This project is read-only.

Securing parts of a site by route

Topics: Administration
Jun 3, 2013 at 1:01 PM
I'm fairly new to Orchard. So far, I'm really happy with the capabilities of Orchard, but I've been trying to figure out if there's an easy way to secure a site based on the route/path.

What I'd like is to have a portion of the site that's open to the public, but make it so that certain paths require a logged-in user, based on role, perhaps.

As an example, I'd like to specify something like "/Secure/*" requires a user to be authenticated. I've looked through all the menus in the dashboard and also searched for any modules that would support this without any luck.

So, my question is, is there a module that would support this, and if not, what would be the best approach to take in order to develop a module that would support it?

Jun 3, 2013 at 1:04 PM
I forgot to mention, that if possible, I'd prefer not to have to secure each page individually using the content permissions. Content for the site is going to be provided by pre-teens teenagers and I want to make it as simple as possible to maintain security.

Jun 3, 2013 at 2:17 PM
I don't know if there's a module for that, but perhaps you could implement a FilterProvider (implementing the IAuthorizationFilter interface). And, to not have to hardcode protected urls, implement site settings where you can specify a list of url patterns to protect.
Jun 3, 2013 at 6:28 PM
Okay, I can see how that would work. How do I go about getting the new filter injected in the pipeline so that it gets picked up by the FilterResolvingActionInvoker?
Jun 3, 2013 at 7:09 PM
Simply add a class to your module's project file that derives from FilterProvider and implements IAuthorizationFilter. Orchard will automatically register this class with the IoC container.
Jun 3, 2013 at 7:31 PM
That's what I thought, so I created a module called F2B.RouteSecurity. I then added the following class into the project:
using Orchard.Mvc.Filters;
using System.Web.Mvc;

namespace F2B.RouteSecurity
    public class RouteAuthorizationFilter : FilterProvider, IAuthorizationFilter
        public void OnAuthorization(AuthorizationContext filterContext)
            filterContext.Result = new HttpUnauthorizedResult();
(For now, I just want it to do something which is why it resturns the unauthorized result.)

I then put a breakpoint in the constructor for FilterResolvingActionInvoker, but when the program hits it there's not an instance of this class in the list.

I completely restarted the application, including the web server and it still doesn't show up.
Jun 4, 2013 at 1:34 AM
And you did enable the feature?
Jun 4, 2013 at 2:13 AM
I had not. Thank you for pointing that out. It works like a charm now. I will start working on the rest of the implementation now.

Thanks so much for your help.
Jun 8, 2013 at 3:55 AM
Alright, I've now got this working pretty well. However, I'd like to know how I would go about removing menu items that would be inaccessible due to the restricted routes. I'm guessing I need to implement an INavigationFilter to remove those menus. Is this the right approach?

The only thing I'm curious about though, is how do I go about making sure that my INavigationFilter is the last one to be called, so I guarantee that I remove all the menu items that should be removed.