Multisite isolation in Sitefinity API

When configuring modules per site in the Multisite Management UI, the administrator can specify how the module data sources will be shared across the sites or whether to create a new data source for the module.

As a developer, you work with the Sitefinity API which expose the manager class under each module. For example, for the News module there is a NewsManager class. The manager works with providers, which are the data sources of the module. For an overview of the concepts, see Provider model.

In Sitefinity CMS versions before 14.0, Sitefinity API allows instantiating a manager that works with a provider that is not configured to be shared with the current site. It is possible to retrieve data from non-shared data source in the UI or using REST API via query string parameter when the name of the data source is known.

The following code demonstrates how to get all data sources (even non-shared ones):

RECOMMENDATION: The performance of the code below does not scale, because it depends on the number of sites, and it causes instantiating of data providers that are not in the scope if the current site. We recommended to avoid using such code, if possible.

Тhe code above returns all items from all sites, even those not shared with the current site.

In a setup of a virtual multitenancy where some sites belong to different organizations and each organization has its own site, it is not acceptable to allow one organization to access the data from another organization. That’s why, when multisite is active, we assume that if a data source is not shared with a specific site, it should not be accessible in the context of that site.

Sitefinity CMS 14.0 introduces a new configuration setting, available under Administration » Settings » Advanced » Multisite » Cross site data access restriction level with the default set to Restricted.

With that setting’s default configuration, the code above, when run in the context of a based on Sitefinity CMS 14.0, could throw an exception of type MissingProviderConfigurationException for non-shared providers on NewsManager.GetManager([non-shared-provider-name]). The exception is: "The data provider with the name of "[non-shared-provider-name]" is not accessible in the current context for "NewsManager" manager. Please check the spelling of the name and whether the provider is shared with the current site".

To avoid such exception, if you need to access the non-shared providers, use the AllProvidersAccessRegion class as follows:

Increase your Sitefinity skills by signing up for our free trainings. Get Sitefinity-certified at Progress Education Community to boost your credentials.

Get started with Integration Hub | Sitefinity Cloud | Sitefinity SaaS

This free lesson teaches administrators, marketers, and other business professionals how to use the Integration hub service to create automated workflows between Sitefinity and other business systems.

Web Security for Sitefinity Administrators

This free lesson teaches administrators the basics about protecting yor Sitefinity instance and its sites from external threats. Configure HTTPS, SSL, allow lists for trusted sites, and cookie security, among others.

Foundations of Sitefinity ASP.NET Core Development

The free on-demand video course teaches developers how to use Sitefinity .NET Core and leverage its decoupled architecture and new way of coding against the platform.

Was this article helpful?