Forums (Obsolete)

Member

ecomm - 3/22/2006 6:50:04 PM

Security issue

Hi
I am using the starter system, and have "public" access switched off for the "Partners" menu item and the 3 sub-menu items. I have set up a role ("clubadmin") that allows access to "All" and "Gold" partner pages - but NOT "silver".
When I attempt to access the partners pages I (correctly) am challenged with the logon page. When I logon with the "clubadmin" user the right hand menu correctly only displays the "All" and "Gold" links.
However if I roll over the "Partners" menu item, I can see all 3 sub-menu items, and when I click on "Silver" (from the sub-menu) I am allowed to see the "Silver" page - which this user should NOT be able to see.

Firstly - should I be able to see the "Silver" sub-menu item when I roll over the "Partners" menu item ?
Secondly - if so, then I should surely NOT be able to access the "silver" page when I click on this sub-menu item.

Can I prevent this ?

many thanks
ajm


Guest	admin - 3/23/2006 2:14:30 PM Re: Security issue Hello, this requires a little more configuration. Please see Kentico CMS Developer's Guide -> Knowledge Base -> KB0016 - Displaying menu for public or authenticated users. Best Regards,


Member	ecomm - 3/27/2006 1:11:42 AM Re: Security issue Hi I have followed this document - and it is certainly hidden from the treemenu on the right hand side. But the page name is still shown on the drop-down list from the menu bar - it is this that I want to hide. thanks tm


Member	ecomm - 3/27/2006 12:43:19 PM Re: Security issue . . . or even if they can see it on the DD menu, disallow them from seeing it - by sending them to the logon page, perhaps, many thanks ajm

Guest

admin - 3/27/2006 4:25:16 PM

Re: Security issue

Hello,

could you please write me if you have created the public user? If so, can you see the menu item as a non-authenticated user?

Also, could you please check if you set the CMSMenu.CheckPermissionsForUserID value in your code? You should use a code like this:

[VB.NET]

Dim userID As Integer = Functions.GetUserID
If userID = 0 Then
‘user is not authenticated – use public user’s permissions
CMSMenu1.CheckPermissionsForUserID = <put userID of user “public” here>
else
‘display content for particular authenticated user
CMSMenu1.CheckPermissionsForUserID = userID
end if

[C#]
int userID = Functions.GetUserID();
if (userID == 0)
{
//user is not authenticated – use public user’s permissions
CMSMenu1.CheckPermissionsForUserID = <put userID of user “public” here>;
}
else
{
//display content for particular authenticated user
CMSMenu1.CheckPermissionsForUserID = userID;
}

Best Regards,

Member

ecomm - 3/27/2006 4:34:25 PM

Re: Security issue

Hi Petr
Yes - I have a public user - and get the same problem when I log on with him. All pages should be hidden from him - but he can still see them. The rightmenu, however, is hidden as expected.
I have modified the "Partners" page as follows . . .
RightMenu.SelectNodesPath = Functions.GetPathLevel(Functions.GetAliasPath, 1) & "/%"
SignOutButton1.Visible = User.Identity.IsAuthenticated

Dim userID As Integer = Functions.GetUserID
If userID = 0 Then
'user is not authenticated – use public user’s permissions
RightMenu.CheckPermissionsForUserID = 2
CMSPageManager1.CheckPermissionsForUserID = 2
Else
'display content for particular authenticated user
RightMenu.CheckPermissionsForUserID = userID
CMSPageManager1.CheckPermissionsForUserID = userID
End If
where my public user is id=2.
thanks
ajm


Guest	admin - 3/27/2006 4:38:13 PM Re: Security issue Thank you for the details. Have you done the same for the main menu (Header.ascx or MainMenu.master file, depending on version you are using)? Regards,


Member	ecomm - 3/28/2006 3:30:43 PM Re: Security issue Hi Petr OK - I can see how it works now . . . many thanks ajm