Programmatically refresh user roles

Posted by Community Admin on 03-Aug-2018 16:44


All Replies

Posted by Community Admin on 10-Nov-2010 00:00

Greetings,


I have the following scenario:

A user logs in through a custom login control that I created. Once the authentication is successful, he's taken to a page where he has to create his profile. At this point he's in the role "MembersNoProfile", and once he finishes creating his profile I use the following methods:

var roleManager = RoleManager.GetManager("MyProvider");
 
roleManager.Provider.SuppressSecurityChecks = true;
 
var userManager = UserManager.GetManager("MyProvider");
 
userManager.Provider.SuppressSecurityChecks = true;
 
var roleMembers = roleManager.GetRole("Members");
var roleMembersNoProfile = roleManager.GetRole("MembersNoProfile");
 
roleManager.AddUserToRole(userManager.GetUser(userId), roleMembers);
roleManager.RemoveUserFromRole(userId, roleMembersNoProfile);

This code adds the user to the role "Members" and removes him from the "MembersNoProfile" one. At this point he should be able to access 2 pages that I have created which have a "View Permission" set to the role "Members" only. However, when trying to access the page I'm getting a 404 error, as if the user didn't have permissions.

Logging out the user and then logging him in again does work, since this time the manager acknowledges he is now in the correct role.

As such, my belief is that after changing the user roles the manager doesn't really refresh its status and it still considers the user not to be in the "Members" role.

Is there a way to force the manager to refresh the current user roles instead of having to log out and log in the user again?

Thanks in advance.

Daniel

Posted by Community Admin on 11-Nov-2010 00:00

Hi Daniel,

In your code I do not see where you commit the transaction by calling roleManagerInstance.SaveChanges().
You can restart the application by using the RestartApplication(bool rest) static method of SystemManager. When you pass true to the parameter, this will make a full restart, but this requires that you run the project under a full trust environment.

All the best,
Ivan Dimitrov
the Telerik team
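
The missing commit pointed out in this reply, shown as an added example that is not part of the original posts or of Telerik's code: it reuses the calls from the question, adds SaveChanges(), and restores SuppressSecurityChecks afterwards so the permission bypass stays limited to this one operation. The class and method names and the Guid type of userId are assumptions; the namespace is the one used later in this thread.

```csharp
using System;
using Telerik.Sitefinity.Security;

// Hypothetical helper class; not part of the Sitefinity API.
public static class ProfileRolePromotion
{
    // Moves a user from "MembersNoProfile" to "Members" and commits the change.
    // Assumption: userId is the Guid that the original snippet passes to GetUser.
    public static void PromoteToMember(Guid userId)
    {
        var roleManager = RoleManager.GetManager("MyProvider");
        var userManager = UserManager.GetManager("MyProvider");

        // Remember the current settings so the bypass does not outlive this call.
        bool roleChecks = roleManager.Provider.SuppressSecurityChecks;
        bool userChecks = userManager.Provider.SuppressSecurityChecks;
        try
        {
            roleManager.Provider.SuppressSecurityChecks = true;
            userManager.Provider.SuppressSecurityChecks = true;

            var user = userManager.GetUser(userId);
            var members = roleManager.GetRole("Members");
            var membersNoProfile = roleManager.GetRole("MembersNoProfile");

            roleManager.AddUserToRole(user, members);
            roleManager.RemoveUserFromRole(userId, membersNoProfile);

            // Without this call the role changes are never written to the database.
            roleManager.SaveChanges();
        }
        finally
        {
            // Restore the permission checks even if one of the calls above throws.
            roleManager.Provider.SuppressSecurityChecks = roleChecks;
            userManager.Provider.SuppressSecurityChecks = userChecks;
        }
    }
}
```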


Posted by Community Admin on 13-Nov-2014 00:00

Is there another way to force a refresh of the current user's roles after programmatically updating them? I am working on a sso implementation using STS and hooking into the LoginCompleted event to update the user's roles based on information from the sso identity server.

I got it so that the user's roles do get updated, but they have to do a full logout and log back in cycle before they get "applied." It also appears that during this event the user is not really logged in yet, so I can't try to fire any of the claims manager "refresh" functions.

Posted by Community Admin on 18-Nov-2014 00:00

Hello Michael,

The first problem, that the roles are not updated after applying them, is because RoleManager manages the CRUD operations of the roles, which means managing them in the database. In order for the user to have those roles "applied" for the current request, they need to be inserted as claims when the actual request is authenticated.
The LoginCompleted event is not the right place to do this, since the user at that point is verified (his credentials are verified) but the request is still not authenticated.
What you need to do in order to achieve the scenario you want is to inherit SFClaimsAuthenticationManager and override its Authenticate method. In the overridden method you call base.Authenticate and you will get the user principal, which contains all the claims about the current request. There you can manipulate the roles (add/remove) and they will be applied immediately for the current request. Note that you go through this method only once, after the user has been verified and while the request is being authenticated. See an example of how to implement it:

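using Microsoft.IdentityModel.Claims;
using System;
using System.Linq;
using Telerik.Sitefinity.Security;
using Telerik.Sitefinity.Security.Claims;
using Telerik.Sitefinity.Security.Configuration;

namespace SitefinityWebApp
{
    public class CustomSFClaimsAuthenticationManager : SFClaimsAuthenticationManager
    {
        public override Microsoft.IdentityModel.Claims.IClaimsPrincipal Authenticate(string resourceName, Microsoft.IdentityModel.Claims.IClaimsPrincipal incomingPrincipal)
        {
            // base.Authenticate returns the principal with the claims for the current request.
            var principal = base.Authenticate(resourceName, incomingPrincipal);

            // Placeholders: the original post does not define these three values.
            string roleId = "<role id>";
            string roleName = "<role name>";
            string roleProvider = "<role provider name>";

            // The role claim value is "roleId;roleName;roleProvider".
            var value = String.Concat(roleId, ";", roleName, ";", roleProvider);
            string issuer = "http://localhost";
            // As written, every principal that passes through Authenticate receives this
            // role claim; add it only for users who actually hold the role.
            principal.Identities[0].Claims.Add(new Claim(SitefinityClaimTypes.Role, value, ClaimValueTypes.String, issuer, issuer));

            return principal;
        }
    }
}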

Also, do not forget to register the custom authentication manager in the web.config:

<microsoft.identityModel>
    <service>
      <claimsAuthenticationManager type="SitefinityWebApp.CustomSFClaimsAuthenticationManager, SitefinityWebApp" />
    </service>
</microsoft.identityModel>

I hope this example solves your issue. Feel free to contact us again if any troubles arise.

Regards,
Ivan Eftimov
Telerik
 
 

Posted by Community Admin on 17-Mar-2015 00:00

Ivan, your code gave me the results I needed as well.  The only minor issue is on the backend, when checking roles of a user, the new role isn't listed (but I do gain access to pages).  I'm guessing it's using a cached copy.  Again, for my purposes it doesn't matter but someone else might need it.  It would still be nice to know how to clear the role cache for a particular user w/o restarting the whole site.  Thanks

Posted by Community Admin on 12-Apr-2016 00:00

Any alternatives yet to clear the role cache maybe?

Posted by Community Admin on 15-Apr-2016 00:00

Hello Njabulo,

Please check the below KB article for more details on this: 

www.sitefinity.com/.../roles-assigned-to-user-while-logged-in-do-not-take-effect-before-the-user-logs-out-and-logs-in-again

Regards,
Sabrie Nedzhip
Telerik

 
 

This thread is closed