SaaS CMS has officially launched! Learn more now.

web.config in the modules/add-on-name folder

Nat
Nat
Vote:
 

is the web.config packaged in the modules/_protected/add-on-folder-folder able to control access to the add on folder contents?

it seems that most add on s come complete with a web.config with 
 

    <authorization>
      <deny users="*" />
    </authorization>

I have recently installed the advanced-cms.ExternalReviews package, but it does not allow non logged in users to access the external content reviews as the required styles/scripts from the addon redirect to the login. I thought I could control this by changing the packaged folder web.config to 

    <authorization>
      <allow users="*" />
    </authorization>

but it doesnt seem to have an effect.

do I simply need to add the allow in the main web.config?

thanks

#255391
Edited, May 24, 2021 8:51
Vote:
 

Hello Nat

The external reviews module has a number of config options that can be set in code, depending on your requirements. The options are documented here:

https://github.com/advanced-cms/advanced-reviews#security 

What is your specific requirement so we can advise on the correct configuration of these options.

David

#255398
May 24, 2021 10:23
Nat
Vote:
 

Hi David

ideally we would like external reviewers not to have to log in to add reviews at all, but its looking like that is not possible?

i had thought to simply add a authorization rule in to allow all access to the 

/EPiServer/advanced-cms.ExternalReviews/Views/

folder so that the required scripts and styles would load for everyone - because if you dont log in those 302 redirect to the login page which basically stops the review fucntionality working at all. But then we also have problems with the images being served up from the 

/Episerver/cms/Content/path-to-image

path, which also dont load for unauthenticated viewers of the page.

but guessing that is not how this is supposed to work?

If we have all reviewers using a shared login, then I would expect that when the external reviewer tries to load the external link, it would kick to the login and then back to the page after a successful login

#255399
Edited, May 24, 2021 10:35
Vote:
 

Hello Nat

You can use virtual roles to define a "ExternalReviewers" role which would allow anyone with the link to review and comment. They can then provide their real name when writing a review. It would mean anyone with the link could then review and comment so I'd advise trying to at least restrict this to internal users? The config I used to test is as follows (add to your <episerver.framework> config):

<episerver.framework>
  <!--Other config-->
  <virtualRoles addClaims="true">
    <providers>
      <!--Other config-->
      <add name="ExternalReviewers" type="EPiServer.Security.EveryoneRole, EPiServer.Framework" />
    </providers>
  </virtualRoles>
  <!--Other config-->
</episerver.framework>

You can learn more about creating custom virtual roles here if you have a way of identifying users who you want to review and comment:

https://world.episerver.com/documentation/developer-guides/CMS/security/Virtual-roles/ 

David

#255405
Edited, May 24, 2021 12:52
Vote:
 

Ps the code to configure advanced reviews in relation to the above is below:

using AdvancedExternalReviews;
using EPiServer.Framework;
using EPiServer.Framework.Initialization;
using EPiServer.ServiceLocation;

namespace Demo.Web
{
[InitializableModule]
[ModuleDependency(typeof(FrameworkInitialization))]
public class ExternalReviewInitialization : IConfigurableModule
{
    public void ConfigureContainer(ServiceConfigurationContext context)
    {
        context.Services.Configure<ExternalReviewOptions>(options =>
        {
            options.EditableLinksEnabled = true;
        });
    }

    public void Initialize(InitializationEngine context) { }

    public void Uninitialize(InitializationEngine context) { }
}
}
#255406
May 24, 2021 12:58
Nat
Vote:
 

Hi David

thanks for that, I had tried that config, but when accessing the link both the 

/EPiServer/advanced-cms.ExternalReviews/Views/external-review-component.js

/EPiServer/advanced-cms.ExternalReviews/Views/reset.css

both redirect to the main CMS login - so the review page does not function correctly - which I guess is why I was on this magical mystery tour in the first place. :(

I dont know if this is standard but we have a 

<location path="EPiServer">
  <system.web>
    <authorization>
        <allow roles="WebEditors, WebAdmins, Administrators" />
        <deny users="*" />
      </authorization>

so guess that could well be causing issues - although it does seem to be set up like that in the Alloy template

#255408
Edited, May 24, 2021 13:21
Vote:
 

Hi Nat

Did that issue still occur with the virtual role configuration I provied?

I can see the same issue when I do not have the following line in my virtual providers section:

<add name="ExternalReviewers" type="EPiServer.Security.EveryoneRole, EPiServer.Framework" /> 

David

#255410
Edited, May 24, 2021 14:45
Nat
Vote:
 

adding the virtual role doesnt seem to make any difference at all - both the js/css files are not loading.

OK, so say I add a reviewer user, how do I get the externalReview pages to redirect to the login?

as I guess I cant expect people to login via the standard CMS login, where they will complete the login form and then stay on that page - albeit without the 'login failed' error and then know to paste in the external link.. 

or is it easier to use the pin - in which the login does seem to come up, but then the submit of that login seems to 404

sorry, this is turning out to be a right pain.. really appreciate your help with this.

#255411
Edited, May 24, 2021 15:02
Vote:
 

Can I ask what identity provider you are using in the implementation? I tried in a straight Alloy site which uses ASP.net Identity

#255412
May 24, 2021 15:05
Vote:
 

You can also try explicitly adding a <location path="EPiServer/advanced-cms.ExternalReviews/Views"> element in web.config to allow Everyone so those resources load

#255413
May 24, 2021 15:06
Nat
Vote:
 

Hi David, 

I had done just that, and it did work, although felt a little bit sledgehammer for a nut - and then noticed the web.config in the modules/_protected folder for the package and thought I might simply be able to change it there - as with my initial question.

and I would also need to add a similar location rule for episerver/cms/content to allow the images to show up, as they seemed to be served from that url, and wasnt sure what the security concerns with that might be.

#255414
Edited, May 24, 2021 15:13
David Knipe - May 24, 2021 15:17
As a general rule there should be no need to change the web.config in the modules/_protected folder. The approach of setting an explicit location path is valid and specific so I wouldn't worry too much.

The bigger question is why the virtual role doesn't work as this is what allows the content to be seen. Could be down to identity provider so can you confirm what identity provider you are using?
Nat
Vote:
 

its the

SqlServerMembershipProvider - System.Web.Providers.DefaultMembershipProvider

and we do have other virtual roles in our list, so not sure what is going on there. 

assuming 'EveryoneRole' includes unauthenticated visitors

#255417
May 24, 2021 15:31
Vote:
 

Correct EveryoneRole just returns true so everyone should be in it. Virtual Roles have worked for years so I am curious as why they are not working for you in this instance. Can you check you don't have 'ExternalReviewers' already defined in admin mode? Then try and create some content and set the permissions to 'ExternalReviewers' only and see if you get access or not. If you are working in code you can just check IsInRole("ExternalReviewers"). I have only tested with ASP.net indentity so that is the only difference I can see with your configuration.

If you want to debug you could create our own virutal role and see what gets executed. Here's the code for EveryoneRole:

[ServiceConfiguration]
public class EveryoneRole : VirtualRoleProviderBase
{
    // Fields
    private static string _roleName;
    private const string DefaultRoleName = "Everyone";

    // Methods
    public override bool IsInVirtualRole(IPrincipal principal, object context) => 
        true;

    // Properties
    public override string Name
    {
        get => 
            (base.Name ?? "Everyone");
        set
        {
            base.Name = value;
        }
    }

    public static string RoleName
    {
        get => 
            (_roleName ?? (_roleName = "Everyone"));
        set
        {
            _roleName = value;
        }
    }
}
#255418
May 24, 2021 15:44
Nat
Vote:
 

Morning David

So I am giving up on leaving it wide open, and think I will simply create a shared user for everyone. However, if I am adding a virtual role via the web.config - that doesnt seem to appear in the groups/roles list in the admin section, so difficult to assign a user to that group.

Also, when I tried this yesterday - accessing the edit link generated by the external reviews package, didnt prompt the user to login. Is there any way of getting this to work?

closest I got was to use the pin code instead, where the enter code did show - well the enter code box shoed, but on a completely blank page with no text to prompt the user at all. and then on submitting that, it 404'ed anyway.

basically I am thinking there is something pretty messed up in the solution somewhere, so maybe I should spend some time looking for that.

#255458
May 25, 2021 8:56
Vote:
 

Hi Nat

You do not need to create a virtual role if you are creating a shared user, just create a real role called ExternalReviewers and add the shared user to that role.

That should probably do the trick and also would mean people should get a login prompt.

David

#255459
May 25, 2021 9:25
Nat
Vote:
 

thanks again David

I have added the role and user, but the only way I can get a login prompt, and get the scripts to work is by adding this to the config

<location path="externalContentReviews">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
  <location path="EPiServer/advanced-cms.ExternalReviews/Views">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>

but at this point I am willing to accept that. 🤷‍♂️

think we should maybe look at changing the way users log in

#255460
May 25, 2021 9:52
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.