Sitecore Security Acronyms – ar|au|pe|pd – What Do They Mean?

If you’ve ever explored the SharedFields table of the Sitecore content database, you might have noticed occasionally seeing field values like this:

ar|sitecore\Sitecore Client Maintaining|pe|+item:create|+item:delete|+item:publish|+item:write|pd|+item:create|+item:delete|+item:publish|+item:write|

You may also notice that the FieldId you see in rows that contain that value is always the same. It’s the __Security field of course, which is a shared field used across all Sitecore items. Makes sense, we are querying a table called SharedFields.

So what does this field value mean? To find this out, I simply checked the value of the __Security field on the item specified in the row. You may have to check Standard fields in the View tab to see this field. Scroll down to the Security field section and expand it, and you will see the permissions that role has to this item. You can also see the original string if you check Raw values in the View tab.

To understand what the four individual acronyms mean, I had to do some educated guessing based on how the permissions appear in Access Viewer:

  • ar – Permission applies to a role
  • au – Permission applies to a user
  • pe – Item-level permissions
  • pd – Descendant-level permissions

Additionally, a + sign in front of an item:action means permission was granted. A – sign means permission was denied.

I didn’t really have to know this, I was just curious. Hopefully this explains it for others out there too. If you have any additional information to share, please leave a comment!

 

Advertisements

#dotNETConf, Day 1 – Summary

Day 1 is in the books! I’ll admit I didn’t see everything, only certain sessions, but I thought I’d share what I got out of the free, virtual .NET conference hosted by Microsoft on Channel 9.

Keynote – Scott Hunter

I loved the Keynote; they got right to the heart of what’s new and cool with .NET, specifically explaining what .NET Standard is, how .NET Core is evolving and such. They went over the new templating engine – how you can use dotnet new in a console to create a new project without the need for Visual Studio. That command will show a list of available projects you can create. You would then run dotnet new Console, for instance, to create a new C# Console application.

One really cool thing they showed was the ability to edit a .csproj file without having to unload the project. I am LOVING these quality of life improvements Microsoft has been rolling out! In fact, last week I learned that in Visual Studio 2015 you can evaluate lambda expressions in a Watch window, which blew my mind, so I can’t wait to start using the newer versions of this great IDE.

Scott then showed Razor Pages, which as Razor views with .cshtml.cs code behind files included. Pretty cool, seems like MVC for Slackers basically. Probably not for me personally. Then, he showed Application Insights and Snapshots in Azure, which can provide detailed information about errors the application ran into. Good stuff.

Mobile .NET – Miguel de Icaza

Miguel showed a really cool feature of Visual Studio for Mac, where you can specify code to be run live. Meaning any change you make to the code will automatically propagate to the mobile phone / front end without having to save the file. He also shared something called the Embedinator-4000, which basically turns any .NET library into a native library, and it supports a range of things:

embedinator4000.png

Visual Studio 2017 & C# 7.x – Mads Torgersen

New notable features are available in VS 2017, including:

  1. Code Styles – setting code standards in the IDE. VS will tell you when you deviate from the standards you set up.
  2. Live Unit Testing – as you are writing a class, or a controller, you can have a unit test running and providing pass/fail information as you type
  3. Smudges – small dots under a class name that might indicate suggestions – one example:

smudge.png

.NET Foundation – Jon Galloway

This session explained what .NET Standard is and how they are improving it. I thought .NET Standard meant .NET Framework before I attended this session. .NET Standard is a set of APIs that all .NET platforms have to implement (including .NET Framework). It’s a specification, not a thing you install, and it’s primary use is code reuse across all platforms that use it. The higher your .NET Standard version, the more APIs you get; the lower the version, the more platforms support it. Jon demoed a web application that shows which APIs are available in which .NET Standard versions; I don’t think it’s live anywhere, but looks pretty useful.

Diagnostics 101 – Jon Skeet

The purpose of this task was to inform people how to diagnose and troubleshoot programming issues better, before posting on Stack Overflow. That’s something I was guilty of when I first starting writing code so I can relate. The ones I got the most out of:

  • Divide and Conquer – Reduce the size of the codebase you’re looking at when trying to solve a problem. Essentially, he’s saying that you need to do some trial and error, eliminate some pieces of code that you think may be where the bug is hiding, and keep doing that until you uncover the bug. It’s common sense to me.
  • Challenge Assumptions – Your code is probably wrong. Question everything. This is basically what happens to me every time I start writing a Stack Overflow question. There are so many questions I started that I didn’t end up submitting because I realized what the problem was while I was typing it into the site, it’s incredible.
    • Things to be skeptical of:
      • Your code
      • The debugger’s immediate window – if it seems off, don’t trust it
      • In Watch, beware of the debugger’s string repesentation

Summary

Overall, really good first day. Not sure how much I’ll be tuning in for Day 2, unless I have absolutely nothing else to do.

#MKEDOTNET 2017 was a blast!

This past Saturday I attended MKE DOT NET for the third time. MKE DOT NET is a .NET developer conference based in the Milwaukee area. The previous two years the conference was held in a hotel in Pewaukee. This year, they changed things up a bit and hosted it at Potowatomi Casino near downtown Milwaukee. Getting there was a bit difficult because there were a lot of closed off streets, but once I got there it was really nice.

Keynote Speaker: Maria Naggaga

Lots of people are interested in developing in .NET, but the main complaint was that it’s too difficult to learn. Maria presented some up and coming options to make .NET easier to learn for people who are currently developing in other frameworks and languages, like Python or Ruby for example.

First, she listed off some recommended code school sites. This was helpful for me because I’ve been trying to get my brother into coding with .NET and C#. Sites included Free Code Camp, Code School, Treehouse, and Javascript.com. Next, she showed an upcoming version of docs.microsoft.com, which will include everything in the current Docs site, but added a Run button for every code snippet. That part wowed me; I know one of the big annoyances with developers learning .NET was having to install Visual Studio to do any coding, so this goes around that. Great job MSFT!

After the keynote, I attended several sessions. I will list out the sessions which I got the most out of below:

Hardening Your ASP.NET Core Applications – Brice Williams and Robert Hansen

This session went over securing ASP.NET Core applications. Brice and Bob showed how to enforce HTTPS on a site at the global level or controller level. Additionally, they went through some common security risks, such as Cross Site Scripting (XSS) and Cross Site Request Forgery ( CSRF), and how to counteract those in your application. One cool thing I learned was that Javascript UI frameworks like React or Angular will do the HTML encoding for you as a way to protect against CSRF. The most important point made was to not create a security system yourself; it is extremely difficult and there’s probably a system available that someone else made that would work for you.

Cool SQL Server Features Every Developer Should Know About – David Berry

This presentation went over some new features in SQL Server 2016:

  1. Temporal tables – Every time a row is changed, SSMS keeps a snapshot of the old row values. This allows us to see what the value in a column was at any given date and time. The history table is created and maintained automatically by SQL Server, removing the need for us to write triggers.
  2. JSON Support – Allows you to store JSON data in a VARCHAR() data type. There are some new functions that go along with this, such as JSON_VALUE to get a value from a JSON object,  and JSON_QUERY to pull out an entire array or object.

David also showed Windowing Functions, which was actually released with SQL Server 2008 and later. “Group By on steroids”, Windowing Functions can partition and aggregate data by different criteria in the same statement. One example was the RANK() function, which can find the highest value, partitioning over various columns, and provide a rank for each row. I really need to look into these functions more…

Building Reusable UI Components in ASP.NET Core MVC – Scott Addie

.vbhtml files exist. It’s true. That wasn’t the point of this talk though. Scott showed us a brand new feature in ASP.NET Core V1 called Tag Helpers. Using this feature you can express server-side processing via HTML elements. An example would be:

<hand player="John">

Hand is the class, Player is a property of Hand. Tag Helpers are really cool for a few reasons:

  1. They offer great IntelliSense support.
  2. They eliminate context switching between HTML and C# that you would get with Razor.
  3. They were designed with testing in mind.

One other cool thing I learned is the C# nameof() feature, which can  be used to avoid hard coding class name strings. Usage: i.e. nameof(MyClass) would output “MyClass” as a string.

Conclusion

This event keeps getting better every year. Particlarly, the SQL Server Features and UI Components sessions amazed me! I learned a lot of cool things in this conference, and made note of a lot of things to look into so that I can learn more. Thanks Centare for hosting another great MKE DOT NET!

How to Disable or Enable a Field in SPEAK

I’m not sure if Sitecore Rocks is the only way to do this, but I recently had to enable a disabled field of a SPEAK form. I figured you would be able to change field settings  in the content editor of Core, but I couldn’t find any way to do it from there. This post will describe how to change field properties through Sitecore Rocks; if there is another way to do this, please let me know through the comments. In my case, I was using SPEAK 2 with Sitecore 8.1.

  1. Open your instance via Sitecore Rocks and navigate to your app’s task page in the Core database.
  2. Right click the Item and select Tasks -> Design Layout.
  3. You should see some fields under Renderings and Placeholders. Double click the field you wish to edit.
  4. On the right, a properties dialog will appear.
    1. To disable the field – which will prevent text entry and make the background gray – set IsEnabled to False, IsReadOnly to True and add disabled=disabled to the  Parameters field.
    2. To enable the field, set IsEnabled to True, IsReadOnly to False and remove the disabled=disabled parameter.

Hopefully this helps other SPEAK developers out there! Feedback is appreciated.

Executing a mass check-in of locked items in Sitecore

Recently I was tasked with finding a way to check-in all locked items in a client’s Sitecore environment. Since Sitecore allows you to lock items for editing to prevent concurrent modifications, and some users never removed their lock, we had a frequent problem with items that were locked by users that did not even work there anymore.

The method of accomplishing this was pretty clear from the get-go. It was time for another Sitecore PowerShell Extensions script!

Creating our Script

I knew PowerShell was the answer, but I wasn’t too well versed with it yet. Sitecore PowerShell Extensions (SPE) is pretty powerful though, since you can access the Sitecore item API through it just as you would through code, so I knew it wouldn’t be that hard once I got through the necessary hiccups.

The logic:

  • Start in the context of the master database.
  • Loop through every item in the content tree, recursively.
  • Then, loop through every version of the current item, since it’s possible that only some of the versions of an item will be locked.
  • Check if the item is locked. If so, open it for editing and unlock it. Then close it for editing.

The script:

<# .SYNOPSIS Check in all locked items in master. .BY Paul Aldrich .DATE 5/3/2017 .UPDATE LOG #>
Write-Host "Starting work in the context of the 'master' database."
Set-Location -Path master:\content
$itemsProcessed = 0;
$itemsUnlocked = 0;
foreach ($item in Get-ChildItem . -Recurse)
{
   foreach ($version in $item.Versions.GetVersions())
   {
      $itemsProcessed = $itemsProcessed + 1;

      <# For any item in the content node, check if locked. If so, check it in. #>
      if ($version.Locking.IsLocked())
      {
         Write-Host "Unlocking item"
         $version.Editing.BeginEdit();
         $version.Locking.Unlock();
         $version.Editing.EndEdit();
         $itemsUnlocked = $itemsUnlocked + 1;
      }
   }
}
Write-Host "The script has completed."
Write-Host ("{0} items have been processed." -f $itemsProcessed)
Write-Host ("{0} items were locked and are now checked in." -f $itemsUnlocked)

The script should be pretty straightforward, but let me know if you have any questions in the comments.

Completion

This was a really simple, yet powerful script to make, and the best part is its reusability. Don’t forget, you can check your work by running the Locked Items script that comes with SPE and search for locked items by user.