Permission Checking in Kentico Media Libraries not working

Edward Surjadi asked on November 2, 2016 08:22

I have a page in Kentico that displays a list of documents which are uploaded from Media Libraries. (I created a custom webpart that pulls the list of documents by querying the Media_File table and generates a permanent URL using /getmedia/GUID.)

The problem is the link is not secured, so if I have the URL (e.g. /getmedia/ABCD), even after I am logged out from the site, I can still download the file, which is not allowed by our security dept.

So, I have followed the steps to secure the Media Libraries here: https://docs.kentico.com/display/K9/Securing+media+libraries

The 2 main settings that I did are:

  1. Set the Settings -> Content Management -> Media Libraries -> Check file permission to be ticked

  2. Set the Media Libraries -> Edit -> Security, set the "See Library Content" Permission to NOBODY (so that no one can download the file, this is for testing)

However, I'm still able to download the file when I'm not logged in to the site.

Can anyone guide me on how to investigate? It seems the module that does the permission checking is not running at all.

Correct Answer

Edward Surjadi answered on November 3, 2016 14:49

Hi Trevor,

I have found the problem. In Kentico, there is a pre-defined user named "public" (you can see this in the Users application). This "public" user is used by Kentico to represent the public anonymous user (I don't know why). Accidentally, this public user was set to Global Administrator in my site, hence all the permission checking was overridden. Once I set this role to "None", the permission started to work!

So, the library files that I have secured to Authenticated User can't be downloaded without logging in to the application. How did I find this solution? I tried reading the assembly using dotPeek (disassembler) in CMS.MediaLibrary.GetMediaHandler.cs --> MediaLibraryInfoProvider.IsUserAuthorizedPerLibraryInternal()

So, thank you for your valuable input!

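A regression check for the failure described in this thread, where the settings looked correct but an over-privileged "public" user bypassed them: request each /getmedia URL with no session and flag any that still returns file content. This is an added example, not code from the thread or from Kentico; the host, GUIDs and verdict rules are assumptions.

```python
import urllib.error
import urllib.request


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx as an error so a bounce to a logon page is not followed."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def anonymous_fetch(url, timeout=10):
    """GET with a fresh opener: no cookies, no credentials, no redirects."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Content-Type", "")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Content-Type", "")


def classify(status, content_type):
    """Map an anonymous response to a verdict for a file that must be protected."""
    if status in (401, 403, 404):
        return "denied"
    if 300 <= status < 400:
        return "redirected"  # usually to a logon or access-denied page
    if status == 200 and not content_type.lower().startswith("text/html"):
        return "EXPOSED"  # file bytes served without a session
    return "review"  # e.g. 200 with an HTML page, or a 5xx


def audit(urls, fetch=anonymous_fetch):
    """Return {url: verdict}; fetch is injectable so the logic can be tested offline."""
    return {url: classify(*fetch(url)) for url in urls}


# Constructed sample data: hypothetical host and GUIDs with canned responses.
SAMPLE = {
    "https://cms.example.test/getmedia/00000000-0000-0000-0000-000000000001/a.pdf": (200, "application/pdf"),
    "https://cms.example.test/getmedia/00000000-0000-0000-0000-000000000002/b.pdf": (302, "text/html"),
    "https://cms.example.test/getmedia/00000000-0000-0000-0000-000000000003/c.pdf": (403, "text/html"),
}

if __name__ == "__main__":
    for url, verdict in audit(SAMPLE, fetch=SAMPLE.get).items():
        print(verdict, url)
```

Against a real site, call `audit()` with the permanent URLs of files that should be restricted and leave `fetch` at its default.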

Recent Answers


Trevor Fayas answered on November 2, 2016 17:04

You said you put in a custom webpart, does that custom webpart have code to check security?


Edward Surjadi answered on November 2, 2016 22:37

Hi Trevor,

The webpart is used in a page. The page is secured for authenticated users only. So, only logged-on users can access the page (fine). The page displays a list of files from the media library like this:

  1. File Description 1

  2. File Description 2

  3. File Description 3

The problem is once a user clicks a link and keeps the link in the history, after the user has logged out from the site, the link "/getmedia/GUID1/filename1" is still accessible, which is what I want to prevent.

Currently, once a user has the link, the user can download the file even without logging in.


Brenden Kehren answered on November 3, 2016 01:03

In the media library you are securing, make sure you set the items across the top (create file, folder, delete, modify, etc.) to "Authorized Roles". Then tick the "See library content" box next to the role you want to have "read" access. This should "secure" your files as you want.


Trevor Fayas answered on November 3, 2016 01:04

The below page references a "use secure link" in the original media library web part; you probably need to render the links using the format that this would generate, which will probably then take into account user login status.

https://docs.kentico.com/plugins/servlet/mobile#content/view/1310858


Edward Surjadi answered on November 3, 2016 01:33

Hi Trevor, good idea. I was trying to produce the same list using the original Media Library (called Media Gallery), but I was getting this error (maybe this is why I never bothered to use it and instead created my own webpart):

Message: [TempITemplate.Template]: http://server/CMSVirtualFiles/Transformations/=vg=3ecbe682-c04f-42e1-9a17-2e6becf09b01/Community.Transformations/MediaLibrary.ascx(6): error CS0234: The type or namespace name 'ResHelper' does not exist in the namespace 'CMS.GlobalHelper' (are you missing an assembly reference?)

Exception type: System.Exception

Message: http://server/CMSVirtualFiles/Transformations/=vg=3ecbe682-c04f-42e1-9a17-2e6becf09b01/Community.Transformations/MediaLibrary.ascx(6): error CS0234: The type or namespace name 'ResHelper' does not exist in the namespace 'CMS.GlobalHelper' (are you missing an assembly reference?)

Exception type: System.Web.HttpCompileException
Stack Trace:
at System.Web.Compilation.AssemblyBuilder.Compile()
at System.Web.Compilation.BuildProvidersCompiler.PerformBuild()
at System.Web.Compilation.BuildManager.CompileWebFile(VirtualPath virtualPath)
at System.Web.Compilation.BuildManager.GetVPathBuildResultInternal(VirtualPath virtualPath, Boolean noBuild, Boolean allowCrossApp, Boolean allowBuildInPrecompile, Boolean throwIfNotFound, Boolean ensureIsUpToDate)
at System.Web.Compilation.BuildManager.GetVPathBuildResultWithNoAssert(HttpContext context, VirtualPath virtualPath, Boolean noBuild, Boolean allowCrossApp, Boolean allowBuildInPrecompile, Boolean throwIfNotFound, Boolean ensureIsUpToDate)
at System.Web.Compilation.BuildManager.GetVPathBuildResult(HttpContext context, VirtualPath virtualPath, Boolean noBuild, Boolean allowCrossApp, Boolean allowBuildInPrecompile, Boolean ensureIsUpToDate)
at System.Web.UI.TemplateControl.LoadTemplate(VirtualPath virtualPath)
at CMS.Controls.TempITemplate.get_Template()

Am I missing some files here?


Edward Surjadi answered on November 3, 2016 01:53

Never mind my last post, I managed to produce the link using the original webpart following the article you sent. I can validate that the links are the same:

~/getmedia/d8010d04-54ae-46cc-b7a1-5002a7b8895d/filename

So I'm pretty sure my webpart generates the secure links.

Brenden, I have set the Media Libraries I want to secure to NOBODY for Create file, Create folder, Delete file, Delete folder, Modify file, Modify folder, See library content. So basically I want to test if the permission check is really happening by refusing every request to this file. But it just didn't work.


Trevor Fayas answered on November 3, 2016 02:57

Okay so looking closer, the Media Library webpart only shows the folders and checks security if you have access to the folder...looks like there's nothing in the transformation that changes the file link.

I'll try later tonight or sometime early tomorrow to take a look at the getmedia code; there may need to be modifications to do a check of security. There may not currently be, as that many resources use the getmedia page and I can imagine it would create some overhead to check every getmedia request. But if indeed there is no code there, you'll be faced with either adding the check or modifying the transformation your webpart uses and pointing the files to a new page where the logic would be coded.


Dcode warner answered on May 3, 2017 17:47

@Trevor Fayas Did you ever find a solution for this question? I'm facing the same scenario.


Trevor Fayas answered on May 3, 2017 17:51

The "Answered" question does contain the solution. The documentation was correct in his case; it was just that he accidentally had the public user set as a global administrator, so the public user always had permission.

You can see if that's your case as well, otherwise follow the same steps he did:

https://docs.kentico.com/display/K9/Securing+media+libraries

The 2 main settings that I did are:

  1. Set the Settings -> Content Management -> Media Libraries -> Check file permission to be ticked

  2. Set the Media Libraries -> Edit -> Security, set the "See Library Content" Permission to NOBODY (so that no one can download the file, this is for testing)