So, I found something that kind of bugged me when using episerver search on a staging environment.
What we did was we removed the "Everyone" group from read permissions (which effektivley forces you to login to be able to view the site).
What I then noticed was that my Search refused to return any hits at all, even tho the index looked fine and dandy.
I then noticed that in the PrincipalInfo.Current.RoleList I didnt have our actual roles (That we're calling WebAdmin and WebEditor). What showed up was CmsAdmins and CmsEditors.
So the roles in my RoleList wasn't actually my roles, it was my virual roles that I had from web.config:
While in the index, it indexes the actual roles in the EPISERVER_SEARCH_ACL field:
[[G:Administrators]] [[G:LoginUser]] [[G:WebAdmins]] [[G:WebEditors]]
But my question finally is: Is it really supposed to work like this? Shouldn't PrincipalInfo.Current return the actual roles? Or the indexingservice index the virtual roles instead of the roles?
Maybe this can help someone else with this issue, because this nearly drove me crazy :P
Oh I highlighted the wrong line in my code example... :P And I have no idea how to edit my post ^^
edit: and just to rub it in I can edit this post... Interesting... :P
Whether PrincipalInfo.Current.RoleList should return all roles, I don't know. But it should return all matching virtual roles if you have replacePrincipal or addClaims.
Do you get the correct roles if you're using Roles.GetRolesForUser() method?
I'm using Multiplexing. I do have addClaims, but I do not use replacePrincipal (not quite sure what that is :P).
If what you're saying is true, then I am getting the right roles from PrincipalInfo.Current.RoleList
var accessRightsQuery = new AccessControlListQuery();
But that would mean that what's indexed in the EPISERVER_SEARCH_ACL field is wrong. Right? Because if I run the code above, it simply said that I don't have access. Which is true if you look at the roleList and at the indexed field. Because they do not match :)
I honestly thought this code was from the Alloy demo website. But it wasnt actually me that set up this project from the start, so I can't be 100% sure...
But there's still a mismatch that I still believe shouldn't be a mismatch. But it might just be me not understanding something :)
Edit: Yeah, if I use the Roles.GetRolesForUser method I do get the actual roles (the WebAdmin and WebEditor roles for my user). Maybe the actual roles is the wrong way to put it, but you know what I mean (hopefully :P) :)
No, I can't pass that ( GetRolesForUser() ) into the AccessControlListQuery. It does take some kind of VirtualRole thingy.. :P
AddAclForUser(this AccessControlListQuery query, VirtualRoleRepository<VirtualRoleProviderBase> virtualRoleRepository, PrincipalInfo principal, object context);
And yeah, thats what I noticed. The PrincipalInfo doesn't know anything about the roles, just the virtual roles. Maybe it's just something funky with the AddAclForUser function. Since it only takes PrincipalInfo but seems to check on something else...
What I meant, was that you don't have to use the AddAclForUser() method. Instead add the roles one by one:
var roles = GetRoles();
var aclQuery = new AccessControlListQuery();
foreach (var role in roles)
Ah ok, sorry I missunderstood. Yeah I can do that.
That means I won't get any hits if I want someone who isnt logged in to be able to search tho. Since the GetRoles then returns am empty array and does not include the "Everyone" role. Again it means that you can't control who gets to search and not with the roles in EPiServer. Not quite satisfied with that either... Sorry.
I mean I can work around this, but it just feels like something isn't quite right....
But you wrote in thread start that you just removed the Everyone role, so does it make sense to even add that role to the AccessControlListQuery? Otherwise you can always add that role, even though the user isn't logged in. Since everyone is.... everyone.
But you won't get any results back for anonymous users anyway, since the index doesn't have any hits with the everyone role anymore. Which makes sense. BUT if you want, you can add e.g. WebAdmins to the acl while searching if the user isn't logged in, then they will get results back, but that doesn't make sense.
Well I guess that is true. I could add the Everyone role manually. And I even guess I would have to be ok with that :P Since like you stated, Everyone is everyone... :) It still feels a little bit off to me tho.
Your answer would indeed work in this specific case, until I decide to allow everyone to browse the site and set the Read permission for Everyone on my site again. The search wouldn't work, thats what I meant...
Thanks so much for discussing this with me tho :) I never said that. Sorry :) This gave me a much better understanding of how the Principal and Roles work.
I've read your last message again... and I don't fully understand the problem? Of course you can control the access rights for search result with the built-in role functionality in Episerver. What is not working?
You just have to pass the correct ACL into the search query. That has nothing to do with Episerver, that's your code. And to be safe, always add the Everyone role (but I guess you already get this one from PrincipalInfo object since it's a virtual role).
And to be super safe, add the username as well to the ACL :) Sorry for spamming.