Issue summary:
Files and pages that are restricted to users based on permissions are not working as expected. Users are only able to access protected file content if they are already logged in to the site.
Update 11/17
Test on http://sandbox.cda.org using Easy DNN News tokens to control the URL seems to work as expected
Files will need to be hidden until user is logged in
Update 11/9
The problem has to do with a lack of URL encoding on the DNN side. It's not a problem for Aptify.
Here is what's being used to send the user over right now:
https://www.cda.org/member-login?returnurl=/LinkClick.aspx?fileticket=Ont4-l_m5Bg%3d&portalid=0
You can clearly see that there are TWO query strings in the URL. That is what's confusing things.
If we encode the returnurl value in the query string first - before it is encoded again by Aptify - everything works:
LinkClick.aspx
That's what's making life a little harder, because that's an additional redirect being thrown in the mix. You pass that thing a query string, which gets rolled into the Aptify querystring too.
So you end up with a query string parameter that contains a query string... breaks all but the most clever URL parsing routines
https://www.cda.org/member-login?returnurl=/LinkClick.aspx?fileticket=Ont4-l_m5Bg%3d&portalid=0
"?returnurl=/LinkClick.aspx?fileticket=Ont4-l_m5Bg%3d&portalid=0" is a query string value
"fileticket=Ont4-l_m5Bg%3d&portalid=0" is a query string parameter INSIDE the other query string parameter
The way to get around it is to double encode the query string that's inside the other query string
So....
You now see there is only one "?" and only one query string. The embedded query string doesn't appear until AFTER it's been decoded at the landing spot
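The following is an added example (not code from this page, DNN or Aptify) that shows the two forms side by side: the raw returnurl with two "?" characters, and the returnurl percent-encoded once more so only one "?" remains. It reuses the fileticket and portalid values quoted above (the standard library emits %3D where the page shows %3d) and adds, as an assumption of this example rather than something the page describes, a check that the decoded returnurl is a site-relative path before it is followed.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed from the example link on this page; the fileticket value is the
# one the page quotes (urlencode emits %3D where the page shows %3d).
LOGIN_PAGE = "https://www.cda.org/member-login"
FILE_PATH = "/LinkClick.aspx"
FILE_PARAMS = {"fileticket": "Ont4-l_m5Bg=", "portalid": "0"}


def file_link() -> str:
    """The LinkClick.aspx link itself, with its own query string encoded once."""
    return FILE_PATH + "?" + urlencode(FILE_PARAMS)


def naive_login_url() -> str:
    """Broken form from the page: the file link is pasted into returnurl raw,
    so the result contains two '?' and an '&' that belongs to the inner link."""
    return f"{LOGIN_PAGE}?returnurl={file_link()}"


def encoded_login_url() -> str:
    """Correct form: the whole file link (path, '?', '=', '&' and the already
    encoded '%3D') is percent-encoded once more as a single returnurl value."""
    return f"{LOGIN_PAGE}?{urlencode({'returnurl': file_link()})}"


def outer_query(login_url: str) -> dict:
    """What the login page sees: each outer parameter decoded exactly once."""
    return {k: v[0] for k, v in parse_qs(urlsplit(login_url).query).items()}


def is_local_return_target(target: str) -> bool:
    """Added defensive check (assumption, not from the page): after login only
    follow a site-relative path, so returnurl cannot point off-site."""
    if not target.startswith("/") or target.startswith("//"):
        return False
    parts = urlsplit(target)
    return parts.scheme == "" and parts.netloc == ""


def landing_params(login_url: str) -> dict:
    """Follow returnurl after login and decode the inner query string, which
    only becomes visible as fileticket/portalid one decode later."""
    target = outer_query(login_url)["returnurl"]
    if not is_local_return_target(target):
        raise ValueError("returnurl is not a site-relative path")
    inner = urlsplit(target)
    return {"path": inner.path,
            **{k: v[0] for k, v in parse_qs(inner.query).items()}}


if __name__ == "__main__":
    for label, url in (("naive", naive_login_url()),
                       ("encoded", encoded_login_url())):
        print(label, url)
        print("  login page sees:", outer_query(url))
        print("  landing page sees:", landing_params(url))
```

Running it shows that with the naive link the login page receives portalid as one of its own parameters and the file page never gets it, while with the encoded link the login page sees a single returnurl value and the file page recovers both fileticket and portalid intact.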
...
10 Lb Analysis: I was reviewing this with Mark and he suspects (based on how the redirects are working) the issue is related to the SSO module (ICPC-TE-SsoXP)…The problem for this access appears to be revolving around the SSO/IDP not honoring the ReturnURL redirect with DNN.
Additional areas to address:
In putting selected materials behind a login for the House of Governance page, some users had trouble viewing gated content due to:
Having multiple user accounts (there is no validation/verification required for an account so a user can have accounts with different permission levels)
There are settings in Aptify that were not configured properly and prevented users from viewing content on our site
Related reported bugs:
https://californiadentalassociation.atlassian.net/browse/WPD-2096
https://californiadentalassociation.atlassian.net/browse/WPD-1978
https://californiadentalassociation.atlassian.net/browse/WPD-2130
...
Work Required to Fix:
DNN platform upgrade with replacement of the current identity provider module
Implement B2C for http://cda.org
CSS changes in current Resource Library templates to show/hide resource sections based on user permissions (Instead of locking down entire pages, the preference was to show a summary of a resource to all members but require login to view documents and details)
Steps to Recreate the Error:
Expected Result:
Unauthenticated user clicks on a protected file
Login screen appears
Upon successful login, the requested file displays
...
Unauthenticated user clicks on a protected file
Login screen appears
Login is successful, but an error screen appears stating that the resource has been removed
...
Link should be:
https://www.cda.org/LinkClick.aspx?fileticket=Ont4-l_m5Bg%3D&portalid=0
In a screen share with Ashley Jaros, we confirmed that she did have the correct permissions to view the file and ensured the file itself did not have issues by doing the following:
...
We also confirmed that this is happening to files in different folders, so it is not isolated to a specific file or folder, and other internal users have had the same experience so it is not isolated to a specific user.
Screenshare of issue:
To replicate issue:
Ensure you are logged out of website
Go to this link: https://www.cda.org/Home/Advocacy/Advocacy-Overview/Policy-Resources
Click “CDA Policy Archive” in the right sidebar
...