Very Strange Issue in Authentication - Cause Roles to come back wrong

Let me try and create a repo. I deleted the json log I sent you above as I see there are client email addresses in it.


The Admin User role is required to access the Admin UI, are you testing this from the same URL?

Yes, logged in from https://localhost:5001/auth. Let me try and reproduce and do a repo for you.

I don’t think giving you a stripped down repo that does not point to same db etc. will work. If you give me your github username I can give you access to the repo which has the dev server db details etc in. You can then try and debug / see if you get the same locally. I can just change the passwords when you are done, or I can take a zip of my whole project with all the packages etc and share it with you on onedrive. Would have to PM the password to onedrive to you though. You can then also access the records in the db e.g. cacheentry through the AutoQuery API

No I never want access to any confidential information. Try creating the stand-alone repro, you can usually identify the issue in the process.

When testing different user behavior on the same URL make sure you’re using different browsers so you’re not getting credentials/cookies conflicts.

I cleared all cookies before doing the tests. I use the same plugins in another project and basically the same source code for both projects as it comes from mixins. Only user passwords differ in CreateUser. Quickly testing on this project and will then do a repo. Thanks for always being so responsive and quick to help. I love ServiceStack and your great service.

Ok, so I tested on a totally different database, different login details (password). My App User database only has Admin, Guest and SysAdmin Roles, nothing else. When logging in using this new project, this is what I get.

Looking at my cache entry table, it has:

Logging in using https://localhost:5001/ui/ gives the same results.

What’s the issue here?

So my https://localhost:5001/login shows I have the roles Admin, Client, Partner. These roles, however, do not even exist in my AppUser table at all, and the user in this new database and ServiceStack project also only has the Admin Role.

Sigh.

These must be App roles used in Attributes.

I understand what you say, but it returns all App Roles on localhost (as you explained), but when deployed and running in a docker container in AWS and pointing to the same db with exactly the same source code and logging into the same user it only shows the user as having the Admin Role. I tried to reproduce it using a clean project with OrmLite, but am not able to reproduce. We can do a Zoom session so you can take remote control over my PC on the project that is giving the issues. It is mostly AutoQuery AutoCrudGen stuff with some views. Very little code that can cause this.

This definitely sounds environment related since “Client” and “Partner” aren’t something we have in any templates or samples that I can think of.

Are you sharing a remote cache server? If so, how is a cache entry resolved? Eg, by email/id/something else? Is it possible this shared resource is conflicting in ways between deployments/databases etc?

Remove any shared infra (eg, create a stand alone reproduction) and you will likely find the root cause of the issue.

It returns App roles for the Admin user which indicates you have it defined in your code base, do a simple string search in your code base to find it, otherwise create a stand alone repro.

So we use a shared Postgres db sitting in the cloud for tables and for cache. So both the localhost (on my machine) and the one in the cloud point to the same database. I created a release and sent it to one of my developers who did a dotnet run on exactly the same project with the same db, and only gets Admin as the role when he logs in. When I run the same release on my PC, I get Admin,SuperUser as my roles. I clear browser cache and cookies and the CacheEntry caching table before logging in. The CacheEntry table shows just Admin as the role.

I went to postman now and did the following two calls.

https://marketinnovationsapi.dev.scad.tk/auth/login.json. Below is the response.

{
    "UserId": "1",
    "SessionId": "MOhBNGObvTdxG4jxlmiE",
    "UserName": "andy.fensham@scadsoftware.com",
    "DisplayName": "Andy Fensham",
    "ProfileUrl": "data:image/svg+xml,%3Csvg width='100' height='100' viewBox='0 0 100 100' xmlns='http://www.w3.org/2000/svg'%3E %3Cstyle%3E .path%7B%7D %3C/style%3E %3Cg id='male-svg'%3E%3Cpath fill='%23556080' d='M1 92.84V84.14C1 84.14 2.38 78.81 8.81 77.16C8.81 77.16 19.16 73.37 27.26 69.85C31.46 68.02 32.36 66.93 36.59 65.06C36.59 65.06 37.03 62.9 36.87 61.6H40.18C40.18 61.6 40.93 62.05 40.18 56.94C40.18 56.94 35.63 55.78 35.45 47.66C35.45 47.66 32.41 48.68 32.22 43.76C32.1 40.42 29.52 37.52 33.23 35.12L31.35 30.02C31.35 30.02 28.08 9.51 38.95 12.54C34.36 7.06 64.93 1.59 66.91 18.96C66.91 18.96 68.33 28.35 66.91 34.77C66.91 34.77 71.38 34.25 68.39 42.84C68.39 42.84 66.75 49.01 64.23 47.62C64.23 47.62 64.65 55.43 60.68 56.76C60.68 56.76 60.96 60.92 60.96 61.2L64.74 61.76C64.74 61.76 64.17 65.16 64.84 65.54C64.84 65.54 69.32 68.61 74.66 69.98C84.96 72.62 97.96 77.16 97.96 81.13C97.96 81.13 99 86.42 99 92.85L1 92.84Z'/%3E%3C/g%3E%3C/svg%3E",
    "Roles": [
        "Admin"
    ],
    "Permissions": []
}

and

https://localhost:5001/auth/login.json. Below is the response.

{
    "UserId": "1",
    "SessionId": "SgAfpgLIUxr30AwGZ7U2",
    "UserName": "andy.fensham@scadsoftware.com",
    "DisplayName": "Andy Fensham",
    "ProfileUrl": "data:image/svg+xml,%3Csvg width='100' height='100' viewBox='0 0 100 100' xmlns='http://www.w3.org/2000/svg'%3E %3Cstyle%3E .path%7B%7D %3C/style%3E %3Cg id='male-svg'%3E%3Cpath fill='%23556080' d='M1 92.84V84.14C1 84.14 2.38 78.81 8.81 77.16C8.81 77.16 19.16 73.37 27.26 69.85C31.46 68.02 32.36 66.93 36.59 65.06C36.59 65.06 37.03 62.9 36.87 61.6H40.18C40.18 61.6 40.93 62.05 40.18 56.94C40.18 56.94 35.63 55.78 35.45 47.66C35.45 47.66 32.41 48.68 32.22 43.76C32.1 40.42 29.52 37.52 33.23 35.12L31.35 30.02C31.35 30.02 28.08 9.51 38.95 12.54C34.36 7.06 64.93 1.59 66.91 18.96C66.91 18.96 68.33 28.35 66.91 34.77C66.91 34.77 71.38 34.25 68.39 42.84C68.39 42.84 66.75 49.01 64.23 47.62C64.23 47.62 64.65 55.43 60.68 56.76C60.68 56.76 60.96 60.92 60.96 61.2L64.74 61.76C64.74 61.76 64.17 65.16 64.84 65.54C64.84 65.54 69.32 68.61 74.66 69.98C84.96 72.62 97.96 77.16 97.96 81.13C97.96 81.13 99 86.42 99 92.85L1 92.84Z'/%3E%3C/g%3E%3C/svg%3E",
    "Roles": [
        "Admin",
        "SuperUser"
    ],
    "Permissions": []
}

Both run exactly the same source code and point to the same database.

Did you check your App code base for these roles?

These aren’t roles that exist in the fx suggesting it’s an issue with your environment, e.g. you’re not running the version you think you are.

Either way we’ll need a repro to assist any further.

Managed to reproduce the issue. Here is the git repo.

Download the repo and run it. Go to https://localhost:5001/login and login as andy.fensham@scadsoftware.com. Password is in the repo. It will bring back that I am in Admin and SysAdmin Role.

Then downgrade to earlier version 6.3.0 or 6.2.1. Again login as andy.fensham@scadsoftware.com. It will show you are in the Admin Role only. Also, on the 6.3.1 package, browsing to Users shows empty users in 6.3.1.

The roles behavior is working as expected, returning all App Roles for the Admin user is a change in this next release as our Blazor auth components require it for the Admin user to have access to protected components.

I’ll check out the Admin Users issue.

Admin UI issue was due to changing the JSON camelCasing default, which should be resolved from latest v6.3.1+ that’s now available on MyGet.

Thanks Mythz. Just a question. We work in the banking industry, where segregation of duties is very important. So in my case someone can be an Admin (which can create users, for example), but that does not have any access to other functions etc. With an Admin also getting all the other roles as well, that would make it impossible to handle segregation of duties. Do you maybe have a solution for that?

Choose a different role. Do not use the built-in super user Admin role for any restricted App role, it always has access to everything.
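The advice above amounts to: treat ServiceStack's built-in Admin role as an unrestricted super-user (it satisfies every role check, which is why the 6.3.1 login response lists all App roles for it) and model segregated duties with dedicated App roles instead. The following is an added illustration of that approach, not code from the thread or from ServiceStack's own templates; the role names "UserManager" and "Approver", the DTOs and the service are assumptions chosen for the example, while `[RequiredRole]`, `RoleNames.Admin`, `IAuthRepository.CreateUserAuth` and `AssignRoles` are ServiceStack's own APIs.

```csharp
using ServiceStack;
using ServiceStack.Auth;

// Added example: segregation of duties with dedicated App roles.
// Nobody in this model holds RoleNames.Admin ("Admin"), because Admin
// implicitly passes every [RequiredRole] check and would collapse the
// separation between user administration and business approvals.

// Request that only a user-administration operator may call.
// "UserManager" is an assumed App role name, not a built-in one.
[RequiredRole("UserManager")]
public class CreateAppUser : IReturn<CreateAppUserResponse>
{
    public string Email { get; set; }
}
public class CreateAppUserResponse
{
    public string Email { get; set; }
}

// Request that only a business approver may call.
// "Approver" is likewise an assumed App role name.
[RequiredRole("Approver")]
public class ApproveTransfer : IReturn<ApproveTransferResponse>
{
    public int TransferId { get; set; }
}
public class ApproveTransferResponse
{
    public int TransferId { get; set; }
}

public class SegregatedDutiesServices : Service
{
    // A caller with UserManager but not Approver can reach this...
    public object Post(CreateAppUser request) =>
        new CreateAppUserResponse { Email = request.Email };

    // ...but is rejected with 403 Forbidden here, and vice versa.
    // Only a caller holding RoleNames.Admin would reach both, which is
    // exactly why Admin must not be handed to restricted operators.
    public object Post(ApproveTransfer request) =>
        new ApproveTransferResponse { TransferId = request.TransferId };
}

// Seeding two operators with disjoint roles (e.g. from AppHost.Configure).
// Emails and the placeholder password are constructed for the example.
public static class SegregatedUsersSeed
{
    public static void Seed(IAuthRepository authRepo)
    {
        var userAdmin = authRepo.CreateUserAuth(
            new UserAuth { Email = "useradmin@example.invalid" }, "PLACEHOLDER-PASSWORD-1");
        authRepo.AssignRoles(userAdmin, roles: new[] { "UserManager" });

        var approver = authRepo.CreateUserAuth(
            new UserAuth { Email = "approver@example.invalid" }, "PLACEHOLDER-PASSWORD-2");
        authRepo.AssignRoles(approver, roles: new[] { "Approver" });
    }
}
```

The check a practitioner would want after wiring this up is the one the thread itself performs: call `/auth/login.json` for each seeded operator and confirm the `Roles` array contains only the single App role assigned, never `Admin`; an account that must both create users and approve transfers should be a deliberate policy exception holding both App roles, not an Admin.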