Finding user with specific access rights

Vote:
 

Hi,

I am trying to find list of users for a page who all have edit access to it. However when I debug the follwoing code, QueryAccess(username) always returns 'NoAccess', any ideas?

           string[] usersInRole = Roles.GetUsersInRole(groupName);

            MembershipUserCollection filteredUsers = new MembershipUserCollection();
           
            PageAccessControlList acl = new PageAccessControlList(CurrentPage.PageLink);
           
            foreach (string user in usersInRole)
            {
                MembershipUser tempUser = Membership.GetUser(user);
                //this is always NoAccess ???
                AccessLevel accessLevel = acl.QueryAccess(tempUser.UserName);
                if (accessLevel == AccessLevel.Edit)
                {
                    filteredUsers.Add(tempUser);
                }
  
            }

 

#52580
Aug 03, 2011 19:00
Vote:
 

Don't know why it doesn't work, but you can try to use the PageData QueryDistinctAccess instead.

CurrentPage.QueryDistinctAccess(AccessLevel.Edit) 

#52584
Aug 03, 2011 23:31
Vote:
 

When you pass a user name to QueryAccess it will only check the access for that user since it doesn't know about its roles. I guess most of your users get their access rights through their roles so that is why you see NoAccess.

You need to pass an IPrincipal object which knows about the roles. Most likely you can use PrincipalInfo.CreatePrincipal(username) to get it. But if you use Virtual Roles you must also wrap that principal into a VirtualRolePrincipal or the virtual roles will be ignored. So something like this should work (haven't tried it though):

var username = "whatever";
var principal = PrincipalInfo.CreatePrincipal(username);
var virtualRolePrincipal = VirtualRolePrincipal.CreateWrapper(principal);
var canRead = CurrentPage.ACL.QueryDistinctAccess(virtualRolePrincipal, AccessLevel.Read);

Edit: Spelling

#52588
Edited, Aug 04, 2011 7:51
Vote:
 

On a side note, I see from your code that you are doing this only for a certain group which probably has a limited number of members, but the approach to loop through users is probably not optimal in other conditions. Say you would like to find all the users with a certain access right, then you would have to loop through all users in the database. An alternate approach is to loop over the ACL to gets the ACE:s and see "directly" what groups and users have been given a certain access level (that would miss virtual roles too, though).

#52589
Aug 04, 2011 7:58
Vote:
 

Thanks Magnus, your suggestion worked!

#52592
Aug 04, 2011 11:14
This thread is locked and should be used for reference only. Please use the Episerver CMS 7 and earlier versions forum to open new discussions.