API Questions on Kentico API.
Version 5.x > API > document security
Member
spectro-jarlen - 10/1/2011 2:00:31 PM
   
document security
I've looked all over for an answer on this, but was unable to find help.

I would like to apply security to a single page so that only one type of role can access it. All other roles would get an access denied message.

On the document, under Properties -> Security, I have added a special role I created and given it read access. I also added in "Authenticated Users", "Everyone", "Public Anonymous User (Public)" as users with all access denied (all the deny checkboxes are checked).

I created a new user that has no roles applied, just a regular user. This user is still able to see the page. How do I prevent anyone from seeing the page except for the special role I created?

Thanks for your help!

Member
kentico_michal - 10/3/2011 12:23:55 AM
   
RE:document security
Hello,

Could you please make sure that you have also set the Requires authentication property [Security tab] to true?

Best regards,
Michal Legen

Member
spectro-jarlen - 10/4/2011 2:59:43 PM
   
RE:document security
The "Requires authentication" is set to true. When I go to the page as a public user, it prompts me to log in. This is expected behaviour. However, I only want to allow users of a specific role to be able to access the content (role = "wholesale" - a newly defined role I created). Unfortunately, any user, regardless of role, upon logging in, can see the content. Is there any way to prevent all users from accessing that page except for those users who have the role "wholesale"?

thanks!
Jarlen

Settings are:
"Authenticated Users" DENY: ALL
"Everyone" DENY: ALL
"Public Anonymous User (Public)" DENY: ALL
"Wholesale" ALLOW: READ

Member
kentico_michal - 10/15/2011 10:40:21 PM
   
RE:document security
Hello,

The problem is that the user who is assigned to the Wholesale role is also automatically assigned to the authenticated role, which is a special role. Since the authenticated role has Deny permission for Read and Deny permission takes priority, all users are not allowed to see a given page. You need to set Deny for everyone on the root document of the content tree, then break inheritance on a given document and set Allow only for the one role you need. Another way could be creating a custom web part which would check if the current user is assigned to some role and, if not, you can redirect him to a denied page.

Best regards,
Michal Legen
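
The deny-over-allow evaluation described in the reply above, as an added example that is not part of the original thread and is not Kentico API code. All type and member names are hypothetical, and the model assumes that a user with no matching Allow entry gets no access.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Simplified model, not Kentico API: all type and member names are hypothetical.
class DocAcl
{
    public DocAcl Parent;
    public bool Inherits = true;   // false = inheritance broken on this document
    public HashSet<string> AllowRead = new HashSet<string>();
    public HashSet<string> DenyRead = new HashSet<string>();
}

static class AclModel
{
    // Special roles every logged-in user holds in addition to assigned roles.
    static readonly string[] Implicit = { "Authenticated Users", "Everyone" };

    public static bool CanRead(DocAcl doc, params string[] assignedRoles)
    {
        var roles = new HashSet<string>(assignedRoles.Concat(Implicit));
        bool allowed = false;
        // Collect entries from the document up to the first broken inheritance.
        for (var d = doc; d != null; d = d.Inherits ? d.Parent : null)
        {
            if (d.DenyRead.Overlaps(roles)) return false;   // any deny wins
            if (d.AllowRead.Overlaps(roles)) allowed = true;
        }
        return allowed;   // assumption: no matching allow means no access
    }

    static void Main()
    {
        // Constructed case 1: the settings listed in the thread.
        var page = new DocAcl();
        page.AllowRead.Add("Wholesale");
        page.DenyRead.UnionWith(new[] { "Authenticated Users", "Everyone" });
        Console.WriteLine("thread settings, Wholesale user: " + CanRead(page, "Wholesale"));

        // Constructed case 2: deny on the root, inheritance broken on the page.
        var root = new DocAcl();
        root.DenyRead.Add("Everyone");
        var fixedPage = new DocAcl { Parent = root, Inherits = false };
        fixedPage.AllowRead.Add("Wholesale");
        Console.WriteLine("suggested setup, Wholesale user: " + CanRead(fixedPage, "Wholesale"));
        Console.WriteLine("suggested setup, user without roles: " + CanRead(fixedPage));
    }
}
```

Leaving `Inherits` at `true` on the page in the second case makes the root's Deny for Everyone apply to the Wholesale user as well, which is why the reply pairs the root Deny with breaking inheritance.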

Member
spectro-jarlen - 11/15/2011 8:25:11 AM
   
RE:document security
Thanks for the suggestion Michal. I was able to resolve it by creating a custom web part which allows me to select which user to authorize against and which page to redirect to if the current user doesn't match the selected user. It works perfectly.

Guest
Yasvh - 7/3/2013 9:58:21 AM
   
RE:document security
I am doing the same thing, as I have created a custom login form with authentication against LDAP. I am creating the user in the CMS and checking if the user exists in the CMS, is enabled and is a domain user. Authentication is working fine, but I would like to assign a CMS role and add that user to that role so only users from that role can view the page. How can I add CMS role code to the custom page?

Any help will be appreciated.

Thanks,

Kentico Support
kentico_jurajo - 7/5/2013 1:39:29 AM
   
RE:document security
Hi,

Have you tried using the user roles API for adding user to a role in your custom code? Or, you can also use this method:

CMS.SiteProvider.UserInfoProvider.AddUserToRole(...)


Best regards,
Juraj Ondrus

Member
Yash - 7/5/2013 9:41:51 AM
   
RE:document security
Hello Juraj,

I have created a user role in the roles section and assigned the user to that specific page, and now I want to check on the page if that page has access for that user. I am using custom LDAP authentication code and redirecting the user to the page they have requested, using the code below.
===
string url = QueryHelper.GetString("ReturnURL", string.Empty);

if (!string.IsNullOrEmpty(url))
{
    // Redirect only to a relative URL or to one whose hash validates.
    if (url.StartsWith("~") || url.StartsWith("/") || QueryHelper.ValidateHash("hash"))
    {
        URLHelper.Redirect(ResolveUrl(ValidationHelper.GetString(Request.QueryString["ReturnURL"], "")));
    }
    else
    {
        URLHelper.Redirect(ResolveUrl("~/CMSMessages/Error.aspx?title=" + ResHelper.GetString("general.badhashtitle") + "&text=" + ResHelper.GetString("general.badhashtext")));
    }
}
else
{
    // No ReturnURL: use the configured default target, otherwise the current URL.
    if (this.DefaultTargetUrl != "")
    {
        URLHelper.Redirect(ResolveUrl(this.DefaultTargetUrl));
    }
    else
    {
        URLHelper.Redirect(URLRewriter.CurrentURL);
    }
}
} // closes the enclosing method, which is not shown
=====

Where in this code can I check whether the user has access to TargetUrl or not?

Thanks.



Kentico Support
kentico_jurajo - 7/5/2013 10:12:07 PM
   
RE:document security
Hi,

So, the document has some Security settings set on Properties -> Security tab, right?

In this case, you need to check the ACLs: Checking permissions API - the second sample.

Best regards,
Juraj Ondrus

Member
Yash - 7/8/2013 9:49:08 AM
   
RE:document security
Hello Juraj,

Yes, I am using the Security settings set on Properties. I tried with the ACL: Checking permissions API but it didn't work, as I am doing user authentication and redirecting the user to the default page (the page the user came from). The API code does not execute once the user is redirected to the default page.

What I want to do is, once the user is logged in and authenticated and redirected to the requested page, it is supposed to check the user's permission on that requested page (the page the user came from), and only if the user has permission to that page will the user be redirected to that page; otherwise they will be redirected to another page.

I am creating an editing page for the departmental users to edit pages like help request form tickets, and I am using mixed mode authentication for the user administration but using a form Login page to authenticate the user against LDAP and then redirect the user to the requested edit page, and if they don't have access they will be redirected to the other page.

What I am guessing is that, as the user is already authenticated against LDAP and the IsAuthenticated class authenticates the user, they will be able to view the page.

What's the way to restrict the user from viewing the page in this scenario?

Thanks,

Kentico Support
kentico_jurajo - 7/11/2013 5:16:34 AM
   
RE:document security
Hi,

It works by default the way you have described. So, the question is how you are authenticating the users - are you using a custom authentication handler, and does the user exist in the Kentico DB, and is the user in the given role or are appropriate permissions assigned to this user account.

Best regards,
Juraj Ondrus