Vulnerability in EPiServer.Forms
Good Day All,
I have a puzzling question that I need some help with. I have created a virtual role called "MyRole". How do I go about adding a user to this virtual role in code? I know how to add a user to a specific role if they had a membership user account, i.e. Roles.AddUserToRole(User.Identity.Name, "MyRole"). The problem is, we don't want to create a million membership accounts. We just want them to sign into a form and add them to a virtual role. Could someone please help with this? Thank you in advance.
You should give the Virtual Role code to evaluate whether the user is in that role. You could for example store a value in Session when the user signs in, and then evaluate that value when your Virtual Role is called.
Thanks Magnus, maybe I didn't explain it clearly in my previous post. I have been known to do that from time to time. I guess what my question is, how do I add the user to the virtual role programmatically? What I am doing now is when they log in, they are put into a session. I just am looking for guidance on how to actually add them to the virtual role. Thanks.
In your virtual role class (deriving from VirtualRoleProviderBase) you must implement the method IsInVirtualRole. From that method you should return true or false depending on if the passed in principal is in the role. The logic for this you create yourself. In your case it should be sufficient to look at HttpContext.Current.Session for your key and return true/false depending on that since the context should still be the same as the user context.
You also need to register your virtual role in the virtualRoles section in your config; it is actually there that you give it its name (the class' name doesn't matter).
I can see two possible problems however. One is that the Virtual Role might be called from some place where Session is not initialized. The other is that the role is called from somewhere when the Session isn't the user's session (I mean, if some caller would like to know if someone ELSE is in the role).
But the simplest case might just be sufficient for your needs.
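A sketch of the session-backed virtual role described in the answer above, added here as an illustration and not code posted by anyone in the thread. The class name, the session key and the `Grant` helper are hypothetical; the role is assumed to be registered as "MyRole" in the virtualRoles config section. It denies membership in both problem cases the answer raises.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.SessionState;
using EPiServer.Security;

// Hypothetical class name; the role's name comes from the virtualRoles
// config entry, not from this class.
public class SessionFlagVirtualRole : VirtualRoleProviderBase
{
    // Hypothetical session key, set only after the sign-in form has
    // validated the visitor on the server side.
    public const string SessionKey = "MyRole.Granted";

    // Call from the sign-in form's server-side handler after validation.
    public static void Grant(HttpSessionState session)
    {
        if (session == null) throw new ArgumentNullException("session");
        session[SessionKey] = true;
    }

    public override bool IsInVirtualRole(IPrincipal principal, object context)
    {
        HttpContext http = HttpContext.Current;

        // Problem 1: the role can be evaluated where there is no request or
        // the session is not initialized. Deny instead of throwing.
        if (http == null || http.Session == null)
            return false;

        // Problem 2: a caller may ask about someone else. The session only
        // describes the current visitor, so deny for any other principal.
        // Limitation: anonymous principals all have an empty name, so this
        // check cannot tell two anonymous principals apart.
        IPrincipal current = http.User;
        if (principal == null || principal.Identity == null ||
            current == null || current.Identity == null)
            return false;
        if (!string.Equals(principal.Identity.Name, current.Identity.Name,
                           StringComparison.OrdinalIgnoreCase))
            return false;

        // Membership is exactly the server-side flag; a missing or
        // non-boolean value means "not in role".
        object flag = http.Session[SessionKey];
        return flag is bool && (bool)flag;
    }
}
```

Because the flag lives only in server-side session state, membership ends when the session expires or is abandoned; nothing the client sends can set it directly.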