
ServiceAuthorizationManager in Sitecore Powershell Extension

Everyone loves using Sitecore PowerShell Extension (SPE) because of the flexibility it offers when working with Sitecore. Those who work on SXA will already know that SPE is a prerequisite for SXA. In fact, SXA has many built-in scripts that help manage SXA tenants and sites. These SXA scripts are accessible through the Scripts item that appears in an item's context menu.
Note - The context menu is the menu that opens when you right-click an item (as in the snapshot below).

So far so good! One day we realized in our live environment that even content authors could access the Scripts item in the context menu, and that they had complete access to SXA scripts like Remove Tenant, Remove Site, Add Site Language etc. We realized this could create potential problems on live environments. Just imagine an unaware content author who encounters these options and casually decides to check what the Remove Tenant script can do. Scary, right!

So I started working on finding a way to hide the Scripts item that appears in an item's context menu, at least for content authors as we don't want them to have privileges to execute scripts. 

Solution
One of the easy ways was to go to the core db and delete the item responsible for displaying Scripts in the context menu. Or we could have gone to the individual SXA scripts and set rules on them so that they are enabled for admin users only. But we are soon going to upgrade from SXA 10.1 to 10.2, and SXA 10.2 stores these items as resource files on the file system (learn more about it here). We didn't want to edit or delete items that are managed in resource files unless we fully understood the impact.

I researched a little more on how to hide the Scripts item in the context menu and found many developers in the community recommending creating custom rules in sitecore/system/settings/Rules. One has to create a custom rule first and then execute those rules in the command logic of the Scripts item. This seemed to be a longer route for such a small ask (more about it is described in https://sitecore.stackexchange.com/questions/7795/hide-context-menu-item-based-on-logic).

To find an easier way to hide the Scripts item, I started looking into the Spe.Client.Commands.MenuItems.ScriptLibraryMenuItem file, which implements the command that gets executed when a user clicks on the Scripts item in the context menu. That's where I learnt about Spe.Core.Settings.Authorization.ServiceAuthorizationManager.

What does ServiceAuthorizationManager do?
ServiceAuthorizationManager has methods like IsUserAuthorized(), TerminateUnauthorizedRequest(), etc. that can be used to check whether a user or role is authorized to access a specific service. Its GetServiceAuthorizationInfo() method reads the configuration using Factory.GetConfigNode("powershell/services/" + serviceName + "/authorization") to look up the authorization level of the user.
In our case, executing scripts through the Scripts item, the service name is "execution". So it looks at the config below in the Spe.config file to see who can access the Scripts item in the context menu -
<execution enabled="true" requireSecureConnection="false">
  <authorization>
    <add Permission="Allow" IdentityType="Role" Identity="sitecore\Sitecore Client Users" />
    <!-- "Magic" role that catches all users in Sitecore with Administrator privileges -->
    <add Permission="Allow" IdentityType="Role" Identity="sitecore\IsAdministrator" />
  </authorization>
</execution>

In this config, you can see that anyone with the role sitecore\Sitecore Client Users is authorized to use the Scripts item. This allows even content authors to access it.

So, I created the following patch, which deletes the entry allowing sitecore\Sitecore Client Users to access the Scripts item in the context menu and makes it exclusive to admins.
<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/" xmlns:role="http://www.sitecore.net/xmlconfig/role/" xmlns:security="http://www.sitecore.net/xmlconfig/security/">
  <sitecore role:require="Standalone or ContentManagement" security:require="Sitecore">
    <powershell>
      <services>
        <execution enabled="true" requireSecureConnection="false">
          <authorization>
            <add Permission="Allow" IdentityType="Role" Identity="sitecore\Sitecore Client Users">
              <patch:delete />
            </add>
          </authorization>
        </execution>
      </services>
    </powershell>
  </sitecore>
</configuration>


Doing this removed the Scripts item from the item's context menu :)
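
To confirm the patch took effect beyond what the menu shows, the authorization entries can be read back from the effective configuration. The script below is an added example, not code from SPE or from this post; the function name Get-SpeServiceGrant, the admin identity list and the file name showconfig.xml are assumptions, and the embedded XML is a constructed sample based on the config quoted above.

```powershell
# Added example: list who is granted each SPE service in an effective config.
function Get-SpeServiceGrant {
    param(
        [Parameter(Mandatory)] [xml] $Config,
        # Assumption: identities allowed to hold an Allow entry under your policy.
        [string[]] $AdminIdentities = @('sitecore\IsAdministrator')
    )
    # Every child of <services> is one service, e.g. <execution> from the post.
    foreach ($service in $Config.SelectNodes('//powershell/services/*')) {
        foreach ($entry in $service.SelectNodes('authorization/add')) {
            $identity   = $entry.GetAttribute('Identity')
            $permission = $entry.GetAttribute('Permission')
            [pscustomobject]@{
                Service    = $service.LocalName
                Enabled    = $service.GetAttribute('enabled')
                Permission = $permission
                Identity   = $identity
                # Allow entries outside the admin list are the ones to review.
                Review     = ($permission -eq 'Allow') -and ($AdminIdentities -notcontains $identity)
            }
        }
    }
}

# Constructed sample: the <execution> block quoted in the post, before the patch.
# For a real check, load the XML saved from /sitecore/admin/showconfig.aspx:
#   [xml]$config = Get-Content .\showconfig.xml -Raw
[xml]$config = @'
<sitecore>
  <powershell>
    <services>
      <execution enabled="true" requireSecureConnection="false">
        <authorization>
          <add Permission="Allow" IdentityType="Role" Identity="sitecore\Sitecore Client Users" />
          <add Permission="Allow" IdentityType="Role" Identity="sitecore\IsAdministrator" />
        </authorization>
      </execution>
    </services>
  </powershell>
</sitecore>
'@

$review = @(Get-SpeServiceGrant -Config $config | Where-Object Review)
$review | Format-Table Service, Permission, Identity
# A non-empty $review means a non-admin identity can still reach a service.
if ($review.Count -gt 0) { Write-Warning "$($review.Count) grant(s) need review" }
```

Because the function walks every child of the services node, the same run also reports any other SPE service in the effective config that still lists a non-admin identity.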

This re-establishes my belief that sometimes the same end result can be achieved with a much smaller change than what most others have done in the past, if we take a little longer to research an alternate path to solve a problem.

Note - If you have any custom functionality for content authors that depends on PowerShell script execution, it may be impacted by this change if it uses ServiceAuthorizationManager.

Hoping to hear what you think about this! Thanks!
