
Programmatically refresh user roles

7 posts, 0 answered
  1. Daniel
    35 posts
    Registered: 15 Jun 2010
    Posted: 10 Nov 2010
    Greetings,

    I have the following scenario:

    A user logs in through a custom login control that I created. Once the authentication is successful, he's taken to a page where he has to create his profile. At this point he's in the role "MembersNoProfile", and once he finishes creating his profile I use the following methods:

    var roleManager = RoleManager.GetManager("MyProvider");
     
    roleManager.Provider.SuppressSecurityChecks = true;
     
    var userManager = UserManager.GetManager("MyProvider");
     
    userManager.Provider.SuppressSecurityChecks = true;
     
    var roleMembers = roleManager.GetRole("Members");
    var roleMembersNoProfile = roleManager.GetRole("MembersNoProfile");
     
    roleManager.AddUserToRole(userManager.GetUser(userId), roleMembers);
    roleManager.RemoveUserFromRole(userId, roleMembersNoProfile);

    This code adds the user to the role "Members" and removes him from the "MembersNoProfile" one. At this point he should be able to access 2 pages that I have created which have a "View Permission" set to the role "Members" only. However, when trying to access the page I'm getting a 404 error, as if the user didn't have permissions.

    Logging out the user and then logging him in again does work, since this time the manager acknowledges he is now in the correct role.

    As such, my belief is that after changing the user roles the manager doesn't really refresh its status and still considers the user not to be in the "Members" role.

    Is there a way to force the manager to refresh the current user roles instead of having to log out and log in the user again?

    Thanks in advance.

    Daniel
  2. Ivan Dimitrov
    16072 posts
    Registered: 09 Dec 2016
    Posted: 11 Nov 2010
    Hi Daniel,

    In your code I do not see where you commit the transaction by calling roleManagerInstance.SaveChanges().
    You can restart the application by using the RestartApplication(bool rest) static method of SystemManager. When you pass true to the parameter this will make a full restart, but this requires that you run the project in a full trust environment.

    All the best,
    Ivan Dimitrov
    the Telerik team
  3. Michael
    4 posts
    Registered: 12 May 2014
    Posted: 13 Nov 2014

    Is there another way to force a refresh of the current user's roles after programmatically updating them? I am working on an SSO implementation using STS and hooking into the LoginCompleted event to update the user's roles based on information from the SSO identity server.

    I got it so that the user's roles do get updated, but they have to do a full logout and log back in cycle before they get "applied." It also appears that during this event the user is not really logged in yet, so I can't try to fire any of the claims manager "refresh" functions.

  4. Ivan Eftimov
    23 posts
    Registered: 20 Jul 2016
    Posted: 18 Nov 2014
    Hello Michael,

    The first problem, that the roles are not updated after they are applied, occurs because RoleManager manages the CRUD operations of the roles, which means managing them in the database. In order for the user to have those roles "applied" for the current request, they need to be inserted as claims when the actual request is authenticated.
    The LoginCompleted event is not the right place to do this, since at that point the user is verified (his credentials are verified) but the request is still not authenticated.
    What you need to do in order to achieve the scenario you want is to inherit SFClaimsAuthenticationManager and override its Authenticate method. In the overridden method you call base.Authenticate and you will get the user principal, which contains all the claims about the current request. There you can manipulate the roles (add/remove) and they will be applied immediately for the current request. Note that you go through this method only once, after the user has been verified and while the request is being authenticated. See an example of how to implement it:

    using Microsoft.IdentityModel.Claims;
    using System;
    using System.Linq;
    using Telerik.Sitefinity.Security;
    using Telerik.Sitefinity.Security.Claims;
    using Telerik.Sitefinity.Security.Configuration;
     
    namespace SitefinityWebApp
    {
        public class CustomSFClaimsAuthenticationManager : SFClaimsAuthenticationManager
        {
            public override Microsoft.IdentityModel.Claims.IClaimsPrincipal Authenticate(string resourceName, Microsoft.IdentityModel.Claims.IClaimsPrincipal incomingPrincipal)
            {
                var principal = base.Authenticate(resourceName, incomingPrincipal);
                
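                // roleId, roleName and roleProvider are not defined in this snippet:
                // supply the id, name and provider name of the role to add.
                // Sitefinity role claim values use the form "roleId;roleName;roleProvider".
                var value = String.Concat(roleId, ";", roleName, ";", roleProvider);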
                string issuer = "http://localhost";
                principal.Identities[0].Claims.Add(new Claim(SitefinityClaimTypes.Role, value, ClaimValueTypes.String, issuer, issuer));
               
                return principal;
            }
        }
    }

    Also, do not forget to register the custom authentication manager in the web.config:

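    <microsoft.identityModel>
        <service>
          <claimsAuthenticationManager type="SitefinityWebApp.CustomSFClaimsAuthenticationManager, SitefinityWebApp" />
          <!-- other existing settings in this section stay unchanged -->
        </service>
    </microsoft.identityModel>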

    I hope this example solves your issue. Feel free to contact us again if any troubles arise.

    Regards,
    Ivan Eftimov
    Telerik
     
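Added example, not part of the original posts and not Telerik's code: the snippet in the post above adds its role claim to every principal that passes through Authenticate and never removes one. This helper (RoleRef and RoleClaimSync are hypothetical names) adds a role claim only when the role store confirms membership and drops claims for roles the user no longer holds, such as "MembersNoProfile" in the first post. The membership lookup is passed in as a delegate and is an assumption about how your project queries the role provider.

```csharp
using System;
using System.Linq;
using Microsoft.IdentityModel.Claims;

// Hypothetical type: one role whose claim this code keeps in step with the role store.
public sealed class RoleRef
{
    public Guid Id;
    public string Name;
    public string Provider;

    // Same "roleId;roleName;roleProvider" value format used in the post above.
    public string ClaimValue
    {
        get { return String.Concat(Id, ";", Name, ";", Provider); }
    }
}

public static class RoleClaimSync
{
    // Call from an overridden Authenticate, after base.Authenticate, with
    // principal.Identities[0] and SitefinityClaimTypes.Role as roleClaimType.
    // isInRole must answer from the role store (the database), not from claims.
    public static void Sync(IClaimsIdentity identity, string roleClaimType, string issuer,
                            RoleRef[] managedRoles, Func<RoleRef, bool> isInRole)
    {
        foreach (var role in managedRoles)
        {
            // Snapshot the matches first so the collection is not modified while enumerating.
            var existing = identity.Claims
                .Where(c => c.ClaimType == roleClaimType && c.Value == role.ClaimValue)
                .ToList();
            bool shouldHave = isInRole(role);

            if (shouldHave && existing.Count == 0)
            {
                // Grant: the store says the user holds the role but the principal lacks the claim.
                identity.Claims.Add(new Claim(roleClaimType, role.ClaimValue,
                                              ClaimValueTypes.String, issuer, issuer));
            }
            else if (!shouldHave)
            {
                // Revoke: remove claims for roles the store no longer assigns to the user.
                foreach (var stale in existing)
                    identity.Claims.Remove(stale);
            }
        }
    }
}
```

Because Authenticate runs once per login, as the post notes, a role removed in the database later in the session stays in the issued claims until the user authenticates again.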
     
  5. cli
    50 posts
    Registered: 21 May 2007
    Posted: 17 Mar 2015 in reply to Ivan Eftimov

    Ivan, your code gave me the results I needed as well.  The only minor issue is on the backend, when checking roles of a user, the new role isn't listed (but I do gain access to pages).  I'm guessing it's using a cached copy.  Again, for my purposes it doesn't matter but someone else might need it.  It would still be nice to know how to clear the role cache for a particular user w/o restarting the whole site.  Thanks

  6. Njabulo
    1 posts
    Registered: 15 Apr 2013
    Posted: 12 Apr
    Any alternatives yet to clear the role cache maybe?
  7. Sabrie Nedzhip
    534 posts
    Registered: 09 Dec 2016
    Posted: 15 Apr
    Hello Njabulo,

    Please check the below KB article for more details on this: 

    http://www.sitefinity.com/developer-network/knowledge-base/details/roles-assigned-to-user-while-logged-in-do-not-take-effect-before-the-user-logs-out-and-logs-in-again


    Regards,
    Sabrie Nedzhip
    Telerik
     