Building a media authorization package for Umbraco 8
Umbraco has built-in authorization for pages but when it comes to media, you're up the creek with no paddle!
We've been building Umbraco sites for years but have only recently had a client with the requirements to protect their media.
Having research this, there are a few articles out there describing how to achieve authorized media they're often limited in scope and aren't as full featured as we'd ideally like.
There is a relatively featured rich package available for Umbraco but it's a little expensive depending on the size of your client. More importantly we couldn't easily expand the features to the specific requirements we have.
For these reasons we've decided to create our own. And because we love the Umbraco community and want to give something back we're going to open source our work and publish our own media authorization nuget package: CodeWizards.Umbraco.MediaAuthorization.
Our first goal is to achieve relative feature parity with current available solutons:
- Role based permissions on Media files and folders
- Logging of anauthorized requests
- Configurable Login / unauthrized pages
- Backoffice UI to manage the package.
- Minimal code setup
Minimal code setup is one of our main points so what does this look like?
public class MediaComposer : ComponentComposer<MediaAuthorizationComponent>
That's it. One class to compose the media authorization component.
This wires up all the required services in to Umbraco's DI Container, registers the relevant middle ware and takes care of adding the required properties to the media types.
Configure Login / Access denies pages:
Now you've installed the package, you'll have new options in the settings section of umbraco:
Config is where you specify the login / access denied pages (along with other settings in the future):
And Log is where the access logs are stored:
One of the benefits of our logs page is that it utilizes Umbraco "Infinite Editing" features to open the media and member nodes.
Now that we're installed and configured setting up authorization is as simple as adding one (or more) groups to a Image, File or Folder:
Now, unauthenticated / unauthorized requests will be logged under the logs option in the back office.
Unauthenticated requests will be redirected to the login page with a "returnUrl" parameter for the media the user was attempting to browse.
Unauthorized requests will be redirected to the "Access Denied Page".
If the Login page or Access denied page are not specified then the server will return a HTTP status code 403 (forbidden)
In addition if you need to add more media "types" then merely adding a required group property to it (with the alias "requiredGroup") will allow the package to authroize those as it does other media types.
And it's as easy as that!
CodeWizards.Umbraco.MediaAuthorization will be on nuget soon.
We'll update this article with the link to the nuget package and the link to the github page once it's live.
Please comment with any suggestions for future features / questions you might have!