Forums (Obsolete)

Member

justin-liquidprint - 2/11/2014 5:06:31 PM

Implementing Role Based Pages

I'm trying to use the built-in Roles functionality to display whether or not a user has access to a page. For some reason, if I set 'Check Page Permissions' setting in Administrator > Settings > Security & Membership = "All Pages", the site goes into an infinite loop when trying to login. It appears to repeatedly append the No Access page in the URL request string and eventually fails because of this.

I'm just trying to control front-end page accessibility. Nothing within the Kentico CMS or page management. If there is a better approach for accomplishing this, please let me know.

Here's my scenario:
- I have a role setup
- Within the content page I want to restrict (Properties > Security) I have selected the specific role of which only users having the role should be allowed to access the page.
- On the role within the same page, I have set the Access Rights to 'Allow' for the Read right. I have not changed anything else.

At this point, I would expect to login as a user WITHOUT that role and get bounced from the page I set that permission on. However, I can't get past the login to even test it when 'Check Page Permissions' within the Administrator are set to 'All Pages' or 'Secured Areas'.

Note: I did try the approach of only using the Check Permissions option within the Editable Text Web Part within the page template. This worked. However, it's not a very elegant solution in that the user gets every other part of the page just not the content, it's just a big old white space. I either need to customize what shows up there or be able to redirect them to the access denied page.

Any thoughts or help is MUCH appreciated!

Kentico Legend

Brenden Kehren - 2/11/2014 6:23:11 PM

RE:Implementing Role Based Pages

What do you mean by "trying to control front-end page accessibility"?

If you want to restrict users/roles to pages or nodes within the site, you can do this all from the front end in the Page>Properties>Security. In there you set which roles have access to what pages and if they require authentication or SSL or not. It is as easy as you're thinking although I think you might have a few too many things going on at one time. I'd start from scratch and try it on a test page ensuring your "Check Page Permissions" should be set to "Secured Areas" before you start.

When you test, open a totally different flavor of a browser as to ensure there isn't any caching going on.


Member	justin-liquidprint - 2/12/2014 9:38:59 AM RE:Implementing Role Based Pages Hi FroggEye, Thanks for the response. This is how I understood users/roles restrictions to work as well. I scaled it back and tried again. Still no luck. When I login as a user without a role assigned to the page, the system still allows that user access. Here's some shots of my settings:

Kentico Customer Success

kentico_martind2 - 2/12/2014 10:44:25 AM

RE:Implementing Role Based Pages

Hi Justin,

The problem with the images was that you were posting an URLs to the page where image is displayed and to the images directly.

page with image: http://prntscr.com/2rtj03
vs image itself: http://img580.imageshack.us/img580/3082/j0k6.png

The forums will not allow you to display a page from another site.

Best Regards,
Martin Danko

Kentico Legend

Brenden Kehren - 2/12/2014 7:28:08 PM

RE:Implementing Role Based Pages

What is the security set like on the Franchises page? If you ONLY want one specific role to have access then you need to restrict everyone else as well. For instance, you want the View Franchise Agreement role to only access that page, check "Requires authentication = yes" (unless parent page is set to yes, then leave it). Next add the "Not authenticated users" role to the list and DENY them everything. This will not allow anyone else to access that page.

Again, set the Check page permissions to "Secured areas".

Member

justin-liquidprint - 2/13/2014 10:44:16 AM

RE:Implementing Role Based Pages

Went through the Franchises page and added all roles and set them to deny for everything, except for View Franchise Agreement, which is set to allow.

Tested the site with a user who does not have the View Franchise Agreement role. User was still able to see the page / no redirect.

Went into the Administrator and set Check page permissions to "Secured areas". And this is what I get upon

The webpage at http://---.-------.----/AccessDenied.aspx?returnurl=%2fAccessDenied.aspx%3freturnurl%3d%252fAccessDenied.aspx%253freturnurl%253d%25252fAccessDenied.aspx%25253freturnurl%25253d%2525252fAccessDenied.aspx%2525253freturnurl%2525253d%252525252fAccessDenied.aspx%252525253freturnurl%252525253d%25252525252fAccessDenied.aspx%2525225252525253d%252525252525252525252525252525252525252fDefault.aspx

I can't put my finger on the redirect loop. The only page permissions set at the top level are:
User image


Member	justin-liquidprint - 2/12/2014 5:05:24 PM RE:Implementing Role Based Pages I should add, I tried accessing the page from a separate browser with a cleared history. So I do not believe caching is the issue.