Question about Administrator permissions #17750
-
|
I have only been working with Orchard Core for a couple of months and am having an issue with users in the Administrator role. We are in the process of migrating from Orchard Core 1.8.3 to 2.1.6 and are accustomed to Administrators inheriting all the permissions from all other defined roles and while that does work in our dev environment, it does not seem to happen in our UAT environment. My question is: Is this behavior defined somewhere in the configuration and if so, how do I enable it? |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments 4 replies
-
|
FYI, the |
Beta Was this translation helpful? Give feedback.
-
That is what I expect. The UI indicates we are administrators, but we are not getting those role-based Permissions (Editor, etc.) then... we are not actually administrators? |
Beta Was this translation helpful? Give feedback.
-
|
The UI is designed to list all the permissions per role. Could you please elaborate? |
Beta Was this translation helpful? Give feedback.
-
|
Howe the Administrator role works changed between 2.0.x and 2.1.x, see https://docs.orchardcore.net/en/latest/releases/2.1.0/#site-owner-permission-deprecated-administrator-role-retained-as-a-system-role Note that even before, the Administrator role didn't "inherit" from other roles, rather, it was a conventional and default name for a role with the Site Owner permission (but other roles could contain this permission too). This in turn made all authorization calls for users succeed, as if the user had all the permissions, without necessarily having any other permission. The whole thing was a bit messy, hence we changed it. So, now it's the Administrator role, a new system role (one that's created automatically and one that you can't rename or change), that provides this behavior. In your code, be sure to always use Why you see a difference between environments is a good question, because there's nothing environment-aware in this, however, the state of the app's DB affects it. So, I'd look into differences here. If the code works in the dev environment, than that itself is correct. However, maybe there were errors running migrations in the UAT environment, and the logs tell about it? |
Beta Was this translation helpful? Give feedback.
-
|
Someone had modified dev such that Administrator was getting all the old Permission claims :P It really threw me off because I assumed that was the default behavior. I have subsequently swapped out all the claim-based checks in favor of IAuthorizationService. Thanks so much! |
Beta Was this translation helpful? Give feedback.
-
|
Awesome! |
Beta Was this translation helpful? Give feedback.
Howe the Administrator role works changed between 2.0.x and 2.1.x, see https://docs.orchardcore.net/en/latest/releases/2.1.0/#site-owner-permission-deprecated-administrator-role-retained-as-a-system-role
Note that even before, the Administrator role didn't "inherit" from other roles, rather, it was a conventional and default name for a role with the Site Owner permission (but other roles could contain this permission too). This in turn made all authorization calls for users succeed, as if the user had all the permissions, without necessarily having any other permission.
The whole thing was a bit messy, hence we changed it. So, now it's the Administrator role, a new system role (one that's…