I am using the auto assign role module to assign the role of editor to anyone registering via the "create new account" link. This works just fine.
However, users of the editor role can create other users of different role types. To do this I am using the uCreate module.
The problem is when an editor creates a user, that user also gets the editor role.
I have looked into a number of hooks to programmatically remove the unwanted role but without success. How might I resolve this issue?
When a user with the "editor" role creates users through the uCreate module, the hook_user implementation that lives in the auto assign role module is called. This is the problem.
The user_save function (ucreate module, line 299) calls hook_user with the "insert" parameter, which lands in the auto assign role .module file at line 155:
    case 'insert':
      // If this is an administrator creating the account only use auto_assign if
      // allowed by auto_admin_active
      if (arg(0) == 'admin' && _autoassignrole_get_settings('auto_admin_active') == 0) {
        return;
      }
Here the code checks whether it is an admin user; if it is not an admin, it assigns the editor role to that user.
Instead, you can create a custom module that implements hook_user and changes the role when a user is inserted. For more info, please refer to user_save in Drupal 6.
I have an existing B2C app that I want to give graph access to.
I set this up previously but now want to replicate it, but everything I can find is for new apps. I used the older Graph, but I think the article I used has been moved, as everything is talking about the new Graph API.
Is there a specific article for this? Also, if anyone has seen an article that describes the process of moving from Azure Graph to Microsoft Graph (the new version) for a B2C app, that would be great.
Thanks
Register the application for the Graph API
In addition to registering the application in the B2C directory,
we must also create an application registration for the graph API.
The three key/id values you will need are the tenantId, ObjectId,
and AppPrincipalId.
To get the tenantId, log into the azure ad b2c directory in the new portal.
https://portal.azure.com/
Be sure you have the correct directory selected after you login
(top right corner).
Click on the help button (a question mark inside a circle) near the
top right corner of the page. In the menu that appears, click the
"Show diagnostics" option. This will display a JSON formatted output in
a new popup/window. Look for the "tenants" array and find the entry
with the display name of the directory you wish to register with the
application. The "id" attribute of that entry is the tenantId.
Example:
    {
      "clientSessionStartDate": {
        // stuff will be here ...
      },
      //
      // more stuff you don't care about will be here ...
      //
      "tenants": [
        {
          "id": "SomeUUIDwithlike36charactersSometime",
          "domainName": "yourtenantname.onmicrosoft.com",
          "displayName": "displaynameoftenant",
          "isSignedInTenant": true
        },
        // ... snip
      ]
      // ... snip some more
    }
You will also need a unique application Secret and AppPrincipalId to be
generated for the new application.
Also, to set the correct permissions for the application, you will need
its "ObjectId".
The process for registering the application and generating those values
is more complicated, and requires a special module for PowerShell
and the online login module to be downloaded and installed.
Also, be sure you have the latest version of PowerShell installed for
your system, or you will not be able to use the azure module.
Sign-In assistant: https://www.microsoft.com/en-us/download/details.aspx?id=41950
Azure AD PowerShell Module: http://go.microsoft.com/fwlink/p/?linkid=236297
Create the application registration with PowerShell
This next section is an almost verbatim copy-paste of the documentation:
https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-devquickstarts-graph-dotnet/
After you install the PowerShell module, open PowerShell and connect to
your B2C tenant.
> $msolcred = Get-Credential
After you run Get-Credential, you will be prompted for
a user name and password. Enter the user name and password
of your B2C tenant administrator account.
> Connect-MsolService -credential $msolcred
Before you create your application, you need to generate a new client
secret. Your application will use the client secret to authenticate to
Azure AD and to acquire access tokens. You can generate a valid secret
in PowerShell:
> $bytes = New-Object Byte[] 32
> $rand = [System.Security.Cryptography.RandomNumberGenerator]::Create()
> $rand.GetBytes($bytes)
> $rand.Dispose()
> $newClientSecret = [System.Convert]::ToBase64String($bytes)
> $newClientSecret
The final command should print your new client secret. Copy it somewhere safe. You'll need it later. Now you can create your application by providing the new client secret as a credential for the app:
> New-MsolServicePrincipal -DisplayName "My New B2C Graph API App" -Type password -Value $newClientSecret
Example output:
DisplayName : My New B2C Graph API App
ServicePrincipalNames : {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
ObjectId : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
AppPrincipalId : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
TrustedForDelegation : False
AccountEnabled : True
Addresses : {}
KeyType : Password
KeyId : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
StartDate : 1/1/2017 1:33:09 AM
EndDate : 1/1/2017 1:33:09 AM
Usage : Verify
If you successfully create the application, it should print out
properties of the application like the ones above, but with a mix of alpha-numeric characters. You'll need both
ObjectId and AppPrincipalId, so copy those values, too.
You will also need the tenant ID of the B2C directory.
After you create an application in your B2C tenant, you need to assign
it the permissions it needs to perform user CRUD operations. Assign the
application three roles: directory readers (to read users), directory
writers (to create and update users), and a user account administrator
(to delete users). These roles have well-known identifiers, so you can
replace the -RoleMemberObjectId parameter with ObjectId from above and
run the following commands. To see the list of all directory roles,
try running Get-MsolRole.
> Add-MsolRoleMember -RoleObjectId 88d8e3e3-8f55-4a1e-953a-9b9898b8876b -RoleMemberObjectId <Your-ObjectId> -RoleMemberType servicePrincipal
> Add-MsolRoleMember -RoleObjectId 9360feb5-f418-4baa-8175-e2a00bac4301 -RoleMemberObjectId <Your-ObjectId> -RoleMemberType servicePrincipal
> Add-MsolRoleMember -RoleObjectId fe930be7-5e62-47db-91af-98c3a49a38b1 -RoleMemberObjectId <Your-ObjectId> -RoleMemberType servicePrincipal
You now have an application that has permission to create, read,
update, and delete users from your B2C tenant.
I totally forgot this great answer exists, and this is how you do it:
Authorize By Group in Azure Active Directory B2C
We are using Azure Active Directory and Azure Access Control Services (ACS) to authenticate users in a SharePoint 2010 instance. The users and groups in Azure AD are synched from an on-prem AD directory using Azure AD Connect.
We've gotten almost everything working to authenticate users, but what's not clear is how to control SharePoint access using the groups in Azure AD. We figured out the way to enable the group claim to be passed through per these instructions, but the object ID of the group (e.g., 244728b5-8b9e-4e2f-8703-9853366cd431) is passed, which is meaningless in SP.
Is there a way to pass the group name or should we be using the group ID? Is there a better way to manage group access in SP when authenticating against Azure AD?
Thanks for the help.
You should use the group identifier. To see it,
go to the azure management portal https://manage.windowsazure.com
choose active directory from the list of services on the left
click on your active directory from the list
click on "groups" from the menu at the top
click on the group you want to see the id for in the list
click "properties" from the menu at the top
Copy the ObjectID field from the list of properties
in your code, you can declare a string constant using the objectID
    private static string myGroupName = "xxxxxxxx-your-objectID-xxxxxxxxxx";
Then just use "myGroupName" to compare your group to the list of group claims:
    var isMember = IsGroupMember(myGroupName);
Here is how to look at the claims:
    using System;
    using System.Linq;
    using System.Security.Claims;

    public static bool IsGroupMember(string groupName)
    {
        var principal = ClaimsPrincipal.Current;
        // Look for a "groups" claim whose value is the group's object ID
        var supportClaim = principal.Claims.FirstOrDefault(
            c => c.Type == "groups" &&
                 c.Value.Equals(groupName, StringComparison.CurrentCultureIgnoreCase));
        return supportClaim != null;
    }
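A fuller version of the check above, added here as an example rather than taken from the answer: it accepts the group object ID under both claim types Azure AD uses, compares GUIDs structurally instead of as culture-aware text, and distinguishes "not a member" from the case where Azure AD omitted the groups claim because the user is in too many groups (signalled by a "_claim_names" claim), so the caller knows it must look the membership up in the directory instead. The GroupCheck enum, GroupAuthorization class and the constructed identity in Demo are this example's own names.

```csharp
using System;
using System.Linq;
using System.Security.Claims;

public enum GroupCheck { Member, NotMember, GroupsOmitted }

public static class GroupAuthorization
{
    // Azure AD emits group object IDs under the short "groups" type in JWTs and under
    // the full URI type in SAML tokens; accept both.
    private static readonly string[] GroupClaimTypes =
    {
        "groups",
        "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
    };

    public static GroupCheck Check(ClaimsPrincipal principal, Guid groupObjectId)
    {
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
            return GroupCheck.NotMember;

        // Groups overage: the token carries no group list, only a pointer telling the
        // application to fetch the groups from the directory.
        bool overage = principal.Claims.Any(
            c => c.Type == "_claim_names" && c.Value.Contains("groups"));

        // Object IDs are GUIDs, so parse them and compare as GUIDs (ordinal, case-insensitive
        // by construction); malformed values are ignored rather than matched loosely.
        var groupIds = principal.Claims
            .Where(c => GroupClaimTypes.Contains(c.Type, StringComparer.Ordinal))
            .Select(c => Guid.TryParse(c.Value, out var g) ? g : (Guid?)null)
            .Where(g => g.HasValue)
            .Select(g => g.Value);

        if (groupIds.Contains(groupObjectId))
            return GroupCheck.Member;

        return overage ? GroupCheck.GroupsOmitted : GroupCheck.NotMember;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed identity for illustration; the group ID is the one from the question.
        var siteAdmins = Guid.Parse("244728b5-8b9e-4e2f-8703-9853366cd431");
        var identity = new ClaimsIdentity(new[] { new Claim("groups", siteAdmins.ToString()) }, "Constructed");
        var principal = new ClaimsPrincipal(identity);
        Console.WriteLine(GroupAuthorization.Check(principal, siteAdmins));
    }
}
```

Treat GroupsOmitted as "unknown" and resolve it with a directory query; treating it as NotMember silently locks out exactly the heavily-entitled users whose tokens overflow.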
I am creating the user programmatically by calling UserLocalServiceUtil.addUser(....) and am able to assign the site for the created user by calling UserLocalServiceUtil.addRoleUser(userSiteId, userId). It is working fine. I am able to assign the site membership for the user. But how can I assign the Site Administration permission for the created user? (So far I am able to assign the user as a site member, but I need to assign the user as a site administrator.)
Any suggestions please.
Use UserGroupRoleLocalServiceUtil to assign "Site Administration" role under the Site roles.
    Role role = RoleLocalServiceUtil.getRole(companyId, "Site Administrator");
    long[] siteRoleIds = { role.getRoleId() };
    UserGroupRoleLocalServiceUtil.addUserGroupRoles(userId, siteId, siteRoleIds);
You can use RoleLocalServiceUtil to get object of any role.
    Role role = RoleLocalServiceUtil.getRole(roleId);
    UserLocalServiceUtil.addRoleUser(role.getRoleId(), user.getUserId());
    UserLocalServiceUtil.updateUser(user);
In Sitecore 6 is it possible to change roles for virtual user when already logged in?
I would like to change roles for virtual users that are already logged in to system, but it looks like Sitecore ignores it. I can clear roles and add a new one but all the old roles are still attached to the user.
I think I should re-login the user, but that is not an option for me.
    virtualUser.RuntimeSettings.AddedRoles.Clear();
    virtualUser.Roles.RemoveAll();
    if (permissions != null && permissions.Any())
    {
        foreach (var role in permissions.Where(d => !string.IsNullOrEmpty(d.Type)))
        {
            string domainRole = string.Format("{0}\\{1}", "extranet", role.Type);
            if (SC.Security.Accounts.Role.Exists(domainRole))
            {
                virtualUser.RuntimeSettings.AddedRoles.Add(domainRole);
            }
        }
    }
You can try to use
    Sitecore.Caching.CacheManager.ClearSecurityCache(userName);
This method calls other methods:
    CacheManager.ClearUserProfileCache(userName);
    CacheManager.ClearIsInRoleCache(userName);
    CacheManager.ClearAccessResultCache(userName);
So in theory it should do what you need, but I haven't confirmed it in practice.
It seems to be that login-out and re-login will set the correct roles because during login the AuthenticationManager will clear the SecurityCache which holds the UserProfile and the Roles.
I don't see a method to add new Roles to the current authenticated user.
I have implemented FBA (Claim based Authentication) on Sharepoint 2010. Following are implemented.
Custom Login page
Custom Sign-in Page
Password recovery page (ForgetPassword.aspx)
On the ForgetPassword page the user is asked to enter the email address they used while signing in, and in the code-behind I am using this email to get the username via the Membership.GetUserNameByEmail function and then passing this username to the Membership.GetUser function to get the user credential to be sent through mail.
But now the code throws an exception saying "The function is not implemented". I am wondering: I am not using any custom database for which I had to create a custom Membership Provider, so why am I getting this error? Let me know if anyone has any clue or has faced a similar problem. Thanks.
Regards,
Paddy
When FBA is configured for SharePoint 2010, two membership providers are defined in the web.config file - Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider (usually named i) and System.Web.Security.SqlMembershipProvider (named FBAMembership in this case). Default membership provider must be set to the former (i.e. SharePoint claims one) in order for FBA authentication to work properly.
When the line containing Membership.GetUserNameByEmail(...) is executed, the default membership provider is used and as a result SPClaimsAuthMembershipProvider.GetUserNameByEmail is called. MSDN says that this method is reserved for internal use and is not intended to be used directly from your code and according to the comment in the Community Content section it throws NotImplementedException.
You need to retrieve an instance of the SqlMembershipProvider provider from the Membership.Providers collection and then call the GetUserNameByEmail method using this instance.
I use prefixes when configuring providers in the web.config file and then retrieve them like this:
    string applicationNamePrefix = "fbaProvider_";
    MembershipProvider fbaProvider = null;
    foreach (MembershipProvider provider in Membership.Providers)
    {
        if (provider.ApplicationName.StartsWith(applicationNamePrefix, StringComparison.InvariantCultureIgnoreCase))
        {
            fbaProvider = provider;
            break;
        }
    }
    // Fail only when no matching provider was registered; the original snippet threw unconditionally.
    if (fbaProvider == null)
    {
        throw new InvalidOperationException("Appropriate provider was not found.");
    }
    // Call GetUserNameByEmail on fbaProvider (the SqlMembershipProvider), not on the default claims provider.