OrchardCMS / Orchard

Orchard is a free, open source, community-focused Content Management System built on the ASP.NET MVC platform.
https://orchardproject.net
BSD 3-Clause "New" or "Revised" License

Different cache key by role #8509

Closed ElenaRepository closed 2 years ago

ElenaRepository commented 3 years ago

We wanted to propose a feature for managing front-end edit content.

From our tests, we noticed that, in the case of active caching:

User A has the role of Administrator.
User B has the role of Editor, Moderator.

In the case where user A logs in, and immediately after user B logs in, user B will see all the front-end edit links of user A.

If user B clicks to edit the content, the message "there is no permission to edit the content" will be correctly displayed.

As a fix, we can add a flag to the outputcache settings. If the flag is active, add the user role to the cache key; this way we can have a role-specific cache. Cache eviction can be done when editing or deleting a role by referring to the role added to the cache key; this way, if permissions are changed, a new cache key is created.

sebastienros commented 3 years ago

Caching and authenticated users don't work well together. There is an option in OC to enable caching for authenticated users but it means that all users will share the cache, so in your case this option is not compatible. So either you need to disable the option and lose cache for authenticated users, or have it disabled dynamically by your feature when some "edit links" are rendered. Check if there is an extensibility point in the caching filter to do that dynamically and not just with the setting.

MatteoPiovanelli-Laser commented 3 years ago

I renamed the issue to better explain what we are proposing.

The issue we are seeing is in the case where authenticated users, depending on their roles, need to see different "stuff" in the frontend. One example of such cases is the one described by Elena, but there are others: suppose for instance that there is a Layer that is active only for a specific role (e.g. "VIP") per
https://github.com/OrchardCMS/Orchard/blob/d51418b2c11d4f3c02a8440e49e983b9bf53e374/src/Orchard.Web/Modules/Orchard.Roles/Conditions/RoleCondition.cs#L12
Users with the "VIP" role would have to see different things on their pages than users without it.

One way to do it would be to implement
https://github.com/OrchardCMS/Orchard/blob/10963275c355c23a6e67f365add4d0888770d36f/src/Orchard.Web/Modules/Orchard.OutputCache/ICachingEventHandler.cs#L6
The KeyGenerated implementation would basically add a list of the current user's roles to the cache key.

We would do this in a new feature in Orchard.Roles. This new feature will need to depend on Orchard.Roles and Orchard.OutputCache, at least. The feature would also need to handle evicting cached content when the permissions for a role change. (There are likely several other conditions where authenticated cached content should be evicted, but those are likely out of scope and hard to detect reliably without basically not caching anything.)

(Some of the things we are discussing solving here can be handled with a donut / donut-hole cache strategy, but I think that is generally fiddlier to set up, and as such would end up putting more of a burden on the people configuring the tenant, rather than on the server's memory.)
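The role-keyed cache proposed in this thread, as an added sketch that is not code from the thread's participants or from Orchard: it builds a canonical role suffix for a cache key and uses a per-role version so that a permission change produces a new key. `RoleCacheKey`, `AppendRoles`, `PermissionsChanged` and `Demo` are hypothetical names, the URLs and roles are constructed sample values, and wiring this into `ICachingEventHandler.KeyGenerated` is not shown.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;

// Hypothetical helper (not Orchard's API): appends the caller's roles to a cache key.
public static class RoleCacheKey
{
    // Per-role version; bumping it makes every key containing that role unreachable.
    // Stale entries are not deleted here, they simply stop matching and age out.
    private static readonly Dictionary<string, int> Versions = new Dictionary<string, int>();
    private static int VersionOf(string role) => Versions.TryGetValue(role, out var v) ? v : 0;

    // Call when a role is edited or deleted.
    public static void PermissionsChanged(string role)
    {
        lock (Versions) { Versions[role] = VersionOf(role) + 1; }
    }

    public static StringBuilder AppendRoles(StringBuilder key, IEnumerable<string> roles)
    {
        // Dedupe and sort so role order never splits the cache. Names are compared
        // exactly (ordinal): merging two distinct roles would leak content between them.
        var names = roles.Distinct().OrderBy(r => r, StringComparer.Ordinal).ToList();
        key.Append("roles=");
        lock (Versions)
        {
            // Length prefix stops role names containing ':' or ';' from colliding.
            foreach (var name in names)
                key.Append(name.Length).Append(':').Append(name)
                   .Append('@').Append(VersionOf(name)).Append(';');
        }
        return key;
    }
}

public static class Demo
{
    private static string KeyFor(string url, params string[] roles) =>
        RoleCacheKey.AppendRoles(new StringBuilder("url=" + url + ";"), roles).ToString();

    public static void Main()
    {
        Console.WriteLine(KeyFor("/blog", "Administrator"));        // user A (constructed)
        Console.WriteLine(KeyFor("/blog", "Editor", "Moderator"));  // user B gets a different key
        Console.WriteLine(KeyFor("/blog", "Moderator", "Editor") == KeyFor("/blog", "Editor", "Moderator"));
        RoleCacheKey.PermissionsChanged("Editor");
        Console.WriteLine(KeyFor("/blog", "Editor", "Moderator"));  // key after the role was edited
    }
}
```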

HermesSbicego-Laser commented 2 years ago

Closed via #8510