ContentManagement;
using Orchard.Mvc.Filters;
using Orchard.Roles.Models;

public class NoNameYetFilter : FilterProvider, IAuthorizationFilter
{
    private readonly WorkContext _workContext;

    public NoNameYetFilter(WorkContext workContext)
    {
        _workContext = workContext;
    }

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        var url = filterContext.HttpContext.Request.Url;
        var user = _workContext.CurrentUser;
        // Anonymous users, and users without the roles part, get no roles.
        var userroles = user == null ? null : user.As<IUserRoles>();
        var role = userroles == null ? DefaultRoles : userroles.Roles;

        // ...
    }

    private static readonly IEnumerable<string> DefaultRoles = Enumerable.Empty<string>();
}
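
The path-to-role decision that the elided part of the filter above would need, as an added example that is not part of the original thread or of Orchard itself. The class name PathRoleRules and the role names are hypothetical, and paths outside /foo, /bar and /baz are assumed to stay open to everyone.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example: maps URL path prefixes to the role allowed to view them.
// The role names are hypothetical placeholders.
public static class PathRoleRules
{
    private static readonly Dictionary<string, string> Rules =
        new Dictionary<string, string>
        {
            { "/foo", "FooViewers" },
            { "/bar", "BarViewers" },
            { "/baz", "BazViewers" }
        };

    // True when the path is outside every protected prefix, or the user
    // holds the role required by the prefix it falls under.
    public static bool IsAllowed(string path, IEnumerable<string> roles)
    {
        var normalized = Normalize(path);
        foreach (var rule in Rules)
        {
            if (!IsUnder(normalized, rule.Key)) continue;
            return roles != null &&
                   roles.Contains(rule.Value, StringComparer.OrdinalIgnoreCase);
        }
        return true; // not a protected path
    }

    // Segment-aware match: "/foo" and "/foo/x" match, "/foobar" does not.
    // Case-insensitive, so "/FOO/x" is treated the same as "/foo/x".
    private static bool IsUnder(string path, string prefix)
    {
        if (!path.StartsWith(prefix, StringComparison.OrdinalIgnoreCase)) return false;
        return path.Length == prefix.Length || path[prefix.Length] == '/';
    }

    // Collapse repeated slashes and drop the trailing one, so "//foo/" is
    // checked as "/foo".
    private static string Normalize(string path)
    {
        var segments = (path ?? "").Split(new[] { '/' }, StringSplitOptions.RemoveEmptyEntries);
        return "/" + string.Join("/", segments);
    }
}
```

Inside OnAuthorization, a request for which IsAllowed(url.AbsolutePath, role) is false would set filterContext.Result to a new HttpUnauthorizedResult(). A path check only covers requests that arrive under that path; content that is also reachable through another route needs the content-item approach mentioned in the earlier reply.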