Membership and role providers, permissions

24 posts, 0 answered
  1. Darren
    72 posts
    Registered: 19 Mar 2008
    08 May 2008
    We have a requirement to support SSO as well as forms style login so I've created new membership and role providers which are used for both the CMS and the public website.

    Within the CMS I've created new roles and user accounts and set permissions for different modules and pages.
    The problem I have is even with the permissions set they don't seem to work. My admin roles have been given permission to access the CMS but they can't.
    My user roles have been given permission to view the website but they can't.

    If I apply permissions through the web.config file then everything works.
    For example, this will give my roles and thus accounts access to the CMS...

    <security defaultProvider="DefaultSecurityProvider" cmsProvidersName="Sitefinity">
          <roles>
            <clear />
            <add name="Administrators" permission="Unrestricted" />
            <add name="OpCo1_Admins" permission="Unrestricted" />
            <add name="OpCo2_Admins" permission="Unrestricted" />

    Equally, if I edit my users_in_roles table and set the roles to administrator then they work but not if I assign them to one of my new roles with permission set through the CMS.

    So it appears I'm missing something with roles assignment in the CMS. Within the CMS they look correct so they are recorded but they just aren't having an effect on permissions while doing the same thing through the web.config file fixes everything.

    Does anyone have any suggestions of what this could be? I noticed when trying to log in the method GetRolesForUser() in my provider is called and returns correctly but then access is denied.
  2. Darren
    72 posts
    Registered: 19 Mar 2008
    09 May 2008
    So looking at this closer, I login and the GetRolesForUser(string username) is called and we correctly return the roles including a role with permission to access the CMS.
    The user is then redirected to the CMS admin page but there's just an error page (This type of page is not served.).
    If I change the database table to assign the user to the 'administrator' role which is defined in the web.config file as having permission 'Unrestricted' then I log in fine.
    If I add an entry to the web.config file to give one of my new roles the same 'unrestricted' permission then I log in fine.
    If I change the GetRolesForUser(string username) method to add 'administrators' to the list of returned roles then I log in correctly.

    So it seems the issue is setting permissions for my roles through the CMS isn't having any effect while doing the same thing through the web.config file or through code works fine.

    When I set these permissions through the CMS, how are they being stored? Presumably it's one of the tables such as sf_GlobalPermissions.
    Can anyone clarify where these permissions are stored, what the columns represent or provide any thoughts on what could be at fault or where in Sitefinity this could be going wrong?

    Thanks

  3. Darren
    72 posts
    Registered: 19 Mar 2008
    09 May 2008
    Just as an extra note that may clarify this.
    When I log in to the CMS with an account with administrator privileges and then go to the permissions page to set permissions for my other roles I notice they all have deny checked and greyed out.
    What I was doing is checking allow for my roles but presumably the deny is taking precedence.

    However, I haven't actually set permissions for these roles anywhere yet including through the web.config file so where is this 'deny' getting set?


    So I suspect the mechanics are working, I just need to turn off this default setting for my new roles so I'm free to just set permissions through the CMS if that makes sense.
  4. Vlad
    498 posts
    Registered: 19 Jun 2017
    10 May 2008
    Hello Darren,

    I am not sure which of your questions I should answer first, since I got lost in your comments. So, let me clarify some basic things about permissions, before we continue this discussion:

    1) CMS permissions are Global and for Page, which are stored respectively in sf_GlobalPermissions and sf_PagePermissions in the database.

    2) If you set a role as unrestricted in the web.config, all users belonging to this role have always full permissions no matter what is set for the role in the database.

    3) Deny is the most powerful permission setting in Sitefinity. If a user belongs to a role that has a specific permission set to Deny, that user cannot perform that function, even if he or she belongs to another role that has the same permission set to Allow.

    Based on the above statements, could you please summarize the problems you have? We would also appreciate some instructions how to reproduce them.

    Best wishes,
    Vlad
    the Telerik team

    Instantly find answers to your questions at the new Telerik Support Center
  5. Darren
    72 posts
    Registered: 19 Mar 2008
    12 May 2008
    What I want is to give some roles access to the CMS and other roles just view permission for the published web app.
    For all these roles I'll also want to control permissions at the page level since there are department owned sections of the web app.

    So initially I set the permissions for these roles through the CMS giving CMS access to those roles who need it and setting permissions at the global level and page level as needed.
    Everything looks fine except when I go to log in with one of these accounts with access to the CMS or the published web app I find I don't actually get access.
    My provider gets called for the account roles which we return but the CMS then denies access.
    So I can edit the web.config file and set permissions for my roles to 'unrestricted' and so then get access granted but I don't want to give blanket access for all my roles. Setting permissions individually through the CMS just isn't having any effect.
    Equally setting permissions to 'none' through the web.config file then removed access for those roles and again setting permissions individually through the CMS is having no effect.

    That's why I'm trying to work out how Sitefinity is using these permissions since I can only affect permissions through the web.config file, not the CMS although the changes applied through the CMS are visible through the CMS, they just have no effect in practice.

    I did notice that through the CMS the roles always have 'deny' set and grayed out so I can't uncheck it which explains why my other settings are having no effect (ie set 'Allow' for a role won't work since 'Deny' is also set and grayed out).
    The only way I can get it to uncheck is to set 'unrestricted' for the role in the web.config file but then I can't set deny for the role or turn off 'allow'.

    Why is 'deny' always checked and grayed out even if I don't mention the role at all in the web.config file?
    How can I change this to allow me to set permissions individually in the CMS?

    Thanks
  6. Darren
    72 posts
    Registered: 19 Mar 2008
    12 May 2008
    The problem seems to be that when logging in, the provider is called to authenticate the user which works fine and the user is then redirected but doesn't have permission for the page they're being redirected to.

    For instance, I log in with an account with permission to access the CMS. The provider is called to authenticate my credentials which works fine.
    The provider is called to check my roles then redirects me into the CMS where I just get an error page with "This type of page is not served."

    So permissions are set in the CMS, the providers are being called correctly and generally everything seems to work except the page itself just isn't being provided regardless of permissions.
    As mentioned earlier, if I give myself Unrestricted access through the web.config file then I'm fine but I need to grant permissions on a page by page and module by module basis so need to set permissions through the CMS.

    Thanks
    Darren
  7. Vlad
    498 posts
    Registered: 19 Jun 2017
    12 May 2008
    Hello Darren,

    There are three reasons for getting permission check boxes grayed and checked:
    • The role is set as 'Unrestricted' in the web.config, so it always has full control over everything. ('None' permission in the web.config currently is not used, so it has no effect);
    • The object inherits its permissions for the selected role from its parent. Currently this is implemented only for pages. You have an option to break inheritance;
    • The role inherits its permissions for the selected objects from Everyone role. You cannot break this inheritance.
    We suspect that the 3rd reason is exactly your problem, since it's not handled correctly in the user interface and is not mentioned in the FAQ section. Sorry for that, we will fix this omission soon. If so, you should probably uncheck all Allow and Deny permissions for the Everyone role.

    Please let us know how it goes.

    Best wishes,
    Vlad
    the Telerik team

  8. Christian Calderon
    8 posts
    Registered: 27 Feb 2006
    13 May 2008
    I'm also implementing a custom membership and role provider. Question: what happens if the user does not belong to any role? What will be the behavior in the user interface in these cases? In my case, the user is able to see the page, which is not what I want - I was expecting users to ALWAYS be members somehow of the everyone (public?) group
  9. Jason M
    108 posts
    Registered: 15 Jan 2007
    14 May 2008
    Hello Christian,

    I have a similar issue and have opened a support ticket with Sitefinity.  I'll let you know when I hear back from them.

    J
  10. Christian Calderon
    8 posts
    Registered: 27 Feb 2006
    14 May 2008
    This information provides useful information - workarounds. It is NOT the ideal solution for me, I was expecting the providers to be capable of handling page-level security, otherwise why bother writing them??


    http://www.sitefinity.com/support/forums/support-forum-thread/b1043S-bdghdh.aspx
  11. Vlad
    498 posts
    Registered: 19 Jun 2017
    16 May 2008
    Hi Christian,

    I am sorry, but I cannot understand what exactly is bothering you. Could you please elaborate more?

    Actually, all authenticated users from any membership provider ALWAYS belong to Everyone role. We implemented the Everyone special role in order to handle page permissions for other providers.

    Kind regards,
    Vlad
    the Telerik team

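The rules the Telerik team states in the replies above (a role marked Unrestricted in web.config overrides stored permissions, Deny beats Allow, every authenticated user also belongs to Everyone), combined into a small Python model. This is an added example, not Sitefinity code and not written by anyone in the thread; the class, the evaluation order, the `unset` outcome and the permission name `CmsAccess` are assumptions made for illustration.

```python
from dataclasses import dataclass, field

EVERYONE = "Everyone"  # special role every authenticated user belongs to


@dataclass
class PermissionModel:
    # Roles marked permission="Unrestricted" in web.config.
    unrestricted_roles: set = field(default_factory=set)
    # Database-stored settings: {(role, permission): "Allow" or "Deny"}.
    stored: dict = field(default_factory=dict)

    def evaluate(self, user_roles, permission):
        """Return (decision, reason); decision is 'allow', 'deny' or 'unset'."""
        roles = set(user_roles)
        # Rule 1: an Unrestricted role wins regardless of stored settings.
        bypass = sorted(roles & self.unrestricted_roles)
        if bypass:
            return ("allow", f"Unrestricted in web.config: {bypass[0]}")
        # Rule 2: every role also carries whatever is stored for Everyone.
        effective = roles | {EVERYONE}
        by_setting = {"Allow": [], "Deny": []}
        for role in sorted(effective):
            setting = self.stored.get((role, permission))
            if setting in by_setting:
                by_setting[setting].append(role)
        # Rule 3: a single Deny beats any number of Allows.
        if by_setting["Deny"]:
            return ("deny", f"Deny on {by_setting['Deny'][0]}")
        if by_setting["Allow"]:
            return ("allow", f"Allow on {by_setting['Allow'][0]}")
        return ("unset", "nothing stored for these roles")


def thread_scenarios():
    """Constructed cases mirroring the situations described in the thread."""
    perm = "CmsAccess"  # hypothetical permission name
    blocked = PermissionModel(stored={("OpCo1_Admins", perm): "Allow",
                                      (EVERYONE, perm): "Deny"})
    cleared = PermissionModel(stored={("OpCo1_Admins", perm): "Allow"})
    override = PermissionModel(unrestricted_roles={"OpCo1_Admins"},
                               stored={(EVERYONE, perm): "Deny"})
    open_to_all = PermissionModel(stored={(EVERYONE, perm): "Allow"})
    return {
        "allow_set_but_everyone_denied": blocked.evaluate(["OpCo1_Admins"], perm),
        "everyone_cleared": cleared.evaluate(["OpCo1_Admins"], perm),
        "unrestricted_in_web_config": override.evaluate(["OpCo1_Admins"], perm),
        "user_without_roles": open_to_all.evaluate([], perm),
    }


if __name__ == "__main__":
    for name, result in thread_scenarios().items():
        print(name, result)
```

The model leaves the no-entry case as `unset` because the thread does not say what Sitefinity does when nothing is stored for any of the user's roles.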
  12. Jason M
    108 posts
    Registered: 15 Jan 2007
    16 May 2008
    Hello Christian,

    I'm not sure if you've read this post (http://www.sitefinity.com/support/forums/support-forum-thread/b1043S-bdtgth.aspx), but it looks like this issue might have something to do with the login page.  We're using our own login page...are you?  I'll test this now and will let you know.

    J
  13. Christian Calderon
    8 posts
    Registered: 27 Feb 2006
    16 May 2008

    This is what I have been trying to test:
    Create a new page and set the view permissions to one specific group and deny to all others. Use a custom membership provider to authenticate the user. After logging in, users that don't belong to the group with permission to view the page can still view it.

    Ideally, I would like to use a custom membership provider and role provider to manage the authentication and page level security of the CMS pages - however it does not seem to work the way I need - the link I posted indicates that a custom Role Provider cannot be used to accomplish this goal using the CMS, but rather a custom handler or something like that is required.

    I hope what I said here clarifies what I posted earlier.

  14. Christian Calderon
    8 posts
    Registered: 27 Feb 2006
    16 May 2008
    I'm using a custom login page that makes use of a custom membership provider to authenticate users.
  15. Christian Calderon
    8 posts
    Registered: 27 Feb 2006
    16 May 2008
    Per a previous post by Telerik:

    "Unfortunately, in the current version, Pages Permissions could be set only for Sitefinity Role provider, but we have plans to extend them for the other providers in the future."
  16. Vlad
    498 posts
    Registered: 19 Jun 2017
    17 May 2008
    Hi Christian Calderon,

    As to this:
    "Unfortunately, in the current version, Pages Permissions could be set only for Sitefinity Role provider, but we have plans to extend them for the other providers in the future."

    Yes, currently you can set permissions only for the Role provider which is responsible for Sitefinity users. This provider should be declared in the web.config  and its name should be 'Sitefinity':

        <roleManager enabled="false" cacheRolesInCookie="true" defaultProvider="Sitefinity">
          <providers>
            <clear/>
            <add name="Sitefinity" ... />
          </providers>
        </roleManager>
        <membership defaultProvider="Sitefinity" userIsOnlineTimeWindow="15" hashAlgorithmType="">
          <providers>
            <clear/>
            <add name="Sitefinity" ... />
          </providers>
        </membership>

    Actually, it is not necessary for the provider name to be exactly 'Sitefinity', the main point is that it should be the same as that declared in the cmsProvidersName attribute in the telerik/security section:

    <security cmsProvidersName="Sitefinity" defaultProvider="DefaultSecurityProvider">
        <roles>
            <clear/>
            <add name="Administrators" permission="Unrestricted"/>
            <add name="PublicUsers" permission="None"/>
        </roles>
        ...

    The permissions for users from all other Membership providers are stored for Everyone role.

    Also please have a look at the past post in the following forum thread:
    Security Problem.

    Please let us know if you still have problems.

    Greetings,
    Vlad
    the Telerik team

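A configuration check built from the reply above, added here as an example in Python (not Telerik's or any poster's code). It reads a web.config and reports where the role and membership providers differ from `cmsProvidersName`, and which roles are listed as `Unrestricted` or `None`; the sample file, the provider names `CustomRoles` and `CustomMembers`, and the finding codes are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not taken from any real site.
SAMPLE = """<configuration>
  <system.web>
    <roleManager enabled="true" defaultProvider="CustomRoles">
      <providers><clear/><add name="CustomRoles" type="Example.Roles"/></providers>
    </roleManager>
    <membership defaultProvider="CustomMembers">
      <providers><clear/><add name="CustomMembers" type="Example.Members"/></providers>
    </membership>
  </system.web>
  <telerik>
    <security defaultProvider="DefaultSecurityProvider" cmsProvidersName="Sitefinity">
      <roles>
        <clear/>
        <add name="Administrators" permission="Unrestricted"/>
        <add name="OpCo1_Admins" permission="Unrestricted"/>
        <add name="PublicUsers" permission="None"/>
      </roles>
    </security>
  </telerik>
</configuration>"""


def audit_web_config(xml_text):
    """Return (code, subject) findings for the settings discussed in the thread."""
    root = ET.fromstring(xml_text)
    security = root.find("./telerik/security")
    if security is None:
        return [("NO_SECURITY_SECTION", "telerik/security")]
    cms_name = security.get("cmsProvidersName")
    findings = []
    for section in ("roleManager", "membership"):
        node = next(root.iter(section), None)
        if node is None:
            findings.append(("SECTION_MISSING", section))
            continue
        declared = {a.get("name") for a in node.findall("./providers/add")}
        if cms_name not in declared:
            # CMS-set permissions apply only to the provider named in cmsProvidersName.
            findings.append(("CMS_PROVIDER_NOT_DECLARED", section))
        if node.get("defaultProvider") != cms_name:
            # Users of any other provider are handled through the Everyone role.
            findings.append(("DEFAULT_PROVIDER_DIFFERS", section))
    for role in security.findall("./roles/add"):
        permission = role.get("permission")
        if permission == "Unrestricted":
            # Full access regardless of what is stored in the database.
            findings.append(("UNRESTRICTED_ROLE", role.get("name")))
        elif permission == "None":
            # Stated in the thread to have no effect at present.
            findings.append(("NONE_HAS_NO_EFFECT", role.get("name")))
    return findings


if __name__ == "__main__":
    for code, subject in audit_web_config(SAMPLE):
        print(f"{code}: {subject}")
```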
  17. Jason M
    108 posts
    Registered: 15 Jan 2007
    18 May 2008
    Christian/Vlad - I'm using a custom role/member provider and login page.

    I updated the forms authentication section of my web.config to use the default Sitefinity login page (not my custom login page) and this fixed the problem - denies access to the pages for users without role. Everything works fine, however I need to use my custom login page. Does this work for you Christian?

    Is there any documentation for integrating login pages into Sitefinity?

    Hope this helps a bit!
    J
  18. Darren
    72 posts
    Registered: 19 Mar 2008
    18 May 2008
    I created a custom login page which after authenticating the user just wrote out a forms auth cookie like usual which worked for me.
    If you want an example I'll dig it out on Monday.
  19. Georgi
    3583 posts
    Registered: 28 Oct 2016
    20 May 2008
    Hello Jason,

    Is there any documentation for integrating login pages into Sitefinity?
    We don't have such documentation yet, but we will gather the information in this thread, try to give it some structure and include it in the new developers documentation that we are preparing.

    Greetings,
    Georgi
    the Telerik team

  20. Jason M
    108 posts
    Registered: 15 Jan 2007
    20 May 2008
    Darren - An example would be great and save me heaps of time!
  21. Jason M
    108 posts
    Registered: 15 Jan 2007
    21 May 2008

    I’ve just integrated the /Sitefinity/login.aspx.cs page code into my login page. I’ve tested this with several accounts and everything appears to be working properly. If you have any questions or recommendations please let me know!

    Step 1 – Add Sitefinity Imports to your login page code behind page

        #region Sitefinity Imports
        // Also required (usually already present in a code-behind file):
        // System, System.Web, System.Web.Security, System.Web.UI.WebControls
        using Telerik.Security;
        using Telerik.Personalization;
        #endregion

    Step 2 – Add the following to your login page code behind.

    2.1 - Make sure to indicate Telerik.Security before UserManager in your page so the correct UserManager is used.

    2.2 - You’ll also need to add YourCustomSecuritySystem.Security before any UserManager that uses your custom security system.

    2.3 - Finally, make sure to replace this.Login1 with the form ID of your login page.

        #region Sitefinity Login Events
        // Points the Login control at the Sitefinity membership provider and attaches the handlers.
        private void SifinityLogin()
        {
            if (!IsPostBack)
            {
                this.Login1.MembershipProvider = Telerik.Security.UserManager.Default.MembershipProvider.Name;
            }
            this.Login1.LoggedIn += new EventHandler(Login1_LoggedIn);
            this.Login1.Authenticate += new AuthenticateEventHandler(Login1_Authenticate);
        }

        // Validates the submitted credentials through the Sitefinity UserManager.
        void Login1_Authenticate(object sender, AuthenticateEventArgs e)
        {
            e.Authenticated = Telerik.Security.UserManager.Default.ValidateUser(this.Login1.UserName, this.Login1.Password);
        }

        // After login, passes the forms authentication cookie to Sitefinity.
        void Login1_LoggedIn(object sender, EventArgs e)
        {
            HttpCookie cookie = this.Response.Cookies[FormsAuthentication.FormsCookieName];
            Telerik.Security.UserManager.Default.SetAuthenticationCookie(cookie);
        }
        #endregion

    Step 3 – Call the method from Step 2 in the Page_Load

        protected void Page_Load(object sender, EventArgs e)
        {
            // Run Sitefinity Login
            SifinityLogin();
        }

  22. Yasen
    121 posts
    Registered: 18 May 2013
    26 May 2008
    Hi Jason M,

    Thank you for the effort. Setting custom role and membership providers with custom login control turns out to be tricky, that is why I decided to create a working example right after the service pack, using custom role provider and login control.

    Actually, the thing that was probably missing in your login controls was the call to the SetAuthenticationCookie(cookie) method after the logging in is finished. This method adds data in the authentication cookie that is later used by the Sitefinity http module.

    Thank you once again for sharing and sorry for the caused troubles.

    Greetings,
    Yasen
    the Telerik team

  23. Yasen
    121 posts
    Registered: 18 May 2013
    17 Jul 2008
    Hi guys,

    If you still have troubles on this subject, please refer to this KB article.

    Best wishes,
    Yasen
    the Telerik team

  24. Jason M
    108 posts
    Registered: 15 Jan 2007
    17 Jul 2008

    Great news about the KB!  This will save people heaps of time.

    J
