Module Security

Topics: Writing modules
Apr 14, 2011 at 11:49 PM

I created a new Module for the application that I'm going to integrate into Orchard. I would like certain areas of the application only available to the Administrator role. These won't be pages in the Admin area, they will be regular Views in the application. Is there a way for me to specify a security role in my controller that uses the Orchard roles? In a typical application with ASP.NET authentication, I would use

[Authorize(Roles = "Administrator")]

at the top of my controller for the Views that I wanted only available to Admins. Is there a way to do this with Orchard?

Thanks for the help!

Coordinator
Apr 14, 2011 at 11:51 PM

You would actually check for permissions rather than roles. There are lots of examples of that in existing modules.

Apr 15, 2011 at 12:29 AM

Gotcha...that was actually pretty simple once I delved into the Comments module to see what it was doing.

Just to verify if I went about this the right way, I added a Permissions.cs file to my project and specified a ManageApp setting. I then went to the Roles area in Orchard Admin and saw my module listed...Administrator already has effective permissions and other roles don't, so I left that alone as I only want the Administrator to have access. In my Controller, I added this to the ActionResult so it just redirects to the home page with the error message.

if (!Services.Authorizer.Authorize(Permissions.ManageApp, T("You are not authorized")))
    return this.RedirectLocal("~/");

Seems like it works as it should. Thanks again!
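
The Permissions.cs file described in the post above is never shown in the thread. As an added example (not the poster's code), a minimal Orchard 1.x permission provider defining ManageApp could look like the following. The namespace is taken from the controller posted later in the thread; the description string and the explicit Administrator stereotype are assumptions.

```csharp
using System.Collections.Generic;
using Orchard.Environment.Extensions.Models;
using Orchard.Security.Permissions;

namespace MyRealityPicks
{
    // Orchard discovers IPermissionProvider implementations automatically
    // and lists their permissions on the role editing screen in the admin.
    public class Permissions : IPermissionProvider
    {
        // The permission checked by Services.Authorizer.Authorize(...).
        // Description text is an assumption for this example.
        public static readonly Permission ManageApp = new Permission
        {
            Name = "ManageApp",
            Description = "Manage the application"
        };

        // Set by Orchard to the feature that owns these permissions.
        public virtual Feature Feature { get; set; }

        public IEnumerable<Permission> GetPermissions()
        {
            return new[] { ManageApp };
        }

        // Default grants applied when the feature is enabled. Only the
        // Administrator role receives ManageApp, so every other role
        // (including Anonymous and Authenticated) is denied by default.
        public IEnumerable<PermissionStereotype> GetDefaultStereotypes()
        {
            return new[]
            {
                new PermissionStereotype
                {
                    Name = "Administrator",
                    Permissions = new[] { ManageApp }
                }
            };
        }
    }
}
```

Because the check is against a permission rather than a role name, access can later be granted to another role from the Roles screen without changing the controller.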

Coordinator
Apr 15, 2011 at 12:34 AM

Rather than redirect, you should return an HttpUnauthorizedResult.

Apr 15, 2011 at 6:07 PM
Edited Apr 15, 2011 at 6:22 PM

Thank you...I have changed that code. This did create an issue though: it's now attempting to redirect me to the Login page, however, the URL it's redirecting to is incorrect. It's trying to send me to /Account/Login, but the actual Login page is located at /Users/Account/Logon. Is there someplace this is being set that I can change it so that it's correct?

I'm wondering if that change is a result of the Open Auth 0.4.0 module perhaps? I disabled the Module, but it didn't change anything.

Apr 15, 2011 at 6:55 PM

Hmm, I get redirected to /Users/Account/AccessDenied?ReturnUrl=%2fAdmin%2fUsers%2fEdit%2f2 when I try something like that.

I wonder, has anything been changed in your Web.config or anything like that? I'm not sure how a module could permanently change something after it's been disabled (unless that URL is defined somewhere in the database, which sounds unlikely).

Apr 15, 2011 at 6:57 PM

BTW; can you post the full code of your controller action for reference?

Apr 15, 2011 at 6:57 PM

I'll download a clean install and compare it to my web.config, but I have not made any manual changes to it myself.

Apr 15, 2011 at 6:59 PM

Sure...there isn't much to it right now. Just setting up the basic architecture of a custom module. I got this coding from the HelloWorld sample module.

using System.Web.Mvc;
using Orchard.Localization;
using Orchard;
using Orchard.Themes;
using Orchard.Mvc.Extensions;

namespace MyRealityPicks.Controllers
{
    [Themed]
    public class HostController : Controller
    {
        public IOrchardServices Services { get; set; }

        public HostController(IOrchardServices services)
        {
            Services = services;
            T = NullLocalizer.Instance;
        }

        public Localizer T { get; set; }

        public ActionResult Index()
        {
            if (!Services.Authorizer.Authorize(Permissions.ManageApp, T("You are not authorized")))
                return new HttpUnauthorizedResult();
            return View("Index");
        }
    }
}

Coordinator
Apr 15, 2011 at 7:03 PM

What you are describing is exactly an old bug from an old MVC version which has been corrected in the meantime. I have not been able to reproduce it with the current bits.
What you can try is to repro the fix we had applied at this time, by adding this in your web.config. If it solves the issue, you might have an old MVC version.

  <appSettings>
    <add key="autoFormsAuthentication" value="false" />
  </appSettings>

Apr 15, 2011 at 7:12 PM

I checked my web.config and it is identical to clean download of Orchard 1.1.

I tried adding the appSettings from your post above and that didn't change anything.

I tried removing my module and then just simply attempting to go to http://localhost:16377/Account/Login?ReturnUrl=%2fAdmin and I receive the same error:

Server Error in '/' Application.

The IControllerFactory 'Orchard.Mvc.OrchardControllerFactory' did not return a controller for the name 'Account'.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. 

Exception Details: System.InvalidOperationException: The IControllerFactory 'Orchard.Mvc.OrchardControllerFactory' did not return a controller for the name 'Account'.

Source Error: 

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.


Stack Trace: 

[InvalidOperationException: The IControllerFactory 'Orchard.Mvc.OrchardControllerFactory' did not return a controller for the name 'Account'.]
   System.Web.Mvc.MvcHandler.ProcessRequestInit(HttpContextBase httpContext, IController& controller, IControllerFactory& factory) +415967
   System.Web.Mvc.<>c__DisplayClass6.<BeginProcessRequest>b__2() +49
   System.Web.Mvc.<>c__DisplayClassb`1.<ProcessInApplicationTrust>b__a() +13
   System.Web.Mvc.SecurityUtil.<GetCallInAppTrustThunk>b__0(Action f) +7
   System.Web.Mvc.SecurityUtil.ProcessInApplicationTrust(Action action) +22
   System.Web.Mvc.SecurityUtil.ProcessInApplicationTrust(Func`1 func) +124
   System.Web.Mvc.MvcHandler.BeginProcessRequest(HttpContextBase httpContext, AsyncCallback callback, Object state) +98
   System.Web.Mvc.MvcHandler.BeginProcessRequest(HttpContext httpContext, AsyncCallback callback, Object state) +50
   System.Web.Mvc.MvcHandler.System.Web.IHttpAsyncHandler.BeginProcessRequest(HttpContext context, AsyncCallback cb, Object extraData) +16
   Orchard.Mvc.Routes.HttpAsyncHandler.BeginProcessRequest(HttpContext context, AsyncCallback cb, Object extraData) in d:\TeamCity\Projects\Orchard-Default\src\Orchard\Mvc\Routes\ShellRoute.cs:141
   System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +8862676
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +184

 

I tried to go to /Admin with the clean install I downloaded and it worked fine...so something has changed on my install that has created this problem.

Apr 15, 2011 at 7:16 PM

You missed /Users from that URL.


Apr 15, 2011 at 7:20 PM

Sorry...I meant I just attempted to go to http://localhost:16377/Admin and that's the URL it redirected me to.

Apr 15, 2011 at 8:05 PM

No ... I mean you said you tried going to  http://localhost:16377/Account/Login?ReturnUrl=%2fAdmin  and got an error - but it should be /Users/Account/LogOn

Apr 15, 2011 at 9:54 PM

What that was supposed to read was that I attempted to go to http://localhost:16377/Admin and it automatically redirected me to http://localhost:16377/Account/Login?ReturnUrl=%2fAdmin instead of http://localhost:16377/Users/Account/Logon?ReturnUrl=%2fAdmin 

 

I couldn't track it down, so I created a new Orchard site and started installing all the same modules and making the same changes. I cannot duplicate the issue on the new site even though I have done exactly the same things, installed the same modules, created my new custom module and new custom theme. Everything works as it should, so the only thing I can figure is that Visual Studio dorked something up, quite possibly caused by something I did.

Anyways...I have it running on a new Orchard site and it only took me about a half hour to get everything up and running as it was before.

Thanks for trying to troubleshoot that with me though...if I come across it again, I'll post and hopefully I'll have a better idea of what I was doing when it happens.

Apr 19, 2011 at 11:06 AM

@craigmroberts

SOLUTION!!! For the IcontrollerFactory ‘OrchardControlle…….’ Error

If you replace this file with a brand new “Web.config” file (from a new download of orchard) it should be fixed!

 

Error Message

Server Error in '/Orchard' Application.


The IControllerFactory 'Orchard.Mvc.OrchardControllerFactory' did not return a controller for the name 'Account'.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.InvalidOperationException: The IControllerFactory 'Orchard.Mvc.OrchardControllerFactory' did not return a controller for the name 'Account'.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.


Stack Trace:

 
[InvalidOperationException: The IControllerFactory 'Orchard.Mvc.OrchardControllerFactory' did not return a controller for the name 'Account'.]
…………..

 

Description

The first time I came across this error was when I tried logging into the back end of the Orchard CMS system and was prompted with the error message above. At that time the only possible solution I could find was to completely reinstall Orchard again.

 A day later the problem happened again whilst I left the computer on overnight. The problem was with the “Web.config” file.

 If you replace this file with a brand new “Web.config” file (from a new download of orchard) it should be fixed!

Apr 19, 2011 at 11:14 AM

@CraigMRoberts

I have analysed both my old Web.config file and a new one, and the problem was on line 18. Instead of replacing the "Web.config" file, just change the value of "webpages:Enabled" to "false". Please see below for details.

 

Broken file

  <appSettings>
    <add key="webpages:Enabled" value="true" />
    <add key="log4net.Config" value="Config\log4net.config" />
  </appSettings>

 

Working File

  <appSettings>
    <add key="webpages:Enabled" value="false" />
    <add key="log4net.Config" value="Config\log4net.config" />
  </appSettings>

Jul 28, 2011 at 9:06 PM
Edited Jul 28, 2011 at 9:30 PM

Today, I had the issue with the system using /Login instead of /LogOn. It happened when signing in, clicking the user name which lands on Change Password, then signing out (no password change). I stopped the ASP.NET Development Server, deleted the /bin and /obj folders, and now I'm properly redirected to Access Denied. Note: I didn't use any solutions mentioned above.

My 2 cents,

JD

Developer
Jul 29, 2011 at 8:07 PM

Sorry, saw my open auth module mentioned... Did this cause the error you were seeing or was it unrelated?

Dec 22, 2011 at 4:08 PM
Edited Dec 22, 2011 at 4:08 PM

@craigmroberts

"webpages:Enabled" value="false" works for me for going to Logon instead of Login.

Thanks

Asim