Prerequisites
10.0.0 (20210301) Angular .Net Core Multitenancy
I am receiving reports from my super users (those who have access to impersonate tenant accounts) that sometimes they lose their access to administrative menu pages, such as the "Tenants" and "Maintenance" menus. The menus disappears from the navigation tree, and even if the user types the administrative page address directly into the address bar, they are bounced as if they do not have permissions. I have traced this back to, when the user is impersonating a tenant account, the server application has been recycled. The user then "returns to my account", and they are still logged in, but they have lost their claims to administrative permissions. There is no way for the user to fix this - no amount of logging in and out, clearing cookies, etc, will fix it.
The only fix I have found, is to ask the user to log out, then recycle the application pool again - as you can imagine, this just raises the risk of it happening to another user.
Please advise,
thanks and regards,
5 Answer(s)
-
0
Hi @hra
We got a similar report before but couldn't reproduce it with the latest version. Could you check if this is the same error https://github.com/aspnetzero/aspnet-zero-core/issues/3638#issuecomment-791324556 ?
Thanks,
-
0
hi,
yes, that looks like the same issue I'm having. I also found those 2 actions (editing the user permissions, or recycling the application pool) were the only solutions.
Of course, neither are really acceptable for my production customers...
Is there some part of the authentication token/crypto that is generated on app-start? If so, it would explain why recycling the server breaks active session tokens - i.e, theyre not expired, but essentially become corrupted...
I can reproduce this issue consistently. I can share a screen recording with you (privately) if you wish.
-
0
Hi, I have tracked down the issue.
After restarting the application server, and clicking "return to my account", all caches are empty - and the RoleManager will repopulate the cache with the admin user role permissions (role 1). The Role Manager calls "PermissionManager.GetAllPermissions(true)", and you can see that AbpSession still contains all the information for the impersonated account - rather than the impersonator account.
This fails to return the permissions on the Host side, and hence, a much smaller permission set (50, instead of 70-something) - but you can clearly see that this permission set is assigned in the cache to cacheKey "1@0".
This is what "GetAllPermissions" should look like...
Because these corrupt permissions are then stored in the cache, this explains why the application must be reset, or permissions changed (to trigger repopulation of the cache).
I guess the real question is - why is AbpSession still returning "MultiTenancySide == Tenant" after returning back to the Host account?
-
0
Hi @imscagdas,
I have created a PR in AspNetBoilerplate which fixes the issue for me. Please review.
UserManager and PermissionManager appear to use different techniques to determine the active MultiTenancySide - by copying across the UserManager technique to PermissionManager, it appears to resolve the issue.
Thanks and regards,
https://github.com/aspnetboilerplate/aspnetboilerplate/pull/6116
-
0
Thanks alot @hra. Since we can follow the progress in pr, I am closing this.
