Sitefinity’s permission attributes explained

If you plan on developing custom modules or custom content types in Sitefinity, you will likely have to work with Sitefinity's various permission attributes. Here is a quick rundown of each one and what it offers:

[ValuePermission(SamplePermissions.Sets.Stores.SetName, SamplePermissions.Sets.Stores.Create)]
public abstract Store CreateStore();
// You need this permission on the value the method returns, in this case the created store. Keep in mind that this attribute still allows the method to be executed; only using/displaying the output is subject to permissions.

[MethodPermission(SamplePermissions.Sets.Stores.SetName, SamplePermissions.Sets.Stores.Create)]
public abstract Store CreateStore();
// You need this permission to run this method. Without the Create permission, you cannot execute it.

[ParameterPermission("storeToDelete", SamplePermissions.Sets.Stores.SetName, SamplePermissions.Sets.Stores.Delete)]
public abstract void Delete(Store storeToDelete);
// Need this permission on the specified parameter in order to execute the method. Your parameter should be something which contains permissions (ISecuredObject).

[EnumeratorPermission(SamplePermissions.Sets.Stores.SetName, SamplePermissions.Sets.Stores.View)]
public abstract IQueryable<Store> GetStore();
// For each item in this IEnumerable, you need this permission. Similar to ValuePermission in the sense that the returned value is subject to permissions.

[GlobalPermission("ManageUsers")]
public abstract void AddUserToRole(User user, Role role);
// These are intended for Sitefinity backend permissions. You pass in the name of the global permission to the attribute and it checks for that permission in order for the method to be executed. You can see the full list of options in Telerik.Sitefinity.Security.SecurityConstants.Sets.Backend in the Telerik.Sitefinity.Model assembly.

[TypedMethodPermission(typeof(Store), SamplePermissions.Sets.Stores.SetName, SamplePermissions.Sets.Stores.Create)]
// There are a variety of TypedPermission attributes. They allow you to specify that you need these permissions on the given type. There are typed versions of nearly all of the above attributes except Global: TypedValuePermission, TypedMethodPermission, TypedParameterPermission, and TypedEnumeratorPermission.

[TransactionPermission(typeof(Store), SamplePermissions.Sets.Stores.SetName, SecurityConstants.TransactionActionType.Updated, SamplePermissions.Sets.Stores.Manage)]
// This attribute is what truly protects against unwanted entries into the database. Even if someone manages to execute the CreateStore method, this attribute can block the transaction from ever hitting the database.
public override void CommitTransaction()

[TransactionPermission(typeof(Category), SamplePermissions.Sets.Stores.SetName, "Store", SecurityConstants.TransactionActionType.None, SamplePermissions.Sets.Stores.Manage)]
public override void CommitTransaction()
// This is the same attribute as above, but a different overload. This one allows you to pass in a property name of the committed object. In this case, the item is a Category (so someone just attempted to create a new Category). The attribute will look at the Store property (the navigation property back to our Store model) and verify this permission against the Store item. Very helpful for scenarios where permissions are all determined by the parent object (like Blog vs. Blog Post).
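
A coverage check for the attributes above, as an added example that is not from the original post or from Sitefinity: it uses reflection to list the public methods of a provider that carry no permission attribute at all. The MethodPermissionAttribute stand-in, the SampleStoreProvider class, and recognising attributes by the "PermissionAttribute" type-name suffix are assumptions made so the sample compiles without the Sitefinity assemblies.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;

// Stand-in attribute so the sample compiles without Sitefinity (constructed for this example).
[AttributeUsage(AttributeTargets.Method, AllowMultiple = true)]
class MethodPermissionAttribute : Attribute
{
    public MethodPermissionAttribute(string setName, params string[] actions) { }
}

class Store { }

// Constructed sample provider: Delete and CommitTransaction are deliberately left unprotected.
abstract class SampleStoreProvider
{
    [MethodPermission("Stores", "Create")]
    public abstract Store CreateStore();

    public abstract void Delete(Store storeToDelete);

    public virtual void CommitTransaction() { }
}

static class PermissionAudit
{
    // Assumption: permission attributes are recognised by type name, not by a Sitefinity base class.
    static bool IsPermissionAttribute(Attribute a) =>
        a.GetType().Name.EndsWith("PermissionAttribute", StringComparison.Ordinal);

    // Returns the public instance methods declared on the provider that carry no permission attribute.
    public static List<string> FindUnprotected(Type provider) =>
        provider.GetMethods(BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly)
                .Where(m => !m.IsSpecialName) // skip property and event accessors
                .Where(m => !m.GetCustomAttributes(inherit: true)
                              .OfType<Attribute>().Any(IsPermissionAttribute))
                .Select(m => m.Name)
                .OrderBy(n => n, StringComparer.Ordinal)
                .ToList();

    static void Main()
    {
        foreach (var name in FindUnprotected(typeof(SampleStoreProvider)))
            Console.WriteLine("No permission attribute: " + name);
    }
}
```

A method flagged here is not necessarily exposed, since a check may happen elsewhere, but it is a place to confirm that the omission is intentional.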

Hope this helps!
