Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Simplify how to check if the user is an admin #16866

Merged
merged 9 commits into from
Oct 11, 2024
Merged
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,6 @@
using OrchardCore.Recipes.Services;
using OrchardCore.Security;
using OrchardCore.Security.Permissions;
using OrchardCore.Security.Services;

namespace OrchardCore.Roles.Recipes;

Expand All @@ -14,14 +13,14 @@ namespace OrchardCore.Roles.Recipes;
public sealed class RolesStep : IRecipeStepHandler
{
private readonly RoleManager<IRole> _roleManager;
private readonly IRoleService _roleService;
private readonly ISystemRoleNameProvider _systemRoleNameProvider;

public RolesStep(
RoleManager<IRole> roleManager,
IRoleService roleService)
ISystemRoleNameProvider systemRoleNameProvider)
{
_roleManager = roleManager;
_roleService = roleService;
_systemRoleNameProvider = systemRoleNameProvider;
}

public async Task ExecuteAsync(RecipeExecutionContext context)
Expand Down Expand Up @@ -58,7 +57,7 @@ public async Task ExecuteAsync(RecipeExecutionContext context)
r.RoleDescription = roleEntry.Description;
r.RoleClaims.RemoveAll(c => c.ClaimType == Permission.ClaimType);

if (!await _roleService.IsAdminRoleAsync(roleName))
if (!await _systemRoleNameProvider.IsAdminRoleAsync(roleName))
{
r.RoleClaims.AddRange(roleEntry.Permissions.Select(RoleClaim.Create));
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,6 @@
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Options;
using OrchardCore.Security;
using OrchardCore.Security.Services;
using OrchardCore.Users;
using OrchardCore.Users.Services;

Expand All @@ -12,18 +11,18 @@ public class RoleClaimsProvider : IUserClaimsProvider
{
private readonly UserManager<IUser> _userManager;
private readonly RoleManager<IRole> _roleManager;
private readonly IRoleService _roleService;
private readonly ISystemRoleNameProvider _systemRoleNameProvider;
private readonly IdentityOptions _identityOptions;

public RoleClaimsProvider(
UserManager<IUser> userManager,
RoleManager<IRole> roleManager,
IRoleService roleService,
ISystemRoleNameProvider systemRoleNameProvider,
IOptions<IdentityOptions> identityOptions)
{
_userManager = userManager;
_roleManager = roleManager;
_roleService = roleService;
_systemRoleNameProvider = systemRoleNameProvider;
_identityOptions = identityOptions.Value;
}

Expand All @@ -33,16 +32,24 @@ public async Task GenerateAsync(IUser user, ClaimsIdentity claims)
{
return;
}
var adminRoleName = await _systemRoleNameProvider.GetAdminRoleAsync();

var isAdministrator = false;

if (await _userManager.IsInRoleAsync(user, adminRoleName))
{
claims.AddClaim(StandardPermissions.SiteOwnerClaim);

isAdministrator = true;
}

var roleNames = await _userManager.GetRolesAsync(user);
var roles = new List<IRole>();
var addClaims = true;

foreach (var roleName in roleNames)
{
claims.AddClaim(new Claim(_identityOptions.ClaimsIdentity.RoleClaimType, roleName));

if (!_roleManager.SupportsRoleClaims)
if (isAdministrator || !_roleManager.SupportsRoleClaims)
{
continue;
}
Expand All @@ -54,21 +61,6 @@ public async Task GenerateAsync(IUser user, ClaimsIdentity claims)
continue;
}

if (addClaims && await _roleService.IsAdminRoleAsync(role.RoleName))
{
addClaims = false;
}

roles.Add(role);
}

if (roles.Count == 0 || !addClaims)
{
return;
}

foreach (var role in roles)
{
claims.AddClaims(await _roleManager.GetClaimsAsync(role));
}
}
Expand Down
2 changes: 0 additions & 2 deletions src/OrchardCore.Modules/OrchardCore.Roles/Startup.cs
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,6 @@
using OrchardCore.Modules;
using OrchardCore.Navigation;
using OrchardCore.Recipes;
using OrchardCore.Roles.Core;
using OrchardCore.Roles.Deployment;
using OrchardCore.Roles.Migrations;
using OrchardCore.Roles.Recipes;
Expand All @@ -35,7 +34,6 @@ public override void ConfigureServices(IServiceCollection services)
{
services.AddScoped<IUserClaimsProvider, RoleClaimsProvider>();
services.AddDataMigration<RolesMigrations>();
services.AddScoped<IAuthorizationHandler, RolesPermissionHandler>();
services.AddScoped<RoleStore>();
services.Replace(ServiceDescriptor.Scoped<IRoleClaimStore<IRole>>(sp => sp.GetRequiredService<RoleStore>()));
services.Replace(ServiceDescriptor.Scoped<IRoleStore<IRole>>(sp => sp.GetRequiredService<RoleStore>()));
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,21 @@ public SuperUserHandler(ISiteService siteService)

public async Task HandleAsync(AuthorizationHandlerContext context)
{
var userId = context?.User?.FindFirstValue(ClaimTypes.NameIdentifier);
var user = context?.User;

if (user == null)
{
return;
}

if (user.HasClaim(StandardPermissions.SiteOwnerClaim.Type, StandardPermissions.SiteOwnerClaim.Value))
{
SucceedAllRequirements(context);

return;
}

var userId = user.FindFirstValue(ClaimTypes.NameIdentifier);
if (userId == null)
{
return;
Expand Down
23 changes: 5 additions & 18 deletions src/OrchardCore.Modules/OrchardCore.Users/Liquid/UserFilters.cs
Original file line number Diff line number Diff line change
Expand Up @@ -2,18 +2,16 @@
using Fluid;
using Fluid.Values;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;
using OrchardCore.Liquid;
using OrchardCore.Roles;
using OrchardCore.Security;
using OrchardCore.Security.Permissions;

namespace OrchardCore.Users.Liquid;

public static class UserFilters
{
public static async ValueTask<FluidValue> HasClaim(FluidValue input, FilterArguments arguments, TemplateContext ctx)
public static ValueTask<FluidValue> HasClaim(FluidValue input, FilterArguments arguments, TemplateContext ctx)
{
if (input.ToObjectValue() is LiquidUserAccessor)
{
Expand All @@ -31,21 +29,10 @@ public static async ValueTask<FluidValue> HasClaim(FluidValue input, FilterArgum
return BooleanValue.True;
}

if (string.Equals(claimType, Permission.ClaimType, StringComparison.OrdinalIgnoreCase))
if (string.Equals(claimType, Permission.ClaimType, StringComparison.OrdinalIgnoreCase) &&
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But this would be removed if we have a custom filter for authorization, right?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we would. Because we should still return true if the user is an admin. has_authorization would use the IAutheorizationService to do similar check without evaluating the claims explicitly.

If we need to remove it, we'll have to document it as a breaking change for 3.0 and offer has_authorization as a better way to authorize user

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Because we should still return true if the user is an admin

In 2.x because it would be a breaking change otherwise. So we can remove it in 3.0.

Copy link
Member Author

@MikeAlhayek MikeAlhayek Oct 10, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So are you saying to keep this and at somepoint add has_authorization. then in 3.0, we can remove this check from has_claim, correct?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@sebastienros actually we already have has_permission filter that one can already use. So I don't think there is a need to add has_authorization

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I also think this should be removed e.g. in 3.0, but lets keep it for backward compatibility until then.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added a note so we can remove it in 3.0

user.HasClaim(StandardPermissions.SiteOwnerClaim.Type, StandardPermissions.SiteOwnerClaim.Value))
{
var systemRoleNameProvider = context.Services.GetService<ISystemRoleNameProvider>();

if (systemRoleNameProvider != null)
{
// Administrator users do not register individual permissions during login.
// However, they are designed to automatically have all application permissions granted.
var identityOptions = context.Services.GetRequiredService<IOptions<IdentityOptions>>().Value;

if (user.HasClaim(identityOptions.ClaimsIdentity.RoleClaimType, await systemRoleNameProvider.GetAdminRoleAsync()))
{
return BooleanValue.True;
}
}
return BooleanValue.True;
}
}
}
Expand Down
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
using System.Security.Claims;
using OrchardCore.Security.Permissions;

namespace OrchardCore.Security;
Expand All @@ -6,4 +7,9 @@ public static class StandardPermissions
{
[Obsolete("This permission is deprecated and will be removed in future releases. Instead, consider adding users to the system administrator role.")]
public static readonly Permission SiteOwner = new("SiteOwner", "Site Owners Permission", isSecurityCritical: true);

/// <summary>
/// This claim is assigned by the system during the login process if the user belongs to the Administrator role.
/// </summary>
public static readonly Claim SiteOwnerClaim = new("OrchardCorePermissions", "all-permissions");
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the type name should be more clear and maybe not related to our permissions only. In the future, we may want to use this claim for other checks, beside checking for the existing permissions.
Something like IsSuperUser = true or similar.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I changed it to Claim SiteOwner = new("SiteOwner", "true"); and moved it to a new StandardClaims class instead

}
44 changes: 0 additions & 44 deletions src/OrchardCore/OrchardCore.Roles.Core/RolesPermissionHandler.cs

This file was deleted.

60 changes: 0 additions & 60 deletions test/OrchardCore.Tests/Security/RolesPermissionHandlerTests.cs

This file was deleted.