New Permissions for Grids

In The Portal Connector, we offer several widgets that display data in a list. These widgets are ListView, Grid and SubGrid. These widgets can be configured to allow adding, editing and deleting records but prior to The Portal Connector 5.0, these features, when configured, were available for everyone. This is clearly not ideal in many situations where only specific users should be allowed to perform these actions.

The added features can be summed up to:

Add, Edit, Delete and Export buttons can be configured to not appear when users are not logged in.
Add and Edit buttons are restricted based on the permissions of the configured destination page.
Delete and Export buttons can be configured to only appear for users in the correct role.

Configuring the New Permissions

The default setting for these buttons is to allow unauthenticated users access to use them with no restrictions if the grid is configured to use them. This is to maintain existing behavior in existing portal installations.

Preventing Unauthenticated access to Grid Buttons

In the Sitefinity backend, open a page that contains a grid.
Open the grids designer by clicking the Edit link in the top corner of the grid widget.
When the designer opens, click the Advanced button in the bottom corner of the designer to open the properties of the widget.
Click the Model button to open the model properties.
Scroll down to find and then click the GridSettings button.
With the Grid Setting open, the properties we are looking for are:
- AllowAnonymousAddButton
- AllowAnonymousDeleteButton
- AllowAnonymousEditButton
- AllowAnonymousExportButton

As mentioned above, these are set to True by default. This means that when you configure a grid to show the delete button (or any of the 4 buttons) it will be clickable by anyone including those who are not logged in. By changing the correct property for the button in question to false, the button will not render for unauthenticated users and therefore cannot be used.

Restricting Access to Add and Edit Buttons

When a page is configured to be used to add or edit a record, you have the ability to restrict access to the page to users with specific roles. If a page cannot be accessed by the logged in user, the button it is configured on will not appear in the grid.

Permissions on a form can be set by opening the Forms page, clicking Actions for the form you want to change them clicking Permissions as shown in the below image. This will allow you to break the permission inheritance from all other forms and let you specify permissions for this specific form.

Form Permissions

Please keep in mind that if AllowAnonymousAddButton or AllowAnonymousEditButton is set to True, the button will be visible regardless of the users role. To enable role restriction you must set the AllowAnonymousAddButton or AllowAnonymousEditButton to False.

Restricting Access to Delete and Export Buttons

Another typical requirement is to prevent users without the correct permissions from performing actions like deleting and exporting.

Delete and Export Buttons

When you enable Deleting or Exporting, a dropdown will appear containing 2 options:

Default
- This option will leave existing behavior in place. In this mode, the AllowAnonymousDeleteButton/AllowAnonymousExportButton setting is the only one that will affect the visibility of the button.
Roles
- This option will show a role picker that will allow you to select 1 or more roles that are allowed to access the button. If a user is not in one of the configured roles, the button will not be rendered.

As with Add and Edit button restrictions, you must set AllowAnonymousDeleteButton or AllowAnonymousExportButton to False to enable this feature.
to enable this feature.

Conclusion

The Portal Connector has added much needed role based permissions for our Grid and ListView widgets giving portal implementers much needed flexibility to restrict users ability to touch data they are not allowed to. These new features move the requirement to implement these restrictions in JavaScript into the widget designer allowing the less technically inclined implementers to satisfy these kind of restriction requirements.