Mute or remove privileges from a user. Admin changes #8502
Comments
@HaoK is
RefreshSignInCookie refreshes your cookie, it doesn't refresh someone else's cookie. You need to UpdateSecurityStamp on the banned user, and that only triggers a refresh after the default validation interval; there is no immediate revocation by default.
@HaoK Adding roles is a rare event, perhaps we should suggest they send a message to the user in the new role to sign-out/sign. It sounds like the following advice I added is incomplete: Add a user to a role Roles are stored in the Identity cookie. Changes made to user roles are not persisted to the cookie until the cookie is regenerated or the user signs out and signs in. Applications that add users to a role should call
Well, the typical scenario for RefreshSignIn is when they are on their manage page and doing something on them. Admin scenarios are not something Identity supports generally at this time. So changing someone else's roles is not something we typically deal with, as it's an admin scenario.
Supporting real-time admin pages is ultra-low priority. I think it's reasonable for the admin to send a message to the user: "If you are currently signed in, sign-out and sign in again to use your new privilege - or wait approximately 30 minutes until the Identity cookie is refreshed."
Sounds good to me
For adding new privileges, that may be so.
Check on the server whether they have privileges rather than trusting the cookie.
Cookies are by definition stale; hit your db if you want to ensure they have permissions.
Okay, thank you!
Just to make certain though, do I understand you correctly that I should use UserManager.IsInRoleAsync https://docs.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.identity.usermanager-1.isinroleasync?view=aspnetcore-2.1 instead of ClaimsPrincipal.IsInRole?
That hits the database, yes, so it is guaranteed to be correct.
"Roles are stored in the Identity cookie. Changes made to user roles are not persisted to the cookie until the cookie is regenerated or the user signs out and signs in. Applications that add users to a role should call
SignInManager.RefreshSignInAsync(user)
to update the cookie." I am dreadfully sorry, but this really doesn't seem to change the observable behavior with regards to issue #8474.
I have created an extremely simplistic project to show this; the code is accessible at https://github.com/gaazkam/RefreshSignIn
The project contains a page "Ban" that both allows users to ban other users via adding them to the role "Banned" and should be inaccessible to banned users (for the sake of simplicity).
This is the banning C# code from this page:
As you can see, SignInManager.RefreshSignInAsync IS called here.
In spite of this the problematic observable behavior persists: if UserA bans UserB while UserB is logged in, UserB STILL can successfully access the Ban page they should not be able to access, at least until they log out and log in again. Or until enough time has passed; as you have mentioned, waiting 30 mins indeed makes UserB effectively banned, but I feel this still should happen immediately, not after 30 mins.
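The two points made in the thread (RefreshSignInAsync only reissues the caller's own cookie, so a ban must rotate the target's security stamp, and a page that must not be reachable by banned users should check the store with UserManager.IsInRoleAsync rather than the role claims in the cookie) put together in one Razor Page. This is an added illustration, not the code from the linked gaazkam/RefreshSignIn project or from the ASP.NET Core docs; it assumes a Razor Pages app on ASP.NET Core Identity with the default IdentityUser type. The role name "Banned" and the 30-minute default come from the discussion above; the class names BanModel, SecurityStampConfig, the TargetUserId property, the CallerIsBannedAsync helper and the one-minute interval are choices made for this example.

```csharp
// Added example (not the code from the gaazkam/RefreshSignIn repo).
// Assumes a Razor Pages app using ASP.NET Core Identity with IdentityUser
// and a role named "Banned".
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;
using Microsoft.Extensions.DependencyInjection;

[Authorize]
public class BanModel : PageModel
{
    private readonly UserManager<IdentityUser> _userManager;

    public BanModel(UserManager<IdentityUser> userManager)
    {
        _userManager = userManager;
    }

    // Hypothetical form field: the id of the user to ban.
    [BindProperty]
    public string TargetUserId { get; set; }

    // Server-side authorization check shared by GET and POST.
    // User.IsInRole("Banned") only reads the role claims that were written into
    // the cookie at sign-in time, so it stays false until the cookie is reissued.
    // UserManager.IsInRoleAsync queries the user store, so a ban applied by
    // another user is visible on the very next request.
    private async Task<bool> CallerIsBannedAsync()
    {
        var caller = await _userManager.GetUserAsync(User);
        // A caller whose account no longer exists is treated as banned.
        return caller == null || await _userManager.IsInRoleAsync(caller, "Banned");
    }

    public async Task<IActionResult> OnGetAsync()
    {
        if (await CallerIsBannedAsync())
            return Forbid();
        return Page();
    }

    public async Task<IActionResult> OnPostAsync()
    {
        if (await CallerIsBannedAsync())
            return Forbid();

        var target = await _userManager.FindByIdAsync(TargetUserId);
        if (target == null)
            return NotFound();

        var result = await _userManager.AddToRoleAsync(target, "Banned");
        if (!result.Succeeded)
            return BadRequest(result.Errors);

        // Rotating the target's security stamp makes their existing cookie fail
        // the next time the SecurityStampValidator checks it, which happens at
        // most ValidationInterval after the previous check. SignInManager's
        // RefreshSignInAsync would only reissue the *caller's* cookie, which is
        // why calling it had no effect on the banned user in the issue above.
        await _userManager.UpdateSecurityStampAsync(target);

        return RedirectToPage();
    }
}

// Registration helper (assumed to be called from Startup.ConfigureServices):
// shortens the default 30-minute window during which a cookie with a stale
// security stamp is still accepted. Each validation costs a user-store lookup,
// so the interval is a trade-off between revocation latency and load.
public static class SecurityStampConfig
{
    public static void Configure(IServiceCollection services)
    {
        services.Configure<SecurityStampValidatorOptions>(options =>
        {
            options.ValidationInterval = TimeSpan.FromMinutes(1);
        });
    }
}
```

With this arrangement the "Ban" page itself stops being reachable by a banned user on their next request, because the check goes to the store, while the rest of the application catches up once the security stamp validator runs and rejects the old cookie; lowering ValidationInterval only bounds how long that second part can take.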