I'm using 2 membership providers on my Umbraco CMS. 1 provider is used for CMS users and the other is to be used for site membership.
I have 2 role providers too - UmbracoRoleProvider & AspNetSqlRoleProvider. How do I access each one in the code? e.g. when a new user registers, I'd like to add a role for them as "member", but it defaults to the Umbraco role provider because that is the default.
I thought I'd be able to do something like this:
Roles.AddUserToRole(EmailAddress.Text, "Member", "AspNetSqlRoleProvider");
Or something similar, but can't find any info on it. Can it be done over a few lines of code, or is it more complex than that?
Thanks
Using multiple role providers is not supported out of the box. You could use the Composite pattern to implement your own role provider that checks both for valid roles and memberships, but I would try to find a way to use a single role provider instead.
Having trouble finding a good lead on this. I have an aspnetcore app with identityserver4 configured to use asp identity with a sql database.
There is a business requirement that all non AD users are stored in this asp identity database.
All AD users are defined on Azure. I can authenticate them with LDAP and receive their data.
The issue comes after authentication. Whenever asp identity tries to call:
var user = await UserManager.FindByNameAsync(userName);
With an AD user, it fails because the user does not exist. This is because it is using EF to query the asp identity database, where those users are not defined.
private DbSet<TUser> UsersSet { get { return Context.Set<TUser>(); } }
I can not store any of the AD information in the asp identity database (business requirement). I am trying to find a way to get the user store to look both at the asp identity tables, as well as Azure (via LDAP).
My current method for getting the AD users when doing initial auth is here:
await GetADUser(queryParams),
It uses LDAP to authenticate and grab the user object.
One additional requirement is that I can not use an external login screen, the login must all be done from the same company facing login UI. AKA no external providers.
As per @mxmissile, abstracting the UserManager out was the correct call. Then you can also abstract out other managers as needed for special functionality. This is in fact the only class in the inheritance layer for this part of the code that is virtual.
There are built in functions that let you register your custom managers:
services.AddIdentity<IdentityUser, IdentityRole>()
    .AddUserManager<ApplicationUserManager<IdentityUser>>()
    .AddSignInManager<ApplicationSignInManager<IdentityUser>>();
Hopefully this is a little help to any others that have a similar question. I ended up just overriding a couple of the functions from the base user manager and just calling the base method for anything that did not need my new logic. By default it looks like ASP Identity does not try to look up users by email - just fyi.
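The override approach described in this answer, as an added example that is not the poster's code. `IDirectoryLookup<TUser>` is a hypothetical wrapper around the LDAP calls the question names `GetADUser`; the constructor parameters are the ones `UserManager<TUser>` itself takes.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;

// Hypothetical wrapper around the LDAP calls the question refers to as GetADUser.
public interface IDirectoryLookup<TUser>
{
    Task<TUser> FindAsync(string userName);                  // null when AD has no such user
    Task<bool> BindAsync(string userName, string password);  // true only after a successful bind
}

public class ApplicationUserManager<TUser> : UserManager<TUser> where TUser : IdentityUser
{
    private readonly IDirectoryLookup<TUser> _directory;

    public ApplicationUserManager(IUserStore<TUser> store, IOptions<IdentityOptions> options,
        IPasswordHasher<TUser> hasher, IEnumerable<IUserValidator<TUser>> userValidators,
        IEnumerable<IPasswordValidator<TUser>> passwordValidators, ILookupNormalizer normalizer,
        IdentityErrorDescriber errors, IServiceProvider services,
        ILogger<UserManager<TUser>> logger, IDirectoryLookup<TUser> directory)
        : base(store, options, hasher, userValidators, passwordValidators,
               normalizer, errors, services, logger)
    {
        _directory = directory;
    }

    // The Identity database is searched first; AD is asked only when it has no match,
    // so a directory entry can never shadow a local account of the same name.
    public override async Task<TUser> FindByNameAsync(string userName)
    {
        return await base.FindByNameAsync(userName) ?? await _directory.FindAsync(userName);
    }

    public override async Task<bool> CheckPasswordAsync(TUser user, string password)
    {
        // An empty password must never reach LDAP: some servers treat a simple bind
        // with no password as an anonymous bind and report success.
        if (user == null || string.IsNullOrEmpty(password)) return false;

        // Local accounts carry a stored hash; directory users were never persisted.
        if (user.PasswordHash != null) return await base.CheckPasswordAsync(user, password);
        return await _directory.BindAsync(user.UserName, password);
    }
}
```

Manager methods that write to the store (lockout counters, security stamp updates) still target the Identity database, so directory-backed users need the same kind of override wherever those are called.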
Is there a preferred way of doing fine grained access that can be modified during runtime?
ASP.net membership doesn't seem to support this. I thought of creating constant invisible subroles so that there would be a set of hidden roles like "_CanEditContent" and "_CanDeleteOthersContent". The check would be [Authorize(Roles = SubRoles.CanEditUser)] which would check that the user is in a role that has _CanEditUser role. The problem there is of how to assign roles to other roles so that when we create a new role like "UserAdmin" how could we assign "_CanEditUser" role to that new role? That seems impossible.
What I need to do is to be able to create roles during runtime and add custom permissions for new or existing roles I would do the checks with something like [Authorize] and custom checks for AJAX methods. How would I achieve this?
Indeed, asp.net membership does not support this. You'll have to roll out your own mechanism with your own authorization attributes, which will use information about user (or role) permissions.
You can use asp.net membership for role management, and then assign permissions to roles whichever way you want, for example, database.
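One way to build the custom authorization attribute this answer describes, for ASP.NET MVC (added example, not the answerer's code). `RolePermissions` and `RequirePermissionAttribute` are hypothetical names, and the in-memory map stands in for the database table that would hold the role-to-permission assignments.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical role -> permission map; an in-memory stand-in for a database table.
public static class RolePermissions
{
    private static readonly ConcurrentDictionary<string, HashSet<string>> Map =
        new ConcurrentDictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase);

    // Runtime change: give a permission to a new or existing role.
    // Copy-on-write, so a concurrent reader never sees a set while it is being modified.
    public static void Grant(string role, string permission)
    {
        Map.AddOrUpdate(role,
            _ => new HashSet<string>(StringComparer.Ordinal) { permission },
            (_, set) => new HashSet<string>(set, StringComparer.Ordinal) { permission });
    }

    // Deny by default: a role with no entry, or an unknown permission, grants nothing.
    public static bool Allows(IEnumerable<string> roles, string permission)
    {
        return roles.Any(r => Map.TryGetValue(r, out var set) && set.Contains(permission));
    }
}

// Usage on a controller or action: [RequirePermission("CanEditUser")]
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true)]
public sealed class RequirePermissionAttribute : AuthorizeAttribute
{
    private readonly string _permission;

    public RequirePermissionAttribute(string permission) { _permission = permission; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var user = httpContext.User;
        if (user == null || !user.Identity.IsAuthenticated) return false;

        // Role membership still comes from the configured role provider;
        // only the role -> permission step is custom.
        return RolePermissions.Allows(Roles.GetRolesForUser(user.Identity.Name), _permission);
    }
}
```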
This is a weird way to state the question, but this is what I'm trying to achieve.
This is what I'm doing:
- Connect to a MySQL Db (complete)
- authenticate (complete)
- select all the roles that I have specified in mySQL (complete)
- store those roles somehow so I can display controls and links based on their role membership.
I just got this figured out to handle the mySQL part in web.config
<system.web>
  <membership defaultProvider="MySQLMembershipProvider" />
  <roleManager enabled="true" defaultProvider="MySQLRoleProvider" />
</system.web>
I'm using this as code
MySqlDataReader dr2 = cmd2.ExecuteReader();
while (dr2.Read())
{
string roleName = dr2["role"].ToString();
//error here -> Roles.AddUserToRole(userID, roleName);
}
Access denied for user ''@'localhost' (using password: NO)
Is Roles.AddUserToRole really what I'm looking for to satisfy my needs? I think I need to store the user roles in the session, don't I? I
Is Roles.AddUserToRole really what I'm looking for to satisfy my needs? I think I need to store the user roles in the session, don't I?
NO! Adding user to roles means the provider will link the user to the role. As you already have the user linked, this is a worthless direction.
store those roles somehow so I can display controls and links based on their role membership
Why do you need to do this? At the page level, you can set up ASP.NET security with trimmings so you can automagically exclude pages from the user's view if they are not in the correct role(s). As far as sections/controls/etc, you can check to see if a user IS in a role and then determine whether or not to display it. If you use sections, a lot of this can be done declaratively rather than programmatically.
The one caveat is what your membership provider supports. The "out of the box" providers (Access and SQL Server) support security trimmings and declarative syntax for exclusions of sections of a page, etc. If the MySQL provider fully implements all of the methods, you should be fine using it, as well. If you create a custom provider, there are certain parts YOU have to implement to get things to work.
The short story is once you grab a membershipUser (authenticate the person), you will have access to whether the person is in role or not. This is all part of the standard implementation of a membership provider in .NET. As long as the provider you are using for MySQL covers all of the same methods, you can do a quick google search and find tons of sites showing how to show/hide bits based on roles.
I'm building a web application that I want users to have specific permissions to perform a specific action. I don't want to use the default permission and role providers in ASP.NET.
I was thinking of having each User associated with a Role. Each Role is mapped to a set of Permissions (CreatePost, ReadPost, UpdatePost, DeletePost and so on).
I have a couple of questions regarding this. Would it be best to have a boolean property for each Permission on the role or some sort of bitfield? I like the idea of having methods for this but probably need to map these to the permissions stored for the role in the database.
Also, how would I implement this for each action/request? I'm thinking something along the lines of what was posted here but I'm not really sure.
Thanks!
Make your own role provider and register it in the web.config. Look at the MSDN for a sample. Once it is registered it will associate the roles you provide with the principal.
I've just done that for one of my project and it works fine.
To check whether the user has permission to execute a task you'll have to see whether the user is in the required role. In "normal" ASP.NET you will have to do this in code. In MVC you can do that with attributes on each class/method in the controller.
Need to implement Application Role Management feature.
Looked at AZMan, I guess it is a bit of an overkill for my application.
Thinking of using XML input that has multiple hierarchy defining Roles. Given that some roles can participate (like Administrator) in all other (sub) roles.
Any recommendation highly appreciated.
If I'm understanding the question correctly, you just need a role implementation that handles hierarchical roles.
One approach might be to implement a custom RoleProvider
If you had your role database set up something like this (could also be a hierarchical XML file):
ID   Role        ParentRoleID
1    Admin       null
2    SubAdmin1   1
3    SubAdmin2   1
You could code your custom role provider such that if a user is explicitly assigned the admin role, they are "behind the scenes" given the admin role plus any sub roles. In this example, for a user explicitly assigned the "Admin" role, the GetRolesForUser method would return "Admin, SubAdmin1, SubAdmin2". In this way a call from your code to Roles.IsUserInRole("SubAdmin2") would return true for a user who was only explicitly assigned the "Admin" role.
HTH
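The role expansion this answer describes, as an added example that is not the answerer's code. `RoleRow` and `RoleHierarchy` are hypothetical names; `Expand` is what a custom provider's `GetRolesForUser` would call with the user's explicitly assigned roles, and `Sample` holds the three rows from the table in the answer.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// One row of the role table (ParentId is null for a top-level role).
public sealed class RoleRow
{
    public int Id;
    public string Name;
    public int? ParentId;
}

public sealed class RoleHierarchy
{
    // The three rows from the answer's table.
    public static readonly RoleRow[] Sample =
    {
        new RoleRow { Id = 1, Name = "Admin",     ParentId = null },
        new RoleRow { Id = 2, Name = "SubAdmin1", ParentId = 1 },
        new RoleRow { Id = 3, Name = "SubAdmin2", ParentId = 1 },
    };

    private readonly Dictionary<string, RoleRow> _byName;
    private readonly ILookup<int?, RoleRow> _children;

    public RoleHierarchy(IEnumerable<RoleRow> rows)
    {
        var list = rows.ToList();
        _byName = list.ToDictionary(r => r.Name, StringComparer.OrdinalIgnoreCase);
        _children = list.ToLookup(r => r.ParentId);
    }

    // Each explicitly assigned role plus every role beneath it. Privilege flows
    // downward only: holding SubAdmin1 never yields Admin.
    public string[] Expand(IEnumerable<string> assignedRoles)
    {
        var seen = new HashSet<int>();   // also stops a cyclic ParentRoleID chain from looping
        var result = new List<string>();
        var pending = new Queue<RoleRow>();
        foreach (var name in assignedRoles)
            if (_byName.TryGetValue(name, out var row)) pending.Enqueue(row); // unknown names grant nothing

        while (pending.Count > 0)
        {
            var role = pending.Dequeue();
            if (!seen.Add(role.Id)) continue;
            result.Add(role.Name);
            foreach (var child in _children[(int?)role.Id]) pending.Enqueue(child);
        }
        return result.ToArray();
    }
}
```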