Multisite isolation in Sitefinity API
When configuring modules per site in the Multisite Management UI, the administrator can specify how the module data sources will be shared across the sites or whether to create a new data source for the module.
As a developer, you work with the Sitefinity API which expose the manager class under each module. For example, for the News module there is a
NewsManager class. The manager works with providers, which are the data sources of the module. For an overview of the concepts, see Provider model.
In Sitefinity CMS versions before 14.0, Sitefinity API allows instantiating a manager that works with a provider that is not configured to be shared with the current site. It is possible to retrieve data from non-shared data source in the UI or using REST API via query string parameter when the name of the data source is known.
The following code demonstrates how to get all data sources (even non-shared ones):
RECOMMENDATION: The performance of the code below does not scale, because it depends on the number of sites, and it causes instantiating of data providers that are not in the scope if the current site. We recommended to avoid using such code, if possible.
Тhe code абове returns all items from all sites, even those not shared with the current site.
In a setup of a virtual multitenancy where some sites belong to different organizations and each organization has its own site, it is not acceptable to allow one organization to access the data from another organization. That’s why, when multisite is active, we assume that if a data source is not shared with a specific site, it should not be accessible in the context of that site.
Sitefinity CMS 14.0 introduces a new configuration setting, available under Administration » Settings » Advanced » Multisite » Cross site data access restriction level with the default set to Restricted.
With that setting’s default configuration, the code above, when run in the context of a based on Sitefinity CMS 14.0, could throw an exception of type
MissingProviderConfigurationException for non-shared providers on
NewsManager.GetManager([non-shared-provider-name]). The exception is: "The data provider with the name of "[non-shared-provider-name]" is not accessible in the current context for "NewsManager" manager. Please check the spelling of the name and whether the provider is shared with the current site".
To avoid such exception, if you need to access the non-shared providers, use the AllProvidersAccessRegion class as follows: