Administrator doesn't have access to everything by default anymore #17108
Comments
@hieucd04 by default, a user that belongs to the "Administrator" role will automatically have full permission without doing anything. What you are reporting was an issue in < 2.1.1, but was fixed in 2.1.2 as per the PR you referenced. Are you sure you are using 2.1.2?
Good Afternoon Mike,

We just upgraded yesterday from OrchardCore 1.8.3 to 2.1.2. The upgrade included updating the OrchardCore NuGet packages to the latest version and making some code changes to update JSON from Newtonsoft to System.Text. I completed the upgrade in a local separate branch which is not deployed to the dev server. However, we are now unable to access the admin functionality on the dev server as well as other local branches which are still on 1.8.3. All users, however, can access the admin functionality from the 2.1.2 branch I did the upgrade in. It seems the issue is branch specific as opposed to user specific. Please see my screenshots.

My question is, would upgrading from OrchardCore 1.8.3 to 2.1.2 on a local branch cause any automatic update to the database/OrchardCore system that would affect the admin permissions for all branches/users?

Regards, Anthony Giordano

1.8.3: No Admin Access
2.1.2: Admin Access
@anthnyg12b In the screenshot, what permission check are you checking for to show the "Administration" link? The screenshots you shared seem to be from two separate users. Also, if you are using Liquid to check for permission, be sure to use
Good Afternoon Mike,

When further debugging we noticed that the admin panel on the 2.1.2 version has the 'system' text next to it and limited options upon edit. However, the earlier version (1.8.3) doesn't have the 'system' text next to it and also offers more options upon edit. We suspect this is the cause of our issues. Do you know of a way in 2.1.2 to get the Admin options we see in 1.8.3 (no system text and permissions options)?
@anthnyg12b this is not an issue but a new feature added in 2.1. It's important to read all release notes before upgrading to a new version just so you are aware of the new changes. Please read this: https://docs.orchardcore.net/en/latest/releases/2.1.0/#site-owner-permission-deprecated-administrator-role-retained-as-a-system-role

The Administrator role is now reserved for the system, meaning you can't modify it. By design it grants any user with that role access to everything.
Hi Mike,

Thanks for your reply. Our issue is specifically related to the users who have admin privilege no longer being able to access the admin page in our older version (1.8.3), which resides in a separate branch from our upgrade to 2.1.2. For background, we are using IGlobalMethodProvider for custom script methods, and the "Permission.AccessAdminPanel" check is failing for already-admin users when we call "AuthorizationService.AuthorizeAsync( user, AdminPermissions.AccessAdminPanel ), b => allow = b );", causing allow to be false. We started seeing this issue shortly after our upgrade from 1.8.3 to 2.1.2 and were wondering if Orchard overrides/changes any roles in the DB for users after an upgrade, because on the older version users are not getting Admin Access, while it's working as expected on the new version.
@anthnyg12b I am not sure what your custom script does. Are you able to share your full If the implementation uses
Hi Mike,

The user does have the Administrator claim, but it's worth noting there is no 'SiteOwner: true' claim. Below are the claims I see when debugging both the upgraded and original version of OrchardCore. Please find the IGlobalMethodProvider implementation method
The I don't see any issue with your script except that the Instead of doing
can you do
Hopefully that helps.
In addition to what @MikeAlhayek said, if you migrate to newer versions the database will get updated. In general you can't go back to an earlier version, because the schema might have changed.
Thanks for your response. We noticed this issue upon installing the 2.1.2 NuGet packages. Our goal was to have the upgrade changes in their own separate branch for testing, but as you said it has updated the common database as well. Are there any tweaks we can make to the code in 1.8.3 or the updated database to allow admin users to access the admin panel in our original 1.8.3 version?
Maybe the simplest solution is to add the users to another role which only has the required permissions. This should then work in both versions.
@gvkries I am not aware of any migration changes that will impact permissions. There is a migration that would create the SiteOwner role in a rare case, but I don't think migrations here will impact permissions. However, the Newtonsoft changes could have impacted how the documents in the database are serialized.

@anthnyg12b did you try what I suggested here #17108 (comment)?

It is not recommended to use the same database for production and preview environments. You should maintain separate databases, since we use a code-first approach which allows the code to change the database. You could back up your production database into a new database and connect your upgraded code to the new database. This way you are testing with a copy of your production data without impacting your production data.
Yes, I did try the code change suggested in '#17108 (comment)'; I still get the same issue. Thankfully this issue is on our non-prod database (which is shared by both the 1.8.3 and 2.1.2 branches).
@MikeAlhayek I extracted & decoded the JWT of both:

```json
{
  "iss": "http://192.168.1.2/",
  "exp": 1733526384,
  "iat": 1733522784,
  "aud": "oct:Default",
  "scope": "openid profile offline_access",
  "jti": "55497c2c-1337-48f5-8997-624095e17508",
  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "46jq65b68st5pss1gc5wpk9jn2",
  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "admin",
  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "[email protected]",
  "email": "[email protected]",
  "email_verified": true,
  "http://schemas.microsoft.com/ws/2008/06/identity/claims/role": "Administrator",
  "oc:entyp": "user",
  "sub": "46jq65b68st5pss1gc5wpk9jn2",
  "name": "admin",
  "role": "Administrator",
  "oi_prst": "oidc-interactive",
  "oi_au_id": "73195a486ea44c27a842ec543630dfcf",
  "client_id": "oidc-interactive",
  "oi_tkn_id": "836bd6d4797d46bda78240ef01ca9bd9"
}
```

```json
{
  "iss": "http://192.168.1.2/",
  "exp": 1733527050,
  "iat": 1733523450,
  "aud": "oct:Default",
  "scope": "openid profile offline_access",
  "jti": "56391db1-0e36-474d-ab84-a7996a12f3a7",
  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "4qzwbb88b023wrtx51q8hvn4m6",
  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "admin",
  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "[email protected]",
  "http://schemas.microsoft.com/ws/2008/06/identity/claims/role": "Administrator",
  "Permission": [
    "Administrator",
    "ManageSecurityHeadersSettings",
    "ManageShortcodeTemplates",
    "API.Fusion.Policy.UnrestrictedAccess",
    "ManageSettings",
    "PublishContent",
    "EditContent",
    "DeleteContent",
    "PreviewContent",
    "CloneContent",
    "AccessContentApi",
    "ListContent",
    "EditContentOwner",
    "ViewContentTypes",
    "EditContentTypes",
    "ViewProtectedPages",
    "AccessAdminPanel",
    "ManageAdminSettings",
    "ManageTemplates",
    "ManageAdminTemplates",
    "SetHomepage",
    "ManageUsers",
    "View Users",
    "ManageOwnUserInformation",
    "ListUsers",
    "EditUsers",
    "DeleteUsers",
    "AssignRoleToUsers",
    "Import",
    "Export",
    "ManageDeploymentPlan",
    "ManageRemoteInstances",
    "ManageRemoteClients",
    "ExportRemoteInstances",
    "ManageFeatures",
    "ManageLayers",
    "ManageMediaFolder",
    "ManageMediaProfiles",
    "ViewMediaOptions",
    "ManageMenu",
    "ManageApplications",
    "ManageScopes",
    "ManageClientSettings",
    "ManageServerSettings",
    "ManageValidationSettings",
    "ManageQueries",
    "ManageRoles",
    "SiteOwner",
    "ManageTenants",
    "ManageTenantFeatureProfiles",
    "ApplyTheme"
  ],
  "email": "[email protected]",
  "email_verified": true,
  "oc:entyp": "user",
  "sub": "4qzwbb88b023wrtx51q8hvn4m6",
  "name": "admin",
  "oi_prst": "oidc-interactive",
  "oi_au_id": "8ef17bece0304e229b5077f073e43e0f",
  "client_id": "oidc-interactive",
  "oi_tkn_id": "05aa57db21b5486bbdfd86778c2dcae7"
}
```
@hieucd04 that is expected. We no longer add permission claims for Administrator users. The code below will grant authorization if the user has the Administrator role, so checking an individual permission will always return true.

OrchardCore/src/OrchardCore.Modules/OrchardCore.Settings/Services/SuperUserHandler.cs, line 33 in f433991

If you can provide a repo, I can test it for you further. I am expecting this to be a problem in your project.
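As an added illustration (not code from this thread or from OrchardCore), the following Python models the two authorization semantics discussed above: a pre-2.1-style check that looks only for an explicit `Permission` claim, and the 2.1.x behaviour described in the comment, where the Administrator role short-circuits every permission check. The token contents are constructed for the example and mirror the shape of the two decoded payloads posted earlier; the tokens are unsigned and decoded for inspection only.

```python
import base64
import json

# Claim type used for roles in the decoded tokens posted in this thread.
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"


def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT. Inspection only: the signature is NOT verified."""
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))


def roles(claims: dict) -> list:
    value = claims.get(ROLE_CLAIM) or claims.get("role") or []
    return [value] if isinstance(value, str) else list(value)


def permission_claims(claims: dict) -> list:
    value = claims.get("Permission", [])
    return [value] if isinstance(value, str) else list(value)


def has_permission_claim_only(claims: dict, permission: str) -> bool:
    """Pre-2.1 style: the permission must appear as an explicit Permission claim."""
    return permission in permission_claims(claims)


def has_permission(claims: dict, permission: str) -> bool:
    """2.1.x semantics as described in the thread: Administrator role grants everything,
    otherwise fall back to the explicit Permission claims."""
    if "Administrator" in roles(claims):
        return True
    return has_permission_claim_only(claims, permission)


def make_token(claims: dict) -> str:
    """Build a constructed, unsigned test token (alg=none, empty signature segment)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed claim sets modelled on the two tokens in the thread (values are made up).
TOKEN_2_1_2 = make_token({"name": "admin", ROLE_CLAIM: "Administrator"})  # no Permission claim
TOKEN_1_8_3 = make_token({"name": "admin", ROLE_CLAIM: "Administrator",
                          "Permission": ["AccessAdminPanel", "ManageUsers"]})
TOKEN_EDITOR = make_token({"name": "editor", ROLE_CLAIM: "Editor", "Permission": ["EditContent"]})
```

Run against `TOKEN_2_1_2`, the claim-only check denies `AccessAdminPanel` while the role-aware check allows it, which is the behaviour difference the thread describes between the two versions.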
It seems that this issue didn't really move for quite a while despite us asking the author for further feedback. Is this something you'd like to revisit any time soon or should we close? Please reply. |
Closing this issue because it didn't receive further feedback from the author for very long. If you think this is still relevant, feel free to reopen it with the requested details. |
Describe the bug

OpenId module of OrchardCore
Administrator role
Bearer token using that user
403
Administrator role have access to everything again?

Orchard Core version

2.1.2

Expected behavior

Administrator should have access to everything by default without me having to do anything.