Permissions on multi-site installation

11/14/2013 11:55:21 AM
Total Posts 537
feet planted firmly on the ground

Permissions on multi-site installation

I have an installation with multiple (10) sites (by host name), running in the mode where they share user accounts. Through a quirk of fate, the master site for user accounts is not the same as the parent site. We started off with the sites not sharing user accounts, and when we started sharing there was one child site that had all the accounts we wanted to retain. So, in line with https://www.mojoportal.com/using-related-sites-mode we have

 <add key="UseRelatedSiteMode" value="true"/>
 <add key="RelatedSiteID" value="2"/>
 <add key="RelatedSiteModeHideRoleManagerInChildSites" value="true"/>

Today I added a new site, created a new role, and set a permission associated with that site/role (so that users in that role could not alter settings on features). I didn't change anything else to do with permissions.

Subsequently we found that other users who could previously Manage Users (e.g. to authorize registrations) could no longer do so. I have had to go through the other sites' settings and set "Roles that can manage users" to include their role again (they are not site Admin).

And this has happened before at least twice, though at the time we just assumed it must have been human error.

I suspect there may be some little bug in here, but first can I check how I should be doing this? It appears that the permissions for any one site can be set either from the parent site using the site list page > permissions, OR they can be set within each site using the page Admin/PermissionsMenu.aspx. Is it correct that either can be used, and both do exactly the same thing?

Any thoughts on what might have caused the unwanted change? I wonder if it was the action of creating a new site, but don't want to test right now as this is all live.

11/15/2013 12:11:56 PM
Total Posts 18439

Re: Permissions on multi-site installation

Hi,

It sounds like there could be a bug when creating new sites.

However, with related sites mode users and roles are shared across sites. As such it is intended to keep roles that can manage users the same across sites, i.e. site context should not change who can manage a user; it should not be possible to manage a user only in site x but not in site y, since it is the same user.

I believe that we have logic to sync allowed roles for such things so that all sites get updated when they are changed. The possible bug is if the new site creation is resetting them. What should happen is the new site gets created with the same values for roles that can manage users as the rest of the sites. Then if you change them it should again affect all sites.

There are a number of security-related Site Settings that are intended to be synchronized across sites when using related sites mode, including:

  • RolesThatCanViewMemberList
  • RolesThatCanManageUsers
  • RolesThatCanLookupUsers

This is because it is one set of users and one set of roles. Those roles are looked up on the current site, not the master site, for enforcement, so we have to actually sync the data.

Given that information, let me know if you think there is a bug when creating new sites, and ideally the steps to produce the problem.

Thanks,

Joe
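
The three settings listed in the reply above are expected to be identical on every site in related sites mode, so a site whose values differ from the master is worth flagging after a site is created or a permission is saved. The following is an added example, not part of the thread and not mojoPortal code; the export format, the semicolon-separated role strings, the role names and the `FeatureSettingsDenyRoles` key are assumptions made for illustration.

```python
# Added example: compare the user-related role settings of each site with the master.
# Assumption: settings were exported as {site_id: {setting_name: "Role1;Role2;"}}.
SYNCED_KEYS = (
    "RolesThatCanViewMemberList",
    "RolesThatCanManageUsers",
    "RolesThatCanLookupUsers",
)

def parse_roles(raw):
    """Split a semicolon-separated role string into a set, ignoring blanks."""
    return frozenset(r.strip() for r in (raw or "").split(";") if r.strip())

def audit_related_sites(sites, master_id):
    """Return (site_id, key, missing, extra) for every synced key that differs
    from the master site. Keys outside SYNCED_KEYS are site specific and skipped."""
    master = sites[master_id]
    findings = []
    for site_id in sorted(sites):
        if site_id == master_id:
            continue
        for key in SYNCED_KEYS:
            want = parse_roles(master.get(key))
            have = parse_roles(sites[site_id].get(key))  # absent key == no roles
            if want != have:
                findings.append(
                    (site_id, key, sorted(want - have), sorted(have - want)))
    return findings

# Constructed sample data. Site 2 is the master (RelatedSiteID=2); site 11 is a
# newly created site whose role lists came up empty, as reported in the thread.
SAMPLE = {
    1: {"RolesThatCanViewMemberList": "Admins;",
        "RolesThatCanManageUsers": "Admins;Registrars;",
        "RolesThatCanLookupUsers": "Admins; Registrars ;",
        "FeatureSettingsDenyRoles": "Authors;"},      # hypothetical site-specific key
    2: {"RolesThatCanViewMemberList": "Admins;",
        "RolesThatCanManageUsers": "Admins;Registrars;",
        "RolesThatCanLookupUsers": "Admins;Registrars;",
        "FeatureSettingsDenyRoles": "Editors;"},
    11: {"RolesThatCanViewMemberList": "Admins;",
         "RolesThatCanManageUsers": ""},               # lookup key missing entirely
}

if __name__ == "__main__":
    for site_id, key, missing, extra in audit_related_sites(SAMPLE, master_id=2):
        print(f"site {site_id}: {key} missing={missing} extra={extra}")
```

Roles reported as missing mean users lost a capability on that site; roles reported as extra mean a site grants user management that the master does not.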

11/15/2013 2:23:36 PM
Total Posts 537
feet planted firmly on the ground

Re: Permissions on multi-site installation

Hi Joe

Observations from a controlled test... on creating a new site, the roles that can manage users in the new site are not the same as in the other sites. The pre-existing sites had some non-admin (custom) roles configured for things like "manage users", while in the new site all check-boxes are empty (on Admin/PermissionEdit.aspx?p=14f91361-5c61-4579-9b98-858d86b955d4&SiteID=11). The same observation applies to other permissions.

I think the above is the real bug, and next comes the effect...

Now I go into one of the permissions in the new site (e.g. roles not allowed to change feature settings), and set something and Save. This blitzes all the permissions that were set on the other sites, presumably by sync'ing them with the newly saved permissions which didn't actually start as a clone of the other sites.

Darn - now I've got to set them all again ;-)

11/15/2013 2:39:10 PM
Total Posts 537
feet planted firmly on the ground

Re: Permissions on multi-site installation

Further observations... I'm now finding that when I correct the "Roles that can manage users" on any one site, this does not sync across the others (assuming this should be an instant SQL sync). I'm also now finding that editing "Roles NOT allowed to edit feature instance settings" does not sync this permission across the others either. So now I'm very puzzled how the new site managed to fry the settings on the other sites, unless this is something that happens only the first time permissions settings are created for the new site.

Does this give you enough to check the code?

11/15/2013 2:57:59 PM
Total Posts 18439

Re: Permissions on multi-site installation

Roles NOT allowed to edit feature instance settings is site specific so that you have granular control over who can edit each site independently. It is not the same as user management.

It does update Roles that can manage users immediately, but the changes may take a few minutes; site settings are cached for 5 minutes by default, I think.

I cannot patch the current release because I've already submitted it to the web app gallery and the file must match the submitted checksum, but I can email you a patched version of mojoPortal.Web.dll that should fix the problem with new site creation. It will make sure the new site gets the synced things from the master site immediately after site creation. It would be great if you could confirm the fix. I think I have it now to clear all the sites' cache as well after syncing.

Thanks,

Joe

11/16/2013 5:58:11 AM
Total Posts 537
feet planted firmly on the ground

Re: Permissions on multi-site installation

Hi Joe, I have upgraded to 2.4 and dropped in your mojoPortal.web.dll patch.

Some observations... first I tested the syncing of changes to "Roles that can manage users" (RTCMU). I thought it wasn't working at all; in one of the sites I added an extra role to RTCMU. It did not appear on the same permission page for the other sites, even after waiting 5 minutes, then recycling the app pool, restarting the web site, etc. I tested this twice, once making the change from the original parent site (Site 1), and once making the change in the "RelatedSiteID" site (Site 2).

Aside: I've had a quick look in the DB and cannot see where these permissions are defined.

Then I tested creating a new site, and interesting things happened!

On Site 2 (the master for users/roles) the RTCMU changed from what I had set in the last test above to the roles I set in the first test above, i.e. the roles from site 1 were rolled out across all sites upon creating a new one. The new site did pick up these configured permissions (so that bug is fixed!).

I can also confirm that changing any permissions on the new site no longer wipes the RTCMU permissions on the other sites - this was our main problem so that's an excellent result.

So the remaining issue appears to be the syncing mechanism on saving changes to RTCMU permissions (others not tested). The fact that the new site inherited permissions from Site 1, which were different from the permissions I had subsequently set on Site 2, suggests that the sync is really not happening (and it's not just a caching issue). The fact that the new site inherited from site 1 and not from my user/role site wouldn't matter if the sync had worked. Hope this helps!?

11/19/2013 12:43:38 PM
Total Posts 18439

Re: Permissions on multi-site installation

OK, I was able to reproduce this problem. Here is a link to a patch that fixes it for mojoPortal version 2.4.0.0.

Thanks,

Joe

11/20/2013 1:51:59 AM
Total Posts 537
feet planted firmly on the ground

Re: Permissions on multi-site installation

Thanks Joe - that patch has nailed it. It certainly now mirrors the permissions concerning users across all sites (immediately), and doesn't do so for permissions not concerning users (though I've only tested a couple of these). At some point I shall re-test what happens on creating a new site, but that was certainly fixed in the earlier patch you sent.

Can you confirm that the only settings that are supposed to replicate are the three permissions for users (lookup, create, manage)?

11/20/2013 1:31:46 PM
Total Posts 18439

Re: Permissions on multi-site installation

Thanks for confirming the fix.

There are quite a few settings that must be kept in sync in related sites mode. Anything related to login and registration, LDAP settings, password format and rules, CAPTCHA, password recovery, etc.

If you really want to see every setting that is synced, see the method SyncRelatedSites in SiteSettings.cs.

Thanks,

Joe
