logo
Welcome to our new AbleCommerce forums. As a guest, you may view the information here. To post to this forum, you must have a registered account with us, either as a new user evaluating AbleCommerce or an existing user of the application. For all questions related to the older version of Gold and earlier, please go to AbleCommerce Gold forum. Please use your AbleCommerce username and password to Login. New Registrations are disabled.

Notification

Icon
Error

Options
Go to last post Go to first unread
Joe Payne2  
#1 Posted : Tuesday, January 25, 2022 10:25:52 AM(UTC)
Joe Payne2

Rank: Advanced Member

Groups: HelpDesk, Developers
Joined: 11/9/2018(UTC)
Posts: 564

Thanks: 122 times
Was thanked: 26 time(s) in 25 post(s)
I built a new MVC area in /Areas/ for our vendor portal. I started by copying the /Admin/ area and then modified the attributes and views to work as I wanted. This all works great, with one exception.

Our vendors log in using a regular user account. If they authenticate the store, and then navigate to the new area, they have to authenticate again. Once they enter credentials for the vendor portal area, they're in.

This does not happen if the user is an admin user. It only happens if they are a regular store user.

So I've missed something somewhere that handles the authentication correctly for admins, but not for regular users. Any suggestions on where to look?

Wanna join the discussion?! Login to your AbleCommerce Forums forum account. New Registrations are disabled.

shaharyar  
#2 Posted : Wednesday, January 26, 2022 3:14:44 AM(UTC)
shaharyar

Rank: Advanced Member

Groups: Admin, Developers, Registered, HelpDesk, Authorized User
Joined: 10/5/2018(UTC)
Posts: 704

Thanks: 5 times
Was thanked: 113 time(s) in 112 post(s)
Quote:
[AbleAuthorize(Roles = "System,Admin,Junior Admin,Manage Orders,Manage Catalog,Manage Website,View Reports")]


Did you look into this line in AbleAdminController?
I think you need to manage role-based access in Vendor controllers using the AbleAuthorize attribute.
Joe Payne2  
#3 Posted : Friday, February 4, 2022 9:05:49 AM(UTC)
Joe Payne2

Rank: Advanced Member

Groups: HelpDesk, Developers
Joined: 11/9/2018(UTC)
Posts: 564

Thanks: 122 times
Was thanked: 26 time(s) in 25 post(s)
I think I found the cause. In the AbleAuthorizeAttribute class, there's a test for a login sessionId value:

Code:

                // validate logged in user session id 
                var userSessionId = filterContext.HttpContext.Session.SessionID;
                var persistedSessionId = AbleContext.Current.User.Settings.LoginSessionId;

                if (userSessionId != persistedSessionId)


When the if() fails, the code logs out the current able user which then forces a login page.

I've never seen that field used before, and there isn't much referencing it. I do see in the shopper LoginDialog method where the value gets set:
Code:

if (AbleContext.Current.User.IsAdmin)
{
    // FOR ADMIN USERS SAVE SESSION ID TO USER SETTINGS
    AbleContext.Current.User.Settings.LoginSessionId = HttpContext.Session.SessionID;
    AbleContext.Current.User.Settings.Save();
}


I guess the big question is...why? What's the purpose of storing sessionId to the user object if they're an admin?

My guess is that's the answer I've been looking for. Storing sessionId to the user object is what makes the AbleAuthorizeAttribute routine pass-through the authentication instead of always forcing a login page.

What do you think?
Users browsing this topic
Guest (3)
Forum Jump  
You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot delete your posts in this forum.
You cannot edit your posts in this forum.
You cannot create polls in this forum.
You cannot vote in polls in this forum.