Blazor SecurityService.IsInRole() issue

Hello,

I am attempting to create a Blazor Server application that will secure pages based on two separate security roles, Admins and Users. All accounts will be assigned to one of these roles, but never both. Some pages will be accessible to only Admins, while others will be accessible to both roles.

I have noticed that when I assign both roles to a page's Access property, the page does not show up in the PanelMenu after login. The page can be accessed if you manually enter the page URL in the browser.

The @attribute [Authorize(Roles="")] directive appears to allow the page to be accessed if the logged-in account is a member of one of the assigned roles, while your SecurityService.IsInRole() implementation appears to require that the logged-in account is a member of all of the assigned roles.

Thanks,
baj

Hi @baj,

Indeed you are right. We will address that in the next Radzen release.

Hi, I've just recently updated to 2.51.2 and the IsInRole method is still not functioning correctly when multiple roles are assigned to a page. Using AD security.

        if (!Principal.IsInRole(role))
        {
            return false;
        }

thanks

The IsInRole method looks like this:

        public bool IsInRole(params string[] roles)
        {
            if (!IsAuthenticated())
            {
                return false;
            }

            if (roles.Contains("Authenticated"))
            {
                return true;
            }

            return roles.Any(role => Principal.IsInRole(role));
        }

Should work as expected - returns true if the principal is member of any of the provided roles.

Agreed, I see that that is the code for Default security. When using AD security it generates what I listed.

This is the code for Active Directory security as well. Make sure your SecurityService isn't in the code generation ignore list.

I created 2 new simple Blazor projects, 1 using Default security, and the other using AD security. The Default has your code(+), but the AD still shows the original code I posted. No ignore list in use. I've also updated to 2.51.3.

What could cause my install to generate differently than expected?

Default Security: [image]

AD Security: [image]

You are right! I was looking at the wrong place. We have fixed that problem and you can temporarily address it like this:

  1. Add the SecurityService.cs file to the code generation ignore list
  2. Add using System.Linq;
  3. Replace the IsInRole method with the following code:
         public bool IsInRole(params string[] roles)
         {
             if (roles.Contains("Everybody"))
             {
                 return true;
             }
    
             if (!IsAuthenticated())
             {
                 return false;
             }
    
             if (roles.Contains("Authenticated"))
             {
                 return true;
             }
    
             return roles.Any(role => Principal.IsInRole(role));
         }
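
Added example (not part of the original posts and not Radzen's generated code): a console program that contrasts an all-roles loop, shaped like the fragment quoted earlier in the thread, with the any-role replacement above, using constructed principals. The helper names, the `RoleCheckDemo` class and the sample role sets are assumptions for illustration.

```csharp
using System;
using System.Linq;
using System.Security.Claims;

static class RoleCheckDemo
{
    // All-roles loop: every role listed for the page must match (the reported behaviour).
    static bool IsInAllRoles(ClaimsPrincipal p, params string[] roles)
    {
        if (p.Identity?.IsAuthenticated != true) return false;
        foreach (var role in roles)
        {
            if (!p.IsInRole(role)) return false;
        }
        return true;
    }

    // Any-role check, following the replacement method posted above.
    static bool IsInAnyRole(ClaimsPrincipal p, params string[] roles)
    {
        if (roles.Contains("Everybody")) return true;
        if (p.Identity?.IsAuthenticated != true) return false;
        if (roles.Contains("Authenticated")) return true;
        return roles.Any(role => p.IsInRole(role));
    }

    // Constructed principal: a non-empty authentication type makes it authenticated.
    static ClaimsPrincipal User(params string[] roles) =>
        new ClaimsPrincipal(new ClaimsIdentity(
            roles.Select(r => new Claim(ClaimTypes.Role, r)), "Constructed"));

    static void Main()
    {
        var anonymous = new ClaimsPrincipal(new ClaimsIdentity());
        var cases = new (string Name, ClaimsPrincipal P, string[] Access)[]
        {
            ("Users account, page for Admins+Users", User("Users"), new[] { "Admins", "Users" }),
            ("Users account, page for Admins only", User("Users"), new[] { "Admins" }),
            ("Admins account, page for Admins+Users", User("Admins"), new[] { "Admins", "Users" }),
            ("Anonymous, page for Everybody", anonymous, new[] { "Everybody" }),
            ("Anonymous, page for Authenticated", anonymous, new[] { "Authenticated" }),
        };
        foreach (var c in cases)
        {
            Console.WriteLine($"{c.Name}: all={IsInAllRoles(c.P, c.Access)} any={IsInAnyRole(c.P, c.Access)}");
        }
    }
}
```

The first and third cases are the ones from the original report: the all-roles loop hides the menu entry, while `[Authorize(Roles="Admins,Users")]` still admits the account because a comma-separated role list there means any of the listed roles.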