Still using a very old (and slightly customized) version of BlogEngine.NET on a Windows XP (!) server so I'm a bit afraid to upgrade.
In the past, I have written a couple of extensions in order to grant or prevent access to static pages and/or posts based upon the users / roles and / or the post categories. For instance, I can prevent access to the blog from unauthenticated users, I can grant access to a subset of the blog (post categories) to users having the 'Readers' role, etc.
I noticed that images are still accessible, either ones stored explicitly under the /App_Data/files/ folder and served by the image.axd handler, or ones associated with blog posts.
Is there an extension point available where I could add some logic to prevent access to images based on criteria such as authentication and/or users / roles ? Perhaps based upon their file extensions, or whatnot ?
I don't know about an official extension point but I think the edits you need to make are as follows.
According to this line in the web.config
<add verb="*" path="image.axd" type="BlogEngine.Core.Web.HttpHandlers.ImageHandler, BlogEngine.Core" validate="false"/>
The image.axd is handled by BlogEngine.Core.Web.HttpHandlers.ImageHandler
If you look in the BlogEngine.Core project you will find the ImageHandler.cs that defines this class. Assuming you need access to the Session you will need to IReadOnlySessionState as an implemented interface to the class.
public class ImageHandler : IHttpHandler, IReadOnlySessionState {
...
}
Once this is in place you can access the Session in the ProcessRequest Method to perform your custom checks.
public void ProcessRequest(HttpContext context) {
if(context.Session["SomeKey"] == true){
//serve image code goes here
}
}