Programmatically refresh user roles - General Discussions - Progress Community

Programmatically refresh user roles

  • Greetings,

    I have the following scenario:

    A user logs in through a custom login control that I created. Once the authentication is successful, he's taken to a page where he has to create his profile. At this point he's in the role "MembersNoProfile", and once he finishes creating his profile I use the following methods:

    var roleManager = RoleManager.GetManager("MyProvider");
    roleManager.Provider.SuppressSecurityChecks = true;
    var userManager = UserManager.GetManager("MyProvider");
    userManager.Provider.SuppressSecurityChecks = true;
    var roleMembers = roleManager.GetRole("Members");
    var roleMembersNoProfile = roleManager.GetRole("MembersNoProfile");
    roleManager.AddUserToRole(userManager.GetUser(userId), roleMembers);
    roleManager.RemoveUserFromRole(userId, roleMembersNoProfile);

    This code adds the user to the role "Members" and removes him from the "MembersNoProfile" one. At this point he should be able to access 2 pages that I have created which have a "View Permission" set to the role "Members" only. However, when trying to access the page I'm getting a 404 error, as if the user didn't have permissions.

    Logging out the user and then logging him again does work since this time the manager acknowledges he now is in the correct role.

    As such, my belief is that after changing the user roles the manager doesn't really refresh its status and it still considers the user not to be in the "Members" role.

    Is there a way to force the manager to refresh the current user roles instead of having to log out and log in the user again?

    Thanks in advance.

  • Hi Daniel,

    In your code I do not see where you commit the transaction by calling roleManagerInstance.SaveChanges().
    You can restart the application by using the RestartApplication(bool rest) static method of SystemManager. When you pass true to the parameter, this will make a full restart, but this requires that you run the project under a full trust environment.

    All the best,
    Ivan Dimitrov
    the Telerik team
    Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items
  • Is there another way to force a refresh of the current user's roles after programmatically updating them? I am working on a sso implementation using STS and hooking into the LoginCompleted event to update the user's roles based on information from the sso identity server.

    I got it so that the user's roles do get updated, but they have to do a full logout and log back in cycle before they get "applied." It also appears that during this event the user is not really logged in yet, so I can't try to fire any of the claims manager "refresh" functions.

  • Hello Michael,

    The first problem, that the roles are not updated after being applied, is because RoleManager manages the CRUD operations of the roles, which means managing them in the database. In order for the user to have those roles "applied" for the current request, they need to be inserted as claims when the actual request is authenticated.
    The LoginCompleted event is not the right place to do this, since the user at that point is verified (his credentials are verified) but the request is still not authenticated.
    What you need to do in order to achieve the scenario you want is to inherit SFClaimsAuthenticationManager and override its Authenticate method. In the overridden method you call base.Authenticate and you will get the user principal, which contains all the claims about the current request. There you can manipulate the roles (add/remove) and they will be applied immediately for the current request. Note that you go through this method only once, after the user has been verified and while the request is being authenticated. See an example of how to implement it:

    using Microsoft.IdentityModel.Claims;
    using System;
    using System.Linq;
    using Telerik.Sitefinity.Security;
    using Telerik.Sitefinity.Security.Claims;
    using Telerik.Sitefinity.Security.Configuration;

    namespace SitefinityWebApp
    {
        public class CustomSFClaimsAuthenticationManager : SFClaimsAuthenticationManager
        {
            public override Microsoft.IdentityModel.Claims.IClaimsPrincipal Authenticate(string resourceName, Microsoft.IdentityModel.Claims.IClaimsPrincipal incomingPrincipal)
            {
                // The base call returns the principal with the claims for the current request.
                var principal = base.Authenticate(resourceName, incomingPrincipal);

                // roleId, roleName and roleProvider are not defined in the post;
                // set them to the Id, name and provider of the role being added.
                var value = String.Concat(roleId, ";", roleName, ";", roleProvider);
                string issuer = "http://localhost";

                // Add the role as a claim so it applies to the current request.
                principal.Identities[0].Claims.Add(new Claim(SitefinityClaimTypes.Role, value, ClaimValueTypes.String, issuer, issuer));
                return principal;
            }
        }
    }

    Also, do not forget to register the custom authentication manager in the web.config:

          <claimsAuthenticationManager type="SitefinityWebApp.CustomSFClaimsAuthenticationManager, SitefinityWebApp" />

    I hope this example solves your issue. Feel free to contact us again if any troubles arise.

    Ivan Eftimov
    Do you want to have your say in the Sitefinity development roadmap? Do you want to know when a feature you requested is added or when a bug fixed? Explore the Telerik Sitefinity CMS Ideas&Feedback Portal and vote to affect the priority of the items
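
A role-claim reconciliation helper that a custom Authenticate override could call after base.Authenticate, added here as an example (it is not from the thread or from Telerik). RoleClaimSync and its parameters are hypothetical; it relies only on the claim value layout and the Claim constructor shown in the post above, and the caller supplies the roles read from the role store.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.IdentityModel.Claims;

namespace SitefinityWebApp
{
    // Hypothetical helper, not a Sitefinity API.
    public static class RoleClaimSync
    {
        // Same "roleId;roleName;roleProvider" layout as the claim value in the post.
        public static string Format(Guid roleId, string roleName, string roleProvider)
        {
            return String.Concat(roleId, ";", roleName, ";", roleProvider);
        }

        // roleClaimType: pass SitefinityClaimTypes.Role.
        // storedValues: Format(...) for each role the user holds in roleProvider now.
        // Only claims of that provider are touched; returns claims added plus removed.
        public static int Sync(IClaimsIdentity identity, string roleClaimType,
            string roleProvider, IEnumerable<string> storedValues, string issuer)
        {
            var wanted = new HashSet<string>(storedValues, StringComparer.OrdinalIgnoreCase);
            var suffix = ";" + roleProvider;
            var current = identity.Claims
                .Where(c => c.ClaimType == roleClaimType &&
                            c.Value.EndsWith(suffix, StringComparison.OrdinalIgnoreCase))
                .ToList();
            int changes = 0;

            // A role removed from the store must stop granting access.
            foreach (var stale in current.Where(c => !wanted.Contains(c.Value)))
            {
                identity.Claims.Remove(stale);
                changes++;
            }

            // A role granted since the claims were built must start granting it.
            var present = new HashSet<string>(current.Select(c => c.Value), StringComparer.OrdinalIgnoreCase);
            foreach (var value in wanted.Where(v => !present.Contains(v)))
            {
                identity.Claims.Add(new Claim(roleClaimType, value,
                    ClaimValueTypes.String, issuer, issuer));
                changes++;
            }
            return changes;
        }
    }
}
```

Restricting the sync to one provider leaves role claims that base.Authenticate added for other providers untouched.
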
  • Ivan, your code gave me the results I needed as well. The only minor issue is on the backend: when checking roles of a user, the new role isn't listed (but I do gain access to pages). I'm guessing it's using a cached copy. Again, for my purposes it doesn't matter but someone else might need it. It would still be nice to know how to clear the role cache for a particular user w/o restarting the whole site. Thanks

  • Any alternatives yet to clear the role cache maybe?
  • Hello Njabulo,

    Please check the below KB article for more details on this:

    Sabrie Nedzhip