Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • Bo Jacobsen 606 posts 2404 karma points
    Apr 17, 2024 @ 07:50
    Bo Jacobsen
    0

    Does public access use MemberManager?

    Hi all.

    Using Umbraco 13. We have created a custom MemberManager for our solution like:

    IUmbracoBuilder.SetMemberManager<CustomMemberManager>();
    

    And we are using it like described here https://docs.umbraco.com/umbraco-cms/reference/querying/imembermanager

    The issue we are having is that we would like to do an extra validation on assigned member type on pages that uses the public access.

    But it does not seems like that the public access is using the MemberManager because our CustomMemberManager does not get hit when we try to debug it while trying to access a page with a member group assigned to it in the public access.

    So the question is, does the public access not use the MemberManager and how would we hook into or override the validation method for it?

  • Marc Goodson 2155 posts 14408 karma points MVP 9x c-trib
    Apr 17, 2024 @ 21:54
    Marc Goodson
    1

    Hi Bo

    It looks like it is the IPublicAccessChecker that is responsible for the checking.

    https://github.com/umbraco/Umbraco-CMS/blob/cc39d36ff55d5be2e3a3bdbaf38f3126a00003d3/src/Umbraco.Web.Common/Security/PublicAccessChecker.cs#L34

    But it does appear it's getting the current registered IMember manager in order to get the current username and current user roles in order to do the has access check...

    ...so I'm not sure why your custom implementation isn't being hit :-(

    I wonder if you can replace IPublicAccessChecker?

    Regards

    Marc

  • Bo Jacobsen 606 posts 2404 karma points
    Apr 18, 2024 @ 07:15
    Bo Jacobsen
    0

    Hi Marc.

    Thanks for your feedback.

    It does hit our CustomMemberManager with GetUserAsync and GetRolesAsync.

    But from your link it looks like it uses the IPublicAccessService with !_publicAccessService.HasAccess(publishedContentId, _contentService, username!, userRoles) to determin if the member has access.

    The method used is an extension here https://github.com/umbraco/Umbraco-CMS/blob/cc39d36ff55d5be2e3a3bdbaf38f3126a00003d3/src/Umbraco.Core/Services/PublicAccessServiceExtensions.cs#L49

    And it seems like it checks the PublicAccessEntry like:

    entry.Rules.Any(x =>
                (x.RuleType == Constants.Conventions.PublicAccess.MemberUsernameRuleType &&
                 username.Equals(x.RuleValue, StringComparison.OrdinalIgnoreCase))
                || (x.RuleType == Constants.Conventions.PublicAccess.MemberRoleRuleType && roles.Contains(x.RuleValue)));
    

    It would have been so great if it instead took the roles and then used the MemberManager.IsMemberAuthorizedAsync(allowGroups: roles) if the ruletype is MemberRoleRuleType.

    So we might wanna override the default controllers instead and add a IAuthorizationFilter with our custom memberType check.

  • Bo Jacobsen 606 posts 2404 karma points
    Apr 18, 2024 @ 13:53
    Bo Jacobsen
    100

    To answer my own question if the public access uses the MemberManager?

    The answer is yes, but it does not use it like I thought it would.

    Public Access uses the MemberManager's GetUserAsync and GetRolesAsync.

    Public Access do not use the MemberManager's MemberHasAccessAsync or IsMemberAuthorizedAsync.

Please Sign in or register to post replies

Write your reply to:

Draft