Again, the lack of IIdentity in the API.
With identities like the WindowsIdentity, the user's username (the name property) has no use for the system. The important part is the user's token.
If you would follow the path (using Reflector) from the call to Roles.GetRolesForUser() until the reply from WindowsTokeRoleProvider.GetRolesForUser(string username), you would see the following steps:
- System.Web.Security.Roles.GetRolesForUser() gets the current user's username from the current user's identity.
- System.Web.Security.Roles.GetRolesForUser(string username) is called with the name from the previously obtained identity.
- If the default role provider is the WindowsTokenRoleProvider, WindowsTokeRoleProvider.GetRolesForUser(string username) is called.
- WindowsTokeRoleProvider.GetRolesForUser(string username) gets the current user's username from the current user's identity. If the provided username matches the name in the current identity, the token is retrieved from the identity and used to get the user's roles. If it's not a match, an exception is thrown.
Wouldn't it be better if it was just as simple as this?
- System.Web.Security.Roles.GetRolesForUser() gets the current user's identity and uses it to call WindowsTokeRoleProvider.GetRolesForUser(IIdentity user).
- WindowsTokeRoleProvider.GetRolesForUser(IIdentity user) checks if the provided user is a WindowsIdentity. If it is, the token is retrieved from the identity and used to get the user's roles. If it's not, an exception is thrown.
This enhancement could be achieved within the Orcas timeframe, just by adding a few overloads to the Roles and RoleProvider classes.
public class RoleProvider
{
// ...
/// <summary>
/// Gets a list of the roles that a specified user is in for the configured applicationName.
/// </summary>
/// <param name="user">The identity to return a list of roles for.</param>
/// <returns>
/// A string array containing the names of all the roles that the specified user is in for the configured applicationName.
/// </returns>
public virtual string[] GetRolesForUser(IIdentity user)
{
return this.GetRolesForUser(user.Name);
}
/// <summary>
/// Gets a value indicating whether the specified user is in the specified role for the configured applicationName.
/// </summary>
/// <param name="user">The user identity to search for.</param>
/// <param name="roleName">The role to search in.</param>
/// <returns>
/// true if the specified user is in the specified role for the configured applicationName; otherwise, false.
/// </returns>
public virtual bool IsUserInRole(IIdentity user, string roleName)
{
return IsUserInRole(user.Name, roleName);
}
}
public static class Roles
{
// ...
/// <summary>
/// Gets a list of the roles that the currently logged-on user is in.
/// </summary>
/// <exception cref="T:System.Configuration.Provider.ProviderException">Role management is not enabled.</exception>
/// <exception cref="T:System.ArgumentNullException">There is no current logged-on user.</exception>
/// <returns>
/// A string array containing the names of all the roles that the currently logged-on user is in.
/// </returns>
public static string[] GetRolesForUser()
{
return Roles.GetRolesForUser(Roles.GetCurrentUser());
}
/// <summary>
/// Gets a list of the roles that the currently logged-on user is in.
/// </summary>
/// <param name="user">The identity to return a list of roles for.</param>
/// <exception cref="T:System.Configuration.Provider.ProviderException">Role management is not enabled.</exception>
/// <exception cref="T:System.ArgumentNullException">There is no current logged-on user.</exception>
/// <returns>
/// A string array containing the names of all the roles that the currently logged-on user is in.
/// </returns>
public static string[] GetRolesForUser(IIdentity user)
{
// ...
roles = Roles.Provider.GetRolesForUser(user);
// ...
}
}
Then, the existing providers could be optimized according this new arhitecture.
If you agree with me, vote in my suggestion.