Give ADMIN tabs access to Non-Admin DotNetNuke Users (Pages, File Manager, etc)
Posted by: mamlin, 11/21/2008 1:42 PM
THIS ARTICLE APPLIES TO DNN VERSIONS PRIOR TO 5.0
The DotNetNuke framework is great in many ways but its website administration rights are not very granular. In many cases you either need to have full admin rights or you simply won't be allowed to perform a critical function (like create new web pages). Well, there is a trick you can do to extend certain ADMIN rights to selected users without actually making them administrators. Best of all, you can do it from within the DNN UI...
THE ISSUE: ADMIN tabs only available to ADMINISTRATORS
Let's say you've got a group of "content management" users who need to be able to create and edit web pages. In short, they need complete access to the PAGES admin tab interface. Unfortunately, PAGES can only be accessed by users who are ADMINISTRATORS and is therefore not available to non-admins. Or is it?
There is a simple method you can use to make ADMIN tabs available to any user role.
Two Methods: PARENT PAGE and PARENTID
The secret is to use the "PARENT PAGE" setting of the PAGES page to move PAGES out of the ADMIN tab area. Unfortunately, the pages under the ADMIN tab do not allow you to access the PAGE SETTINGS. Fortunately there are two ways we can set the "PARENT PAGE" value:
Method 1: Use the DNN UI (PARENT PAGE)
If you do not have database access (or are simply not comfortable mucking around with SQL) you can move the PAGES page using your site's web pages. Here's how:
- Log in to your portal as an administrator.
- Browse to ADMIN->PAGES. Look at the URL and make a note of the tabid value (the number in the URL following "/tabid/").
- Copy-and-paste the following URL into your browser, substituting your own domain and tabid values:
http://{your domain}/tabid/{your tabid}/ctl/Tab/action/edit/Default.aspx
- Now you should be on your PAGES' page SETTINGS. Change the "PARENT PAGE" value from "ADMIN" to something outside of "ADMIN" (or to "None Selected").
That's it! Now you can use the PERMISSIONS settings to decide which users can see/edit the PAGES page.
Method 2: Use SQL (PARENTID)
If you do have database access and are comfortable with SQL UPDATEs you can accomplish the same thing as Method 1 directly from the DB. Simply UPDATE the TABS table with "PARENTID = NULL" where "TABID = {your PAGES tabid}". Done. Be sure to go back to the PAGES page's SETTINGS to set up your user permissions.
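Method 2 as a guarded T-SQL script, added here as an example (it is not the original author's code): it shows the page's current parent, applies the change inside a transaction, and then lists the permission rows that now decide who can reach the moved page. It assumes SQL Server, a stock DNN 4.x schema with no object qualifier, and the TabPermission, Permission and Roles tables as named below; @TabId is a placeholder.

```sql
-- Added example (T-SQL). Assumes the stock DNN 4.x tables Tabs, TabPermission,
-- Permission and Roles with no objectQualifier prefix; verify the names
-- against your own database before running.
DECLARE @TabId int;
SET @TabId = 0;  -- placeholder: the tabid noted from the ADMIN->PAGES URL

BEGIN TRANSACTION;

-- Before: confirm this is the page you mean and see its current parent.
SELECT t.TabID, t.PortalID, t.TabName, t.ParentId, p.TabName AS ParentName
FROM Tabs t
LEFT JOIN Tabs p ON p.TabID = t.ParentId
WHERE t.TabID = @TabId;

-- The change described in Method 2.
UPDATE Tabs SET ParentId = NULL WHERE TabID = @TabId;

-- Commit only if exactly one tab row was touched.
IF @@ROWCOUNT <> 1
BEGIN
    ROLLBACK TRANSACTION;
    RAISERROR('Expected exactly one tab row; nothing was changed.', 16, 1);
END
ELSE
BEGIN
    COMMIT TRANSACTION;
END

-- After: the page is no longer shielded by the ADMIN parent, so these rows
-- are what control access. Negative RoleID values are DNN's built-in
-- pseudo-roles (for example -1 is All Users) and have no row in Roles.
SELECT tp.TabID, pm.PermissionKey, tp.RoleID, r.RoleName, tp.AllowAccess
FROM TabPermission tp
JOIN Permission pm ON pm.PermissionID = tp.PermissionID
LEFT JOIN Roles r ON r.RoleID = tp.RoleID
WHERE tp.TabID = @TabId
ORDER BY pm.PermissionKey, tp.RoleID;
```

DNN caches tab data, so the move may not show in the menu until the cache is cleared or the application restarts.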
OTHER ADMIN PAGES
This same trick can be used on other ADMIN tabs (we often do this with both the PAGES tab and the FILE MANAGER* tab). Just remember to be extra careful about what tabs you move and what permissions you set. The IT security rule-of-thumb is "Always give only the minimal level of access needed to accomplish a goal".
*** A special note about FILE MANAGER:
The FILE MANAGER requires a few extra steps to be functional for non-admins. The FILE MANAGER module utilizes a special "UPLOADROLES" module setting that determines who can upload files. In addition to the steps above, you'll need to add a database entry (via SQL) for each user security role that you wish to grant upload rights to. I recommend creating a new security role called "FileAdmin" so you can easily administer file management rights separate from other security roles.
Instructions for granting file management rights:
You MUST use SQL for this (if you do not have a SQL management tool/editor and have a HOST account for your DNN site you can execute SQL using the basic interface under HOST->SQL).
- Go to ADMIN->SECURITY ROLES and create a new security role named "FileAdmin".
- Using SQL, run the following query to determine the role ID value of your new "FileAdmin" role:
Select ROLEID, PORTALID from ROLES where ROLENAME = 'FileAdmin'
Note that, if you have more than one portal, you will have more than one value returned if you've created this role on multiple portals. Use the PORTALID value to determine which ROLEID value to use. If this is the first time you've done this you should only have one ROLEID value returned.
- Now we need to know the module Id of the File Manager module. Using SQL, run the following query:
Select MODULEID, PORTALID from MODULES
where ModuleTitle = 'File Manager'
Again, as in step 2, if you have multiple portals then use the PORTALID value to determine which MODULEID is the correct one for the portal you're working with.
- Using SQL, run the following INSERT to add the "FileAdmin" role to the list of roles allowed to upload files using the FILE MANAGER module:
INSERT INTO MODULESETTINGS ( ModuleID, SettingName, SettingValue )
VALUES ( {your moduleid}, 'uploadroles', {your roleid} )
- Now we need to grant edit rights to the FILE ADMIN module. To get to the module's SETTINGS page we'll use the same trick we used to get to the FILE MANAGERS page settings. In your browser, enter the following URL:
http://{your domain}/tabid/{your tabid}/ctl/Module/ModuleId/{your moduleid}/Default.aspx
Under PERMISSIONS grant "EDIT" rights to the new "FileAdmin" role.
- Finally, on the FILE MANAGER page under FOLDER SECURITY SETTINGS, give both "View Folder" and "Write to Folder" rights to the "FileAdmin" security role for the ROOT folder.
- (THIS STEP IS OPTIONAL) One quirk with this is that those who get "EDIT" rights to the FILE ADMIN module will also end up getting a partial CONTROL PANEL display (the admin/page editor bar across the top of the page, above the skin). This is unnecessary and potentially confusing. It doesn't hurt anything, but if you'd prefer it to not appear you can add the following line to the very bottom of your DNN skin file (sorry - this won't work from inside a Text/HTML module or from within a page's Header Tags setting):
<% If Not DotNetNuke.Security.PortalSecurity.IsInRoles(PortalSettings.AdministratorRoleName) Then %>
<style>.ControlPanel{display:none}</style>
<% End If %>
Please note that this will hide any HTML element using the CSS class "ControlPanel". To limit this change to your File Manager page: Create a copy of your skin's .ASCX file, apply this change to the copy and set your File Manager page settings to use the copy instead of the default skin.
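The SQL steps above (role lookup, module lookup, INSERT) combined into one portal-scoped T-SQL script, added here as an example and not taken from the original post. It refuses to guess when the portal has no FileAdmin role or more than one File Manager module, does not insert a second 'uploadroles' row, and ends with a review query of every upload grant; @PortalId is a placeholder and the guards are this example's own.

```sql
-- Added example (T-SQL). Table and column names follow the queries in the
-- steps above; @PortalId is a placeholder you must replace.
DECLARE @PortalId int, @RoleId int, @ModuleId int, @Modules int;
SET @PortalId = 0;  -- placeholder: PORTALID of the portal you are working with

-- Step 2: the FileAdmin role for this portal only.
SELECT @RoleId = ROLEID
FROM ROLES
WHERE ROLENAME = 'FileAdmin' AND PORTALID = @PortalId;

-- Step 3: the File Manager module for this portal only.
SELECT @Modules = COUNT(*), @ModuleId = MIN(MODULEID)
FROM MODULES
WHERE ModuleTitle = 'File Manager' AND PORTALID = @PortalId;

IF @RoleId IS NULL OR @Modules <> 1
BEGIN
    RAISERROR('Need a FileAdmin role and exactly one File Manager module in this portal.', 16, 1);
END
ELSE IF EXISTS (SELECT 1 FROM MODULESETTINGS
                WHERE ModuleID = @ModuleId AND SettingName = 'uploadroles')
BEGIN
    -- A grant already exists: show it rather than inserting a second row.
    SELECT ModuleID, SettingName, SettingValue
    FROM MODULESETTINGS
    WHERE ModuleID = @ModuleId AND SettingName = 'uploadroles';
END
ELSE
BEGIN
    -- Step 4: the same INSERT as above, using the looked-up values.
    INSERT INTO MODULESETTINGS (ModuleID, SettingName, SettingValue)
    VALUES (@ModuleId, 'uploadroles', CAST(@RoleId AS nvarchar(20)));
END

-- Review: every upload grant in the database, so stale or unexpected
-- roles are visible after the change.
SELECT m.PORTALID, ms.ModuleID, m.ModuleTitle, ms.SettingValue
FROM MODULESETTINGS ms
JOIN MODULES m ON m.MODULEID = ms.ModuleID
WHERE ms.SettingName = 'uploadroles'
ORDER BY m.PORTALID, ms.ModuleID;
```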
Whew! Ok, so that's a lot tougher than it was to get the FILE MANAGER page out of the ADMIN area. Fortunately you found our blog and (hopefully) our notes have saved you some time and headache. At the very least, if you decide this looks a bit too complicated then you can feel better about shelling out some cash for a third party file management module.
UPDATE (11-24-2008):
This blog entry was referenced in a thread over in the DotNetNuke.com forums. One of the ensuing comments came from the well-known Mitchel Sellers, a longtime DNN developer and contributor up in Iowa and a current member of the DNN "Documents" core module development team. Mitchel pointed out that the ADMIN modules were never intended to be shared among non-admin users and that there could be security risks involved in doing so.
Quite right! Although the underlying functionality is already built into DNN for sharing ADMIN modules as well as for moving them around to various pages on a portal (same as "normal" modules), the ADMIN modules themselves have probably not been inherently subjected to the same level of vulnerability testing as non-admin modules which get a much greater pounding via use by the general (non-admin) DNN population.
Keeping that in mind, admins would be well-served to follow the rule-of-thumb advice I cited before: "Always give only the minimal level of access needed to accomplish a goal".
Thanks for reading, Mr. Sellers!
Comments (17)
Re: Give ADMIN tabs access to Non-Admin DotNetNuke Users (Pages, File Manager, etc)
Saran
11/24/2008 9:21 PM
Hi Mamlin, I followed each and every step you've specified in the blog. But still I'm getting the same message: "Either you are not currently logged in, or you do not have access to this content." Still no luck! Am I missing something? Thanks, Saran
Re: Give ADMIN tabs access to Non-Admin DotNetNuke Users (Pages, File Manager, etc)
mamlin
1/21/2009 11:48 PM
Saran- If you're not already doing so, I'd recommend trying your proof-of-concept on a DNN instance with a single portal since this means you'll only have one FILEMANAGER module to worry with. Following are a few things to double-check (assumes you've created a new user security role called 'FileAdmin'):
(1) In MODULESETTINGS, make an entry for -every- FILEMANAGER module ID with SETTINGNAME = 'uploadroles' and SETTINGVALUE ='FileAdmin'. It's safe to do this for every instance of FILEMANAGER since your users will still only be able to access and use FILEMANAGER on portals you've added the 'FileAdmin' role to.
Also: You should be able to use either the actual role name or the ROLEID integer value. If you're using the name, use 'FileAdmin' for the SETTINGVALUE. If you're using the ROLEID integer value, try adding a semicolon before and after the value. Example: If your 'FileAdmin' ROLEID is 12, insert ';12;' instead of '12' as your SETTINGVALUE.
(2) For your target FILEMANAGER module, make sure you have given "EDIT MODULE" rights to the "FileAdmin" role.
(3) For your target FILEMANAGER module, make sure you have "VIEW FOLDER" and "WRITE TO FOLDER" options checked for the 'FileAdmin' role for the "PORTAL ROOT" folder. To ensure this is set for "PORTAL ROOT", first select "Portal Root" under the FILEMANAGER's "Folders" area, then check the "WRITE TO FOLDER" option for 'FileAdmin' under the "Folder Security Settings / Permissions" section and then click "UPDATE" to save the settings.
(4) Finally, when testing the upload function make sure the account you're logged in with has the 'FileAdmin' role.
Re: Give ADMIN tabs access to Non-Admin DotNetNuke Users (Pages, File Manager, etc)
Diane
12/12/2008 5:20 PM
Can this also work for a large group of users, set up to have access to their own pages. The problem becomes when they want to upload or import photos or documents from their own computer, they are only seeing the browse server option which shows only the webserver files. Can you set up a user or user group to only have access to external uploads...from their computers to upload from?
Re: Give ADMIN tabs access to Non-Admin DotNetNuke Users (Pages, File Manager, etc)
mamlin
12/12/2008 5:39 PM
Diane- If you're referring to uploading images via the Blog and/or Text/HTML module, I believe you may be overlooking the file upload feature of the "insert image" popup box -- it's very easy to miss as the option is buried within the "browse server files" option. EXAMPLE: To upload an image from your PC's local drive and insert it into a Blog posting or a Text/HTML module, go into EDIT mode for a Blog posting or Text/HTML module and click the "Insert/Edit Image" icon in the text editor menu. This brings up an "Image Properties" popup box. Click the "Browse Server" button to bring up an "Image Gallery" box. Now, at the top-right of this box there should be a single-line text input and a "Browse" button next to an "Upload File" link. If you do not see this then your DNN account does not have EDIT permissions for your portal's root folder (an admin will need to go into the File Manager module and set EDIT permissions on the ROOT folder for the specific user or for the appropriate security group). If you DO see the "Browse" button, click it and a new popup will open showing you the files on YOUR computer. Select one, click "upload file" and the file will be uploaded to the currently selected server directory (the portal's ROOT directory by default). You can then click on the server's copy of the file to have it inserted into your Blog posting / Text module. Try that and let me know how it works for you (or tell me if I've completely misunderstood your question).
Re: Give ADMIN tabs access to Non-Admin DotNetNuke Users (Pages, File Manager, etc)
Diane
12/15/2008 9:34 AM
Changing the edit permissions worked. I had set up personal folders for each user and now they can access them, and upload information from their computers. Thanks, Diane
Re: Give ADMIN tabs access to Non-Admin DotNetNuke Users (Pages, File Manager, etc)
Diane
12/15/2008 11:05 AM
One additional Upload question; Our setup is for a school district and I have teachers in different schools and want them to be able to upload their files into their own folders, which are set up by school. Currently they click browse server, then templates/schoolname/stafffolder/username ...to get to their own folder to upload to. Is there a way to set up a default folder for each user to automatically get to? Thank you again for all your help with this.
Re: Give ADMIN tabs access to Non-Admin DotNetNuke Users (Pages, File Manager, etc)
Ely
12/15/2008 9:37 AM
Hello, I followed steps in method 1 and it worked. Problem now is that the File Manager is no longer under my Admin menu. What can I do to get it back under Admin menu? Thanks!
Re: Give ADMIN tabs access to Non-Admin DotNetNuke Users (Pages, File Manager, etc)
mamlin
12/15/2008 5:45 PM
Diane- Glad to hear that you pinpointed the issue and now have everything running. As for setting a "starting" default folder per user/user role, I'm not aware of a way to do this. Recall that the current File Manager module was only intended for use by the site ADMIN so making ROOT the default starting folder was all that was required. If File Manager had a "Go To Folder" option in the UI then it would be possible to add helper script to the page to do the job. Unfortunately this isn't the case - I believe you'd need to change core File Manager code (I avoid changes to core code whenever possible). However, since you've made File Manager available as a standard module on a standard page, you can now add other modules to the page. This allows the File Manager page to be a little friendlier to users by adding a "Text/HTML" or a "FAQ" module with simple user instructions.
Re: Give ADMIN tabs access to Non-Admin DotNetNuke Users (Pages, File Manager, etc)
mamlin
12/15/2008 11:13 AM
Ely- Using this method, you cannot share admin modules AND leave the modules under the ADMIN root tab. Even if you try to change user VIEW permissions directly without moving the File Manager module, the module is automatically moved by DNN into a separate page. I usually create a root tab named "Content Admin" (or something similar) and place the TABS and/or FILE MANAGER pages under "Content Admin".
Re: Give ADMIN tabs access to Non-Admin DotNetNuke Users (Pages, File Manager, etc)
Diane
12/15/2008 5:45 PM
Thank you for all of your help. I have the users all uploading files into their own folders.
Re: Give ADMIN tabs access to Non-Admin DotNetNuke Users (Pages, File Manager, etc)
Graham
1/21/2009 11:33 PM
Hi. Many thanks for the article. I have successfully moved the User Accounts tab to a new Site Admin tab for Power Users. How do I allow power users to Add New Users? The options are only available when I log in as an administrator.
Re: Give ADMIN tabs access to Non-Admin DotNetNuke Users (Pages, File Manager, etc)
Nick
1/21/2009 11:28 PM
Brilliant! With some editing on the basic idea, a lot is possible with this article.
Re: Give ADMIN tabs access to Non-Admin DotNetNuke Users (Pages, File Manager, etc)
mamlin
1/21/2009 11:32 PM
Nick- Thanks and I agree a lot is made possible by moving modules out of the ADMIN-only space. Fortunately DNN 5.x has addressed this point and made all modules open for assigning to security roles. Now all we have to do is wait for a stable, bug-free and widely-supported (by third-party modules) version of 5.x to be released...
Re: Give ADMIN tabs access to Non-Admin DotNetNuke Users (Pages, File Manager, etc)
mamlin
1/21/2009 11:41 PM
Graham- I'll need to dig into the USERS module code to see what's up. For sites with large memberships we've generally relied on a third-party user admin module so I've not walked through the USERS module code as much as I have for other core modules. I'll add a new blog entry (rather than another comment) once I determine what is and is not possible with the USERS module. Subscribe to our recently-opened RSS feed to be sure to catch new blog postings.
Re: Give ADMIN tabs access to Non-Admin DotNetNuke Users (Pages, File Manager, etc)
Rick
3/2/2009 2:40 PM
For giving access to non-admin users to USERS module, modify the DataBind function in admin\security\SecurityRoles.ascx.vb to:

    If (Not (objUser Is Nothing) AndAlso objUser.IsSuperUser) OrElse _
       PortalSecurity.IsInRoles(PortalSettings.AdministratorRoleName) = False Then
        If (Not PortalSecurity.IsInRole("Role you want to give access to goes here")) Then
            Response.Redirect(NavigateURL("Access Denied"), True)
        End If
    End If
Re: Give ADMIN tabs access to Non-Admin DotNetNuke Users (Pages, File Manager, etc)
mamlin
3/2/2009 2:48 PM
Thanks, Rick, for answering Graham's question. Disclaimer: I've not tried Rick's solution myself so I can't comment on it other than to say "sorry" for the lack of formatting due to how markup (line breaks) for comments are stripped out by the blog module.
Re: Give ADMIN tabs access to Non-Admin DotNetNuke Users (Pages, File Manager, etc)
Adnan
7/2/2009 11:51 AM
Hey, thanks for the nice post and tip RICK .. it really helped me to allow access to "users roles" to non-admin users. But I want to allow non-admin users to manage other users' passwords as well (change or reset). The Rick post trick only allows managing roles but I want to manage users' passwords as well. Any tips will be appreciated :)