Question

Michael Garrison

Locked out of person profile security tab

I'm not quite sure how this happened- I'm actually pretty sure I didn't change any settings that should have had this result, but here goes.

 

I was trying to create a new block on the person profile page, which kept information like alarm system codes, key id numbers, things of that nature. But of course I only want select users to be able to view that information. So I started by creating a "password viewers" security group. Then I created the attribute category, and assigned the specific text-type attributes to it. Finally it was ready- I went to a profile page, clicked "Zones" and added a "CRM > Person Detail/Attribute Values" page block to a previously empty zone (I think I mistakenly chose to create this under "all pages using PersonDetail layout"). After I refreshed the page, the zone showed up as empty, so I could click the block configuration button and add the attribute type to be displayed.

Yay- so that worked. Then I clicked the "Security" button for that block and allowed "password viewers" to view, edit and administer the block, then BELOW that created another security entry denying view, edit and administer privileges to "all users". Again, success- when I was a part of the "password viewers" security group I could see the block. When I wasn't, I couldn't.

Then I got to thinking- it would really be better if this information was on the "security" tab rather than on the "Extended attributes" tab- it will get seen accidentally less frequently there. So I deleted the blocks from the Extended Attributes tab. So far, so good.

I went to the Security tab and, examining the layout, decided that I wanted my block to show up under security groups and logins. So I needed to move those two blocks out of C1 and up into a higher zone. I chose B2- I was going to make B3 the zone where my custom block lived. I clicked "Blocks" and chose to "Move" the two blocks (again selecting "all pages using the PersonDetail layout"- I realize now I thought that meant that was necessary to apply to more than this single user, but that it actually meant, for instance, "extended attributes" vs "security".) So now I had those two blocks on all my profile pages- extended attributes, person profile, AND security. Oops. So I created my custom block in "just this page" while looking at the security tab, in the correct zone. Cool. Then I chose to "Move" the Groups and Logins blocks back to "just this page".

But once I did so, the "security" tab disappears entirely from the sub-navigation menu! All I can see are the Person Profile, Extended Attributes, Groups, Contributions, and History tabs. And upon manually navigating to /Person/1/StaffDetails, ROCK informs me that I don't have the permissions to view that page.

Without being able to get to that page, I don't know how to check and see what security went wrong. Any idea how I can fix this issue?

  • Michael Garrison

    I've gotten into the SQL data, and it's pretty easy to tell what changes I made to security items last night by looking at the Auth table. Since it's a small number of items and I know exactly where to check to fix things again, I manually edited the rows marked as edited by my user and set the ApproveOrDeny column to 'A'. Theoretically, that should have changed any "Deny" security items I set (thus locking me out) to "Approve" instead, and thus allow me in. However, no such luck- the "security" tab when viewing a person's profile is still unavailable. Manually navigating to the StaffDetails page still results in the security notice. Interesting.

  • Bronson Witting

    Michael - I'm not sure exactly what security aspects get cached, but try clearing the Rock cache and see if that helps.

  • Brandon Gamache

    The same thing happened to me when I was working on the External Connect page. I created a new (child) page where I was testing if only members of a group could see their group (doing this through the block settings). I believe I set All Authenticated users to allow and All Users Deny (in proper order) and for whatever reason the Connect tab is gone from the external site and each time I try to manually go to it I get the security error window. I can manually access the child pages of the Connect page, though. I checked the database just as you did and switched the one record that was set to Deny to Approve and that didn't seem to correct it.

  • Rock RMS

    One thing to keep in mind is that if you change security directly in the database, you'll need to clear your cache in Rock before it will see those changes ( System Info -> Clear Cache ).

    To view the security for the person profile security page, you can run the following SQL statement either from the SQL Management Studio or from the Admin > Power Tools > SQL Command option...

    DECLARE @PageEntityTypeId INT = ( SELECT TOP 1 [Id] FROM [EntityType] WHERE [Name] = 'Rock.Model.Page' )
    SELECT 
    	A.EntityTypeId,
    	A.EntityId,
    	A.[Action],
    	CASE A.[AllowOrDeny]
    		WHEN 'A' THEN 'Allow '
    		WHEN 'D' THEN 'Deny '
    	END +  
    	CASE A.[SpecialRole] 
    		WHEN 0 THEN G.Name
    		WHEN 1 THEN 'All Users'
    		WHEN 2 THEN 'All Authenticated Users'
    		WHEN 3 THEN 'All Un-Authenticated Users'
    	END 'Access'
    FROM [PageRoute] R 
    INNER JOIN [Page] P ON P.[Id] = R.[PageId]
    INNER JOIN [Auth] A ON A.[EntityId] = P.[Id] AND A.[EntityTypeId] = @PageEntityTypeId
    LEFT OUTER JOIN [Group] G ON G.[Id] = A.[GroupId]
    WHERE R.[Route] LIKE '%StaffDetails'
    ORDER BY A.[Action], A.[Order]
    

    If you share the results we can try to determine what is causing the issue.

    • Michael Garrison

      Thanks so much- I didn't clear the cache so I'll try that.


      FWIW, the results of the SQL select were revealing:


      Entity Type Id | Entity Id | Action | Access
      2 | 176 | View | Deny All Users

    • Michael Garrison

      Clearing the cache did not change anything (I also tried restarting the site and the SqlServer service). So I changed the rule identified in your SELECT above to "Allow" instead of "Deny" (confirmed by running the query again- this time it says "Allow All Users"), cleared the cache, restarted the site and SqlServer, still to no avail. I can't seem to get the security tab to be visible, and I find it odd that the record in question did not list a time or user who modified it. Maybe that's as it should be, but I'd have expected that if I made a change resulting in this behavior, it would have been recorded as an action of my user.
      It's still early enough in the deployment I could reinstall from scratch, if we don't want to waste time on this, but it makes me nervous that I don't think I did anything to change permissions on the page, and I don't want it to happen again... O=)

    • Michael Garrison

      Hold the phone, something worked this time. Before rolling back and signing out, I (in order) restarted the SqlServer service, restarted the site in IIS, cleared the cache in ROCK, and then (which I hadn't done before) actually restarted ROCK from the Info dialogue where you clear the cache. Voilà, the tab is back! And when I go to it and hit security, there is the permission "Allow"ing "All Users" to view the page.


      I was still confused as to how that rule was set in the first place without any record of an edit. I think the answer was revealed to me upon a visit to the rocksolidchurchdemo site- the security tab DOES have that deny permission set, but UNDER an "Allow Rock Administrators (Role) view permissions" rule, which is missing on my installation. I don't know how it got deleted, but that explains the record-less apparent rule change. I'll re-create that rule and be back on track.


      Thanks, everyone, for your help!!

    • Rock RMS

      FYI, it also looks like cached security is not currently being cleared when you choose the 'Clear Cache' option. We already have a fix coming for that in the next update. Until then, you would need to restart the app if you change security outside of Rock's UI.
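
The lockout condition found in this thread (a "Deny All Users" rule on a page with no Allow rule above it), generalized into a read-only audit across all pages. This is an added example, not part of the thread and not Rock's own code. It uses only the tables and columns that appear in the query above, and it assumes that rules with a lower [Order] value are evaluated first and that only rules set directly on the page matter (inherited rules are not considered).

```sql
-- Added example: list every page/action where "Deny All Users" is not
-- preceded by any Allow rule, which is the state that hid the Security tab.
DECLARE @PageEntityTypeId INT = (
    SELECT TOP 1 [Id] FROM [EntityType] WHERE [Name] = 'Rock.Model.Page'
);

SELECT
    D.[EntityId] AS [PageId],
    R.[Route],                      -- NULL when the page has no route
    D.[Action],
    D.[Order]    AS [DenyOrder]
FROM [Auth] D
LEFT OUTER JOIN [PageRoute] R ON R.[PageId] = D.[EntityId]
WHERE D.[EntityTypeId] = @PageEntityTypeId
  AND D.[AllowOrDeny]  = 'D'
  AND D.[SpecialRole]  = 1          -- 1 = All Users (see the CASE in the query above)
  AND NOT EXISTS (
        -- Any Allow rule for the same page and action that sorts earlier
        -- (assumption: lower [Order] is evaluated first).
        SELECT 1
        FROM [Auth] A
        WHERE A.[EntityTypeId] = D.[EntityTypeId]
          AND A.[EntityId]     = D.[EntityId]
          AND A.[Action]       = D.[Action]
          AND A.[AllowOrDeny]  = 'A'
          AND A.[Order]        < D.[Order]
  )
ORDER BY D.[EntityId], D.[Action];
```

A page with several routes appears once per route. A row in the result is not always a mistake, so compare it against a known-good installation before changing anything.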