Techniques For Securing Pages

In Piranha CMS Tags #Development #Tutorials Published 2019-03-22

Even though Piranha has a very flexible security model there are some easy techniques you can use when you want to restrict access to certain pages. In this short tutorial we'll show two simple ways you can acheive this. Please note that this is not the only way you can implement this, you can do it in any number of ways.

Special Page Types

As most content types will end up with a special route, a very simple solution is to simply add a special Page type for restricted pages and handle the authorization in the controller action.

using Piranha.AttributeBuilder;
using Piranha.Models;

[PageType(Title = "Secure Page")]
[PageTypeRoute(Title = "Default", Route = "/securepage")]
public class SecurePage : Page<SecurePage>
{
// Basic page with block content and no other regions
}

Then you can handle the authorization in the action handling the specified route in any way you want, for example:

using Microsoft.AspNetCore.Mvc;

public class CmsController : Controller
{
...

[Route("securepage")]
[Authorize(Policy = "MyCustomPolicy")]
public IActionResult SecurePage(Guid id)
{
...
}

...
}

The downside of this technique is of course that you need a lot of different page types and making a non-restricted page restricted basically means recreating it with a different page type.

Using Multiple Routes

A neater solution is to provide multiple routes for your page types that handle if the page should be restricted or not. This can be achieved by adding more than one PageTypeRouteAttribute to your content type.

using Piranha.AttributeBuilder;
using Piranha.Models;

[PageType(Title = "Standard Page")]
[PageTypeRoute(Title = "Default", Route = "/standard")]
[PageTypeRoute(Title = "Restricted", Route = "/standardrestricted")]
public class StandardPage : Page<StandardPage>
{
// Basic page with block content and no other regions
}

By providing multiple routes to a page a dropdown will appear in the pages settings where the editor can choose which route should be used.

In the controller action the same technique applies as when using multiple content types.

using Microsoft.AspNetCore.Mvc;

public class CmsController : Controller
{
...

//
// Standard page without authorization
//
[Route("standard")]
public IActionResult Standard(Guid id)
{
...
}

  //
// Standard page with authorization
//
[Route("standardrestricted")]
[Authorize(Policy = "MyCustomPolicy")]
public IActionResult StandardRestricted(Guid id)
{
// We are authorized, let's reuse the logic in
// the standard action.
return Standard(id);
}

...
}

Conlusion

As you can see you can apply authorization to your pages using the built in features of Piranha, and since there's no connection to any special kind of authorization it's very simple to integrate it to whatever method of authentication and authorization you're currently using.

Have you secured your pages in a different way, let us know in the comments so everyone else can see other ways to implement the same functionality.