Rock security
General security details TBD
Person impersonation provides a way for a user to be identified through a unique URL parameter. This means that URLs can be generated that link to a Rock instance and contain an identifier that will identify (not authenticate) the user without them having to create an account or log in. For example, users receive an email asking them for their t-shirt size and, after clicking on the provided link, they are taken to a particular landing page. Rock identifies the unique person, and a block prompts them for their t-shirt size and then stores it.
The Person object now has a read-only property called "ImpersonationParameter". This will return a parameter name and value string that can be added to a generated URL (the parameter name is always rckipid).
Whenever a Rock page is requested and the rckipid URL parameter is included, Rock will evaluate the parameter and set the CurrentUser to a dynamic user record associated with the person that the value belongs to.
The User object has an IsAuthenticated property that will be false if the current user was set by the rckipid parameter. IsAuthenticated will be true only if the user actually logged in (was authenticated).
It is important to evaluate the IsAuthenticated property of the CurrentUser if an action requires that the user has actually logged in. For example, the LoginStatus.ascx block will only display the "My Account" link if the current user is authenticated.
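The identify-versus-authenticate distinction described above, modelled as an added example (not Rock's own code): a URL carrying rckipid resolves to a current user whose IsAuthenticated is false, a real login yields true, and a LoginStatus-style check gates the "My Account" link on that flag. The signed token format, secret and sample people are assumptions constructed for the example; the page does not describe Rock's real token encoding.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode, urlparse, parse_qs

IMPERSONATION_PARAM = "rckipid"  # the parameter name Rock always uses

# Assumption: a server-side secret signs the token so a forged value cannot
# identify anyone. Rock's real token format is not described on the page.
SERVER_SECRET = b"constructed-demo-secret"

@dataclass(frozen=True)
class Person:
    id: int
    name: str

@dataclass(frozen=True)
class CurrentUser:
    person: Person
    is_authenticated: bool  # False when set from rckipid, True when logged in

# Constructed sample directory standing in for the Rock person table.
PEOPLE = {7: Person(7, "Alex Sample"), 9: Person(9, "Jordan Sample")}

def _sign(person_id: int) -> str:
    return hmac.new(SERVER_SECRET, str(person_id).encode(), hashlib.sha256).hexdigest()[:32]

def impersonation_parameter(person: Person) -> str:
    """Like Person.ImpersonationParameter: 'rckipid=<token>' ready to append to a URL."""
    return urlencode({IMPERSONATION_PARAM: f"{person.id}.{_sign(person.id)}"})

def resolve_current_user(url: str, session_person: Optional[Person] = None) -> Optional[CurrentUser]:
    """A real login wins and is authenticated; a valid rckipid only identifies
    the person, so IsAuthenticated stays False. Bad tokens identify nobody."""
    if session_person is not None:
        return CurrentUser(session_person, True)
    token = parse_qs(urlparse(url).query).get(IMPERSONATION_PARAM, [None])[0]
    if not token or "." not in token:
        return None
    pid_str, sig = token.split(".", 1)
    if not pid_str.isdigit() or not hmac.compare_digest(sig, _sign(int(pid_str))):
        return None  # forged or damaged token
    person = PEOPLE.get(int(pid_str))
    return CurrentUser(person, False) if person else None

def login_status_links(user: Optional[CurrentUser]) -> list:
    """Mirrors the LoginStatus block: 'My Account' only for authenticated users."""
    if user is None:
        return ["Login"]
    links = [f"Hello {user.person.name}"]
    if user.is_authenticated:
        links.append("My Account")
    return links
```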