Sitefinity File Manager Part 2: Permissions

After reading part 1 of this Sitefinity File Manager series, you should now have the file manager in Sitefinity’s RadEditor dialog set to load in a default folder. The only thing left is to restrict access to other folders. Additionally, we need to set the default upload folder for incoming files.

FileManager Permissions

By default, the RadEditor provides full access to the entire file system for your website. This means that users can navigate outside of their folder and wreak havoc on your site. So although we have already set the editor to open in their folder by default, we have to make sure that they aren’t allowed to leave it. Fortunately, the fix is very simple.

The file you need to edit is located here:
/Sitefinity/Admin/ControlTemplates/Generic_Content/EditorTemplate.ascx. Once again, we need to replace this file with a full UserControl that includes code-behind. This is done by copying the code from the file, deleting it, creating a new UserControl (be sure to use the exact same file name!), then pasting the code into the new file.

Permissions for the Editor are saved as a group of three string arrays that hold the list of folders that are accessible. One array is for View permissions, the second for Upload permissions, and the last one is for Delete permissions. Using this you can grant read-only access to the full site (or for example, a separate global images folder) while giving the user write and delete permissions only to their own folder. You can even disable delete permissions to ensure that while users can upload files, they can’t mistakenly erase something.

So all we need to do is open up the codebehind file (EditorTemplate.ascx.cs) and add the following code (modified, of course, to fit the roles and file structure of your own website) to the Page_Load method:

// Folders the current user may access; stays empty if no role matches.
string[] paths = new string[] { };

if (Page.User.IsInRole("departmentA"))
    paths = new string[] { "~/images/departmentA" };

else if (Page.User.IsInRole("departmentB"))
    paths = new string[] { "~/images/departmentB" };

else if (Page.User.IsInRole("manager"))
    paths = new string[] { "~/images/departmentA", "~/images/departmentB", "~/images/manager" };

In my case, all users should have full access to their own department folders, so I set the permissions to be the same across the board.

RadEditor1.ImageManager.ViewPaths = paths;
RadEditor1.ImageManager.DeletePaths = paths;
RadEditor1.ImageManager.UploadPaths = paths;

However, user images should be uploaded and stored to an images subfolder, while files (such as PDF documents) should be saved instead to a subfolder in the docs folder. For me the fix was simple:

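// Copy into a new array rather than editing paths in place, since the
// ImageManager properties above were given that same array.
string[] docPaths = new string[paths.Length];
for (int i = 0; i < paths.Length; i++)
    docPaths[i] = paths[i].Replace("/images/", "/docs/");

RadEditor1.DocumentManager.ViewPaths = docPaths;
RadEditor1.DocumentManager.DeletePaths = docPaths;
RadEditor1.DocumentManager.UploadPaths = docPaths;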

However, if your structure is different, you may need to create an additional set of arrays based on the permissions you need to set.
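As an added example (not code from the original post, Sitefinity or Telerik), here is one way to build separate View, Upload and Delete arrays so that users get read-only access to a shared folder, write access only to their own folders, and optionally no delete rights. The `EditorPaths` and `EditorPathPolicy` names and the `~/images/global` folder are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical helper (not part of Sitefinity or Telerik): one array per permission.
public sealed class EditorPaths
{
    public string[] View = new string[0], Upload = new string[0], Delete = new string[0];
}

public static class EditorPathPolicy
{
    // Assumed layout: one folder per department plus a shared read-only folder.
    const string Shared = "~/images/global";
    static readonly Dictionary<string, string[]> Writable = new Dictionary<string, string[]>
    {
        { "departmentA", new[] { "~/images/departmentA" } },
        { "departmentB", new[] { "~/images/departmentB" } },
        { "manager", new[] { "~/images/departmentA", "~/images/departmentB", "~/images/manager" } },
    };

    // isInRole is Page.User.IsInRole in the code-behind; allowDelete switches
    // deletion off while still permitting uploads.
    public static EditorPaths For(Func<string, bool> isInRole, bool allowDelete)
    {
        // Union over every matching role, so a user in two roles gets both
        // sets of folders instead of only the first branch that matches.
        string[] own = Writable.Where(r => isInRole(r.Key))
                               .SelectMany(r => r.Value)
                               .Distinct(StringComparer.OrdinalIgnoreCase)
                               .ToArray();
        var result = new EditorPaths();
        if (own.Length == 0) return result;   // no known role: all three arrays stay empty
        result.View = own.Concat(new[] { Shared }).ToArray();   // shared folder is view-only
        result.Upload = own;
        result.Delete = allowDelete ? own : new string[0];
        return result;
    }
}

public static class Demo
{
    public static void Main()
    {
        var roles = new HashSet<string> { "departmentA" };   // constructed sample user
        EditorPaths p = EditorPathPolicy.For(roles.Contains, false);
        Console.WriteLine("View:   " + string.Join(", ", p.View));
        Console.WriteLine("Upload: " + string.Join(", ", p.Upload));
        Console.WriteLine("Delete: " + string.Join(", ", p.Delete));
    }
}
```

In the code-behind you would pass `Page.User.IsInRole` and assign `p.View`, `p.Upload` and `p.Delete` to `RadEditor1.ImageManager.ViewPaths`, `UploadPaths` and `DeletePaths`.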

And that’s all there is to securing your File Manager! Now, all we need to do is set the default upload folder for incoming files. This too, is very simple.

Default Upload Folder – *EditorDialog

When you first open the image/document selector button in RadEditor, the first option you’re given is the ability to upload a new file from your computer. By default this goes into the root of the site, which isn’t helpful at all. What’s more, there is no option to change it in the editor! Fortunately, we only need to modify two files:

/Sitefinity/UserControls/Dialogs/ImageEditorDialog.aspx
/Sitefinity/UserControls/Dialogs/DocumentEditorDialog.aspx

First, open both files, locate the ImageEditorDialog user control in each, and give it an ID so we can access it from the code-behind:

<lib:ImageEditorDialog ID="imgpicker" runat="server" DisplayMode="Images" />

Now all you have to do is go into the codebehind for each page and set the DefaultUploadFolder property of the control that was just identified.

protected void Page_Load(object sender, EventArgs e)
{
    if (User.IsInRole("departmentA"))
        imgpicker.DefaultUploadFolder = "~/images/departmentA";
    else if (User.IsInRole("departmentB"))
        imgpicker.DefaultUploadFolder = "~/images/departmentB";
}

And once again, that’s all there is to it. Since the editors are separated (documents and images) you can set a different folder for each based on whether the user is uploading images or documents. This is going to save me a TON of work and significantly ease the amount of training I need to do. I hope you find it helpful as well. As always, your comments are welcome and appreciated!

selaromdotnet

Senior Developer at iD Tech
Josh loves all things Microsoft and Windows, and develops solutions for Web, Desktop and Mobile using the .NET Framework, Azure, UWP and everything else in the Microsoft Stack. His other passion is music, and in his spare time Josh spins and produces electronic music under the name DJ SelArom.