IMPORTANT: This version of Sitefinity CMS is out of support and the respective product documentation is no longer maintained and can be outdated. Use the version selector to view a supported product version.

Tutorial: Use role-based permissions for widgets

Sitefinity CMS enables you to hide any number of widgets from the toolbox on backend pages from specific users, based on their user roles. Thus, these users do not see the widgets in the toolbox and do not use them.

You hide widgets by creating a new toolbox item parameter, called DisallowedRoles, for any widget and setting a list of roles that do not have permission to use the specific widget.

In this example, you restrict users with roles Author and Editors to use the Image widget. That is, if a user with an Author or Editors role is editing a page in the backend, the image widget is not visible in the toolbox and the user cannot use it on the page.

Create a toolbox item parameter

To set the user roles that do not see the Image widget in the toolbox:

Navigate to Administration » Settings » Advanced » Toolboxes » Toolboxes » PageControls » Sections » ContentToolboxSection » Tools » ImageControl » Toolbox item parameters.
Click Create new button and enter the following:

In the Key input field, enter DisallowedRoles
In the Value input field, enter the roles, separated by a comma: Authors, Editors

Save your changes.

Add the DisallowedRoles item in your project

In Visual Studio, add the following code in the Global.asax file of your Sitefinity CMS project:

using System;

using System.Collections.Generic;

using System.Linq;

using System.Web;

using System.Web.Security;

using System.Web.SessionState;

using Telerik.Sitefinity.Abstractions;

using Telerik.Microsoft.Practices.Unity;

using Telerik.Sitefinity.Web;

using Telerik.Sitefinity.Web.UI;

using Telerik.Sitefinity.Security.Claims;

using Telerik.Sitefinity.Security;

using Telerik.Sitefinity.Modules.Pages.Configuration;

using Telerik.Sitefinity.Security.Model;

namespace SitefinityWebApp

{

    public class Global : System.Web.HttpApplication

    {

        protected void Application_Start(object sender, EventArgs e)

        {

            Bootstrapper.Initialized += new EventHandler<Telerik.Sitefinity.Data.ExecutedEventArgs>(Bootstrapper_Initialized);

        }

        void Bootstrapper_Initialized(object sender, Telerik.Sitefinity.Data.ExecutedEventArgs e)

        {

            ObjectFactory.Container.RegisterType<PageEditorRouteHandler, CustomPageEditorRouteHandler>();

        }

        public class CustomPageEditorRouteHandler : PageEditorRouteHandler

        {

            protected override void ApplyLayoutsAndControls(System.Web.UI.Page page, System.Web.Routing.RequestContext requestContext)

            {

                base.ApplyLayoutsAndControls(page, requestContext);

                var zoneEditor = page.Form.FindControl("ZoneEditor") as ZoneEditor;

                // ZoneEditor is not available in some cases (for example, when the page is locked)

                if (zoneEditor == null)

                {

                    return;

                }

                Guid userId = SecurityManager.GetCurrentUserId();

                User user = UserManager.GetManager().GetUser(userId);

                var tools = new Dictionary<string, ToolboxItem>();

                foreach (var section in zoneEditor.ControlToolbox.Sections)

                {

                    foreach (ToolboxItem tool in section.Tools)

                    {

                        if (!tools.ContainsKey(tool.Name))

                        {

                            tools.Add(tool.Name, tool);

                        }

                    }

                }

                foreach (var toolboxItem in tools)

                {

                    var disallowedRoles = toolboxItem.Value.Parameters["DisallowedRoles"];

                    if (!string.IsNullOrEmpty(disallowedRoles)) // means that there are role based limitations set for the specific widget

                    {

                        var roleNames = disallowedRoles.Split(CustomPageEditorRouteHandler.RoleSeparator, StringSplitOptions.RemoveEmptyEntries);

                        foreach (var roleName in roleNames)

                        {

                            if (IsUserInRole(userId, roleName.Trim()))

                            {

                                toolboxItem.Value.Enabled = false;

                            }

                        }

                    }

                }

            }

            private bool IsUserInRole(Guid userId, string roleName)

            {

                bool isUserInRole = false;

                RoleManager roleManager = RoleManager.GetManager("AppRoles");

                bool roleExists = roleManager.RoleExists(roleName);

                if (roleExists)

                {

                    isUserInRole = roleManager.IsUserInRole(userId, roleName);

                }

                return isUserInRole;

            }

            private static readonly char[] RoleSeparator = new[] { ',' };

        }

    }

}

In the code above, you get the role of the current user, then go through all widgets and check whether they have a DisallowedRoles property. If the role of the current user is the same as the role specified in DisallowedRoles property, the user cannot see and use the Image widget.
Build your project.

Was this article helpful?

Yes No

Would you like to submit additional feedback?

Your feedback about this content is important

How helpful is this article?

Very helpful Somewhat helpful Not helpful

How can we improve this article?(Optional)

Fix typos or links

Fix incorrect information

Add or update code samples

Add or update illustrations

Add information about...

Send feedback Cancel