Oh I highlighted the wrong line in my code example... :P And I have no idea how to edit my post ^^

edit: and just to rub it in I can edit this post... Interesting... :P

<p>Hi,</p> <p><br />Which role provider are you using?</p> <p>You cannot mix addClaims and replacePrincipal, so make sure you don't have both set to true. I'm not sure which CMS version Search 7.7.1 relates to, but addClaims requires EPiServer.CMS.Core 7.14 or higher. Please see http://world.episerver.com/documentation/Items/Developers-Guide/Episerver-CMS/9/Configuration/Configuring-episerverframework/.</p> <p>Since you changed the roles on all content, I would recommend re-indexing everything. That can be done on from hidden page in admin, /episerver/cms/admin/indexcontent.aspx.</p> <p></p>

Whether PrincipalInfo.Current.RoleList should return all roles, I don't know. But it should return all matching virtual roles if you have replacePrincipal or addClaims.

Do you get the correct roles if you're using Roles.GetRolesForUser() method?

I'm using Multiplexing. I do have addClaims, but I do not use replacePrincipal (not quite sure what that is :P).

If what you're saying is true, then I am getting the right roles from PrincipalInfo.Current.RoleList

var accessRightsQuery = new AccessControlListQuery();
accessRightsQuery.AddAclForUser(PrincipalInfo.Current, context);
query.QueryExpressions.Add(accessRightsQuery);

But that would mean that what's indexed in the EPISERVER_SEARCH_ACL field is wrong. Right? Because if I run the code above, it simply said that I don't have access. Which is true if you look at the roleList and at the indexed field. Because they do not match :)

I honestly thought this code was from the Alloy demo website. But it wasnt actually me that set up this project from the start, so I can't be 100% sure...

But there's still a mismatch that I still believe shouldn't be a mismatch. But it might just be me not understanding something :)

Edit: Yeah, if I use the Roles.GetRolesForUser method I do get the actual roles (the WebAdmin and WebEditor roles for my user). Maybe the actual roles is the wrong way to put it, but you know what I mean (hopefully :P) :)

<p>I've never used AccessControlListQuery() explicitly. Since the roles are added automatically to the query if you use the standard search method.<br />Can you pass in roles from Roles.GetRolesForUser() as well? IIRC there is already a function that concatenates roles from both the role provider(s) and the PrincipalInfo object. I'm pretty sure PrincipalInfo doesn't know about your role providers...</p>

No, I can't pass that ( GetRolesForUser() ) into the AccessControlListQuery. It does take some kind of VirtualRole thingy.. :P

AddAclForUser(this AccessControlListQuery query, VirtualRoleRepository<VirtualRoleProviderBase> virtualRoleRepository, PrincipalInfo principal, object context);

And yeah, thats what I noticed. The PrincipalInfo doesn't know anything about the roles, just the virtual roles. Maybe it's just something funky with the AddAclForUser function. Since it only takes PrincipalInfo but seems to check on something else...

What I meant, was that you don't have to use the AddAclForUser() method. Instead add the roles one by one:

var roles = GetRoles();
var aclQuery = new AccessControlListQuery();

foreach (var role in roles)
{
    aclQuery.AddRole(role);
}

Ah ok, sorry I missunderstood. Yeah I can do that.

That means I won't get any hits if I want someone who isnt logged in to be able to search tho. Since the GetRoles then returns am empty array and does not include the "Everyone" role. Again it means that you can't control who gets to search and not with the roles in EPiServer. Not quite satisfied with that either... Sorry.

I mean I can work around this, but it just feels like something isn't quite right....

But you wrote in thread start that you just removed the Everyone role, so does it make sense to even add that role to the AccessControlListQuery? Otherwise you can always add that role, even though the user isn't logged in. Since everyone is.... everyone.

But you won't get any results back for anonymous users anyway, since the index doesn't have any hits with the everyone role anymore. Which makes sense. BUT if you want, you can add e.g. WebAdmins to the acl while searching if the user isn't logged in, then they will get results back, but that doesn't make sense.

Well I guess that is true. I could add the Everyone role manually. And I even guess I would have to be ok with that :P Since like you stated, Everyone is everyone... :) It still feels a little bit off to me tho.

Your answer would indeed work in this specific case, until I decide to allow everyone to browse the site and set the Read permission for Everyone on my site again. The search wouldn't work, thats what I meant...

Thanks so much for discussing this with me tho :) I never said that. Sorry :) This gave me a much better understanding of how the Principal and Roles work.

I've read your last message again... and I don't fully understand the problem? Of course you can control the access rights for search result with the built-in role functionality in Episerver. What is not working?

You just have to pass the correct ACL into the search query. That has nothing to do with Episerver, that's your code. And to be safe, always add the Everyone role (but I guess you already get this one from PrincipalInfo object since it's a virtual role).

<p>I think it's all because I thought the Principal would return the roles I needed. So yes, it's my code (altho in my defense I didnt write it ;) )</p> <p>But you are correct sir. Thanks again :)</p>

<p>No worries. Glad I could help out. Just make sure to add the everyone role, then i will work when you decide to open up the website again.</p>

And to be super safe, add the username as well to the ACL :) Sorry for spamming.