• Specify edit / admin rights for each page – this allows you to define parts of the page tree that editors have permissions over. These permissions allow you to use the to specify one of the following access levels for each page (Read / Create / Change/ Delete / Publish / Administer) which dictates an editor’s ability to create / view and publish a page.
• Specify access levels required to view each edit mode tab – this allows you to group particular page properties onto particular tabs and show or hide those based on the access levels defined above.

However – what is missing here is a more granular approach for individual properties on each page. For example allowing users in a ‘MetaEditor’ role to update page meta data without being able to edit anything else.

EPiServer exposes an EditPanel.LoadedPage event which allows you to modify the loaded PageData object and modify it accordingly. One of the code properties available on an EPiServer property is DisplayEditUI which dictates whether the property is shown on the edit panel. Using the EditPanel.LoadedPage event to set property visibility in this way isn’t new.  However now we have strongly typed PageType classes (thanks to PageTypeBuilder) we can revisit this and treat it as a true application cross cutting concern.

What I wanted to be able to achieve was a true attribute based security system, that worked with the standard ASP.Net Membership model allowing developers to set which roles and users would be able to view and modify each property by setting an code based attribute in the TypedPageData class.

The solution relies on the following pieces:

• An EPiServer Initialization module that hooks up a method to the EditPanel.LoadedPage event.
• An Authorize attribute that you can place on PageTypeBuilder TypedPageData classes and properties.
• A locator which will scan your current page type for each property and modify the DisplayEditUI property based on the attributes values.

The following rules apply:

• A property level [Authorize] attribute will override any setting from a class level [Authorize] attribute
• [Authorize] attributes can set either usernames or roles which will be honoured – see the example below.
• The [Authorize] attribute allows you to specify whether you wish to apply the security rules to the built in-EPiServer properties as well as any you have defined through code.

Here is an example usage:

using System;
using FortuneCookie.PropertySecurity;
using PageTypeBuilder;
using EPiServer.Templates.AlloyTech.PageTypes.Tabs;

namespace EPiServer.Templates.AlloyTech.PageTypes.AlloyTech
{
   [PageType("74f6ef3e-407b-4132-8108-7fa831910197",
   Name = "[AlloyTech] Standard page",
   Filename = "/Templates/AlloyTech/Pages/Page.aspx",
   DefaultChildSortOrder = EPiServer.Filters.FilterSortOrder.None,
   Description = "The standard page is the most commonly used page on the web site.",
   DefaultVisibleInMenu = true,
   AvailablePageTypes = new Type[] {  })]
   [Authorize(Principals = "StandardPageEditorRole,mark.everard", ApplyToDefaultProperties = false)]
   public class StandardpagePageType : TypedPageData
   {
      [PageTypeProperty(EditCaption = "Main body",
      HelpText = "The main body will be shown in the main content area of the page",
      Tab = typeof(InformationTab),
      Type = typeof(EPiServer.SpecializedProperties.PropertyXhtmlString))]
      [Authorize(Principals = "MainBodyEditorRole")]
      public virtual string MainBody { get; set; }

      [PageTypeProperty(EditCaption = "Secondary body",
      HelpText = "The contents of this property will be shown in the right column of the page, you can use both text and images for layout.",
      Tab = typeof(InformationTab),
      Type = typeof(EPiServer.SpecializedProperties.PropertyXhtmlString))]
      public virtual string SecondaryBody { get; set; }
   }
}

In this case – any editor will be able to see the default EPiServer page properties (PageName, PageCategories etc). Editors in the StandardPageEditorRoles and me (user with username mark.everard) will be able to view / edit the SecondaryBody property, and only editors in the MainBodyEditorRole will be able to modify the MainBody property.

At present,  I’m not too happy with the blanket approach to the default properties that the current version has. I’d be interested to hear any better ideas for dealing with this – or better yet send me a pull request to the project on GitHub.

A Nuget package (FortuneCookie.PropertySecurity) built against .Net 4.0 / EPiServer 6R2 and PTB 2.0 has been uploaded for review to the EPiServer Nuget feed (and so should be available soon). The source code is available on GitHub – https://github.com/markeverard/FortuneCookie.PropertySecurity

Coming to talk to us this time will be:

• Meridium – who will be telling us all about the latest version of ImageVault – which is image and digital asset management module for EPiServer.
• Joel Abrahamsson – who should need little introduction. Joel has been instrumental in helping to improve the EPiServer development experience – through his open source projects such as PageTypeBuilder and EPiAbstractions (amongst others). Tonight though Joel will be wearing a different hat as he’ll be talking about his latest project. Truffler.Net – an advanced search engine and C# API
• Plus – some other (to be confirmed) talks from our community members

We will start presentations promptly at 7pm so please aim to get there for 6:30pm

There will be some food and drinks (kindly provided by EPiServer UK) and plenty of opportunity to network and talk tech.

Full details are on the Meetup page where you can sign up and RSVP to confirm attendance.

I hope you’ll agree that its a great program and also I think we’re incredibly lucky to have both Meridium and Joel flying over from Sweden to come and talk to us. Please show your support.

See you all on the 23rd.

Mark

This function allows an editor to create a Composer area that will display a unique list of other Composer functions; depending on which visitor group a user is matched to in your site. This means that editors can personalise more than just page content, and can also adjust the page layout and functionality offered to each visitor, by dragging different Composer functions into each Personalized ‘slide’ within the Personalization Container function.

Upgrading a site to 6 R2

After upgrading a few sites from CMS6 to CMS6R2, if you don’t check the option to import PageTypes during the upgrade process (which if you’re using PageTypeBuilder you might think you can skip) then  the Personalization container isn’t created, and you’ll be missing this piece of functionality.

The easiest way to re-create this function is to export the composer PageType information from a ‘fresh’ install of the Composer / R2 Alloy Tech site, and then import this into your site.

To save you the hassle of setting up a fresh demo site. I’ve included an exported Composer Personalization function as a download below (.xml format).

PersonalizationContainer.zip – Import using EPiServer Composer Import / Export page.

You just need to import this using the Composer import feature in EPiServer Admin mode, and hey presto!

Technically, this is normally achieved by adding a querystring key to the campaign link url and then tracking requests that use this key. So for example, a Google Adwords campaign linking to your /products page would also include a querystring parameter of cid=marketingcampaign (example: http://yoursite.com/products?cid=marketingcampaign)

This querystring parameter can be picked up by your analytics implementation and used to track various aspects of the campaign.

On an EPiServer CMS6 R2 site, editors can use the Personalization/Visitor Group framework to provide a unique page experience per visitor, meaning that its possible to provide personalized content for each external marketing campaign on any page on your site.

Out-of-the-box, EPiServer provides a criterion which checks the incoming request Url or the page referrer, but not one that checks the querystring of the incoming request.

Creating a Visitor group criterion is straight forward – the only issue I’ve ever had trouble with; is when working on a .NET 4.0 project – which was solved by Ted Nyberg.

I’ve created a simple QueryString Criterion which will provide a match based on the following:

1. Whether the current request contains a user specified querystring key
2. and / or whether the current request contains a matching querystring key which also has the user specified value.

The source code is available as part of the Criteria Pack on Codeplex and of course there is a Nuget package on Nuget.episerver.com – (as soon as its been approved!)

Wow, what an incredible experience!

“Pair 120 developers with a collection of UK charities each with an IT need. Lock them in a room, feed with caffeine, cooked pig and sugar. Leave to bake over the course of a weekend, peel open (and off the floor) on Sunday afternoon. Stand back and view the results.”

The concept, execution and community was superb (see @stack72′s post for a great list of thanks to those involved). A special thanks must also go to UCL for hosting the event and the generous sponsors for providing financial support and goodies! Come the Sunday afternoon ‘show and tell’, all of the project teams delivered some great work, much of which will make a tangible difference to each of the UK charities that got involved.

“For the first time in living memory, someone cried because the software we did was so good.”

What better testimonial than this? How many times have you had this reaction whilst working in your day job

GiveCamp UK 2011 - photo by Bert Craven

A software development microcosm

Whilst the time-scales involved in GiveCamp make it an unreal experience, at the end of the day it’s just software development, and so the normal rules and pitfalls of software development apply.

The thing that really struck me whilst working, is that is that it’s very easy to get carried away and lose focus from the end output. Whilst much of this could be attributed to the excitement, intensity (and tiredness) that surrounds the event. Actually it is just par for the (software development) course.

If you’re ever involved in a future GiveCamp (and by all means you should), here are some of my top tips……

Deliver deliver deliver

Don’t overreach and try to build the Tower of Babel. Solving one problem well, is better than half solving many problems.

This means you constantly have to question the solution to make sure that every design decision that is made, is made for the right reasons. Do you really need that level of granular security or additional view? Focus on your core functionality only.

Remember building ‘cool’ stuff is not the output you’re looking for. Delivering a working solution that solves a real world problem is the ONLY goal….

Engagement

As ever, it is important that you have a engaged stakeholder / product owner – who is actively available to field questions and define their needs (we all know this from our day jobs right?)

Remember though, the charities will be like a kid in a sweetshop – whilst you are their ‘knight in shining armour’. It’s ok to question their requirement wish-list. 41 hours is not a long time to deliver a solution. So always make sure you stay focussed on solving a real and well defined problem.

Keep it simple stupid

After the weekend, the solutions are handed over lock and key to the charities. You need to make sure they know what you’ve built for them and that they have enough information to support it going forwards. This could mean documentation! One team produced a 40 page document on how to install a SQL Server instance. The time spent on that document was way more important than any one additional software feature. Without it, the solution wouldn’t have even been deployed.

Remember – not everybody knows the things you as a developer takes for granted. Imagine that you’re delivering a solution for your dear Nan. That’s the level you should aim for.

Focus on what you know

When you’re under pressure to deliver, don’t go off-piste and make some ‘left-field’ technology choices, so you can learn the latest new and shiny thing. Stick with what you know and what your team has capabilities with. Don’t worry, they’ll still be plenty of opportunity to learn.

For me I was working with ASP.NET / MVC but I still learnt more about Git, Entity Framework and what an awesome service AppHarbor provide.

Future me

I definitely wish I’d had ‘future me’, looking over my shoulder to remind of those things throughout the weekend (especially at 2am on Sunday morning when the adrenaline was wearing thin). However I also know that ‘future me’ would have told me how proud he was of all of us who donated time and effort to help out.

Top stuff to all involved. Here’s to GiveCamp UK 2012!

Aside from code, the majority of our day-to-day interactions in the workplace are with team members, managers, clients and other colleagues. These human interactions are often much harder to predict and respond to, but can have a much greater impact on your work environment, productivity and workplace happiness.

I attended Roy Osherove’s ‘Lead Better London’ course held at Skills Matter back in July (and have been meaning to post a follow up about it ever since). Roy was / is a leading voice in the .NET community (though now he’s exploring what Ruby has to offer) and is the author of ‘The Art of Unit Testing‘, which I consider to be THE book to read if you want to learn and become better at writing test code for your software. Roy regularly blogs about software team leadership issues over on FiveWhys.com, and it is from there where I found out about the course.

The 2-day course caught my eye, as it was focussed on managing people and software teams rather than any specific project methodology, such as agile. Courses such as these give you a great opportunity to take a step back and view your workplace and your interactions within it in a different light, without the distraction of your ‘real work’. Roy is a great mentor and from the off, ably demonstrated the ‘ninja’ leadership techniques he was trying to teach to us. His ability to listen, comprehend and consolidate a problem down to a fundamental is a skill I really want to perfect.

Things I took home with me from the course:

• Confidence to Lead: motivation to tackle the issues I see day-to-day in my workplace
• How I react: ability to recognise my own and my colleagues behavioural traits and adjust my response to suit
• Who I want to be: a clearer idea of the characteristics I believe make a good leader and the willpower to make sure I follow the right path.

The plural of Lego is Lego, not Legos. The word Lego is a trademark and should be used as such. Here is a picture of some Lego bricks.

Roy is holding another course in London this November (2011) , so if you’re interested in learning how to lead and grow a software team, then you should do what you need to do to get yourself on his course.

For me, the challenge now is to take the skills I’ve learnt and put them into practise in my day-to-day work life.

Let the human experiment begin……

Out of the box, the MVC framework also allows you to set validation attributes on your models which are inspected at the model binding stage, meaning that your controller actions can inspect the ModelState.IsValid property to assess whether the user submitted data meet expectations. This attribute based approach to validation provides a clean way to handle validation (a cross-cutting concern) without introducing additional code into your controller action.

One of the features needed when putting together the Fortune Cookie Personalization Engine for EPiServer was to perform validation on a user submitted criteria value. As a reminder, in the context of the Personalization Engine, a criteria is an editor submitted string which is persisted and used by a ContentProvider to allow for a more granular method of content retrieval. For further background and explanation, check out one of my earlier posts – Personalization Engine – ContentProvider Criteria Models

In the full Personalization Engine domain model, criteria properties belong to IContentModel objects which are used to specify the user interface displayed to an editor to allow them to enter the criteria. Below is an example of a TextBoxCriteriaModel which renders as a textbox in the Admin interface.

The string value from this criteria input is posted to the controller action.  However as the type of IContentModel depends on the value of the ContentProvider dropdown, validation attributes cannot be set directly on the model passed to/from this view as different concrete IContentModel types need to be able to specify different validation rules.

To provide validation of the composite IContentModel using validation attributes, we have to hook in to one of the extension points of the ASP.NET MVC framework and create a custom model binder.

Validating composite models

Our custom ModelBinder needs to perform the following tasks:

• Bind the incoming data against an AdminViewModel (the model passed from the user interface shown above).
• Obtain an instance of the specified ICriteriaModel and update the ICriteriaModel’s criteria property with the value posted by the form.
• Validate the composite (and now populated) ICriteriaModel
• Update the ModelState with the validation results from the composite model, along with the original parent model validation results

As the custom ModelBinder needs to perform all of the existing validation and binding that the DefaultModelBinder would, I’ve chosen to inherit from it and add the additional composite model validation logic into the overriden BindModel method. An instantiated IContentModel is obtained from the AdminViewModel, and the ModelValidator framework class allows us to validate the composite IContentModel, before updating the bindingContext.ModelState with an validation errors.

public class CriteriaValidationModelBinder : DefaultModelBinder
{
   const string ValidationPropertyName = "Criteria";

   public override object BindModel(ControllerContext controllerContext, ModelBindingContext bindingContext)
   {
      if (bindingContext.Model != null)
         return bindingContext.Model;

      var model = base.BindModel(controllerContext, bindingContext);

      var adminViewModel = model as AdminViewModel;
      if (adminViewModel == null)
         return model;

      var criteriaValue = bindingContext.ValueProvider.GetValue(ValidationPropertyName);
      adminViewModel.CriteriaModel.Criteria = criteriaValue != null ? criteriaValue.AttemptedValue : string.Empty;

      ModelMetadata modelMetadata = ModelMetadataProviders.Current.GetMetadataForType(() => adminViewModel.CriteriaModel, typeof(ICriteriaModel));
      ModelValidator compositeValidator = ModelValidator.GetModelValidator(modelMetadata, controllerContext);

      foreach (ModelValidationResult result in compositeValidator.Validate(null))
         bindingContext.ModelState.AddModelError(ValidationPropertyName, result.Message);

      return model;
   }
}

Our custom ModelBinder can be hooked into our application in Global.asax, or in an EPiServer IInitializableModule using the following method.

private void AddCriteriaValidationModelBinder()
{
    ModelBinders.Binders.Add(typeof(AdminViewModel), new CriteriaValidationModelBinder());
}

And that’s it…. ModelBinders are an important piece of the MVC framework, and in the majority of scenarios you can rely on the DefaultModeBinder to handle all of your requirements. However creating your own ModelBinder for more advanced requirements is pretty straightforward, depending on your requirements for your binder

Lee Crowe has stepped up to the mark and contributed these for me – Thanks Lee

These User Interface elements are contained in a separate NuGet package: FortuneCookie.PersonalizationEngine.UI (dependent on FortuneCookie.PersonalizationEngine) ,which is available to download the EPiServer NuGet feed.

The packages contains:

1) A custom property, (using Lee’s  multiple selection custom property)  – which allow you to select a limited set of defined Personalization Engine content providers from which to return content. This allows you to have PersonalizationEngine rules defined on a page-by-page basis.

2) Two dynamic content controls (using the new DynamicContentPlugin attribute) – one which just displays PersonalizationEngine results from the full rule-set, and one which uses the custom property described above to allow a limited sub-set.

FortuneCookie.PersonalizationEngine 1.1

Additionally there is a new version of the core FortuneCookie.PersonalizationEngine, which contains some minor updates and enhancements

1) Added a new event that you can hook into to filter any results prior to them being returned from the PersonalizatioEngine. A good usage for this may be to filter by PageType definition in the case you don’t want your PersonalizationEngine results to contain a particular PageType

The example below will filter all Article pages from any content returned from a PagesWithPageNameContentProvider. The event is hooked on in Global.asax

protected void Application_Start(Object sender, EventArgs e)
{
 PersonalizationEngine.OnContentProviderGetContent += PersonalizationEngine_OnContentProviderGetContent;
}

 private void PersonalizationEngine_OnContentProviderGetContent(ContentProviderEventArgs e)
 {
     if (e.ContentProviderType == typeof(PagesWithPageNameContentProvider))
          e.ContentProviderPages = e.ContentProviderPages.Where(p => p.PageTypeID != PageTypeResolver.Instance.GetPageTypeID(typeof(ArticlePageType)));
 }

2) Changed the call to DataFactory.Instance.GetPages, to an iterated call to DataFactory.Instance.GetPage in the CachedContentProviderBase class. Although the latter method is less performant – there is an acknowledged bug in CMS6R2 which means that PageTypeBuilder does not hook into the GetPages method result meaning that returned results are unTyped.

Both of these packages are now available in the EPiServer Nuget Feed

(Note: If you’re serving a large amount of media content, then you’d be better off looking at a full media hosting solution rather than just serving from the EPiServer VPP).

Http-Headers

Obviously the files were identical, so the only difference was in how IIS was serving them. Below are the Http responses (captured using FireBug) for the identical .m4v video files, one served from a VPP, and one from a native path.

The significant difference is the Accept-Ranges : bytes header. Cool – so we can just add in this header to our response and we’re sorted right? WRONG I’m afraid!

HTTP/1.1 Accept-Ranges header field

The Accept-Ranges response-header field allows the server to indicate its acceptance of range requests for a resource. This means that the server is open to partial downloads of files, and that clients (web-browsers) can download a limited ‘chunk’ of a file by requesting a specific byte-range, for-example bytes 5001-9999.

Going back to our original issue of why the files didn’t play on an iOS device, a quick look on the Apple developer notes (via StackOverflow) confirms that the web server needs to be configured to correctly handle byte-range requests. This explains why our file doesn’t work on an iOS device when served from an EPiServer VPP.

EPiServer.Web.StaticFileHandler

Our site was running using IIS7.5 in integrated pipeline mode, meaning that pretty much the whole Request / Response pipeline is handled by ASP.NET modules. Looking in the EPiServer site web.config you can see that the location path elements for VPP paths (Global /PageFiles etc) contain the HttpHandlers that are responsible for serving VPP filess. This is a bespoke EPiServer file handler implementation (EPiServer.Web.StaticFileHandler), which unlike the default IIS7 StaticFileHandler does not support Range-Requests

The Solution

Now you didn’t think that I’d explain all of this, without heroically coming up with a solution did you? Well I am providing a solution, but its hardly heroic as most of the hard work was done many years ago by Scott Mitchell – see Range-Specific Requests in ASP.NET. In his post Scott explains and provides an example of how to roll a HttpHandler with support for range-specific HTTP requests.

I’ve inherited from the RangeRequestHandlerBase class that Scott posted in the above article, and overidden a few methods adding in some EPiServer specifics, such as mapping the request path to the physical VPP file path and also using the EPiServer.Web.MimeMapping class to handle mapping from an extension to a mime type.

    public class RangeRequestFileHandler : RangeRequestHandlerBase
    {
        ///
        /// Returns a FileInfo object from the mapped VirtualPathProviderFile
        ///
        /// <param name="context" />
        ///
        public override FileInfo GetRequestedFileInfo(HttpContext context)
        {
            UnifiedFile file = GetFileInfoFromVirtualPathProvider(context);

            if (file == null)
                return null;

            PreventRewriteOnOutgoingStream();
            return new FileInfo(file.LocalPath);
        }

        private static UnifiedFile GetFileInfoFromVirtualPathProvider(HttpContext context)
        {
            return GenericHostingEnvironment.VirtualPathProvider.GetFile(context.Request.FilePath) as UnifiedFile;
        }

        ///
        /// Returns the MIME type from the mapped VirtualPathProviderFile
        ///
        /// <param name="context" />
        ///
        public override string GetRequestedFileMimeType(HttpContext context)
        {
            UnifiedFile file = GetFileInfoFromVirtualPathProvider(context);
            return MimeMapping.GetMimeMapping(file.Name);
        }

        ///
        /// Prevents episerver rewrite on outgoing stream.
        ///
        private void PreventRewriteOnOutgoingStream()
        {
            if (UrlRewriteProvider.Module != null)
                UrlRewriteProvider.Module.FURLRewriteResponse = false;
        }

This handler can be used to serve files from your VPP folders by adding the following configuration (IIS7 only folks – which if you’re not using then you really should be pushing for an upgrade!). This handler listed below is set up only to serve files of type .m4v – and remember that it does not provide any of the native EPiServer functionality for setting the staticFile cache expiration time.

<location path="Global">
     <system.webServer>
         <handlers>
              <add name="webresources" path="WebResource.axd" verb="GET" type="System.Web.Handlers.AssemblyResourceLoader"/>
              <add name="videofiles" path="*.m4v" verb="*" type="FortuneCookie.RangeRequestFileHandler.RangeRequestFileHandler, FortuneCookie.RangeRequestFileHandler"/>
              <add name="wildcard" path="*" verb="*" type="EPiServer.Web.StaticFileHandler, EPiServer"/>
         </handlers>
      </system.webServer>
      <staticFile expirationTime="-1.0:0:0"/>
 </location>

The full source code can be downloaded from the Code section at EPiServer World and a NuGet package is available that will auto-magically add in the code and configure your Global and PageFile VPP’s to serve .mp4, .m4v and .mov video files using the RangeRequestFileHandler.

• Paul Dunstone (from our hosts Rufus) – who will be talking about an EPiServer / SmartLogic integration that allowed for a rich and automated content classification. Paul previously blogged about this, but this will provide a great opportunity to understand more of the technical details.

• Raghavendra Bangalore-Govindaiah (aka Rags) – who will be presenting an overview of a COMET based pushed real-time data feed integration with an EPiServer site. For those of you who have never heard of COMET before, this should be interesting as COMET introduces a new model of working across the web. Rather than the traditional request/response cycle it uses long held http requests to allow the server to PUSH content updates directly to client web browsers.

• Mark Everard -I’ll be giving an  overview of NuGet, Microsoft’s package management tool for ASP.NET / Visual Studio, including a look at how to create your own packages and integrate the creation process with your project’s build script using MSBuild.

It again should be a great night and I hope to see you a lot of you there.

~ Mark