Technical support This forum is closed.
Version 1.x > Technical support > Security issue
Member
ecomm - 3/22/2006 6:50:04 PM
   
Security issue
Hi
I am using the starter system, and have "public" access switched off for the "Partners" menu item and the 3 sub-menu items. I have set up a role ("clubadmin") that allows access to "All" and "Gold" partner pages - but NOT "silver".
When I attempt to access the partners pages I (correctly) am challenged with the logon page. When I logon with the "clubadmin" user the right hand menu correctly only displays the "All" and "Gold" links.
However if I roll over the "Partners" menu item, I can see all 3 sub-menu items, and when I click on "Silver" (from the sub-menu) I am allowed to see the "Silver" page - which this user should NOT be able to see.

Firstly - should I be able to see the "Silver" sub-menu item when I roll over the "Partners" menu item?
Secondly - if so, then I should surely NOT be able to access the "silver" page when I click on this sub-menu item.

Can I prevent this?

many thanks
ajm

Guest
admin - 3/23/2006 2:14:30 PM
   
Re: Security issue
Hello,

this requires a little more configuration. Please see Kentico CMS Developer's Guide -> Knowledge Base -> KB0016 - Displaying menu for public or authenticated users.

Best Regards,

Member
ecomm - 3/27/2006 1:11:42 AM
   
Re: Security issue
Hi
I have followed this document - and it is certainly hidden from the treemenu on the right hand side.
But the page name is still shown on the drop-down list from the menu bar - it is this that I want to hide.

thanks
tm

Member
ecomm - 3/27/2006 12:43:19 PM
   
Re: Security issue
. . . or even if they can see it on the DD menu, disallow them from seeing it - by sending them to the logon page, perhaps,
many thanks
ajm

Guest
admin - 3/27/2006 4:25:16 PM
   
Re: Security issue
Hello,

could you please write me if you have created the public user? If so, can you see the menu item as a non-authenticated user?

Also, could you please check if you set the CMSMenu.CheckPermissionsForUserID value in your code? You should use a code like this:

[VB.NET]

    Dim userID As Integer = Functions.GetUserID
    If userID = 0 Then
        ' user is not authenticated - use public user's permissions
        CMSMenu1.CheckPermissionsForUserID = <put userID of user "public" here>
    Else
        ' display content for particular authenticated user
        CMSMenu1.CheckPermissionsForUserID = userID
    End If

[C#]

    int userID = Functions.GetUserID();
    if (userID == 0)
    {
        // user is not authenticated - use public user's permissions
        CMSMenu1.CheckPermissionsForUserID = <put userID of user "public" here>;
    }
    else
    {
        // display content for particular authenticated user
        CMSMenu1.CheckPermissionsForUserID = userID;
    }

Best Regards,

Member
ecomm - 3/27/2006 4:34:25 PM
   
Re: Security issue
Hi Petr
Yes - I have a public user - and get the same problem when I log on with him. All pages should be hidden from him - but he can still see them. The rightmenu, however, is hidden as expected.
I have modified the "Partners" page as follows . . .

    RightMenu.SelectNodesPath = Functions.GetPathLevel(Functions.GetAliasPath, 1) & "/%"
    SignOutButton1.Visible = User.Identity.IsAuthenticated

    Dim userID As Integer = Functions.GetUserID
    If userID = 0 Then
        ' user is not authenticated - use public user's permissions
        RightMenu.CheckPermissionsForUserID = 2
        CMSPageManager1.CheckPermissionsForUserID = 2
    Else
        ' display content for particular authenticated user
        RightMenu.CheckPermissionsForUserID = userID
        CMSPageManager1.CheckPermissionsForUserID = userID
    End If

where my public user is id=2.
thanks
ajm

Guest
admin - 3/27/2006 4:38:13 PM
   
Re: Security issue
Thank you for the details. Have you done the same for the main menu (Header.ascx or MainMenu.master file, depending on version you are using)?

Regards,

Member
ecomm - 3/28/2006 3:30:43 PM
   
Re: Security issue
Hi Petr
OK - I can see how it works now . . .

many thanks
ajm
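
Added example, not part of the original thread and not Kentico's own code: the problem above came from setting CheckPermissionsForUserID on the right-hand menu and page manager but not on the main menu, so this helper walks the whole control tree and sets the property on every control that exposes it. The class name MenuPermissionScope and the publicUserId parameter are hypothetical, and the property is assumed to be an integer, as the assignments in the thread suggest.

```csharp
using System;
using System.Reflection;
using System.Web.UI;

// Added example (hypothetical helper, not part of Kentico CMS).
public static class MenuPermissionScope
{
    // Property name taken from the thread. It is resolved by reflection so the
    // helper needs no compile-time reference to the CMS control types.
    private const string PropertyName = "CheckPermissionsForUserID";

    // Sets CheckPermissionsForUserID on every control under 'root' that has it.
    // currentUserId: value of Functions.GetUserID (0 means not authenticated).
    // publicUserId:  ID of the site's "public" user (site-specific, assumption).
    // Returns the number of controls configured so the caller can log or check it.
    public static int Apply(Control root, int currentUserId, int publicUserId)
    {
        if (root == null) throw new ArgumentNullException("root");

        // Same rule as in the thread: anonymous visitors get the public user's rights.
        int effectiveUserId = (currentUserId == 0) ? publicUserId : currentUserId;
        return ApplyRecursive(root, effectiveUserId);
    }

    private static int ApplyRecursive(Control control, int userId)
    {
        int configured = 0;

        PropertyInfo prop = control.GetType().GetProperty(
            PropertyName, BindingFlags.Public | BindingFlags.Instance);

        // Assumption: the property is a writable int, as the thread's code implies.
        if (prop != null && prop.CanWrite && prop.PropertyType == typeof(int))
        {
            prop.SetValue(control, userId, null);
            configured++;
        }

        // Descend into child controls, including those inside user controls
        // (such as a header) and master pages, once they are part of the tree.
        foreach (Control child in control.Controls)
        {
            configured += ApplyRecursive(child, userId);
        }
        return configured;
    }
}
```

Call MenuPermissionScope.Apply(Page, Functions.GetUserID(), publicUserId) at the point where the thread's code sets the property by hand. A return value lower than the number of menu and page-manager controls on the page means one of them is still unfiltered.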