Tags: c#, authorization, umbraco, umbraco8

Limit UmbracoAuthorizedController to Umbraco Admin Users Only


I have created a new controller, inherited from Umbraco.Web.Mvc.UmbracoAuthorizedController, and I am trying to limit it to logged-in Umbraco Administrators only.

My current solution displays the view only for logged-in Umbraco users, but I cannot filter for admins only.

Code:

I have a Composer and I set up the route config:

using System.Web.Mvc;
using System.Web.Routing;
using Umbraco.Core.Composing;

public class ApplicationEventComposer : IComposer
{
    public void Compose(Composition composition)
    {
        // Route the controller under the back-office path so that the
        // back-office authentication cookie/identity applies to its requests.
        RouteTable.Routes.MapRoute(
            name: "ITTest",
            url: "umbraco/backoffice/ITTest/{action}/{id}",
            defaults: new { controller = "ITTest", action = "Index", id = UrlParameter.Optional }
        );
        composition.Register<ITTestController>(Lifetime.Request);
    }
}

I have a controller:

using System.Web.Mvc;

// UmbracoAuthorizedController only requires an authenticated back-office user.
public class ITTestController : Umbraco.Web.Mvc.UmbracoAuthorizedController
{
    public ActionResult Index()
    {
        return View("/Views/ITTest/Index.cshtml");
    }
}

I have tried adding different attributes to filter for administrators only, like:

[UmbracoAuthorize(Roles = "admin")]
[UmbracoApplicationAuthorize(Roles = "admin")]
[AdminUsersAuthorize]

I also tried different role names like "admin", "administrator", "administrators", "Administrators" etc., but nothing seems to work.

(Side note: At the moment I am thinking about a workaround and overwrite the OnAuthorization event, but that would be more of a hack than a proper solution.)

Questions:

  • How can I filter the users using Umbraco roles?
  • What are the role names exactly? Are they the user group names or something else?

Update:

(I tried to improve the answer below, but it was rejected, so I will add my findings here)

The [Authorize(Roles = "admin")] one is working!

I was playing around with it. To make it work it still needs to be under "umbraco/backoffice", but it does not have to be a UmbracoAuthorizedController; it seems to work fine when it is (only) a RenderMvcController.

The built-in role names are:

  • "admin"
  • "sensitiveData"
  • "translator"
  • "writer"
  • "editor"

For more info: https://our.umbraco.com/forum/using-umbraco-and-getting-started/99651-limit-umbracoauthorizedcontroller-to-umbraco-admin-users-only#comment-313527


Solution

  • The UmbracoAuthorizedController controller effectively just adds the UmbracoAuthorize attribute to your controller, but it seems this attribute ignores any roles you pass in, and just checks the visitor is an authenticated back-office user.

    You can see this in detail in the AuthorizeCore method in:

    https://github.com/umbraco/Umbraco-CMS/blob/853087a75044b814df458457dc9a1f778cc89749/src/Umbraco.Web/Mvc/UmbracoAuthorizeAttribute.cs

    and the ValidateRequestAttempt method in:

    https://github.com/umbraco/Umbraco-CMS/blob/853087a75044b814df458457dc9a1f778cc89749/src/Umbraco.Web/Security/WebSecurity.cs

    This isn't what I would have expected!

    To achieve what you require you could inherit from the Umbraco.Web.Mvc.UmbracoController controller and decorate it with a standard MVC Authorize attribute.

    I've successfully tested the following in Umbraco 8.2.0:

        using System.Web.Mvc;

        // Plain UmbracoController plus the standard MVC Authorize attribute,
        // which does honour the Roles value (the Umbraco group alias).
        public class ITTestController : Umbraco.Web.Mvc.UmbracoController
        {
            [Authorize(Roles = "someGroup")]
            public ActionResult Index()
            {
                return View("/Views/ITTest/Index.cshtml");
            }
        }


    where someGroup is the Umbraco group you wish to allow.
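As an added example (not code from the question or the answer above), this is the layered form I would use in Umbraco 8: the UmbracoAuthorize check from UmbracoAuthorizedController for "is a back-office user", the standard MVC Authorize attribute for the "admin" group, and an explicit in-action check as defence in depth. It assumes the route is registered under umbraco/backoffice as in the question's Composer, and that Constants.Security.AdminGroupAlias ("admin"), UmbracoContext.Security.CurrentUser and the IUser.IsAdmin() extension are available as in Umbraco 8.2; the controller and view names are hypothetical.

```csharp
using System.Web.Mvc;
using Umbraco.Core;          // Constants.Security.AdminGroupAlias == "admin" (assumed, Umbraco 8)
using Umbraco.Core.Models;   // IUser.IsAdmin() extension method (assumed, Umbraco 8)
using Umbraco.Web.Mvc;

// Hypothetical admin-only back-office controller. Must be routed under
// umbraco/backoffice/... (see the Composer in the question) so that the
// back-office identity and its group-based roles are present on the request.
//
// Layer 1: UmbracoAuthorizedController carries [UmbracoAuthorize], which only
//          verifies an authenticated back-office user and ignores Roles.
// Layer 2: the standard MVC Authorize attribute, which does enforce Roles,
//          using the group alias rather than a guessed display name.
[Authorize(Roles = Constants.Security.AdminGroupAlias)]
public class AdminOnlyToolsController : UmbracoAuthorizedController
{
    public ActionResult Index()
    {
        // Layer 3: re-check inside the action so that a misconfigured or
        // forgotten attribute on a later action cannot silently widen access.
        var currentUser = UmbracoContext.Security.CurrentUser;
        if (currentUser == null || !currentUser.IsAdmin())
        {
            // 403 rather than a login redirect: the user is authenticated,
            // just not an administrator.
            return new HttpStatusCodeResult(403, "Administrators only");
        }

        return View("/Views/AdminOnlyTools/Index.cshtml");
    }
}
```

Because "admin" is a group alias, renaming the group's display name in the back office does not change which users pass the role check.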