Cannot create ItemAcl for "Everyone" #595

Closed
jomiham opened this Issue Mar 3, 2016 · 1 comment


jomiham commented Mar 3, 2016

Hi,

First off, I want to thank you for all your work! I really love the Sitecore Powershell integration and we use it frequently in our project.

However, today I needed to script item permissions for "Everyone" and it seems that this is currently not supported by New-ItemAcl.

I found two separate, but related issues:

  1. The AccountIdentity does not support non-domain accounts ("Everyone"). Instead it defaults the domain to "sitecore". If there is no "standard" way of doing this, a workaround could be to use "\Everyone" to explicitly specify an empty domain. Another way could be that you pass in an actual Account for this special case.
  2. AccountIdentity always checks that there is an actual Role or User for an account. This is good for regular situations, but of course does not work for the "Everyone" special case.

I have tried the straightforward approach:

```
PS master:\content>New-ItemAcl -Identity "Everyone" -PropagationType Any -SecurityPermission DenyInheritance -AccessRight * 
New-ItemAcl : Cannot find an account with identity 'sitecore\Everyone'.
At line:1 char:1
+ New-ItemAcl -Identity "Everyone" -PropagationType Any -SecurityPermission DenyIn ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (sitecore\Everyone:AccountIdentity) [New-ItemAcl], ObjectNotFoundException
    + FullyQualifiedErrorId : AccountNotFound,Cognifide.PowerShell.Commandlets.Security.Items.NewItemAclCommand

New-ItemAcl : Value cannot be null.
Parameter name: account
At line:1 char:1
+ New-ItemAcl -Identity "Everyone" -PropagationType Any -SecurityPermission DenyIn ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-ItemAcl], ArgumentNullException
    + FullyQualifiedErrorId : System.ArgumentNullException,Cognifide.PowerShell.Commandlets.Security.Items.NewItemAclCommand
```

I also tried explicitly passing in an account, but that fails since AccountIdentity tries to access account.Domain.Name when the Domain is null:

```
PS master:\content>$account = [Sitecore.Security.Accounts.Role]::FromName("Everyone")
PS master:\content>$account

Name                                     Domain       IsEveryone
----                                     ------       ----------
Everyone                                              True


PS master:\content>New-ItemAcl -Identity $account -PropagationType Any -SecurityPermission DenyInheritance -AccessRight *
New-ItemAcl : Cannot bind parameter 'Identity'. Cannot convert value "Sitecore.Security.Accounts.Role" to type "Cognifide.PowerShell.Commandlets.Security.AccountIdentity". Error: "Object reference
not set to an instance of an object."
At line:1 char:23
+ New-ItemAcl -Identity $account -PropagationType Any -SecurityPermission DenyInhe ...
+                       ~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [New-ItemAcl], ParameterBindingException
    + FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Cognifide.PowerShell.Commandlets.Security.Items.NewItemAclCommand
```

If we get around the NullReference error when there is no domain, we still get stuck since there is no actual role with that name:

```
PS master:\content>$account = [Sitecore.Security.Accounts.Role]::FromName("sitecore\Everyone")
PS master:\content>$account

Name                                     Domain       IsEveryone
----                                     ------       ----------
sitecore\Everyone                        sitecore     True


PS master:\content>New-ItemAcl -Identity $account -PropagationType Any -SecurityPermission DenyInheritance -AccessRight *
New-ItemAcl : Cannot find an account with identity 'sitecore\Everyone'.
At line:1 char:1
+ New-ItemAcl -Identity $account -PropagationType Any -SecurityPermission DenyInhe ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (sitecore\Everyone:AccountIdentity) [New-ItemAcl], ObjectNotFoundException
    + FullyQualifiedErrorId : AccountNotFound,Cognifide.PowerShell.Commandlets.Security.Items.NewItemAclCommand

New-ItemAcl : Value cannot be null.
Parameter name: account
At line:1 char:1
+ New-ItemAcl -Identity $account -PropagationType Any -SecurityPermission DenyInhe ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-ItemAcl], ArgumentNullException
    + FullyQualifiedErrorId : System.ArgumentNullException,Cognifide.PowerShell.Commandlets.Security.Items.NewItemAclCommand
```

My guess would be that AccountIdentity needs special knowledge of the Everyone "roles".

Or do you see a better way of approaching it?
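
The resolution behaviour requested in the report above, modelled as a stand-alone added example; it is not SPE source code, not the fix that was later committed, and not part of the original post. `Resolve-AclIdentity`, `$KnownAccounts` and the account names in it are hypothetical and constructed for illustration.

```powershell
# Added example: stand-alone model of ACL identity resolution, not SPE code.
# Constructed account store standing in for the real user/role lookup.
$KnownAccounts = @('sitecore\admin', 'sitecore\Author', 'extranet\Anonymous')

function Resolve-AclIdentity {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [string]$DefaultDomain = 'sitecore',
        [string[]]$Accounts = $KnownAccounts
    )

    # Split "domain\name". No backslash means no domain was given;
    # a leading backslash ("\Everyone") means an explicitly empty domain.
    $parts = $Identity -split '\\', 2
    if ($parts.Count -eq 2) { $domain = $parts[0]; $name = $parts[1] }
    else                    { $domain = $null;     $name = $parts[0] }

    if ([string]::IsNullOrWhiteSpace($name)) {
        throw "Identity '$Identity' has no account name."
    }

    # "Everyone" is a well-known role: keep the domain exactly as given
    # (possibly empty), never dereference it, and skip the existence lookup.
    if ($name -ieq 'Everyone') {
        $full = if ($domain) { "$domain\Everyone" } else { 'Everyone' }
        return [pscustomobject]@{ Name = $full; Domain = $domain; IsEveryone = $true }
    }

    # Ordinary accounts: apply the default domain only when none was supplied,
    # and require the account to exist.
    if ($null -eq $domain) { $domain = $DefaultDomain }
    $full = "$domain\$name"
    if ($Accounts -notcontains $full) {
        # Terminating error, so the caller never continues with a null account.
        throw "Cannot find an account with identity '$full'."
    }
    [pscustomobject]@{ Name = $full; Domain = $domain; IsEveryone = $false }
}

# Constructed inputs: the three "Everyone" spellings from the report,
# one account that exists and one that does not.
'Everyone', '\Everyone', 'sitecore\Everyone', 'admin', 'sitecore\nobody' | ForEach-Object {
    try   { Resolve-AclIdentity -Identity $_ }
    catch { Write-Warning $_.Exception.Message }
}
```

Throwing on an unknown account matters for a `DenyInheritance` rule in particular: a lookup that only reports an error and then hands a null account onward produces the second `ArgumentNullException` seen in the transcripts and leaves the intended restriction unapplied.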


Member

AdamNaj commented Mar 4, 2016

I've created a more generic task and will fix it as part of that task. Thanks for reporting, and thank you for the kind words and for using SPE!

AdamNaj closed this Mar 4, 2016

AdamNaj added this to the 4.0 milestone Mar 4, 2016

AdamNaj self-assigned this Mar 4, 2016

AdamNaj added a commit that referenced this issue Mar 4, 2016
