
Thursday is the day I normally go to school, but as schools are closed the first week of January, I had a day off. As the boys @ work know it’s allowed to disturb me, they regularly will :) . They are so kind to ask if it’s allowed, so I could do something about it if I wanted to, but as most of the questions are quite challenging, I won’t.

Today our team lead, Martijn, asked how to restrict access to domains in the User Manager. The answer this afternoon was: no… But actually, I’ve found a solution without writing code! Here’s a lesson in hacking the client :) .

First of all, I looked in the Core database to see if the domains were configured there, under the node of the application for example. They aren’t…
Second, I had to find out the exact XAML file behind the User Manager. It’s ‘Security Manager.xml’, located in ‘/sitecore/shell/Applications/Security/Security manager/’. I opened the file and searched for any DataSource definitions defining the domain. Too bad, there wasn’t one… As the XAML file specified the code-beside, I at least had a path to continue searching:

<CodeBeside Type="Sitecore.Shell.Applications.Security.SecurityManager.SecurityManagerForm,Sitecore.Client"/>

I continued searching using Lutz Roeder’s .NET Reflector. I opened Sitecore.Client and, lucky me, it isn’t dotfuscated :) . I navigated to the SecurityManagerForm class and opened the client property. Look what the disassembler showed me:

Indeed it’s a ClientPage property, which means it is set earlier. And indeed it is, in the OnLoad method (look at the highlighted part):

My simple conclusion was that I just had to change the QueryString parameter ‘do’ to select a domain by default… As our customer should only be able to read the contents of the Extranet domain, we should set the query string to ‘do=extranet’ and disallow the ribbon for anyone except administrators.

Well, we should change the QueryString of a Sheer application. A bell is ringing… A Sheer app is called from the menu. Menu items are shortcuts to Sheer apps… Let’s duplicate a ‘shortcut’, play around a bit with the fields inside the ‘shortcut’, and it works!


Cool! Now it’s just up to the security. I’m going to disallow the Domain ribbon for the user role our customer works with, and after that the User Manager looks like this:

Wohooo :) . Mission accomplished! And now… Time to sleep :P . See you tomorrow!
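Presetting ‘do=extranet’ in the shortcut and hiding the Domain ribbon shapes the UI, but the ‘do’ value still arrives via the query string, so the domain choice is only as fixed as the shortcut the user opens. As an added example (not the post’s own code and not part of Sitecore), here is a code-beside subclass that re-checks the requested domain against the current user’s roles on the server before the original OnLoad runs. It assumes SecurityManagerForm.OnLoad is overridable and that WebUtil.GetQueryString(key, default), Context.User.IsInRole(string), Log.Audit and SheerResponse.Alert behave as named; the role name and the role-to-domain table are constructed.

```csharp
using System;
using System.Collections.Generic;
using Sitecore;
using Sitecore.Diagnostics;
using Sitecore.Security.Accounts;
using Sitecore.Shell.Applications.Security.SecurityManager;
using Sitecore.Web;
using Sitecore.Web.UI.Sheer;

// Hypothetical subclass: the shortcut's XAML CodeBeside would point at this type
// instead of SecurityManagerForm. Assumes OnLoad is virtual in the base form.
public class RestrictedSecurityManagerForm : SecurityManagerForm
{
    // Constructed table: which domains each role may manage (administrators bypass it).
    private static readonly Dictionary<string, string[]> AllowedDomains =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { @"extranet\Customer Editors", new[] { "extranet" } }   // constructed role name
        };

    protected override void OnLoad(EventArgs e)
    {
        Assert.ArgumentNotNull(e, "e");
        // "do" is the parameter the original form uses to pick the domain (see the post).
        string requested = WebUtil.GetQueryString("do", string.Empty);  // assumed overload
        if (!IsDomainAllowed(Context.User, requested))
        {
            // Leave a trace for the audit log and stop before any domain is loaded.
            Log.Audit(string.Format("Refused domain '{0}' for user {1}", requested, Context.User.Name), this);
            SheerResponse.Alert("You are not allowed to manage this domain.");
            return;
        }
        base.OnLoad(e);
    }

    // Decision logic kept separate from Sheer UI so it can be unit tested on its own.
    public static bool IsDomainAllowed(User user, string domain)
    {
        if (user == null) return false;
        if (user.IsAdministrator) return true;            // admins keep the full User Manager
        if (string.IsNullOrEmpty(domain)) return false;   // restricted users must name a domain
        foreach (KeyValuePair<string, string[]> entry in AllowedDomains)
        {
            if (user.IsInRole(entry.Key) &&
                Array.Exists(entry.Value, d => d.Equals(domain, StringComparison.OrdinalIgnoreCase)))
                return true;
        }
        return false;
    }
}
```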

2 Responses to “Security Editor: Disallowing access to a domain…”

  1. Very cool.

    I believe this is exactly the reason why Sitecore.Client is not obfuscated – it can be an invaluable insight into Sheer UI.

  2. Lars Nielsen says:

    Good job Alex.

    It’s always kind’a try’n trial when you start using the dotfuscator, but extremely satisfying when it works.
