Rank: Advanced Member
Groups: HelpDesk, Developers Joined: 11/9/2018(UTC) Posts: 564
Thanks: 122 times Was thanked: 26 time(s) in 25 post(s)
|
I built a new MVC area in /Areas/ for our vendor portal. I started by copying the /Admin/ area and then modified the attributes and views to work as I wanted. This all works great, with one exception.
Our vendors log in using a regular user account. If they authenticate the store, and then navigate to the new area, they have to authenticate again. Once they enter credentials for the vendor portal area, they're in.
This does not happen if the user is an admin user. It only happens if they are a regular store user.
So I've missed something somewhere that handles the authentication correctly for admins, but not for regular users. Any suggestions on where to look?
|
|
|
|
Rank: Advanced Member
Groups: Developers, Registered, HelpDesk, Authorized User Joined: 10/5/2018(UTC) Posts: 704
Thanks: 5 times Was thanked: 113 time(s) in 112 post(s)
|
Quote:[AbleAuthorize(Roles = "System,Admin,Junior Admin,Manage Orders,Manage Catalog,Manage Website,View Reports")] Did you look into this line in AbleAdminController? I think you need to manage role-based access in Vendor controllers using the AbleAuthorize attribute.
|
|
|
|
Rank: Advanced Member
Groups: HelpDesk, Developers Joined: 11/9/2018(UTC) Posts: 564
Thanks: 122 times Was thanked: 26 time(s) in 25 post(s)
|
I think I found the cause. In the AbleAuthorizeAttribute class, there's a test for a login sessionId value: Code:
// validate logged in user session id
var userSessionId = filterContext.HttpContext.Session.SessionID;
var persistedSessionId = AbleContext.Current.User.Settings.LoginSessionId;
if (userSessionId != persistedSessionId)
When the if() fails, the code logs out the current able user which then forces a login page. I've never seen that field used before, and there isn't much referencing it. I do see in the shopper LoginDialog method where the value gets set: Code:
if (AbleContext.Current.User.IsAdmin)
{
// FOR ADMIN USERS SAVE SESSION ID TO USER SETTINGS
AbleContext.Current.User.Settings.LoginSessionId = HttpContext.Session.SessionID;
AbleContext.Current.User.Settings.Save();
}
I guess the big question is...why? What's the purpose of storing sessionId to the user object if they're an admin? My guess is that's the answer I've been looking for. Storing sessionId to the user object is what makes the AbleAuthorizeAttribute routine pass-through the authentication instead of always forcing a login page. What do you think?
|
|
|
|
Forum Jump
You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot delete your posts in this forum.
You cannot edit your posts in this forum.
You cannot create polls in this forum.
You cannot vote in polls in this forum.
Important Information:
The AbleCommerce Forums uses cookies. By continuing to browse this site, you are agreeing to our use of cookies.
More Details
Close