How to Restrict Users to a Specific Member Group in Umbraco and Prevent Unauthorized Saves?

Question

I'm trying to restrict users in Umbraco so that users with the "collarDatabase" role can only add members to the "Collar_Database" member group. If a user attempts to add a member to any other group, the operation should fail, and no changes should be saved. I’m using MemberSavingNotification to cancel the save if unauthorized groups are detected. The problem is that the handler triggers multiple times for the same request and the member changes are still saved even after calling notification.CancelOperation(). The UI shows first that is saved, followed by three error messages that the user is unauthorized. How can I ensure the handler runs only once per request and that the save is completely blocked if unauthorized groups are detected?

Here is my handler.cs:

using Microsoft.Extensions.Logging;
using System;
using System.Collections.Concurrent;
using System.Linq;
using Umbraco.Cms.Core.Events;
using Umbraco.Cms.Core.Notifications;
using Umbraco.Cms.Core.Security;
using Umbraco.Cms.Core.Services;

public class RestrictMemberGroupEditHandler : INotificationHandler
{
    private readonly ILogger _logger;
    private readonly IMemberService _memberService;
    private readonly IBackOfficeSecurityAccessor _backOfficeSecurityAccessor;

    private static readonly ConcurrentDictionary ProcessedRequestIds = new ConcurrentDictionary();

    public RestrictMemberGroupEditHandler(
        ILogger logger,
        IMemberService memberService,
        IBackOfficeSecurityAccessor backOfficeSecurityAccessor)
    {
        _logger = logger;
        _memberService = memberService;
        _backOfficeSecurityAccessor = backOfficeSecurityAccessor;
    }

    public void Handle(MemberSavingNotification notification)
    {
        // Get a unique identifier for the current request
        string requestId = GetRequestId();

        if (ProcessedRequestIds.ContainsKey(requestId))
        {
            _logger.LogInformation("Skipping execution for RequestId {RequestId} as it has already been processed.", requestId);
            return;
        }

        ProcessedRequestIds.TryAdd(requestId, true);

        var currentUser = _backOfficeSecurityAccessor.BackOfficeSecurity?.CurrentUser;

        if (currentUser == null)
        {
            _logger.LogWarning("No current backend user found.");
            return;
        }

        _logger.LogInformation("RestrictMemberGroupEditHandler triggered for user: {UserName}", currentUser.Name);

        if (!currentUser.Groups.Any(g => g.Alias == "collarDatabase"))
        {
            _logger.LogInformation("User {UserName} is not in the 'Collar_Database' role. No restriction applied.", currentUser.Name);
            return;
        }

        foreach (var member in notification.SavedEntities)
        {
            var assignedGroups = _memberService.GetAllRoles(member.Username).ToList();

            _logger.LogInformation("Groups being assigned to member {MemberName}: {Groups}",
                member.Name,
                string.Join(", ", assignedGroups));

            // Check for unauthorized groups
            var unauthorizedGroups = assignedGroups.Where(group => group != "Collar_Database").ToList();

            if (unauthorizedGroups.Any())
            {
                _logger.LogWarning("User {UserName} attempted to add member {MemberName} to unauthorized groups: {Groups}",
                    currentUser.Name,
                    member.Name,
                    string.Join(", ", unauthorizedGroups));

                notification.CancelOperation(new EventMessage(
                    "Access Denied",
                    $"You can only assign members to the 'Collar_Database' group. Unauthorized groups: {string.Join(", ", unauthorizedGroups)}",
                    EventMessageType.Error));

                return;
            }
        }

        ProcessedRequestIds.TryRemove(requestId, out _);
    }

    private string GetRequestId()
    {
        return System.Guid.NewGuid().ToString();
    }
}

Here is my composer:

using Umbraco.Cms.Core.Composing;
using Umbraco.Cms.Core.DependencyInjection;
using Umbraco.Cms.Core.Notifications;

public class RestrictMemberGroupEditComposer : IComposer
{
    public void Compose(IUmbracoBuilder builder)
    {
        builder.AddNotificationHandler();
    }
}

Here’s the log from when John Smith tries to add John Doe to an unauthorized group. .

{"@t":"2024-12-09T01:04:51.369Z","@mt":"RestrictMemberGroupEditHandler triggered for user: {UserName}","UserName":"John Smith"}
{"@t":"2024-12-09T01:04:51.372Z","@mt":"Groups being assigned to member {MemberName}: {Groups}","MemberName":"John Doe","Groups":"example-group, Collar_Database"}
{"@t":"2024-12-09T01:04:51.372Z","@mt":"User {UserName} attempted to add member {MemberName} to unauthorized groups: {Groups}","UserName":"John Smith","MemberName":"John Doe","Groups":"example-group"}
{"@t":"2024-12-09T01:04:51.405Z","@mt":"RestrictMemberGroupEditHandler triggered for user: {UserName}","UserName":"John Smith"}
{"@t":"2024-12-09T01:04:51.406Z","@mt":"Groups being assigned to member {MemberName}: {Groups}","MemberName":"John Doe","Groups":"example-group, Collar_Database"}
{"@t":"2024-12-09T01:04:51.407Z","@mt":"User {UserName} attempted to add member {MemberName} to unauthorized groups: {Groups}","UserName":"John Smith","MemberName":"John Doe","Groups":"example-group"}

How to Restrict Users to a Specific Member Group in Umbraco and Prevent Unauthorized Saves?

Answers (1)

Related Questions