Fixes null reference permissions issue: Fixes #2724 #2725

Merged
merged 1 commit into from
Apr 11, 2023

Contributor

@thabaum thabaum commented Apr 4, 2023

Permissions for Role Name is null causing child sites to fail to load creating an exception error. #2724

I tried to clear the cache in other areas, like at the top of GetPermissions and LoadModuleDefinitions; however, that did not resolve the issue of trying to access sites created from the master site.

The fix presented in this PR should... allow Oqtane to continue to run while accessing alias sites.

This is probably not the fix, as I have now seen errors in the event log for the site:

Unauthorized Folder Get Attempt {Path} For Site {SiteId}

However, I logged out and back in and there was no error.

But then after browsing the user profile I would get notification errors popping up:

Log Message: Unauthorized Folder Get Attempt Users\1\ For Site 2

So this needs further testing. This probably should not be returning a null, but for some reason it is.

@thabaum
Contributor Author

thabaum commented Apr 4, 2023

#2721

It may relate to this issue as well I am hoping...

@thabaum
Contributor Author

thabaum commented Apr 4, 2023

#2720

Looking down the list, it looks like this one may fall into this fix as well.

@thabaum
Contributor Author

thabaum commented Apr 4, 2023

After further review, I have created users with no errors; the errors occur only when the Host views the profile on the second site. I will put up a number of sites, a variety, to see how things roll out. I did find one security concern we can potentially address.

This Host Profile/Notifications/Identity tabs bring these notifications to site logs:

Unauthorized Folder Get Attempt Users\1\ For Site 2

{"Path":"Users\\1\\","SiteId":2}

This may be an entirely different issue. Other user profiles don't generate this error. Maybe it is a profile glitch.

@thabaum
Contributor Author

thabaum commented Apr 4, 2023

Now if I log into the master site (try to) with the account created on Site 2, it acts like the user is logged in, with no warnings or errors, and just takes you to the home page. The user should be told this user does not exist.

If I make a new user on the master site and log in, the user is logged into their profile.

Now, for sites that want users to be able to log into all the selected sites and subdomain sites, along with sharing components and data, how are we going to accomplish this? I will test this out as needed. We should just need a wildcard SSL, a domain name and all domains/subdomains working with authentication passing between each for some sites. Other sites on the same installation may be scoped to only the users that are registered.

Not sure if this falls into this PR, but while I am in this area testing things I want to be sure things are as expected. I am currently testing Oqtane.Server, not running IIS Express.

I have been able to load a basic Blazor template site, however not an Oqtane one successfully with ease, as one discussion points out. I am hoping we can resolve that as well.

If we can, can we break some of these issues down into discussions that need more focus to fine-tune these areas? This all does not need to be discussed here.

I want to stay focused on properly and securely loading Site 2, Site 3, ...

@sbwalker
Member

sbwalker commented Apr 4, 2023

This fix does not address the root cause of the issue. It will merely stop an error from being thrown in this specific location - but errors will continue to be thrown in other areas. I located the root cause and I am investigating further.

@thabaum
Contributor Author

thabaum commented Apr 5, 2023

I have created a few different formulas that keep the system going; I just run into the host folder permission issue when trying to access the Profile afterwards. I am trying to understand the logic for why it would be null. I see in the database and from the roles that it includes the bool to include all the roles for SiteId == null.


    return _cache.GetOrCreate($"permissions:{alias.TenantId}:{siteId}:{entityName}", entry =>
    {
        var roles = _roles.GetRoles(siteId, true).ToList();
        var permissions = _db.Permission.Where(item => item.SiteId == siteId).Where(item => item.EntityName == entityName).ToList();
        foreach (var permission in permissions)
        {
            // Resolve only when RoleName is empty; fall back to "" if no matching role is found
            if (permission.RoleId != null && string.IsNullOrEmpty(permission.RoleName))
            {
                var role = roles.Find(item => item.RoleId == permission.RoleId);
                permission.RoleName = role?.Name ?? "";
            }
        }
        entry.SlidingExpiration = TimeSpan.FromMinutes(30);
        return permissions;
    });

And

    return _cache.GetOrCreate($"permissions:{alias.TenantId}:{siteId}:{entityName}", entry =>
    {
        var roles = _roles.GetRoles(siteId, true).ToList();
        var permissions = _db.Permission.Where(item => item.SiteId == siteId).Where(item => item.EntityName == entityName).ToList();
        foreach (var permission in permissions)
        {
            if (permission.RoleId != null)
            {
                var role = roles.Find(item => item.RoleId == permission.RoleId);
                // RoleName is left unchanged when no matching role exists
                if (role != null)
                {
                    permission.RoleName = role.Name;
                }
            }
        }
        entry.SlidingExpiration = TimeSpan.FromMinutes(30);
        return permissions;
    });

also got me to the same place I am with the issue with Host not being able to access profile folder for profile picture access from Site 2.

From the master site 1 the host can edit the profile image file with folder permissions no problem.

So the issue leads me to think the Profile logic or File Manager could be fixed for Host, and really things are working as normal as far as I can tell. I have not seen, or do not recall exactly, how it was acting in the past to compare past behaviors in this area.

But it seems the only bug I am finding is with the Host logging into other sites. I have not tried child sites yet for administrators and users going in and out of portals that should allow a cookie to pass between sites.

But this is what I came up with so far if any of it helps.

First site "Master" logged in as Host

image

Site 2 logged in as Host

image
Notice no browse button...

All other users work OK; it is just a cross-site issue for host.

What I noticed is that the error happens because it thinks the host is User 1, with the User Profile Folder for User 1, looking in Site 2.

I wonder if Site 2 User 1 is the first registered user for that site?

@sbwalker
Member

sbwalker commented Apr 5, 2023

I am going to close this PR as the fix does not address the root cause of #2724 - which was fixed in #2731

@sbwalker sbwalker closed this Apr 5, 2023
@sbwalker
Member

sbwalker commented Apr 5, 2023

If there are other issues you have discovered which are unrelated to #2724, please log them as new issues rather than including them in the comments for a PR (as they will be lost).

@sbwalker
Member

Reopening as although #2731 fixes the root cause of #2724, there is potential for Permission records to be orphaned and not associated to a role.

@sbwalker sbwalker reopened this Apr 11, 2023
@sbwalker sbwalker merged commit cf46210 into oqtane:dev Apr 11, 2023
@thabaum thabaum deleted the patch-17 branch May 12, 2023 15:43
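
The orphaned-permission case named when the PR was reopened, combined with the null-safe role lookup from the snippets earlier in the thread, as an added example that is not part of the PR or of Oqtane's code. The `Role` and `Permission` classes, `ResolveRoleNames`, `IsAuthorized` and the sample data are hypothetical and constructed for illustration: the resolver never leaves `RoleName` null, reports permissions whose `RoleId` matches no role so they can be logged or cleaned up, and the authorization check fails closed for them.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical minimal models for illustration; not Oqtane's own classes.
class Role { public int RoleId; public string Name; }
class Permission { public string PermissionName; public int? RoleId; public string RoleName; }

static class Program
{
    // Fill in RoleName from RoleId; return the permissions whose RoleId matches no role.
    static List<Permission> ResolveRoleNames(List<Permission> permissions, List<Role> roles)
    {
        var rolesById = roles.ToDictionary(r => r.RoleId);
        var orphans = new List<Permission>();
        foreach (var permission in permissions)
        {
            if (permission.RoleId == null || !string.IsNullOrEmpty(permission.RoleName)) continue;
            if (rolesById.TryGetValue(permission.RoleId.Value, out var role))
            {
                permission.RoleName = role.Name;
            }
            else
            {
                permission.RoleName = ""; // never null; an empty name matches no real role
                orphans.Add(permission);
            }
        }
        return orphans;
    }

    // Fail closed: a permission with no resolved role name grants nothing.
    static bool IsAuthorized(List<Permission> permissions, string name, HashSet<string> userRoles) =>
        permissions.Any(p => p.PermissionName == name
            && !string.IsNullOrEmpty(p.RoleName) && userRoles.Contains(p.RoleName));

    static void Main()
    {
        // Constructed sample data: RoleId 99 refers to a role that no longer exists.
        var roles = new List<Role> { new Role { RoleId = 1, Name = "Administrators" },
                                     new Role { RoleId = 2, Name = "Registered Users" } };
        var permissions = new List<Permission> {
            new Permission { PermissionName = "View", RoleId = 2 },
            new Permission { PermissionName = "Edit", RoleId = 1 },
            new Permission { PermissionName = "Edit", RoleId = 99 } };

        foreach (var orphan in ResolveRoleNames(permissions, roles))
            Console.WriteLine($"Orphaned permission: {orphan.PermissionName} -> RoleId {orphan.RoleId}");

        var user = new HashSet<string> { "Registered Users" };
        Console.WriteLine($"View: {IsAuthorized(permissions, "View", user)}, Edit: {IsAuthorized(permissions, "Edit", user)}");
    }
}
```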