Shared Files: Access Denied when downloading files

This is the place to report bugs and get support. When posting in this forum, please always provide as much detail as possible.

Please do not report problems with a custom build or custom code in this forum. If you are producing your own build from the source code and have problems or questions, ask in the developer forum, do not report it as a bug.

When posting in this forum, please try to provide as many relevant details as possible. Particularly the following:

  • What operating system were you running when the bug appeared?
  • What database platform is your site using?
  • What version of mojoPortal are you running?
  • What version of .NET do you use?
  • What steps are necessary to reproduce the issue? Compare expected results vs actual results.
This thread is closed to new posts. You must sign in to post in the forums.
5/26/2009 8:46:56 AM
Total Posts 149
Partner
mojoPortal Skinning, Custom Development and Support in Italy?
EffectiveWeb.it

Shared Files: Access Denied when downloading files

Sys op: Server Win 2003 - Client Vista
Database: SQL
mojoPortal: 2-3-0-4-b

User: member of roles "A" and "B"
Page A: is visible to role "A"
SharedFiles Module B in page A: is visible to role "B"

When User opens Page A, he can view the list of files in SF Module B (as expected)

If User clicks on one file to download it, he gets "Access Denied" Page.

I have double checked roles membership on User and security settings on Page A and SFModule B and it seems ok.

Any suggestions ?

 

5/26/2009 3:01:39 PM
Total Posts 18439

Re: Shared Files: Access Denied when downloading files

Hi Diego,

I'll try to replicate this issue tomorrow, I did not get to it today.

Best,

Joe 

5/27/2009 1:06:27 PM
Total Posts 18439

Re: Shared Files: Access Denied when downloading files

Hi Diego,

I just looked into this on my local machine and I found a bug but not the one I was looking for. I followed your steps exactly and made roles named "A" and "B". And the bug I found was that when I went to page settings for a page the "A" was checked as if the page was already visible to this new role. The bug was the way we were determining whether to select the item was like this:

if(pageSettings.AuthorizedRoles.LastIndexOf(listItem.Value) > -1)
    listItem.Selected = true;

but it was a bug because "A" is a substring of another role "All Users" that the page already had as an allowed role, so it selected the "A" role incorrectly.

Since the pageSettings.AuthorizedRoles is a semicolon-separated list of role names the fix was to change it like this:

if(pageSettings.AuthorizedRoles.LastIndexOf(listItem.Value + ";") > -1)
    listItem.Selected = true;

I've searched the code and found several places where this bug exists and fixed it so it will be fixed in the next release. In the meantime it should only happen if a role name is a substring of another role name.

After fixing this I was not able to produce the problem so I suspect this issue is related possibly to the settings appearing as if the page or module allows a role in the UI when in fact it does not according to the database. So it was really enforcing the roles correctly according to the db roles but the apparent role settings in the UI were incorrect.

Best,

Joe
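The role-list matching problem described in the post above, as an added example that is not mojoPortal's code: it runs the substring check, the check with a trailing ";" appended, and an exact comparison of each list entry over the same input. The role lists and the `ExactMatch` helper are constructed for illustration, and ordinal (case-sensitive) comparison of role names is an assumption.

```csharp
using System;
using System.Linq;

static class RoleListDemo
{
    // Original check quoted in the thread: plain substring search.
    static bool SubstringMatch(string roles, string role) =>
        roles.LastIndexOf(role) > -1;

    // Check as changed in the thread: role name plus the trailing separator.
    static bool TrailingSeparatorMatch(string roles, string role) =>
        roles.LastIndexOf(role + ";") > -1;

    // Added for comparison (assumption, not from the thread): split the
    // semicolon-separated list and compare whole entries.
    static bool ExactMatch(string roles, string role) =>
        roles.Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries)
             .Any(r => string.Equals(r.Trim(), role, StringComparison.Ordinal));

    static void Main()
    {
        // Constructed sample role lists; "A" is not an entry in either one.
        string[] lists = { "All Users;", "Team A;Editors;" };
        const string role = "A";

        foreach (string list in lists)
        {
            Console.WriteLine(
                $"{list,-18} substring={SubstringMatch(list, role)} " +
                $"trailing-separator={TrailingSeparatorMatch(list, role)} " +
                $"exact={ExactMatch(list, role)}");
        }
    }
}
```

With the constructed list "Team A;Editors;", the trailing-separator check still reports role "A" as present because "A;" is the tail of "Team A;"; only the entry-by-entry comparison tells the two names apart.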

 

5/28/2009 6:40:41 AM
Total Posts 149
Partner
mojoPortal Skinning, Custom Development and Support in Italy?
EffectiveWeb.it

Re: Shared Files: Access Denied when downloading files

Hi Joe!

Thanks for the quick debug. It's good you found and solved that problem.
As you said, however, the issue I posted seems not just related to the substring control on role name.
To simplify my post I mentioned Role "A" and "B" but the real case is more articulated.

I tried to reproduce from scratch the case in my test site (new pages, modules, roles, users, etc...) to verify whether I missed
anything and whether the problem is systematic or occasional.
When I tested one Shared file module with the appropriate security settings it was working but as I reproduced on the test site the
exact layout of the production site page I got the error.

THE PROBLEM OCCURS ONLY IF MORE THAN ONE SHARED FILE MODULE IS PLACED IN THE PAGE CONTENT !

I'll try to explain better because I think this issue could be interesting for other people and you could reproduce it as well in your
development environment.

According to my tests, the permission error does not show for features other than Shared Files; all modules I used are correctly
visible/not visible in line with permissions settings, but for Shared File I got the error when I try to open the file itself
within the module.

The portal I'm working on contains in main menu a page dedicated to the members of the association (page "Members Area").
Page "Members Area" is visible to anonymous and registered users who are respectively invited to login and apply for accreditation.
No other content is visible to them.

Registered users are accredited after enrollment to "Association Members" role by the Administrator so they can view the other contents of
the page. All sub-pages of "Member Area" are reserved to "Association Members" ("Roles that can view the page" Tab of Security Settings is
checked on "Association Members" role)

Up to this point everything works fine but then comes the problem.

Accredited Users (one or more members of "Association Members" role) could also be part of a member company/group, so I created
these new roles:
"000000 - Member A" (Member Company A and related ref.no.)
"999999 - Member B" (Member Company B and related ref.no.)
...
"###### - Member X" (Member Company X and related ref.no.)

The sub-page "Member Documents" (Member Area > Member Documents) contains several Shared Files Modules, one for each "Member
Company".

Each SF Module has the following security settings:
Roles that can view this content: "###### - Member X" (checked)
Roles that can edit this content: "Administrators" (checked)

How does it work ?

Administrator can reach the page "Member Area" > "Member Documents" and can view/edit content of all contained SF Modules (Right!)

Registered User, member of "Association Members" and "###### - Member X", can view the page and "only his" Shared Files module with
the permission to view assigned to "###### - Member X" role (Right!)

When the registered user clicks on the contained file, he gets the permissions error page (Wrong!)

I hope this report, more detailed than the previous, helps you to replicate and fix the issue.

In case you wish to make any preliminary validation testing of the module before distribution of next release, please do not hesitate
to send me the amended object(s).

Thanks again for the support.
Diego
 

PS: I have just updated our translation into Italian of mojoPortal 2-3-0-4-b and made it downloadable to registered users on our new site dedicated to mojoPortal projects at http://www.effectiveweb.it/download.aspx. Feel free to use/distribute.

5/28/2009 6:55:22 AM
Total Posts 18439

Re: Shared Files: Access Denied when downloading files

Hi Diego,

I still can't produce it, perhaps I'm not understanding all the steps. Can you demonstrate the problem on demo.mojoportal.com and then I can login as the user who is not able to download?

Thanks,

Joe

 

5/28/2009 7:00:49 AM
Total Posts 18439

Re: Shared Files: Access Denied when downloading files

Hi Diego,

Your site looks great! I added it to the sites list. Do you mind just zipping the resource files and email to me at joe dot audette at g mail dotcom?

I also am thinking you should join our partner program.

Best,

Joe

5/28/2009 7:35:15 AM
Total Posts 149
Partner
mojoPortal Skinning, Custom Development and Support in Italy?
EffectiveWeb.it

Re: Shared Files: Access Denied when downloading files

Here we are...

on your demo site I replicate the issue.

Login as AccreditedUser@email.ext

PW: AccreditedUser

You are member of roles "Association Members" and "000000 - Member A"

If you browse to Members area > Member Documents you can view the SF module you are authorized to (and not the other authorized to role "999999 - Member B")

Try to download one of the pdf documents... et voilà!

Now I need some energy, I'll be back at my desk after a sandwich or two ;-)

Diego

5/28/2009 7:44:37 AM
Total Posts 18439

Re: Shared Files: Access Denied when downloading files

Hi Diego,

Thanks!

You have demonstrated it clearly and I will fix it. I will post again after I complete my investigation.

Best,

Joe 

5/28/2009 8:09:01 AM
Total Posts 18439

Re: Shared Files: Access Denied when downloading files

Hi Diego,

After making the same page and module permissions structure I was able to reproduce it on my local machine and found the problem. It was a logic error, it was denying access if there was any module on the page that the user is not allowed to see when it should only be checking the specific module.

So this will be fixed in svn soon and fixed in the next release.

Thanks!

Joe
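The logic error described above, modelled as an added example (hypothetical types and method names, not mojoPortal's code): a page-wide check refuses the download whenever any module on the page is hidden from the user, while the per-module check evaluates only the module that owns the file. The role names are the ones used earlier in the thread; the module ids are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical model for illustration; these are not mojoPortal types.
sealed class Module
{
    public int Id { get; }
    public HashSet<string> ViewRoles { get; }
    public Module(int id, params string[] viewRoles)
    {
        Id = id;
        ViewRoles = new HashSet<string>(viewRoles, StringComparer.Ordinal);
    }
}

static class DownloadAuthDemo
{
    static bool CanView(Module m, ISet<string> userRoles) =>
        m.ViewRoles.Overlaps(userRoles);

    // Behaviour described in the thread: one module the user may not view
    // anywhere on the page is enough to deny the download.
    static bool AllowPageWide(IReadOnlyList<Module> page, ISet<string> userRoles) =>
        page.All(m => CanView(m, userRoles));

    // Per-module check: only the module that owns the file is evaluated,
    // and an unknown module id is denied.
    static bool AllowForModule(IReadOnlyList<Module> page, int moduleId, ISet<string> userRoles)
    {
        Module owner = page.FirstOrDefault(m => m.Id == moduleId);
        return owner != null && CanView(owner, userRoles);
    }

    static void Main()
    {
        // Constructed page: one Shared Files module per member company.
        var page = new List<Module>
        {
            new Module(1, "000000 - Member A"),
            new Module(2, "999999 - Member B"),
        };
        var user = new HashSet<string> { "Association Members", "000000 - Member A" };

        Console.WriteLine("page-wide, file in module 1:  " + AllowPageWide(page, user));
        Console.WriteLine("per-module, file in module 1: " + AllowForModule(page, 1, user));
        Console.WriteLine("per-module, file in module 2: " + AllowForModule(page, 2, user));
    }
}
```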

5/28/2009 8:10:40 AM
Total Posts 149
Partner
mojoPortal Skinning, Custom Development and Support in Italy?
EffectiveWeb.it

Re: Shared Files: Access Denied when downloading files

Great!
thank you very much.
Diego
