Try our conversational search powered by Generative AI!

Roles.IsUserInRole != Context.User.IsInRole



I've stumbled on what I think is a bug in EPiServer CMS R2.
It seems that all the controlls and rolechecking in EPiServer uses Context.User.IsInRole to check if the user has sufficent rights. The thing is that if you use a custom RoleProvider it has the method Role.IsUserInRole wich should be used and not Context.User.IsInrole. The method Context.User.IsInrole derrives from .NET 1.1 and calls the RolePrincipal class. The caching is
done in this class which calls Role.GetRolesForUser and then caches
the list for subsequent calls.

That meand that if you've built a custom roleprovider with some own logic in it.
User.IsInRole wont always be the same as Role.IsUserInRole. User.IsInRole is also very slow when you use Active Directory Membership Provider.

Why don't EPiServer use Role.IsUserInRole instead of User.IsInRole? In my opinion this is a major bug that is hard to address.


Feb 04, 2009 15:23

You can argue that it is an inconsistancy that the RolePrincipal implementation of IPrincipal.IsInRole provided by Microsoft does not call Roles.IsUserInRole, and if I google for it I find many people feel the same way.

But, User.IsInRole is the way to check roles for the currently logged in user because ASP.NET does not require you to use role providers at all or you can even provide your own implementation of IPrincipal. For example the concept "virtual roles" in EPiServer CMS does just this by wrapping an existing principal. And if you don't like the default implementation of RolePrincipal you can even provide your own or complain to Microsoft.

If you look at new frameworks from Microsoft such as ASP.NET MVC you will find that they also call User.IsInRole rather than calling directly into Roles.IsUserInRole.

Hope that helps.






Jul 03, 2009 15:15
This thread is locked and should be used for reference only. Please use the Episerver CMS 7 and earlier versions forum to open new discussions.
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.