
Permissions for functions with code

Define custom permissions, query access at runtime, and expose permissions as virtual roles for fine-grained access control in CMS 13.

CMS 13 includes a permissions-to-functions system that controls access to individual operations. Restrict sensitive functionality to authorized users and roles without custom authorization logic.

Assign users and roles to permissions in the administrative interface under Config > Permissions to functions. Built-in permissions include web service access and detailed exception message display. For UI-based management, see manage permissions for functions in the user interface.

Use permissions to functions

Query whether a user has permission to perform a function with EPiServer.Security.PermissionService or the simplified PrincipalInfo API:

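// Alt 1: resolve PermissionService and check an explicit principal
bool hasPermission = ServiceLocator.Current.GetInstance<PermissionService>().IsPermitted(HttpContext.Current.User, SystemPermissions.DetailedErrorMessage);

// Alt 2: check the current principal through PrincipalInfo (use instead of Alt 1, not together with it)
bool hasPermission = PrincipalInfo.Current.IsPermitted(SystemPermissions.DetailedErrorMessage);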

Define permissions to functions in code

Create a class with the PermissionTypes attribute to define custom permissions. Optimizely discovers these classes automatically and displays them in the administrative interface. Permission names must be unique within a group. Choose a group name unique to the solution. Register permission types with EPiServer.DataAbstraction.PermissionTypeRepository to support dynamic creation of permissions.

[PermissionTypes]
public static class MyCustomPermissions {
  public const string GroupName = "MyCustomPermissions";

  static MyCustomPermissions() {
    EditSettings = new PermissionType(GroupName, "EditSettings");
    ViewSettings = new PermissionType(GroupName, "ViewSettings");
  }

  public static PermissionType EditSettings { get; private set; }
  public static PermissionType ViewSettings { get; private set; }
}

Define readable descriptions for the group and permissions in a language resource file. Under <groups>, add an element named after the GroupName (such as <MyCustomPermissions>) that contains a <description> for the group and, under <permissions>, one element per permission name (such as <EditSettings> and <ViewSettings>):

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<languages>
  <language name="English" id="en">
    <admin>
      <permissiontype>
        <groups>
          <MyCustomPermissions>
            <description>Custom settings functions</description>
            <permissions>
              <EditSettings>Allows users to access edit settings</EditSettings>
              <ViewSettings>Allows users to access view settings</ViewSettings>
            </permissions>
          </MyCustomPermissions>
        </groups>
      </permissiontype>
    </admin>
  </language>
</languages>

Protect a controller with a permission

Apply the AuthorizePermission attribute to restrict access to an MVC controller based on permissions to functions:

[AuthorizePermission("MyCustomPermissions", "EditSettings")]
public class EditSettingsController: Controller {
  public ActionResult Index() {
    return View();
  }
}
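
As an added example (not Optimizely's own code), the controller below combines the attribute with a runtime check so that viewing requires ViewSettings while saving also requires EditSettings. It assumes an ASP.NET Core MVC host, that PermissionService can be constructor-injected, and that AuthorizePermission lives in EPiServer.Web.Mvc; SettingsController, SettingsInput and SiteTitle are hypothetical names.

```csharp
using EPiServer.Security;          // PermissionService (named on this page)
using EPiServer.Web.Mvc;           // assumed namespace of AuthorizePermission
using Microsoft.AspNetCore.Mvc;    // assumes an ASP.NET Core MVC host

// Read access is enforced declaratively for the whole controller;
// the state-changing action additionally requires EditSettings.
[AuthorizePermission("MyCustomPermissions", "ViewSettings")]
public class SettingsController : Controller
{
    private readonly PermissionService _permissions;

    // Assumption: PermissionService is registered in the DI container.
    public SettingsController(PermissionService permissions)
    {
        _permissions = permissions;
    }

    [HttpGet]
    public IActionResult Index()
    {
        // Lets the view hide the edit form; this is a UI hint, not the control.
        ViewData["CanEdit"] = CanEdit();
        return View();
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public IActionResult Save(SettingsInput input)
    {
        // Re-check on the server: a hidden form can still be posted by hand.
        if (!CanEdit())
        {
            return Forbid();
        }
        if (!ModelState.IsValid)
        {
            return View("Index");
        }
        // Hypothetical: persist input.SiteTitle here.
        return RedirectToAction(nameof(Index));
    }

    private bool CanEdit() =>
        _permissions.IsPermitted(User, MyCustomPermissions.EditSettings);
}

// Hypothetical input model for this example.
public class SettingsInput { public string SiteTitle { get; set; } }
```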

Expose permissions to other systems with virtual roles

Some systems validate roles but not permissions. Expose a permission as a virtual role to bridge this gap:

[InitializableModule]
[ModuleDependency(typeof(EPiServer.Web.InitializationModule))]
public class VirtualRoleInitializer: IInitializableModule {
  public void Initialize(InitializationEngine context) {
    var virtualRoleRepository = context.Services.GetRequiredService<IVirtualRoleRepository>();

    virtualRoleRepository.Register("EditSettingsVirtualRole", new PermissionRole {
      Permission = MyCustomPermissions.EditSettings
    });
  }

  public void Uninitialize(InitializationEngine context) {}

}