  • Connie DeCinko 931 posts 1160 karma points
    Oct 04, 2013 @ 23:43
    Connie DeCinko
    0

    Role Based Protection Issue

    I recently configured Umbraco to use Active Directory to log in visitors to my Intranet. I created a couple groups in AD and assigned myself to both. Umbraco automatically creates me as a Member. I set Public access/Role based protection on a page selecting just one of the groups/roles. All good. Now, I remove myself from that group in AD. Go back to the page, and even though I should no longer have access to it, I do. I resave the roles, same thing. Republish the page, same thing.

    It seems that once I've been given permissions to view a page, I can view it forever? That won't fly. If we need to take permission to a page away from a staff member, we need any change in AD to be immediate. It kinda is, as I see the group is now in the left pane and not the right when I view the Member in Umbraco.

    Is the permission being cached? How do I revoke it?

  • Kevin Jump 2343 posts 14890 karma points MVP 8x c-trib
    Oct 05, 2013 @ 00:00
    Kevin Jump
    0

    It might not be an Umbraco thing; permissions are cached against your token, so once you've logged on, the client and server are only passing tokens around that represent the groups you were in at logon time.

    Also, if you have multiple domain controllers, replication can have a slight delay, so removing from one can sometimes take a few minutes to appear on the other.

    In Umbraco terms, at logon to the site your token will be created and it will last for the lifetime of your session, so you need to log off or expire the session for the token to be rebuilt with the groups in it.

    AD is a complex beast, but I would check the above first.

  • Connie DeCinko 931 posts 1160 karma points
    Oct 05, 2013 @ 00:17
    Connie DeCinko
    0

    Is there any way to immediately kill the session? Say for an employee fired on the spot? Seems like once they get the token there's no way to take it away.

  • Kevin Jump 2343 posts 14890 karma points MVP 8x c-trib
    Oct 05, 2013 @ 00:20
    Kevin Jump
    0

    If that happened you would disable their account and they wouldn't be able to get on to anything - that would be immediate across your domain for everything :)

    Tokens only last for the session timeout (usually about 20 mins by default?)

    I'm not aware of anything to kill other people's sessions other than bouncing the server, but I'm guessing something might exist.
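
Added example, not part of any post in this thread and not Umbraco or ASP.NET code: a small Python model of the behaviour discussed above, where group membership is snapshotted into the session at logon, alongside two mitigations (a periodic re-check against the directory, and dropping one user's sessions without restarting the server). `SessionStore`, `recheck_after`, `revoke_user` and the sample directory are hypothetical names and constructed data; the 20-minute idle timeout mirrors the figure mentioned in the thread.

```python
import time

# Constructed stand-in for the directory (AD); not a real directory API.
DIRECTORY = {"connie": {"enabled": True, "groups": {"Staff", "HR"}}}

class SessionStore:
    """Server-side sessions that hold a snapshot of the member's groups."""

    def __init__(self, directory, idle_timeout=20 * 60, recheck_after=None, clock=time.time):
        self.directory = directory
        self.idle_timeout = idle_timeout    # seconds of inactivity before a session dies
        self.recheck_after = recheck_after  # None = trust the logon-time snapshot all session
        self.clock = clock                  # injectable so behaviour can be tested
        self.sessions = {}                  # session id -> session record

    def logon(self, sid, user):
        entry = self.directory.get(user)
        if not entry or not entry["enabled"]:
            return False
        now = self.clock()
        # Copy the groups: this snapshot is what goes stale after a directory change.
        self.sessions[sid] = {"user": user, "groups": set(entry["groups"]),
                              "checked": now, "seen": now}
        return True

    def revoke_user(self, user):
        """Drop every session belonging to one user; returns how many were removed."""
        stale = [sid for sid, s in self.sessions.items() if s["user"] == user]
        for sid in stale:
            del self.sessions[sid]
        return len(stale)

    def can_view(self, sid, required_group):
        s = self.sessions.get(sid)
        now = self.clock()
        if s is None or now - s["seen"] > self.idle_timeout:
            self.sessions.pop(sid, None)    # unknown or idle-expired session
            return False
        s["seen"] = now
        if self.recheck_after is not None and now - s["checked"] >= self.recheck_after:
            entry = self.directory.get(s["user"])
            if not entry or not entry["enabled"]:
                del self.sessions[sid]      # disabled or deleted account: end the session
                return False
            s["groups"], s["checked"] = set(entry["groups"]), now
        return required_group in s["groups"]
```

With `recheck_after=None` a group removal is only seen at the next logon; a short `recheck_after` bounds how long a removed role stays usable, and `revoke_user` covers the case where waiting is not acceptable.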

  • Mohammad Alshibli 1 post 21 karma points
    Jan 08, 2014 @ 21:15
    Mohammad Alshibli
    0

    Dear All,

    I am trying to install the ACS Extension for Role Based Protection; every time I do, the following error occurs.
