November Happy Hour will be moved to Thursday December 5th.
Hi,
Please verify the authorization configuration section of the uiUrl folder in web.config to see whether it allows other groups. Can you post it here?
We've made some progress in identifying the error here. The community gadgets have an Authorize attribute that is hard coded to look for Administrators, CommunityAdmins or CommunityModerators, regardless of whether you use those groups or not.
We can get users to see them if they are admins on the machine running the site (i.e. they belong to the group builtin\administrators, which apparently counts for the authorize attribute), but that is less than ideal since our users get their groups from the AD anyway.
You can use virtual roles to remap the administrator role (in EPiServerFramework.config if you are using CMS6 R2):
    <virtualRoles replacePrincipal="true">
      <providers>
        <add name="Administrators" type="EPiServer.Security.WindowsAdministratorsRole, EPiServer" />
        <add name="Everyone" type="EPiServer.Security.EveryoneRole, EPiServer" />
        <add name="Authenticated" type="EPiServer.Security.AuthenticatedRole, EPiServer" />
        <add name="Anonymous" type="EPiServer.Security.AnonymousRole, EPiServer" />
        <add name="Creator" type="EPiServer.Security.CreatorRole, EPiServer" />
        <add roles=" Administrators, YourAdministratorRole" mode="Any" name="CmsAdmins" type="EPiServer.Security.MappedRole, EPiServer" />
      </providers>
    </virtualRoles>
Sorry for taking so long to respond. I just forgot about it until doing an inventory of my inbox today. Unfortunately, I don't really have good news. We never did manage to solve this problem, at least not directly. Instead, we were forced to implement a complicated workaround.
The easiest fix to this problem is to just add users to the groups that are allowed to see the gadgets. It is possible that the membership provider (or is it the other one, I can never remember) overrides any groups assigned. It did for us anyway, which caused much larger problems with functionality that requires specific groups to function. Club specific forums in Relate+ being one such example (and the only one I can think of). So we ended up bypassing the whole login process altogether, so we could persist manually assigned user groups. Which solved this problem for us as well.
I actually solved this now by modifying the GetRolesForUser method. You could do this in a number of ways. I wanted to check if the user is a member of a specific AD-group, like this:
    public override string[] GetRolesForUser(string username)
    {
        DirectoryData userResult = GetUser(username);
        if (userResult == null)
        {
            return new string[0];
            //throw new ProviderException(String.Format("The user {0} does not exist.", username));
        }
        List<string> roleList = GetRolesForUserRecursive(userResult);
        //THIS IS THE MODIFIED PART
        List<string> appendGroups = new List<string>();
        foreach (string thisRole in roleList)
        {
            if (thisRole.Equals("YourADGroup"))
                appendGroups.Add("CommunityAdmins");
        }
        roleList.AddRange(appendGroups);
        //
        return roleList.ToArray();
    }
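An added example, not part of the original post and not EPiServer's own code: the group-to-role step from the method above written as an explicit allow-list, with case-insensitive matching and no duplicate roles in the result. The class name CommunityRoleMapper and the group names are placeholders; a GetRolesForUser override would pass its role list through AppendMappedRoles before returning it.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example: grants community roles only to members of explicitly listed groups.
public static class CommunityRoleMapper
{
    // Allow-list: directory group -> roles it grants. Group names are placeholders.
    // Write each key exactly as the role provider returns it (domain-qualified if the
    // provider returns "DOMAIN\Group"), so a same-named local group does not match.
    private static readonly Dictionary<string, string[]> Map =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "YourADGroup",        new[] { "CommunityAdmins" } },
            { "YourModeratorGroup", new[] { "CommunityModerators" } },
        };

    // Returns the directory roles plus any mapped community roles, without duplicates.
    public static string[] AppendMappedRoles(IEnumerable<string> directoryRoles)
    {
        var result = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        foreach (string raw in directoryRoles ?? Enumerable.Empty<string>())
        {
            if (raw == null) continue;
            string role = raw.Trim();
            if (role.Length == 0) continue;

            result.Add(role);

            // Only an exact (case-insensitive) match on a listed group adds roles.
            string[] granted;
            if (Map.TryGetValue(role, out granted))
                result.UnionWith(granted);
        }
        return result.ToArray();
    }

    public static void Main()
    {
        // Constructed sample input, not taken from a real directory.
        var roles = new[] { "Domain Users", "yourADgroup", "YourADGroup-Readers" };
        Console.WriteLine(string.Join(", ", AppendMappedRoles(roles)));
    }
}
```

With the constructed input, only the second entry matches the allow-list; the similarly named "YourADGroup-Readers" grants nothing.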
Jonas (or some other helpful person),
where can I find this GetRolesForUser method?
We are still struggling with this problem (same group as author Våglin above used to attend). We tried to get rid of the workaround Våglin wrote about above but got stuck on this problem again.
Any other suggestions how to sync CommunityAdmins with AD groups other than overriding the GetRolesForUser method?
We have tried the solution Tom Stenius wrote about in his blog: http://blog.tomstenius.com/2009/04/episerver-community-role-and-membership.html but it doesn't help us with the Community administration. With the EPiServerCommonIntegrationMembershipProvider I don't even see the Community tab as local admin, which I do if I only use the WindowsMembershipProvider.
Thanks in advance / Josef
You will find the method in ActiveDirectoryRoleProvider. You will have to follow this blog: http://blog.tomstenius.com/2010/08/active-directory-membership-and-role.html and set up your site using that provider.
Thank you Jonas for your quick reply!
I downloaded the code Tom referred to but it didn't compile. I noticed he also refers to Relate+ 1.x but we run 2.0 and I also found out that those classes seem to exist in our EPiServer.Security assembly already so I guess they have been included in 2.0?
Anyhow, instead I wrote a class that overrides WindowsRoleProvider which adds "CommunityAdmins" & "CommunityModerators" to the roles. That was successful in the way that I can now see the Community tab and some of the contents below the Admin & Moderate subtabs. But still some content (that I see as local admin) is hidden and I get an access denied message in the first page after clicking the admin tab.
Do you know if this is related to the configuration, or if I have to manually set access rights to the community content for these groups?
Would it still be better to use the AD role provider instead of my overriding Win role provider? It's really hard to find any documentation about the differences between all different providers.
Thanks, Josef
Did you modify the EpiserverFramework.config roles? I believe you have to add your AD-groups to the virtualRoles section:
    <add name="cmsAdmins" roles="Administrators, WebAdmins, YourAdGroupName"/>
Yes I did. I even added "CommunityAdmins" to "CmsAdmins" after I read your reply. But is the CmsAdmins role relevant for the Community content? What I really don't know yet is what the WebAdmins role is all about? Do you have a clue? Perhaps I should put it in my GetRolesForUser() as well?
I'm having some serious problems with the community gadgets in our testing environment. They only show up for users who belong to the builtin\administrators account, regardless of what other community groups they belong to or what rights have been set.
We're using WindowsRoleProvider and EPiServerCommonIntegrationMembershipProvider, so we're authenticating against our AD and all groups from there have been added to EPiServer Community.