Permission Checking in Kentico Media Libraries not working

Edward Surjadi asked on November 2, 2016 08:22

I have a page in Kentico that displays list of documents which are uploaded from Media Libraries. (I created custom webpart that pulls the list of documents by querying Media_File table and generate permanent URL using /getmedia/GUID).

The problem is the link is not secured, so If I have the URL (e.g. /getmedia/ABCD), even after I am logged out from the site, I can still download the file which is not allowed by our security dept.

So, I have followed the steps to secure the Media Libraries here https://docs.kentico.com/display/K9/Securing+media+libraries The 2 main settings that i did are: 1. Set the Settings -> Content Management -> Media Libraries -> Check file permission to be ticked 2. Set the Media Libraries -> Edit -> Security, set the "See Library Content" Permission to NOBODY (so that no one can download the file, this is for testing)

However, I'm still able to download the file when I'm not logged in to the site.

Anyone can guide me on how to investigate? It seems the module that does the permission checking is not running at all.

Correct Answer

Edward Surjadi answered on November 3, 2016 14:49

Hi Trevor,

I have found the problem. In kentico, there is a pre-defined user named "public" (you can see this in Users application). This "public" user is used by Kentico to represent public anonymous user (i don't know why). Accidentally, this public user was set to Global Administrator in my site, hence all the permission checking was overridden. Once i set this role to "None", the permission started to work!

So, the library files that i have secured to Authenticated User, can't be download without logging in into the application. How did i find this solution? I tried reading the assembly using dotPeek (disassembler) in CMS.MediaLibrary.GetMediaHandler.cs --> MediaLibraryInfoProvider.IsUserAuthorizedPerLibraryInternal()

So, thank you for your valuable input!

0 votesVote for this answer Unmark Correct answer

Recent Answers


Trevor Fayas answered on November 2, 2016 17:04

You said you put in a custom webpart, does that custom webpart have code to check security?

0 votesVote for this answer Mark as a Correct answer

Edward Surjadi answered on November 2, 2016 22:37

Hi Trevor,

The webpart is used in a page. The page is secured for authenticated users only. So, only logged-on user can access the page (fine). The page display a list of files from the media library like this:

  1. File Description 1

  2. File Description 2

  3. File Description 3

    The problem is once user clicks a link and keep the link in the history, after the user logged out from the site, the link "/getmedia/GUID1/filename1" is still accessible, which is what i want to prevent.

    Currently, once user have the link user can download the file even without login.

0 votesVote for this answer Mark as a Correct answer

Brenden Kehren answered on November 3, 2016 01:03

In the media library you are securing, make sure you set the items across the top (create file, folder, delete, modify, etc.) to "Authorized Roles". Then tick the "See library content" box next to the role you want to have "read" access. This should "secure" your files as you want.

0 votesVote for this answer Mark as a Correct answer

Trevor Fayas answered on November 3, 2016 01:04

The below page references a "use secure link" in the original media library web part, you probably need to render the links using the format that this would generate which will probably then take into account user login status.

https://docs.kentico.com/plugins/servlet/mobile#content/view/1310858

0 votesVote for this answer Mark as a Correct answer

Edward Surjadi answered on November 3, 2016 01:33

Hi Trevor, Good idea, I was trying to produce the same list using the original Media Library (called Media Gallery), but i was getting this error (maybe this way i was never bothered to use it and instead creating my own webpart)

<span title="Message: [TempITemplate.Template]: http://server/CMSVirtualFiles/Transformations/=vg=3ecbe682-c04f-42e1-9a17-2e6becf09b01/Community.Transformations/MediaLibrary.ascx(6): error CS0234: The type or namespace name &#39;ResHelper&#39; does not exist in the namespace &#39;CMS.GlobalHelper&#39; (are you missing an assembly reference?)

Exception type: System.Exception

Message: http://server/CMSVirtualFiles/Transformations/=vg=3ecbe682-c04f-42e1-9a17-2e6becf09b01/Community.Transformations/MediaLibrary.ascx(6): error CS0234: The type or namespace name &#39;ResHelper&#39; does not exist in the namespace &#39;CMS.GlobalHelper&#39; (are you missing an assembly reference?)

Exception type: System.Web.HttpCompileException Stack Trace: at System.Web.Compilation.AssemblyBuilder.Compile() at System.Web.Compilation.BuildProvidersCompiler.PerformBuild() at System.Web.Compilation.BuildManager.CompileWebFile(VirtualPath virtualPath) at System.Web.Compilation.BuildManager.GetVPathBuildResultInternal(VirtualPath virtualPath, Boolean noBuild, Boolean allowCrossApp, Boolean allowBuildInPrecompile, Boolean throwIfNotFound, Boolean ensureIsUpToDate) at System.Web.Compilation.BuildManager.GetVPathBuildResultWithNoAssert(HttpContext context, VirtualPath virtualPath, Boolean noBuild, Boolean allowCrossApp, Boolean allowBuildInPrecompile, Boolean throwIfNotFound, Boolean ensureIsUpToDate) at System.Web.Compilation.BuildManager.GetVPathBuildResult(HttpContext context, VirtualPath virtualPath, Boolean noBuild, Boolean allowCrossApp, Boolean allowBuildInPrecompile, Boolean ensureIsUpToDate) at System.Web.UI.TemplateControl.LoadTemplate(VirtualPath virtualPath) at CMS.Controls.TempITemplate.get_Template() " class="TransformationError">[TempITemplate.Template]: http://server/CMSVirtualFiles/Transformations/=vg=3ecbe682-c04f-42e1-9a17-2e6becf09b01/Community.Transformations/MediaLibrary.ascx(6): error CS0234: The type or namespace name 'ResHelper' does not exist in the namespace 'CMS.GlobalHelper' (are you missing an assembly reference?)

Am i missing some files here?

0 votesVote for this answer Mark as a Correct answer

Edward Surjadi answered on November 3, 2016 01:53

Nevermind my last post, i managed to produce the link using the original webpart following the article you sent, i can validate that the links are same

~/getmedia/d8010d04-54ae-46cc-b7a1-5002a7b8895d/filename

So i'm pretty sure my webpart generates the secure links.

Brenden, i have set the Media Libraries i want to secure to NOBODY for Create File, Create folder, Delete file, delete folder, modify file, modify folder, see library content. So basically i want to test if the permission check is really happening by refusing every request to this file. But it just didnt work.

0 votesVote for this answer Mark as a Correct answer

Trevor Fayas answered on November 3, 2016 02:57

Okay so looking closer, the Media Library webpart only shows the folders and checks security if you have access to the folder...looks like there's nothing in the transformation that changes the file link.

I'll try to later tonight or sometime early tomorrow to take a look at the getmedia code, there may need to be modifications to do a check of security. There may not currently be as that many resources use the getmedia page and i can imagine it would create some overhead to check every getmedia request. But if indeed there is no code there, you'll be faced with either adding the check or modifying the transformation your webpart uses and point the files to a new page where the logic would be coded.

0 votesVote for this answer Mark as a Correct answer

Dcode warner answered on May 3, 2017 17:47

@Trevor Fayas Did you ever found a solutions for this question. I'm facing the same scenario.

0 votesVote for this answer Mark as a Correct answer

Trevor Fayas answered on May 3, 2017 17:51

The "Answered" question does contain the solution, the documentation was correct in his case, it was just that he accidently had the public user set as a global administrator, so the public user always had permission.

You can see if that's your case as well, otherwise follow the same steps he did:

https://docs.kentico.com/display/K9/Securing+media+libraries The 2 main settings that i did are: 1. Set the Settings -> Content Management -> Media Libraries -> Check file permission to be ticked 2. Set the Media Libraries -> Edit -> Security, set the "See Library Content" Permission to NOBODY (so that no one can download the file, this is for testing)

0 votesVote for this answer Mark as a Correct answer

   Please, sign in to be able to submit a new answer.