Customizing security in AbleCommerce 7

This forum is where we'll mirror posts that are of value to the community so they may be more easily found.
Post Reply
User avatar
AbleMods
Master Yoda
Master Yoda
Posts: 5170
Joined: Wed Sep 26, 2007 5:47 am
Location: Fort Myers, Florida USA

Customizing security in AbleCommerce 7

Post by AbleMods » Mon Mar 09, 2009 10:54 pm

Introduction
Several people have asked me how to customize security in AC7. So in an effort to avoid the work I SHOULD be doing, this seemed like the perfect time to write an article :wink: This article describes how to create customized security roles in AC7. These will be different and in addition to the existing roles provided by the default install. As always, back up anything you're going to change before you change it. Some (very) minor programming will be involved and you'll need direct access to your store SQL tables.

Security Roles Explained
ASP.Net Security roles are the result of three different ASP.Net security features coming together.

First, every folder in the Admin side has a web.config file. This file dictates, among other things, which security roles have access to the contents of the folder. You can specify groups and/or specific users to be permitted(allow) or prevented (deny) access to the folder contents.

Second, the standard sitemap file in the ~/Admin/ folder dictates what menu options are available and presented to the user on the Admin side. Users that are not a member of a particular security role will never see the menu options assigned to that role. Note that these permissions are separate from the web.config settings – someone can be denied permission to see a menu option yet still have permission to hit the sub-folder URL directly.

Third, authentication data provided via the ac_Users, ac_UserPasswords, ac_Roles, ac_UserGroups and the ac_Groups tables. These tables store the actual user account information used to authenticate to the site as well as define group membership, etc.

A fourth method, not part of the default .Net security setup, is a few custom classes and methods written by Able to assist with security in programming code.

Defining the New Role
The first step in any customized security role is identifying the specific permissions you require. In our case, we're going to make a "Warehouse Manager" or WM for short. This WM will have access to certain menu options, but not all of them.
So to begin, we have to sit down and make a list of precisely what menu options we want our new WH role to see. That seems like a lot of work, and it is. But it’s very important for a number of reasons. First, it makes you precise and security is a really good place to be precise. Second, it brings to your attention exactly what will/won’t be available to members of the new security role. This helps a great deal in getting things right the first time thus reducing the deployment time of new security roles. Finally, it is good documentation that can keep your behind out of hot water down the road should a security issue within your organization arise.
Fortunately for you, I’ve made this job much simpler for you. Attached to this post is an Excel spreadsheet detailing every existing Admin menu. This spreadsheet also gives you a complete breakdown of every default AC7 security role and what permissions are involved with that role. A spreadsheet like this comes in very handy when you want to build entirely new security roles.
Now with your trusty spreadsheet loaded up, just start a new column to the right of existing roles called “Warehouse Manager”. Beneath that new column, mark the permissions you want. Not only does this give you that great documentation we talked about earlier, it also helps you be sure of exactly what the users in that role will have access to use.

Create a new AC7 Role
Able didn’t include a fancy menu option or edit screen to create new roles. So, we’re going to add one manually. You’ll need direct access to your SQL database to complete this step.
To add a new role definition, expand your store database within SQL Server Studio Express and scroll down to the ac_Roles table. Right click the table and choose Open Table. This will let you see all the existing roles in a nice table layout. You’ll notice the very bottom row has an asterisk (*) in it and Null for all the values. That row is where we can add new records.
Move your cursor down to that asterisk row by clicking the mouse in the Name column of that row. The Null will disappear and your cursor will let you type. Go ahead and type the name of the Role you want to define, in our case “Warehouse Managers” will do quite nicely. Move over to the LoweredName column and enter the same name in all lower case i.e. “warehouse managers”. Be sure to leave the RoleId column set to Null – the system will automatically assign the next available Id value.

You’ve just created a new role – you can see this role during the next step. For now, close out of SQL Express and get ready to log back into your website Admin side.

Assigning a Group to the Role
Able doesn’t give you a way to make new roles, but you can make new Groups. And even better, these groups can be assigned to a specific Role. So we’re going to do just that for our WM role.
Log back into the Admin side and go to People/User Groups. On the right side in the Add Group section, type in “Warehouse Managers” and select the Warehouse Managers choice in the permissions list. Wait a minute – that’s our new security role!
Now that you have a security group assigned to this role, the final step is to assign users to the group. That’s easy enough to do so we’re not going to explain it here. However you want, get your new WM users assigned to the new WM group.

Modifying Folder Permissions
Now for the completely un-fun part. Remember all those menu options you selected in the Excel spreadsheet. Well each of them is stored underneath a specific folder in the /Admin/ folder of your website. These folders are named very closely to the menu options that correspond to them. People is in the /Admin/People folder. And People/Users is in the /Admin/People/Users folder. Not every single menu option is set up this way, but most are.
The reason is ASP.Net permissions are broken down by folder. So if you wanted to keep things flexible, you put different pages inside different folders and let the web.config file decide who can see them. In the case of AC7, we can let some people manage users while preventing them from managing user groups because the respective pages are kept in completely different folders. Since each folder has a separate web.config file, the permissions are managed separately.
Swell you might say, but how do I give my new WM role access to these folders? Simple: Edit the web.config file in each folder you want the WM role to be able to access. If you get confused or are unsure where a particular menu option pages are stored, look it up in the /Admin/menu.sitemap file to see the path.
Within each web.config file you’ll see a line like this:

Code: Select all

<allow roles=”System,Admin,Jr. Admin” />
To add your new role to this permissions list, simply change the line to read:

Code: Select all

 <allow roles=”System,Admin,Jr. Admin,Warehouse Managers” />
Notice how each security role is specified in the <allow roles> tag and separated by a comma? It’s that simple and all the web.config files work this way.

Assigning Roles to Menu Options
Last but not least, we need to let our WM users see menu options. Currently the WM role is not assigned to any menu choices, so a WM user who have no menu to see.
Edit the /Admin/menu.sitemap file with a text editor such as Notepad. Right away you’ll notice that all the major menu choices like “People”,”Catalog”,”Marketing” etc have a roles= parameter like this:

Code: Select all

 		<siteMapNode title="Marketing" LookId="TopItemLook" roles="System,Admin,Jr. Admin">
Simply make the same edit here like you did in the web.config file, for example:

Code: Select all

 		<siteMapNode title="Marketing" LookId="TopItemLook" roles="System,Admin,Jr. Admin,Warehouse Managers">
Do this for each menu option that the role should be able to see on the Admin side of the website. As you go through the file, be careful not to modify the structure of the XML tags. ASP.Net is very picky about this particular file and your whole Admin side will blow up if you mess it up. Backups are your friend!

Dashboard Sections
Perhaps by now you've noticed something odd about the dashboard while logged in under your new security role. The Dashboard is gone - poof - nada - zilch - not there any more. That's because the Dashboard plug ins are all hard-coded for specific user permissions. If the logged in user does not belong to the hard-coded group, the dashboard control doesn't render.
This is easily fixed by modifying the code. First, find the dashboard control you want modified in the /Admin/Dashboard folder. Edit it's .ascx.cs code file with a text editor such as Notepad. Near the beginning of the code file you'll see a line like this:

Code: Select all

        if (Token.Instance.User.IsInRole(CommerceBuilder.Users.Role.ReportAdminRoles))
Just modify that line to look like this:

Code: Select all

        if (Token.Instance.User.IsInRole(CommerceBuilder.Users.Role.ReportAdminRoles) | Token.Instance.User.IsInRole("Warehouse Managers"))
See how I've added a nice little customized test (the .IsInRole("Warehouse Manager") part) for our new security role? It's even specified by name, so you can use your own name if you like. Just be sure it's spelled PRECISELY as you created it. Each dashboard control is written a little differently, so you may have to go down further into the code file to find the line that reads if (Token.instance.User.IsInRole(..........). But it's there so keep looking - you'll find it eventually.

Conclusion
So was this more work than you thought it was going to be? Oh yeah. But with a little planning and some persistence, you've added a completely new security role to your AbleCommerce 7 install. You've also improved company security by ensuring only the necessary people see key information about your online store.
As always, never attempt changes to your website without a solid backup available. Some things can be broken in such a way that the whole site goes down. That means it's best to practice these changes on a development install or at least during an off-peak period of time for your store.
Joe Payne
AbleCommerce Custom Programming and Modules http://www.AbleMods.com/
AbleCommerce Hosting http://www.AbleModsHosting.com/
Precise Fishing and Hunting Time Tables http://www.Solunar.com

User avatar
sohaib
Developer
Developer
Posts: 1079
Joined: Fri Jan 23, 2004 1:38 am

Re: Customizing security in AbleCommerce 7

Post by sohaib » Wed Mar 11, 2009 1:12 pm

This should probably go to WIKI as well.

gunter
Lieutenant, Jr. Grade (LT JG)
Lieutenant, Jr. Grade (LT JG)
Posts: 22
Joined: Thu Oct 02, 2008 9:43 pm

Re: Customizing security in AbleCommerce 7

Post by gunter » Mon May 11, 2009 2:27 am

Great post - really helpful - a small addition for people wanting to use Roles with Subscriptions

We have added another Members section to a project and we initially had some problems - this may help others if you encounter the same thing.

We wanted users to be managed by their subscriptions status and get access to specific sections of the site - in this case a subfolder - lets call it "SpecialMemberSubfolder".

Subscriptions can assign Users to Groups by default - Unfortunately the Subscriber Group drop down list will not show any Groups that have been assigned Roles - presumably so you cannot accidentally assign something like Super User to a subscription product and completely compromise your security the next time you sell this item.

The easiest way to get around this is to modify the Admin/Products/EditSubscription.aspx code
at around line 28 (BindSubscriptionGroup sub) in the you should see this (in 7.0.2):

Code: Select all

 for(int i=groupCol.Count -1; i>=0; i--) 
	{
		group = groupCol[i];			
		if(group.GroupRoles.Count > 0)
		{
			groupCol.RemoveAt(i);
		}
	}
If you replace it with

Code: Select all

 for(int i=groupCol.Count -1; i>=0; i--) 
		{
			group = groupCol[i];
		    if((group.Name.ToString() == "Super Users")||(group.Name.ToString() == "Admins")||(group.Name.ToString() == "Jr. Admins")||(group.Name.ToString() == "Catalog Admins")||(group.Name.ToString() == "Order Admins")||(group.Name.ToString() == "Website Admins")||(group.Name.ToString() == "Report Admins")){
		        groupCol.RemoveAt(i);
		    }

		}
You should find that only new Roles you add will be visible and selectable in the Product Subscriptions section.

If you wanted to make it more secure for possible future Role changes in Able you could explicitly check for your new roles only and list them as such:

Code: Select all

		for(int i=groupCol.Count -1; i>=0; i--) 
		{
			group = groupCol[i];
		    if((group.Name.ToString() != "Custom Member Role 1")&&(group.Name.ToString() != "Custom Member Role 2")){
		        groupCol.RemoveAt(i);
		    }
		}
This is probably a better method generally but would become impractical if you need to create lots of new Roles.

Once you have done this you can add something similar to the following in the web.config of any sub folders you wish to secure:

Code: Select all

<system.web>
        <authorization>
            <allow roles="Custom Member Role 1,Custom Member Role 2,System,Admin,Jr. Admin,Manage Orders,Manage Catalog,Manage Website,View Reports"/>
            <deny users="*"/>
        </authorization>
    </system.web>
hope this helps

mkent
Ensign (ENS)
Ensign (ENS)
Posts: 19
Joined: Fri Jul 10, 2009 10:30 pm

Re: Customizing security in AbleCommerce 7

Post by mkent » Tue May 18, 2010 11:52 am

How can you allow users to change passwords , but not be able to change the security group of the user?

dale.jones
Ensign (ENS)
Ensign (ENS)
Posts: 5
Joined: Thu Oct 07, 2010 11:18 am

Re: Customizing security in AbleCommerce 7

Post by dale.jones » Fri Dec 03, 2010 12:11 pm

I need to create a group of users who can log in and modify or create a new orders for customers who have already made purchases. According to the instructions in this post, I've created my new security role, created the new group, added people to it, modified the sitemap, and added the group name to the dashboard, etc. But when I log in with a user who's in the new security group, there's no Admin option available in the shortcuts menu.

Looking in the Standard Header.htm scriptlet I see that the admin menu option is turned on by this bit of code:

#if($customer.IsAdmin)
<a href="~/Admin/Default.aspx" class="admin">Admin</a>
#end

Where do I turn on the IsAdmin flag for the users in the security group?

Thanks in advance.

User avatar
AbleMods
Master Yoda
Master Yoda
Posts: 5170
Joined: Wed Sep 26, 2007 5:47 am
Location: Fort Myers, Florida USA

Re: Customizing security in AbleCommerce 7

Post by AbleMods » Mon Dec 06, 2010 9:00 am

The IsAdmin flag cannot be manipulated directly. Able has hardcoded what security groups switch that flag on or off.

Here are the groups that Able checks to determine _User.IsAdmin():

Code: Select all

{ "System", "Admin", "Jr. Admin", "Manage Orders", "Manage Catalog", "Manage Website", "View Reports" }
So your user account will have to be a member of one of those security roles in order for the flag to return True;
Joe Payne
AbleCommerce Custom Programming and Modules http://www.AbleMods.com/
AbleCommerce Hosting http://www.AbleModsHosting.com/
Precise Fishing and Hunting Time Tables http://www.Solunar.com

BYGTechnologies
Ensign (ENS)
Ensign (ENS)
Posts: 7
Joined: Fri May 18, 2012 8:27 pm

Re: Customizing security in AbleCommerce 7

Post by BYGTechnologies » Sun Dec 04, 2016 11:43 am

I added a new record in the ac_Roles table, but do not see the new entry in the Permission listbox when trying to add or edit a Group.

I am using AbleCommerce Version 7.0.91.8858.

What am I missing?

User avatar
AbleMods
Master Yoda
Master Yoda
Posts: 5170
Joined: Wed Sep 26, 2007 5:47 am
Location: Fort Myers, Florida USA

Re: Customizing security in AbleCommerce 7

Post by AbleMods » Mon Dec 05, 2016 2:24 am

I don't recognize that build number. Are you on Able Gold, or Able 7.x?
Joe Payne
AbleCommerce Custom Programming and Modules http://www.AbleMods.com/
AbleCommerce Hosting http://www.AbleModsHosting.com/
Precise Fishing and Hunting Time Tables http://www.Solunar.com

BYGTechnologies
Ensign (ENS)
Ensign (ENS)
Posts: 7
Joined: Fri May 18, 2012 8:27 pm

Re: Customizing security in AbleCommerce 7

Post by BYGTechnologies » Mon Dec 05, 2016 1:31 pm

Joe:

I rechecked, and they are on Gold. My mistake! Did I post on the wrong board? If so, my apologies (and can you show me where the equivalent post is in the Gold forum).

Thanks!!

User avatar
AbleMods
Master Yoda
Master Yoda
Posts: 5170
Joined: Wed Sep 26, 2007 5:47 am
Location: Fort Myers, Florida USA

Re: Customizing security in AbleCommerce 7

Post by AbleMods » Tue Dec 06, 2016 1:28 am

You posted on the right board, but this particular thread involved Able 7.x. It's your build number that is confusing. 7.0.92.* is the current build series for Able Gold. I presume 7.0.91 is a typo?

There isn't much difference with the implementation of roles between Gold and 7.x. So the document applies to both.

In your case, most likely you'll need to restart the site to see the new role available in the Groups page. In Able Gold, the list of available roles is cached. So it's possible your install won't see the new role for a period of time. Restarting the app pool will force Gold to reload everything and your new role should be immediately visible. I just tested this on a Gold R12 install and it worked perfectly.
Joe Payne
AbleCommerce Custom Programming and Modules http://www.AbleMods.com/
AbleCommerce Hosting http://www.AbleModsHosting.com/
Precise Fishing and Hunting Time Tables http://www.Solunar.com

BYGTechnologies
Ensign (ENS)
Ensign (ENS)
Posts: 7
Joined: Fri May 18, 2012 8:27 pm

Re: Customizing security in AbleCommerce 7

Post by BYGTechnologies » Thu Dec 08, 2016 3:11 pm

Hi, Joe.

No my version is not a typo. I copied and pasted the value. Here it is again:

AbleCommerce for ASP.NET
VERSION: 7.0.91.8858
Release Label: GoldR11SR1

The new role finally did show up. Thanks for your help!

User avatar
AbleMods
Master Yoda
Master Yoda
Posts: 5170
Joined: Wed Sep 26, 2007 5:47 am
Location: Fort Myers, Florida USA

Re: Customizing security in AbleCommerce 7

Post by AbleMods » Thu Dec 08, 2016 3:53 pm

Glad you got it working.

I was mistaken on the build numbers, you are correct. I was thinking 7.0.92 was constant for all Gold builds. In fact, it's the 9x that is changing along with the last 4. R11 is .91 and R12 is .92.

I've been working too much in R12 this year :)
Joe Payne
AbleCommerce Custom Programming and Modules http://www.AbleMods.com/
AbleCommerce Hosting http://www.AbleModsHosting.com/
Precise Fishing and Hunting Time Tables http://www.Solunar.com

Post Reply