Stephen Brannan - 232 - Sep 10, 2014

Does RequiredRole only work on the DTOs themselves? Can you use them on the Service and/or Service methods? I tried to use it on the service and it doesn’t seem to restrict it.

Stephen Brannan:

OK, I’ve isolated it to the call into OrmLiteAuthRepository.HasRole, which is returning true when it should be returning false. I can’t seem to set it up to debug into the ServiceStack source so I’m not sure why it’s happening yet.

There’s a test that works when it’s on the Service: https://github.com/ServiceStack/ServiceStack/blob/master/tests/ServiceStack.WebHost.Endpoints.Tests/AuthTests.cs#L594

Stephen Brannan:

Is there something I need to enable in Configure, like a feature? I’m already using the OrmLite repository with the auth feature.

How did you assign the role to the user?

Stephen Brannan:

I haven’t assigned the role yet. So the user should not have access to the service but the user still gets into the services.

I’ve added new tests, testing a role with an Authenticated Users with and without the required role and it works as advertised: https://github.com/ServiceStack/ServiceStack/commit/f04b9e8f217ffc94059d8967d64adecf26f59158

Going to create a project to test with OrmLite Auth which I expect to work as well. In the meantime can you prepare a small stand-alone project so I can repro.

Stephen Brannan:

I’m still debugging, but it appears as though it calls into IManagedRole.HasRole(RoleNames.Admin) and is returning true even though my user isn’t an admin (though the user name is called admin). Also I should have mentioned earlier that I’m on 4.0.15.0.

Stephen Brannan:

Finally I’ve isolated the issue… Apparently the user was in the Admin role in the UserAuthRole table, but its Roles property on the AuthUserSession was not populated. Any thoughts on why the Roles for the user would be out of sync?

OK, I’ve enabled OrmLiteUserAuth in the test project in this commit: https://github.com/ServiceStack/Test/commit/bf5698d26c46ca58a13fee5c66ffbc3d42e28d26

The /login page lets you log in with 2 users: test/test, which has the required role, and test2/test2, which doesn’t have the role. Clicking on /requires-role when you have the role will return a Response DTO with “Haz Access!”, whilst accessing it as test2 will redirect back to the /login page since they don’t have access.

Both scenarios work as advertised, both with the default behavior of blobbing roles with UserAuth and when using distinct user tables. I’ve not been able to reproduce your issue; you’re going to have to submit a stand-alone repro project or test case for me to continue on. Please do this in future, as it’s becoming hard to guess what the issue is by trying to recreate your environment.

Yes, the ‘Admin’ role gives you super user access, which will let you access all protected services and areas. It shouldn’t get out of sync when using OrmLiteUserAuth, as it will always hit the db to check if the user has the required role or not.

Stephen Brannan:

+Demis Bellot Yup, I can see that it eventually goes out to the db to check if the role exists, but why isn’t session.Roles already populated with the user’s list of roles?

Stephen Brannan:

+Demis Bellot uhm, I wasn’t pointing out an issue in ServiceStack, I was trying to get insight into the way ServiceStack handles roles and the user session. I’m still unsure as to why roles are not populated. Are they not populated because I have UseDistinctRolesTable enabled? And as a result I should never rely on session.Roles? This is what’s unclear (for me) in the wiki.

The session.HasRole()/HasPermission() methods are the public APIs to check if a user has Roles/Permissions. The session.Roles/Permissions lists are used for AuthProviders which blob the Roles/Permissions with the user. The OrmLiteAuthProvider maintains the Roles/Permissions in RDBMS tables, which it looks at every time.

Stephen Brannan:

So my assumptions are correct. Roles/Permissions on the session are not populated when UseDistinctRolesTable is enabled (aka OrmLiteAuthProvider takes over). Thank you so very much Demis! My apologies if I caused any frustrations with this post.
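The following is an added example, not code from the thread above or from the ServiceStack project, that puts the thread's conclusion into one self-host app: a service protected with [RequiredRole], an OrmLiteAuthRepository configured with distinct role tables (the property the thread calls UseDistinctRolesTable; on OrmLiteAuthRepository it is UseDistinctRoleTables), and a side-by-side comparison inside the service of session.HasRole(), which is answered from the UserAuthRole table, against reading session.Roles directly, which the thread establishes is only populated by providers that blob roles into the user record. The DTO names, the "Manager" role, the two constructed users and the in-memory SQLite connection are assumptions made for the example; the one-argument session.HasRole(role) overload is the v4-era API the thread discusses, and newer ServiceStack versions add an IAuthRepository parameter.

```csharp
using System;
using System.Collections.Generic;
using Funq;
using ServiceStack;
using ServiceStack.Auth;
using ServiceStack.Data;
using ServiceStack.OrmLite;

// Hypothetical request/response DTOs for this example.
[Route("/requires-role")]
public class RequiresRole : IReturn<RequiresRoleResponse> { }

public class RequiresRoleResponse
{
    public string Result { get; set; }
}

// [RequiredRole] performs the check for you by calling session.HasRole(...),
// which OrmLiteAuthRepository answers from the UserAuthRole table rather than
// from the Roles list carried on the session.
[RequiredRole("Manager")]
public class RequiresRoleService : Service
{
    public object Any(RequiresRole request)
    {
        var session = SessionAs<AuthUserSession>();

        // Correct: the public API. Works the same whether roles are blobbed
        // with the UserAuth row or stored in distinct role tables.
        bool viaApi = session.HasRole("Manager");

        // Fragile: session.Roles is only filled in by providers that blob
        // roles into the user record. With distinct role tables it can be
        // empty even though the user holds the role in the database.
        bool viaList = session.Roles != null && session.Roles.Contains("Manager");

        return new RequiresRoleResponse
        {
            Result = string.Format("Haz Access! HasRole={0}, session.Roles contains it={1}",
                                   viaApi, viaList)
        };
    }
}

public class AppHost : AppSelfHostBase
{
    public AppHost() : base("Roles example", typeof(RequiresRoleService).Assembly) { }

    public override void Configure(Container container)
    {
        // In-memory SQLite so the example runs without external infrastructure (assumption).
        container.Register<IDbConnectionFactory>(
            new OrmLiteConnectionFactory(":memory:", SqliteDialect.Provider));

        // Roles and permissions live in their own tables (UserAuthRole) instead
        // of being blobbed into the UserAuth row.
        var authRepo = new OrmLiteAuthRepository(container.Resolve<IDbConnectionFactory>())
        {
            UseDistinctRoleTables = true
        };
        container.Register<IAuthRepository>(authRepo);
        authRepo.InitSchema();

        Plugins.Add(new AuthFeature(() => new AuthUserSession(),
            new IAuthProvider[] { new CredentialsAuthProvider() }));

        // Two constructed users: "test" is given the role, "test2" is not.
        var withRole = authRepo.CreateUserAuth(new UserAuth { UserName = "test" }, "test");
        authRepo.AssignRoles(withRole, roles: new[] { "Manager" });
        authRepo.CreateUserAuth(new UserAuth { UserName = "test2" }, "test2");
    }
}

public class Program
{
    public static void Main()
    {
        // Authenticate as test/test via /auth/credentials, then GET /requires-role:
        // expect HasRole=True while session.Roles may still report False.
        // Authenticate as test2/test2 and the [RequiredRole] filter rejects the request
        // before Any() runs.
        new AppHost().Init().Start("http://localhost:8080/");
        Console.WriteLine("Listening on http://localhost:8080/ (press Enter to exit)");
        Console.ReadLine();
    }
}
```

The practical rule this illustrates is the one Demis gives above: authorize with session.HasRole()/HasPermission() (or the [RequiredRole]/[RequiredPermission] attributes that call them), and treat session.Roles/Permissions as provider-internal state that may legitimately be empty when the repository keeps roles in distinct tables.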