Roles Problems

Mar 12, 2008 at 6:33 PM
Hi,

1 - I think BE has some bug... or I'm doing something really wrong. When I unselect ALL roles from a user he still has access to the EXTENSIONS tab.
2 - If I take out some permissions for e.g. "Editors" in the tab Blogroll, in the file "web.sitemap", he still has access to this tab.

Anyone have this problem too?
Mar 12, 2008 at 9:59 PM
Edited Mar 13, 2008 at 1:25 PM
I tried to reproduce your problem on a test site at http://be4.balcoding.com/ and was not able to reproduce it. I followed these steps:

1. Logged in as admin.
2. Created a user
3. Logged out.
4. Logged in as the new user (saw nothing)
5. Logged out
6. Logged in as admin.
7. Added all roles to that user
8. Logged Out
9. Logged back in as that user (saw everything)
10. Tried removing my own roles, but the checkbox kept rechecking itself.
11. Logged Out
12. Logged in as admin.
13. Removed roles from the user
14. Logged Out
15. Logged in as that user, and did NOT see any admin stuff.

Maybe the Web.sitemap is not being used? I think if it is not properly referenced there is not any security on the admin pages.

Does your SiteMap declaration in web.config look something like this:

<siteMap defaultProvider="PageSiteMap" enabled="true" >
  <providers>
    <add name="PageSiteMap" description="The site map provider that reads in the .sitemap XML files." type="BlogEngine.Core.Web.Controls.PageSiteMap, BlogEngine.Core"/>
    <add name="SecuritySiteMap" description="Used for authenticated users." type="System.Web.XmlSiteMapProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" securityTrimmingEnabled="true" siteMapFile="Web.sitemap" />
  </providers>
</siteMap>

And is there a file in the same directory called Web.sitemap that looks something like this:

<?xml version="1.0" encoding="utf-8" ?>
<siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0" >
  <siteMapNode url="~/default.aspx" title="Blog Engine" description="" roles="administrators, editors">
    <siteMapNode url="~/admin/Pages/Addentry.aspx" title="addentry" description="" roles="administrators, editors"/>
    <siteMapNode url="~/admin/Pages/Blogroll.aspx" title="blogroll" description="" roles="administrators, editors"/>
    <siteMapNode url="~/admin/Pages/Controls.aspx" title="controls" description="" roles="administrators"/>
    <siteMapNode url="~/admin/Pages/Categories.aspx" title="categories" description="" roles="administrators, editors"/>
    <siteMapNode url="~/admin/Pages/Pages.aspx" title="pages" description="" roles="administrators, editors"/>
    <siteMapNode url="~/admin/Pages/PingServices.aspx" title="PingServices" description="" roles="administrators"/>
    <siteMapNode url="~/admin/Pages/referrers.aspx" title="referrers" description="" roles="administrators, editors"/>
    <siteMapNode url="~/admin/Pages/Settings.aspx" title="settings" description="" roles="administrators"/>
    <siteMapNode url="~/admin/Pages/Profiles.aspx" title="profiles" description="" roles="administrators, editors"/>
    <siteMapNode url="~/admin/Pages/Users.aspx" title="users" description="" roles="administrators"/>
    <siteMapNode url="~/admin/Extension Manager/Default.aspx" title="Extensions" description="" roles="administrators"/>
  </siteMapNode>
</siteMap>

Edit: Posted the sitemap for when BlogEngine is running in the ~/blog/ subdirectory. Updated it to be a sitemap for when BlogEngine is in the root directory of the application.
Mar 13, 2008 at 10:28 AM
Hi, I discovered the same effect too - last night. Regardless of the user's role, the SiteMapProvider was returning the "Extensions" node every time.

I worked around it (for now) with the code below :

private void BindMenu()
{
    foreach (SiteMapNode adminNode in SiteMap.Providers["SecuritySiteMap"].RootNode.ChildNodes)
    {
        if (adminNode.IsAccessibleToUser(HttpContext.Current))
        {
            //START : WORKAROUND
            // IsAccessibleToUser was returning true for every node, so re-check
            // the node's own roles attribute against the current user.
            if (!IsUserInRole(adminNode))
                continue;
            //END : WORKAROUND

            // Outside /admin/, hide the links whose URL contains "xmanager" or "PingServices".
            if (!Request.RawUrl.ToUpperInvariant().Contains("/ADMIN/") && (adminNode.Url.Contains("xmanager") || adminNode.Url.Contains("PingServices")))
                continue;

            HtmlAnchor a = new HtmlAnchor();
            a.HRef = adminNode.Url;

            a.InnerHtml = "<span>" + Translate(adminNode.Title) + "</span>";//"<span>" + Translate(info.Name.Replace(".aspx", string.Empty)) + "</span>";
            if (Request.RawUrl.EndsWith(adminNode.Url, StringComparison.OrdinalIgnoreCase))
                a.Attributes["class"] = "current";
            HtmlGenericControl li = new HtmlGenericControl("li");
            li.Controls.Add(a);
            ulMenu.Controls.Add(li);
        }
    }

    if (!Request.RawUrl.ToUpperInvariant().Contains("/ADMIN/"))
        AddItem(Resources.labels.changePassword, Utils.RelativeWebRoot + "login.aspx");
}

// True if the current user is in at least one of the roles listed on the sitemap node.
public bool IsUserInRole(SiteMapNode node)
{
    for (int i = 0; i < node.Roles.Count; i++)
    {
        if (HttpContext.Current.User.IsInRole(node.Roles[i].ToString()))
            return true;
    }
    return false;
}
Mar 13, 2008 at 11:56 AM
I think this is a caching problem, try deleting your browser cache.
Mar 13, 2008 at 12:12 PM
BrianLakstins, YES, I have those files. I just downloaded the files and tried it on local and remote websites, still with the same problem.

markqjones, in what file do you put that code?
Mar 13, 2008 at 12:34 PM
That is ../Blogengine.NET/admin/menu.ascx.cs
Mar 13, 2008 at 1:03 PM
Yeah, I tried that and also changed the roles provider to not persist the roles in a cookie. It always "appears" to bring back nodes that users don't have the rights to see. I tried with a few users. My solution isn't a solution at all really, as the user can still navigate to the page if they know the URL.

jtentor wrote:
I think this is a caching problem, try deleting your browser cache.

Mar 13, 2008 at 1:47 PM

azevedo wrote:
BrianLakstins, YES, I have those files. I just downloaded the files and tried it on local and remote websites, still with the same problem.


Are you installing it in any special way? The test site http://be4.balcoding.com/ I reference above is pretty much the standard install. Can you cause the same problem on it?
Mar 13, 2008 at 2:26 PM
Well, the only difference I have is that I use the SQLDataProvider, not the XMLDataProvider. This may be something or nothing, but that's really the only difference I know of.

I also tried to do the same on your install and didn't get the same result... Weird - let me know if I can be of any more help!

cheers
Mark


BrianLakstins wrote:

azevedo wrote:
BrianLakstins, YES, I have those files. I just downloaded the files and tried it on local and remote websites, still with the same problem.


Are you installing it in any special way? The test site http://be4.balcoding.com/ I reference above is pretty much the standard install. Can you cause the same problem on it?

Mar 13, 2008 at 3:58 PM
Edited Mar 13, 2008 at 4:00 PM
Hi Brian, I tried it on your site and it's working well. No issues there. I just installed it on another remote server and still have the problem.

Can you please check whether you get the same error there? It is at:

http://www.jgobras.com/blog/

note: I put this one in a directory, but on the other server I installed it in the root.

I just downloaded the software, copied it to the server and that is it... nothing special...

Thanks.



BrianLakstins wrote:

azevedo wrote:
BrianLakstins, YES, I have those files. I just downloaded the files and tried it on local and remote websites, still with the same problem.


Are you installing it in any special way? The test site http://be4.balcoding.com/ I reference above is pretty much the standard install. Can you cause the same problem on it?

Mar 13, 2008 at 6:51 PM
I tried it and I saw how it did not work.

I checked the 1.3.0.0 code against what I am running, and found this in a web.config file in the admin/Extension Manager directory. It seems to be missing from the 1.3.0.0 code. Put it in a file called web.config and stick it in the admin/Extension Manager directory and it should protect the Extensions admin page.

<?xml version="1.0"?>
<configuration>
  <location path="default.aspx">
    <system.web>
      <authorization>
        <allow roles="administrators"/>
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
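The thread makes two points worth checking mechanically: security trimming on the SecuritySiteMap provider only decides which links the admin menu shows (markqjones's workaround above is menu-only, and he notes the user can still type the URL), and the request itself is only refused by an <authorization> block in web.config, which is what Brian's file adds for the Extension Manager directory. The script below is an added example and not BlogEngine.NET code: it reads a Web.sitemap and the web.config of each admin directory and reports sitemap nodes whose page has no enforced rule, no catch-all deny, or a wider set of allowed roles than the sitemap claims. The sample sitemap is a constructed subset of the one posted above, the ~/admin/Pages web.config is constructed for the example (it is not the file BlogEngine ships), and rules from parent directories are not merged in, which is a simplification of how ASP.NET evaluates authorization.

```python
"""Audit a Web.sitemap against the web.config <authorization> rules that
actually enforce access. Added example, not BlogEngine.NET code: security
trimming only hides menu links, web.config rules decide the request."""
import posixpath
import xml.etree.ElementTree as ET

SITEMAP_NS = "{http://schemas.microsoft.com/AspNet/SiteMap-File-1.0}"


def sitemap_nodes(sitemap_xml):
    """Yield (url, roles) for every siteMapNode that carries a roles attribute."""
    root = ET.fromstring(sitemap_xml.strip())
    for node in root.iter(SITEMAP_NS + "siteMapNode"):
        url, roles = node.get("url"), node.get("roles")
        if url and roles:
            yield url, {r.strip().lower() for r in roles.split(",") if r.strip()}


def authorization_rules(config_xml):
    """Return {"*" or "page.aspx": [(allow|deny, roles|users, {values})]}.

    "*" holds the directory-wide rules under <system.web>; a page key holds the
    rules under <location path="page.aspx">. Order is kept because ASP.NET
    applies the first matching rule and allows when nothing matches.
    """
    rules = {}
    if not config_xml:  # directory has no web.config at all
        return rules
    root = ET.fromstring(config_xml.strip())
    scopes = [("*", root.find("system.web/authorization"))]
    for loc in root.findall("location"):
        scopes.append((loc.get("path", "").lower(), loc.find("system.web/authorization")))
    for key, auth in scopes:
        for rule in [] if auth is None else auth:
            if rule.tag not in ("allow", "deny"):
                continue
            kind = "roles" if rule.get("roles") is not None else "users"
            values = {v.strip().lower() for v in rule.get(kind, "").split(",") if v.strip()}
            rules.setdefault(key, []).append((rule.tag, kind, values))
    return rules


def audit(sitemap_xml, configs):
    """configs maps a virtual directory ("~/admin/Pages") to that directory's
    web.config text, or None when it has none. Returns [(url, roles, problem)].
    Assumption: parent-directory configs are not merged in."""
    findings = []
    for url, roles in sitemap_nodes(sitemap_xml):
        vdir, page = posixpath.split(url)
        by_scope = authorization_rules(configs.get(vdir))
        # <location> rules are evaluated before the directory-wide ones.
        effective = by_scope.get(page.lower(), []) + by_scope.get("*", [])
        if not effective:
            findings.append((url, sorted(roles), "no <authorization> rule covers this page"))
            continue
        allowed, catch_all_deny = set(), False
        for action, kind, values in effective:
            if action == "deny" and kind == "users" and "*" in values:
                catch_all_deny = True
                break  # rules after a deny-all are unreachable
            if action == "allow" and kind == "roles":
                allowed |= values
        if not catch_all_deny:  # deny users="?" only blocks anonymous callers
            findings.append((url, sorted(roles), 'no catch-all <deny users="*"/>'))
        elif allowed - roles:
            extra = ", ".join(sorted(allowed - roles))
            findings.append((url, sorted(roles), "web.config also allows roles: " + extra))
    return findings


# Constructed inputs: a subset of the sitemap from the thread, a made-up
# directory-wide web.config for ~/admin/Pages, and the Extension Manager
# web.config from Brian's post.
SITEMAP = """
<siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0">
  <siteMapNode url="~/default.aspx" title="Blog Engine">
    <siteMapNode url="~/admin/Pages/Blogroll.aspx" title="blogroll" roles="administrators, editors"/>
    <siteMapNode url="~/admin/Pages/Controls.aspx" title="controls" roles="administrators"/>
    <siteMapNode url="~/admin/Extension Manager/Default.aspx" title="Extensions" roles="administrators"/>
  </siteMapNode>
</siteMap>"""
PAGES_CONFIG = """
<configuration><system.web><authorization>
  <allow roles="administrators, editors"/>
  <deny users="*"/>
</authorization></system.web></configuration>"""
EXTENSION_MANAGER_CONFIG = """
<configuration><location path="default.aspx"><system.web><authorization>
  <allow roles="administrators"/>
  <deny users="*"/>
</authorization></system.web></location></configuration>"""
AS_REPORTED = {"~/admin/Pages": PAGES_CONFIG, "~/admin/Extension Manager": None}
AFTER_FIX = {"~/admin/Pages": PAGES_CONFIG, "~/admin/Extension Manager": EXTENSION_MANAGER_CONFIG}

if __name__ == "__main__":
    for label, configs in (("as reported", AS_REPORTED), ("after fix", AFTER_FIX)):
        print(label)
        for url, roles, problem in audit(SITEMAP, configs):
            print(f"  {url} (sitemap roles: {', '.join(roles)}): {problem}")
```

With the Extension Manager directory lacking a web.config, the audit reports Default.aspx as covered by no rule, which is the symptom in the first post. After Brian's file is added only Controls.aspx remains: its sitemap entry names administrators only while the constructed directory rule also admits editors, which is the second symptom in the first post (removing a role from Web.sitemap changes the menu, not the access check). The fix for that case is a <location> rule for the page, as in Brian's file, not an edit to the sitemap.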
Mar 14, 2008 at 10:23 PM
Nice, Brian... it works. Thanks a lot.

BrianLakstins wrote:
I tried it and I saw how it did not work.

I checked the 1.3.0.0 code against what I am running, and found this in a web.config file in the admin/Extension Manager directory. It seems to be missing from the 1.3.0.0 code. Put it in a file called web.config and stick it in the admin/Extension Manager directory and it should protect the Extensions admin page.

<?xml version="1.0"?>
<configuration>
  <location path="default.aspx">
    <system.web>
      <authorization>
        <allow roles="administrators"/>
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>