API Questions on Kentico API.
Version 6.x > API > Updating existing user's roles in custom security handler
Andy - 11/29/2011 7:59:01 AM
   
Updating existing user's roles in custom security handler
Hi - I see when you log a new external user in using OnAuthentication that the docs say do this to add a role:
// Initialize a hash table mapping roles to sites for the user
Hashtable rolesTable = new Hashtable();

// Get the code name of the current site
string siteName = CMSContext.CurrentSite.SiteName;

// Assign the user to the current site
usr.SitesRoles[siteName.ToLower()] = rolesTable;

// Add new role "external role" to the hash table to assign it to the user
rolesTable["external role"] = 0;


But if the user already exists, this code (along with the rest of the UserInfo creation code before it in the sample) replaces all the roles a user has. E.g. if the user has been in Kentico for a month and is an external user in "external role", but has also been manually added to "CMS Editors", then the code above replaces his 2 roles with just "external role".

So I tried to see if the user exists and just add the role I want like this... but it does nothing.
usr = UserInfoProvider.GetFullUserInfo(osaUser.Email);
if (usr != null) {
    if (!usr.IsInSite(siteName))
        UserInfoProvider.AddUserToSite(usr.UserName, siteName);
    if (!usr.IsInRole(role, siteName))
        UserInfoProvider.AddUserToRole(usr.UserName, role, siteName);
}


I even tried throwing in a UserInfoProvider.SetUserInfo(usr); but still nothing.

Does OnAuthentication allow updates, or is the whole external user solution based around rebuilding roles from an external system every time?
Thanks

kentico_michal - 11/30/2011 3:25:08 AM
   
RE:Updating existing user's roles in custom security handler
Hello,

By default, Kentico CMS updates the user's roles and sites after the OnAuthentication handler. So, even if you change the user's roles in the OnAuthenticate event, these changes are overridden by Kentico CMS afterwards.

You need to add the following line of code to the CMSSessionStart method in the ~\App_Code\Application\CMSAppBase.cs file and set the UserInfoProvider.ImportExternalRoles property to false in order to achieve what you need (user roles (groups) from AD will not be imported or updated at all when a user is accessing your web site):

// If authentication mode is Windows, set user UI culture
if (RequestHelper.IsWindowsAuthentication() && UserInfoProvider.IsAuthenticated())
{
    // this line needs to be added
    CMS.SiteProvider.UserInfoProvider.ImportExternalRoles = false;

    UserInfo currentUser = CMSContext.CurrentUser;
    if (!currentUser.IsPublic())
    {
        UserInfoProvider.SetPreferredCultures(currentUser);
    }
}

Best regards,
Michal Legen

Andy - 12/6/2011 7:59:36 AM
   
RE:Updating existing user's roles in custom security handler
Thanks Michal. I will give this a try, but I am using forms authentication, so I am not sure that a line of code in the condition if (RequestHelper.IsWindowsAuthentication() ..... is going to affect anything that I am doing. Perhaps I need to add the line outside the condition, like:
// If authentication mode is Windows, set user UI culture
if (RequestHelper.IsWindowsAuthentication() && UserInfoProvider.IsAuthenticated())
{
    UserInfo currentUser = CMSContext.CurrentUser;
    if (!currentUser.IsPublic())
    {
        UserInfoProvider.SetPreferredCultures(currentUser);
    }
}
// this line needs to be added
CMS.SiteProvider.UserInfoProvider.ImportExternalRoles = false;

kentico_michal - 12/9/2011 2:04:04 AM
   
RE:Updating existing user's roles in custom security handler
Hello,

I am sorry. Of course, if you are using forms authentication you need to add the code after the condition.

In general, you need to assign a user to all roles in your custom authentication. This is because, by default, the UserInfoProvider.ImportExternalRoles property is set to true and Kentico CMS refreshes all roles.

On the other hand, if the UserInfoProvider.ImportExternalRoles is set to false, the roles are not refreshed. As a result, you should be able to execute the UserInfoProvider.AddUserToRole method and assign the user to any role in the OnAuthentication handler without Kentico CMS overriding it.

Best regards,
Michal Legen
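
The thread leaves two options: a full role refresh, which drops manually assigned roles, or no refresh, where roles are only ever added. As an added example that is not part of the original posts or Kentico's own code, this self-contained C# goes beyond the thread and computes a middle ground: keep manually assigned roles, add roles the external system asserts, and drop externally managed roles it no longer asserts. `RoleReconciler`, `Reconcile` and the `managed` list are hypothetical names, and no Kentico API is used.

```csharp
using System;
using System.Collections.Generic;

// Added example; hypothetical helper, not Kentico API.
public static class RoleReconciler
{
    // current:  roles the user holds on the site now
    // asserted: roles the external system grants at this login
    // managed:  role names owned by the external system
    //           (assumption: the site maintains such a list)
    public static HashSet<string> Reconcile(
        IEnumerable<string> current,
        IEnumerable<string> asserted,
        IEnumerable<string> managed)
    {
        var cmp = StringComparer.OrdinalIgnoreCase;
        var managedSet = new HashSet<string>(managed, cmp);
        var assertedSet = new HashSet<string>(asserted, cmp);
        var result = new HashSet<string>(cmp);

        foreach (string role in current)
        {
            // Keep locally assigned roles; keep managed roles only while still asserted.
            if (!managedSet.Contains(role) || assertedSet.Contains(role))
                result.Add(role);
        }
        foreach (string role in assertedSet)
        {
            // Grant only asserted roles that the external system is allowed to manage.
            if (managedSet.Contains(role))
                result.Add(role);
        }
        return result;
    }

    public static void Main()
    {
        // Constructed sample data: the user was manually added to "CMS Editors" and
        // still holds "external admin", which the external system no longer asserts.
        var managed = new[] { "external role", "external admin" };
        var current = new[] { "CMS Editors", "external admin" };
        var asserted = new[] { "external role" };

        HashSet<string> roles = Reconcile(current, asserted, managed);
        Console.WriteLine(string.Join(", ", roles));
    }
}
```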