Permission Issues for Protected Files and Content

Test user:

cdamember2021@gmail.com

Dentistsatcda1!

Issue summary:

Files and pages that are restricted to users based on permissions are not working as expected. Users are only able to access protected content if they are already logged in to the site.

Update 11/17

Test on http://sandbox.cda.org using Easy DNN News tokens to control the URL seems to work as expected

Files will need to be hidden until the user is logged in.

https://cdaorg-my.sharepoint.com/:p:/g/personal/svpowerplatform_cda_org/EXm_-kivdIZFrWCK4kATBDEB_QoZWR5psc8QN111C0M5SA?e=U5gvjL

Update 11/9

The problem has to do with a lack of URL encoding on the DNN side. It's not a problem for Aptify.

Here is what's being used to send the user over right now:

https://www.cda.org/member-login?returnurl=/LinkClick.aspx?fileticket=Ont4-l_m5Bg%3d&portalid=0

You can clearly see that there are TWO query strings in the URL. That is what's confusing things.

If we encode the returnurl value in the query string first, before it is encoded again by Aptify, everything works:

https://ebusiness.cda.org/ebusiness/login?isCDA=1&ReturnURL1=https%3A%2F%2Fwww.cda.org%2FLinkClick.aspx%3Ffileticket%3DOnt4-l_m5Bg%253d%26amp%3Bportalid%3D0

LinkClick.aspx

That's what's making life a little harder, because that's an additional redirect being thrown in the mix. You pass that thing a query string, which gets rolled into the Aptify querystring too.

So you end up with a query string parameter that contains a query string, which breaks all but the most clever URL parsing routines.

https://www.cda.org/member-login?returnurl=/LinkClick.aspx?fileticket=Ont4-l_m5Bg%3d&portalid=0

"?returnurl=/LinkClick.aspx?fileticket=Ont4-l_m5Bg%3d&portalid=0" is a query string value

"fileticket=Ont4-l_m5Bg%3d&portalid=0" is a query string parameter INSIDE the other query string parameter.

The way to get around it is to double-encode the query string that's inside the other query string.

So....

https://ebusiness.cda.org/ebusiness/login?isCDA=1&ReturnURL1=https%3A%2F%2Fwww.cda.org%2FLinkClick.aspx%3Ffileticket%3DOnt4-l_m5Bg%253d%26amp%3Bportalid%3D0

You now see there is only one "?" and only one query string. The embedded query string doesn't appear until AFTER it's been decoded at the landing spot.
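As an added illustration (not code from the ticket or from DNN/Aptify), the Python below builds both the broken and the fixed login URL from the ticket's file ticket and shows what a landing page that decodes the value once actually receives. Function names are my own; note that the ticket's encoded URL contains `%26amp%3B`, which decodes to the HTML entity `&amp;` rather than a bare `&`, whereas this example encodes a bare `&`.

```python
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Constructed from the ticket's example URLs: the decoded DNN file ticket ends in '='.
FILE_TICKET = "Ont4-l_m5Bg="
LOGIN_BASE = "https://ebusiness.cda.org/ebusiness/login"


def build_linkclick_url(fileticket, portalid=0, base="https://www.cda.org"):
    """Build the inner LinkClick.aspx URL; urlencode() encodes the '=' in the ticket once (%3D)."""
    return f"{base}/LinkClick.aspx?" + urlencode({"fileticket": fileticket, "portalid": portalid})


def broken_login_url(fileticket, portalid=0):
    """The form currently in use: the inner URL is pasted raw, so '?' and '&' appear twice
    and the outer parser cannot tell which query string 'portalid' belongs to."""
    return "https://www.cda.org/member-login?returnurl=" + build_linkclick_url(fileticket, portalid, base="")


def fixed_login_url(inner_url):
    """Encode the whole inner URL as ONE value. safe='' percent-encodes ':', '/', '?', '=' and '&',
    and the existing %3D becomes %253D, which is the 'double encoding' the ticket describes."""
    return f"{LOGIN_BASE}?isCDA=1&ReturnURL1={quote(inner_url, safe='')}"


def has_single_query(url):
    """Sanity check from the ticket: a well-formed redirect URL has exactly one '?'."""
    return url.count("?") == 1


def landing_view(login_url, param):
    """What the landing page sees after ONE decode: the return URL and the query it carries.
    parse_qs() percent-decodes once, so the embedded query only reappears at this step."""
    outer = parse_qs(urlsplit(login_url).query)
    return_url = outer[param][0]
    inner = {k: v[0] for k, v in parse_qs(urlsplit(return_url).query).items()}
    return return_url, inner


if __name__ == "__main__":
    bad = broken_login_url(FILE_TICKET)
    good = fixed_login_url(build_linkclick_url(FILE_TICKET))
    print("broken:", bad, "->", landing_view(bad, "returnurl"))   # portalid is lost
    print("fixed: ", good, "->", landing_view(good, "ReturnURL1"))  # both parameters survive
```

The broken form hands the landing page a return URL without `portalid`, because the outer parser claimed it; the fixed form delivers `fileticket` and `portalid` intact after a single decode.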

10 Lb Analysis: I was reviewing this with Mark and he suspects (based on how the redirects are working) the issue is related to the SSO module (ICPC-TE-SsoXP)…The problem for this access appears to be revolving around the SSO/IDP not honoring the ReturnURL redirect with DNN.

Additional areas to address:

In putting selected materials behind a login for the House of Governance page, some users had trouble viewing gated content due to:

  • Having multiple user accounts (there is no validation/verification required for an account so a user can have accounts with different permission levels)

  • There are settings in Aptify that were not configured properly and prevented users from viewing content on our site

Related reported bugs:

https://californiadentalassociation.atlassian.net/browse/WPD-2096

https://californiadentalassociation.atlassian.net/browse/WPD-1978

https://californiadentalassociation.atlassian.net/browse/WPD-2130


Work Required to Fix:

  • DNN platform upgrade with replacement of the current identity provider module

  • Implement B2C for http://cda.org

  • CSS changes in current Resource Library templates to show/hide resource sections based on user permissions (Instead of locking down entire pages, the preference was to show a summary of a resource to all members but require login to view documents and details)

Steps to Recreate the Error:

Expected Result:

  1. Unauthenticated user clicks on a protected file

  2. Login screen appears

  3. Upon successful login, the requested file displays

Actual result:

  1. Unauthenticated user clicks on a protected file

  2. Login screen appears

  3. Login is successful, but an error screen appears stating that the resource has been removed

Link should be:

https://www.cda.org/LinkClick.aspx?fileticket=Ont4-l_m5Bg%3D&portalid=0

In a screen share with Ashley Jaros, we confirmed that she did have the correct permissions to view the file and ensured the file itself did not have issues by doing the following:

  1. Logged into website

  2. Clicked on protected file

  3. File displayed correctly

We also confirmed that this is happening to files in different folders, so it is not isolated to a specific file or folder, and other internal users have had the same experience so it is not isolated to a specific user.

Screenshare of issue:

https://cdaorg-my.sharepoint.com/:v:/g/personal/catherine_foss_cda_org/EbG3vy3FMr1BoiSR4hObYAABbMQY1kxXCIvZUzLEzgSn8Q

To replicate issue:

  1. Ensure you are logged out of website

  2. Go to this link: Policy Resources - CDA

  3. Click “CDA Policy Archive” in the right sidebar

  4. You should receive a prompt to log in. Ashley had the following permissions if this helps; we may need a test user that only has the permission CDAMember (I do not have an Aptify account so I can’t replicate this exactly)

  5. After logging in, an error screen should appear.

  6. Return to http://cda.org and log in, then follow the above steps again. This time, you should be able to view the file.

File location: This particular file is in the folder “Member > pdfs”

https://www.cda.org/LinkClick.aspx?fileticket=Ont4-l_m5Bg%3D&portalid=0