Determining if a user is in a role

Topics: Writing modules
Jun 3, 2011 at 8:23 PM

Been searching through the repositories/services for this, but couldn't find what I was looking for. Is there something in Orchard that handles something like:

bool isNinja = User.IsInRole("Ninja");

Are there plans to put together some documentation on the API for this kind of stuff?

Coordinator
Jun 3, 2011 at 8:33 PM

You don't need to search for roles. You need to search for permissions, using Authroization Service, and Role is an implementation.

Jun 3, 2011 at 8:37 PM
Edited Jun 3, 2011 at 8:38 PM

I don't follow...I don't want to check if they have permission to something, I want to check if a user exists in a specific role...I checked the authorization service and it only has CheckAccess and TryCheckAccess methods, both take in a permission object...

Can you give me an example of how I'd look up to see if a user exists in a given role by name?

Coordinator
Jun 3, 2011 at 9:08 PM

someUserContentItem.As<UserRolesPart>().Roles.Contains("Ninja"). But Sébastien's suggestion is good: you need to look hard at the scenario you are trying to implement and make super-sure this is not permissions in disguise (it usually is).

Jun 3, 2011 at 9:08 PM

The way that Orchard works is:

- Different Permissions exist for each thing a user may or may not be allowed to do. You can add your own custom Permissions by implementing IPermissionProvider.

- An admin user of Orchard can then define Roles. Each role is given a set of permissions that are assigned for that Role.

So checking for a specific role isn't the proper way to do things. Instead you define the permissions that you want to manage, then create a role called "Ninja" and give them those permissions. In your business logic you check for the individual permissions rather than the role itself.

Perhaps it would help more if you expanded your example to describe what you are trying to achieve and I could suggest the actual permissions model for you to use.

Jun 3, 2011 at 9:18 PM

I understand what you're getting at.  We have a need for people to be able to register for the site and thus be given appropriate permissions to view certain content. I wrote a module that accomplishes this using roles.

For instance, we need a registration form for Pirates and Ninjas.  If you go to oursite.com/ninja/register and complete it successfully, you are placed in the ninja role. Same for oursite.com/pirate/register...

There's also an admin piece that you can setup what roles are available for registration.

I have all of this working, but we just got a requirement in that requires us to also register existing users for that content, so now if I'm already a user of the site and I want to become a ninja, oursite.com/ninja/register should handle that as well.

When you're on that page and the code determines you're an existing user, the last thing I need to do is to check if you're already a ninja and then present them with an appropriate message, otherwise let them click a button that puts them in that role.

So, I'm not actually checking to see if they can do something (permissions), I just need to know if they are in that given role.  On the pages where we need to use those permissions to say, restrict content to only ninjas, I think that's where we'd use the permissions stuff you're talking about.  For this purpose, unless you tell me different, I think I still just need to check the role they are in.

Jun 3, 2011 at 10:05 PM

To be honest I'd just create a "NinjaPermission" and assign that to the Ninja role, and a "PiratePermission" to assign to the Pirate role. Then you can still work within the permissions system and you have flexibility for the future. Maybe later on you'd create a "PirateCaptain" role but he still needs the Pirate permission - you don't want to restrict yourself unnecessarily.

By the way; what is this site? I want to play pirates vs. ninjas :)

Coordinator
Jun 3, 2011 at 10:06 PM
Edited Jun 3, 2011 at 10:07 PM

I'd disagree with Pete on that: they do look like they should be roles. I provided the code to do it in my previous message.

Role should work with "is a", permissions should work with "can do". You are or are not a Ninja, you can or cannot enter any place without being seen.

Jun 3, 2011 at 10:08 PM

Sounds good, I'll look into doing that for version 2.  That'll be a good learning experience getting into the permissions model. 

The site isn't live yet, though it's for a pretty big client, though I'm 99.9% sure that the Pirate and Ninja roles won't make it into production, as fun as it is working with Pirates/Ninjas/Robots/Zombies.

Jun 3, 2011 at 10:10 PM

Thanks guys, this forum is awesome, and has helped me immensely thus far. I hope when this module is done I can contribute it to the gallery...

Developer
Jun 6, 2011 at 2:25 PM

@tjans: I've read the whole thread and noticed you've been doing an item-level authorization, am I right? I've recently contributed a Content Authorization module, that'd surely help you out.

Jun 6, 2011 at 2:28 PM

Awesome! We'll be sure to check it out when we get to the other side where we're using the permissions to authorize content...