BlogEngine.net 1.3/1.4 supports user roles.  But we can't seem to be able to make it mandatory for users to sign in to see blog posts.  That's not something you usually want on a public blog, but for a corporate blog, maybe you want to make sure your news only gets to the people you want.  This seemed like a perfect candidate for a BlogEngine extension.

User Filtering

In our scenario, we don’t want any unregistered users to be able to see blog posts.  This can be easily checked by calling Membership.GetUser() and ensuring the returned value is not null.  We could filter out specific users as well, but we didn’t implement this feature in our extension.

Post Filtering

It could be interesting to restrict who can see the posts in a specific blog category.  For example, a blog category “Top Secret” which can only be read by your company's upper management…  Not very likely in a blog, but you get the point.  Our extension does this filtering by associating a blog Category with a membership Role in the extension’s settings.

image

By associating a membership role with a blog category name, the extension ensures the user has this role before displaying a post associated with this blog category name.  If you add two roles for the same category, posts with this category will only be served if the user has both roles.

Adding a setting with an empty category name will ensure that all posts require a particular role.

Code

using System;
using System.Data;
using System.Configuration;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using BlogEngine.Core;
using BlogEngine.Core.Web.Controls;
using System.Collections.Generic;
 
/// <summary>
/// Summary description for PostSecurity
/// </summary>
[Extension("Checks to see if a user can see this blog post.",
            "1.0", "<a href=\"http://www.lavablast.com\">LavaBlast.com</a>")]
public class PostSecurity
{
    static protected ExtensionSettings settings = null;
 
    public PostSecurity()
    {
        Post.Serving += new EventHandler<ServingEventArgs>(Post_Serving);
 
        ExtensionSettings s = new ExtensionSettings("PostSecurity");
 
        s.AddParameter("Role", "Role", 50, true);
        s.AddParameter("Category", "Category", 50);
 
        // describe specific rules for entering parameters
        s.Help = "Checks to see if the user has any of those roles before displaying the post. ";
        s.Help += "You can associate a role with a specific category. ";
        s.Help += "All posts having this category will require that the user have the role. ";
        s.Help += "A parameter with only a role without a category will enable to filter all posts to this role. ";
 
        s.AddValues(new string[] { "Registered", "" });
 
        ExtensionManager.ImportSettings(s);
        settings = ExtensionManager.GetSettings("PostSecurity");
    }
 
    protected void Post_Serving(object sender, ServingEventArgs e)
    {
        Post post = (Post)sender;
        bool continu = false;
 
        MembershipUser user = Membership.GetUser();
 
        continu = user != null;
 
        if (user != null)
        {
            List<string> categories = new List<string>();
            foreach (Category cat in post.Categories)
                categories.Add(cat.Title);
 
            string[] r = Roles.GetRolesForUser();
 
            List<string> roles = new List<string>(r);
 
            DataTable table = settings.GetDataTable();
            foreach (DataRow row in table.Rows)
            {
                if (string.IsNullOrEmpty((string)row["Category"]))
                    continu &= roles.Contains((string)row["Role"]);
                else
                {
                    if (categories.Contains((string)row["Category"]))
                        continu &= roles.Contains((string)row["Role"]);
                }
            }
        }
 
        e.Cancel = !continu;
    }
}

 

Simply saving this code in a .cs and putting it in your App_Code/Extensions for BlogEngine.net shall enable the plugin.

kick it on DotNetKicks.com