Sign in Register
Go to solution
Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • Bo Jacobsen 597 posts 2395 karma points
    14 days ago
    Bo Jacobsen
    0

    Does public access use MemberManager?

    Using Umbraco And Getting Started
    Umbraco 9

    Hi all.

    Using Umbraco 13. We have created a custom MemberManager for our solution like:

    IUmbracoBuilder.SetMemberManager<CustomMemberManager>();

    And we are using it like described here https://docs.umbraco.com/umbraco-cms/reference/querying/imembermanager

    The issue we are having is that we would like to do an extra validation on assigned member type on pages that uses the public access.

    But it does not seems like that the public access is using the MemberManager because our CustomMemberManager does not get hit when we try to debug it while trying to access a page with a member group assigned to it in the public access.

    So the question is, does the public access not use the MemberManager and how would we hook into or override the validation method for it?

    Copy Link
  • Marc Goodson 2141 posts 14344 karma points MVP 8x c-trib
    1 week ago
    Marc Goodson
    1

    Hi Bo

    It looks like it is the IPublicAccessChecker that is responsible for the checking.

    https://github.com/umbraco/Umbraco-CMS/blob/cc39d36ff55d5be2e3a3bdbaf38f3126a00003d3/src/Umbraco.Web.Common/Security/PublicAccessChecker.cs#L34

    But it does appear it's getting the current registered IMember manager in order to get the current username and current user roles in order to do the has access check...

    ...so I'm not sure why your custom implementation isn't being hit :-(

    I wonder if you can replace IPublicAccessChecker?

    Regards

    Marc

    Copy Link
  • Bo Jacobsen 597 posts 2395 karma points
    1 week ago
    Bo Jacobsen
    0

    Hi Marc.

    Thanks for your feedback.

    It does hit our CustomMemberManager with GetUserAsync and GetRolesAsync.

    But from your link it looks like it uses the IPublicAccessService with !_publicAccessService.HasAccess(publishedContentId, _contentService, username!, userRoles) to determin if the member has access.

    The method used is an extension here https://github.com/umbraco/Umbraco-CMS/blob/cc39d36ff55d5be2e3a3bdbaf38f3126a00003d3/src/Umbraco.Core/Services/PublicAccessServiceExtensions.cs#L49

    And it seems like it checks the PublicAccessEntry like:

    entry.Rules.Any(x =>
            (x.RuleType == Constants.Conventions.PublicAccess.MemberUsernameRuleType &&
             username.Equals(x.RuleValue, StringComparison.OrdinalIgnoreCase))
            || (x.RuleType == Constants.Conventions.PublicAccess.MemberRoleRuleType && roles.Contains(x.RuleValue)));

    It would have been so great if it instead took the roles and then used the MemberManager.IsMemberAuthorizedAsync(allowGroups: roles) if the ruletype is MemberRoleRuleType.

    So we might wanna override the default controllers instead and add a IAuthorizationFilter with our custom memberType check.

    Copy Link
  • Bo Jacobsen 597 posts 2395 karma points
    1 week ago
    Bo Jacobsen
    100

    To answer my own question if the public access uses the MemberManager?

    The answer is yes, but it does not use it like I thought it would.

    Public Access uses the MemberManager's GetUserAsync and GetRolesAsync.

    Public Access do not use the MemberManager's MemberHasAccessAsync or IsMemberAuthorizedAsync.

    Copy Link
Please Sign in or register to post replies

Write your reply to:

Draft