
EPiServer Search 7.7.1


So, I found something that kind of bugged me when using episerver search on a staging environment.

What we did was we removed the "Everyone" group from read permissions (which effectively forces you to log in to be able to view the site).

What I then noticed was that my Search refused to return any hits at all, even tho the index looked fine and dandy.

I then noticed that in the PrincipalInfo.Current.RoleList I didn't have our actual roles (that we're calling WebAdmin and WebEditor). What showed up was CmsAdmins and CmsEditors.

So the roles in my RoleList weren't actually my roles, they were my virtual roles that I had from web.config:


While in the index, it indexes the actual roles in the EPISERVER_SEARCH_ACL field:

[[G:Administrators]] [[G:LoginUser]] [[G:WebAdmins]] [[G:WebEditors]]

But my question finally is: Is it really supposed to work like this? Shouldn't PrincipalInfo.Current return the actual roles? Or the indexingservice index the virtual roles instead of the roles?

Maybe this can help someone else with this issue, because this nearly drove me crazy :P


Feb 11, 2016 11:21

Oh I highlighted the wrong line in my code example... :P And I have no idea how to edit my post ^^

edit: and just to rub it in I can edit this post... Interesting... :P

Edited, Feb 11, 2016 11:23
Hi,

Which role provider are you using?

You cannot mix addClaims and replacePrincipal, so make sure you don't have both set to true. I'm not sure which CMS version Search 7.7.1 relates to, but addClaims requires EPiServer.CMS.Core 7.14 or higher. Please see

Since you changed the roles on all content, I would recommend re-indexing everything. That can be done from a hidden page in admin, /episerver/cms/admin/indexcontent.aspx.

Feb 11, 2016 19:22

Whether PrincipalInfo.Current.RoleList should return all roles, I don't know. But it should return all matching virtual roles if you have replacePrincipal or addClaims.

Do you get the correct roles if you're using Roles.GetRolesForUser() method?

Feb 11, 2016 19:26

I'm using Multiplexing. I do have addClaims, but I do not use replacePrincipal (not quite sure what that is :P).

If what you're saying is true, then I am getting the right roles from PrincipalInfo.Current.RoleList

var accessRightsQuery = new AccessControlListQuery();
accessRightsQuery.AddAclForUser(PrincipalInfo.Current, context);

But that would mean that what's indexed in the EPISERVER_SEARCH_ACL field is wrong. Right? Because if I run the code above, it simply said that I don't have access. Which is true if you look at the roleList and at the indexed field. Because they do not match :)

I honestly thought this code was from the Alloy demo website. But it wasn't actually me that set up this project from the start, so I can't be 100% sure...

But there's still a mismatch that I still believe shouldn't be a mismatch. But it might just be me not understanding something :)

Edit: Yeah, if I use the Roles.GetRolesForUser method I do get the actual roles (the WebAdmin and WebEditor roles for my user). Maybe the actual roles is the wrong way to put it, but you know what I mean (hopefully :P) :)

Edited, Feb 12, 2016 13:57
I've never used AccessControlListQuery() explicitly. Since the roles are added automatically to the query if you use the standard search method.
Can you pass in roles from Roles.GetRolesForUser() as well? IIRC there is already a function that concatenates roles from both the role provider(s) and the PrincipalInfo object. I'm pretty sure PrincipalInfo doesn't know about your role providers...

Feb 12, 2016 14:32

No, I can't pass that ( GetRolesForUser() ) into the AccessControlListQuery. It does take some kind of VirtualRole thingy.. :P

AddAclForUser(this AccessControlListQuery query, VirtualRoleRepository<VirtualRoleProviderBase> virtualRoleRepository, PrincipalInfo principal, object context);

And yeah, that's what I noticed. The PrincipalInfo doesn't know anything about the roles, just the virtual roles. Maybe it's just something funky with the AddAclForUser function. Since it only takes PrincipalInfo but seems to check on something else...

Feb 12, 2016 15:43

What I meant, was that you don't have to use the AddAclForUser() method. Instead add the roles one by one:

var roles = GetRoles();
var aclQuery = new AccessControlListQuery();

foreach (var role in roles)
Feb 12, 2016 16:06

Ah ok, sorry I misunderstood. Yeah I can do that.

That means I won't get any hits if I want someone who isn't logged in to be able to search tho. Since the GetRoles then returns an empty array and does not include the "Everyone" role. Again it means that you can't control who gets to search and not with the roles in EPiServer. Not quite satisfied with that either... Sorry.

I mean I can work around this, but it just feels like something isn't quite right....

Feb 12, 2016 16:20

But you wrote in thread start that you just removed the Everyone role, so does it make sense to even add that role to the AccessControlListQuery? Otherwise you can always add that role, even though the user isn't logged in. Since everyone is.... everyone.

Feb 12, 2016 16:28

But you won't get any results back for anonymous users anyway, since the index doesn't have any hits with the everyone role anymore. Which makes sense. BUT if you want, you can add e.g. WebAdmins to the acl while searching if the user isn't logged in, then they will get results back, but that doesn't make sense.

Feb 12, 2016 16:33

Well I guess that is true. I could add the Everyone role manually. And I even guess I would have to be ok with that :P Since like you stated, Everyone is everyone... :) It still feels a little bit off to me tho.

Your answer would indeed work in this specific case, until I decide to allow everyone to browse the site and set the Read permission for Everyone on my site again. The search wouldn't work, that's what I meant...

Thanks so much for discussing this with me tho :) I never said that. Sorry :) This gave me a much better understanding of how the Principal and Roles work.

Feb 12, 2016 16:39

I've read your last message again... and I don't fully understand the problem? Of course you can control the access rights for search result with the built-in role functionality in Episerver. What is not working?

You just have to pass the correct ACL into the search query. That has nothing to do with Episerver, that's your code. And to be safe, always add the Everyone role (but I guess you already get this one from PrincipalInfo object since it's a virtual role).

Feb 12, 2016 16:39
I think it's all because I thought the Principal would return the roles I needed. So yes, it's my code (although in my defense I didn't write it ;) )

But you are correct sir. Thanks again :)

Feb 12, 2016 16:42
No worries. Glad I could help out. Just make sure to add the everyone role, then it will work when you decide to open up the website again.

Feb 12, 2016 16:52

And to be super safe, add the username as well to the ACL :) Sorry for spamming. 

Feb 12, 2016 16:58
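
Added example, not taken from any post in this thread and not Episerver's own code: one way to build the query ACL the thread converges on, so that the roles sent with the search line up with what is stored in EPISERVER_SEARCH_ACL. It assumes the AddRole and AddUser methods of AccessControlListQuery and the ASP.NET Roles API; SearchAclBuilder and BuildForCurrentUser are hypothetical names.

```csharp
using System.Collections.Generic;
using System.Web.Security;
using EPiServer.Search.Queries.Lucene;
using EPiServer.Security;

// Hypothetical helper (not part of EPiServer): collects every role the
// current user can legitimately claim and puts it into the search ACL.
public static class SearchAclBuilder
{
    // Role name as used in this thread. Adding it for every caller is safe:
    // it only matches items whose indexed ACL still grants Everyone read access.
    private const string EveryoneRole = "Everyone";

    public static AccessControlListQuery BuildForCurrentUser()
    {
        var principal = PrincipalInfo.Current;
        var identity = principal.Principal.Identity;

        // HashSet removes duplicates when a name appears in both sources.
        var roles = new HashSet<string> { EveryoneRole };

        // Virtual roles (CmsAdmins, CmsEditors, ...) known to PrincipalInfo.
        foreach (var role in principal.RoleList)
        {
            roles.Add(role);
        }

        // Role-provider roles (WebAdmins, WebEditors, ...) are what the
        // indexer wrote into EPISERVER_SEARCH_ACL, so they must be sent too.
        // Anonymous callers get none: never add a real role on their behalf.
        if (identity.IsAuthenticated)
        {
            foreach (var role in Roles.GetRolesForUser(identity.Name))
            {
                roles.Add(role);
            }
        }

        var acl = new AccessControlListQuery();
        foreach (var role in roles)
        {
            acl.AddRole(role);
        }
        if (identity.IsAuthenticated)
        {
            acl.AddUser(identity.Name); // covers content granted to the user directly
        }
        return acl;
    }
}
```

The returned query takes the place of the AddAclForUser call shown earlier in the thread. After changing access rights on content, re-index so the stored ACL reflects the new settings.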