401 errors for attachments with page level security

CSS Team asked on February 24, 2022 15:51

Hi everybody!

I am currently facing the following problem: With page-level-security activated and configured, I get 401 errors, if I try to resolve attachments via /getattachment/[guid]/[name_of_file] url. If I deactivate page-level-security, this url works and the attachment, e.g. an image is showing up in the browser.

I can reproduce the error using LearningKit-Core and a blank 'NewSite' installation.

Is anyone facing the same issue? Maybe you have a working sample, that I can use..

Thanks and best regards!

Recent Answers

Brenden Kehren answered on February 24, 2022 20:44

Do you have your StartUp.cs file configured to handle those error codes? If not, you'll need to do so, something like this:

app.UseStatusCodePages(async context =>
{
    var response = context.HttpContext.Response;

    switch (response.StatusCode)
    {
        case (int)HttpStatusCode.Unauthorized: 
            response.Redirect(URLHelper.AddParameterToUrl(ResHelper.GetString(ContentItemIdentifiers.LOGIN), "returnurl", context.HttpContext.Request.Path));
            break;
        case (int)HttpStatusCode.Forbidden:
            if(String.IsNullOrEmpty(context.HttpContext.User.Identity.Name))
                response.Redirect(URLHelper.AddParameterToUrl(ResHelper.GetString(ContentItemIdentifiers.LOGIN), "returnurl", context.HttpContext.Request.Path));
            else
                response.Redirect(ResHelper.GetString(ContentItemIdentifiers.PAGE_PERMISSION_DENIED));
            break;
        case (int)HttpStatusCode.NotFound:
            response.Redirect(ResHelper.GetString(ContentItemIdentifiers.PAGE_NOT_FOUND));
            break;
    }
});
1 votesVote for this answer Mark as a Correct answer

CSS Team answered on February 28, 2022 10:17

Hi Brenden,

thanks for your answer.

I think I did not make myself clear enough: I get access denied errors although a user is already logged in. It seems, that the getattachment proxy is not checking on user credentials. At first I thought its a mis-configuration, so I used the LearningKit to register and log in a user. Afterwards I configured page level security for that user and a certain page and tried to fetch attachments from that page and still got 401.

Can you reproduce this behavior?

1 votesVote for this answer Mark as a Correct answer

Brenden Kehren answered on February 28, 2022 13:30

If you're still getting 401/unauthorized errors, then the user is NOT logged in. The "getattachment" method used S page level security and authorization to determine access. I'd check your authentication process.

1 votesVote for this answer Mark as a Correct answer

   Please, sign in to be able to submit a new answer.