Media library security settings working on QA but not Production

Lauren Groh asked on December 27, 2022 19:25

Intended functionality: Secured PDFs should only be accessible by users with privilege level set to "none" and role set to "member" (as well as by users with privilege level set to "Global Administrator").

The issue: Client found that secured PDFs are accessible by all users, regardless of role. This issue is only found on the Production site, not on the QA site.

Here is what we know:

  • Media library security settings are identical between QA and Production.
  • Role settings are identical between QA and Production.
  • Test user accounts are set to privilege level "None" and role "member".
  • Individual PDFs have no security on them

Testing: This functionality is working on QA but not on production.

On QA: User clicks on a secured PDF. User is redirected to the login page. If user signs in with an account with the role "member", login is authenticated and PDF is displayed. If account does not have role "member", user remains on the login page and PDF access is denied.

On Production: User clicks on a secured PDF. User is redirected to the login page. No matter the account role, user will gain access to the PDF after logging in.

Screenshot: Media Library Security Settings

Kentico Support Resources we've used:

Recent Answers


Brenden Kehren answered on December 27, 2022 19:56

Can you provide what version you're on and what development model you're using?


Lauren Groh answered on December 27, 2022 20:00

Kentico 12 & ASP.NET MVC. Thank you!


Brenden Kehren answered on December 27, 2022 21:17

Two things:

  1. Under Settings > Content > Media > General, ensure the Use permanent URLs box is checked. This is related to #2 below. If you are not using permanent URLs, then permissions cannot be checked using the GetMedia handler.
  2. Under Settings > Content > Media > Security, ensure the Check file permissions box is checked. If it's not, then permissions won't be applied to the media library files even if you have permissions applied to the media libraries.

Lauren Groh answered on December 28, 2022 05:11 (last edited on December 28, 2022 05:11)

Thank you for your reply, Brenden. I checked these settings on QA and Production. They are identical, yet QA media library security is working. I'm unsure if changing this global setting will affect other parts of this particular site, so I will pass this piece on to my team.

Is there anything else we might have missed? My other thought was IIS settings, but I'm unable to check those at the moment. Thanks again!

Media Settings Screenshot


Brenden Kehren answered on December 28, 2022 06:22

If you're not using permanent URLs then permissions won't be checked using the system. I'd suggest checking IIS permissions on your servers for the media library folders and see if they are the same.

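One way to carry out the folder-permission comparison suggested in the answer above, as an added example that is not part of the original thread or Kentico's own tooling. The function names and both UNC paths are assumptions and placeholders; substitute the real media library folder on each server.

```powershell
# Added example: diff the NTFS access rules on the media library folder
# between two servers (for instance QA as reference, Production as difference).

function Get-NormalizedAcl {
    param([Parameter(Mandatory)][string]$Path)
    # Flatten each access rule to plain strings so rules from two hosts compare cleanly.
    (Get-Acl -LiteralPath $Path).Access | ForEach-Object {
        [pscustomobject]@{
            Identity    = $_.IdentityReference.Value
            Rights      = $_.FileSystemRights.ToString()
            Type        = $_.AccessControlType.ToString()
            Inherited   = $_.IsInherited
            Inheritance = $_.InheritanceFlags.ToString()
        }
    }
}

function Compare-MediaFolderAcl {
    param(
        [Parameter(Mandatory)][string]$ReferencePath,
        [Parameter(Mandatory)][string]$DifferencePath
    )
    $props = 'Identity', 'Rights', 'Type', 'Inherited', 'Inheritance'
    $ref   = @(Get-NormalizedAcl -Path $ReferencePath)
    $diff  = @(Get-NormalizedAcl -Path $DifferencePath)

    # Compare-Object rejects empty input, so fail with a clear message instead.
    if ($ref.Count -eq 0 -or $diff.Count -eq 0) {
        throw "No access rules could be read from one of the folders."
    }

    # Emit only the rules that exist on one side and not the other.
    Compare-Object -ReferenceObject $ref -DifferenceObject $diff -Property $props |
        ForEach-Object {
            [pscustomobject]@{
                OnlyOn   = if ($_.SideIndicator -eq '<=') { 'Reference' } else { 'Difference' }
                Identity = $_.Identity
                Rights   = $_.Rights
                Type     = $_.Type
                Inherited = $_.Inherited
            }
        }
}

# Placeholder paths (assumptions), not taken from the thread:
# Compare-MediaFolderAcl -ReferencePath '\\QA-SERVER\share\media' `
#                        -DifferencePath '\\PROD-SERVER\share\media'
```

An empty result means the two folders carry the same access rules; any row marked `Difference` is a rule present only on the second server and is the place to start looking.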

Lauren Groh answered on January 12, 2023 21:11

Thank you, Brenden! I've been away but plan to look into your suggestion in the next few days. Would it be possible to leave this support ticket open for a while longer? Thank you!

