Programmatic login not acknowledging all roles user is in.
As part of a paid membership system we have set up, I'm trying to programmatically log a user in once they've purchased a membership product through the standard Sitefinity ecommerce checkout process.
Firstly, when somebody purchases a membership, they are (programmatically) added to a role called "PaidUser" which has been created via the backend. I am then able to programmatically log them in using a call to the SecurityManager.AuthenticateUser method.
The problem is that the programmatic login doesn't seem to acknowledge the fact that the user is in the "PaidUser" role.
Below is a simplified snippet of what I'm trying to achieve:
// Namespaces this snippet relies on (the method itself lives in the page's code-behind class).
using System;
using Telerik.Sitefinity.Security;
using Telerik.Sitefinity.Security.Claims;
using Telerik.Sitefinity.Security.Model;

protected void btnUserLogin_Click(object sender, EventArgs e)
{
    //Try to log "PaidUser" in.
    UserLoggingReason validate = SecurityManager.AuthenticateUser(UserManager.GetDefaultProviderName(), txtUserName.Text, txtPassword.Text, true);
    if (validate == UserLoggingReason.Success)
    {
        UserManager userManager = UserManager.GetManager();

        // Resolve the user from the identity Sitefinity issued, not from the typed user name.
        ClaimsIdentityProxy identity = ClaimsManager.GetCurrentIdentity();
        User user = userManager.GetUser(identity.UserId);

        RoleManager roleManager = RoleManager.GetManager();
        if (roleManager.IsUserInRole(user.Id, Globals.Roles.PaidUser))
        {
            //Permissions have been set on the redirect page below to only allow access to users in the "PaidUser" role.
            //When this User is redirected however, they're greeted with a "This type of page is not served" error.
            Response.Redirect("/member-admin/my-profile");
        }
    }
}
Even though the user is in the PaidUser role, they are denied access to a page that is only visible to users in the PaidUser role.
If I use the built-in Login widget, everything works fine. But using the code above doesn't work.
I am using version 6.1 and testing in Visual Studio 2010. I have read this post and thus have the project configured to use the "Use Local IIS Web server" and "Use IIS Express" settings.
Any help would be appreciated. Thanks.
Anyone?
Hello Gavin,
I have tested this custom login and it works fine:
<%@ Control Language="C#" AutoEventWireup="true" CodeBehind="CustomLogin.ascx.cs" Inherits="SitefinityWebApp.Examples.CustomLogin" %>
<asp:Panel ID="loginWidgetPanel" runat="server" DefaultButton="LoginButton">
    User: <asp:TextBox runat="server" ID="User" />
    Pass: <input type="password" name="Password" value="" runat="server" ID="Pass" /><br />
    <asp:CheckBox Text="Remember me" runat="server" ID="Remember" />
    <br />
    <asp:Button Text="Login" runat="server" ID="LoginButton" OnClick="OnLoginClick_Click" />
</asp:Panel>
using System;
using System.Web.UI;
using Telerik.Sitefinity.Security;
using Telerik.Sitefinity.Security.Claims;
using Telerik.Sitefinity.Security.Model;

namespace SitefinityWebApp.Examples
{
    // Code-behind for CustomLogin.ascx (the Inherits attribute in the markup above).
    public partial class CustomLogin : UserControl
    {
        protected void OnLoginClick_Click(object sender, EventArgs e)
        {
            var userName = this.User.Text;
            var pass = this.Pass.Value;
            var remember = this.Remember.Checked;

            // null provider name = the default membership provider.
            UserLoggingReason validate = SecurityManager.AuthenticateUser(null, userName, pass, remember);
            if (validate == UserLoggingReason.Success)
            {
                UserManager userManager = UserManager.GetManager();
                ClaimsIdentityProxy identity = ClaimsManager.GetCurrentIdentity();
                User user = userManager.GetUser(identity.UserId);

                var userIdentity = ClaimsManager.GetCurrentIdentity();
                bool isAuthenticated = userIdentity.IsAuthenticated;

                RoleManager roleManager = RoleManager.GetManager();
                if (roleManager.IsUserInRole(user.Id, "PaidUser"))
                {
                    //Permissions have been set on the redirect page below to only allow access to users in the "PaidUser" role.
                    //When this User is redirected however, they're greeted with a "This type of page is not served" error.
                    Response.Redirect("/paiduser");
                }
                else
                {
                    // Add the profile just for the test
                    AddUserToRoles(userName, "PaidUser", roleManager, userManager);
                    Response.Redirect("/paiduser");
                }
            }
        }

        public static void AddUserToRoles(string userName, string roleToAdd, RoleManager roleManager, UserManager userManager)
        {
            // Suppress the provider's permission checks only for the duration of this call,
            // and restore them in a finally block so an exception cannot leave them disabled.
            roleManager.Provider.SuppressSecurityChecks = true;
            try
            {
                if (userManager.UserExists(userName))
                {
                    User user = userManager.GetUser(userName);
                    Role role = roleManager.GetRole(roleToAdd);
                    roleManager.AddUserToRole(user, role);
                    roleManager.SaveChanges();
                }
            }
            finally
            {
                roleManager.Provider.SuppressSecurityChecks = false;
            }
        }
    }
}