What controls Permission Denied at login trying to display user dashboard?

Tim Valdez asked on May 31, 2023 23:59

Kentico 11 custom MVC site. Have 2 users who are logging into the CMS and immediately getting 403 - Forbidden: Access is denied. It appears to be when their dashboard is being shown since they only get an error page. I made sure their Roles had a default dashboard set to show Pages and Media Libraries but can't think of anything else it could be. The CMS file system ACLs have not been altered and no other users seem to be affected, at least I haven't heard from anyone else. I deleted one account and recreated it and still get the same error. Any ideas?

Correct Answer

Tim Valdez answered on June 1, 2023 19:55

OKAY I finally found the problem. It was some missing checkboxes under UI Personalization in those Roles that the accounts were members of. This CMS is so complex with hidden stuff everywhere........


Recent Answers


Tim Valdez answered on June 1, 2023 00:10

When I impersonate those users I get the error screen and no way to log out unless I can find the page in browser history and log back in as admin and then cancel impersonation (which seems weird but is probably due to cookies not getting cleared).


Juraj Ondrus answered on June 1, 2023 05:45

I would recommend using security debug to see what permission is denied and then grant it. Do the users have the appropriate privilege level assigned? Editor or higher. What are the module permissions assigned to roles? Are the users in multiple roles? If yes, and if there is a role without the permission - better safe than sorry - the user is denied. Are you also using UI personalization?


Tim Valdez answered on June 1, 2023 17:45

Thank you for that info, I didn't know about that. I enabled All logging (quickly) and logged out as Admin and logged into one of the broken accounts. The logSecurity.log file had this at the very top:

    // /CMSPages/logon.aspx?ReturnUrl=%2fAdmin%2fCMSAdministration.aspx [6/1/2023 8:34:49 AM]

    ISINSITE = True [User: JW] [Site: Wco]

    // /Admin/CMSAdministration.aspx [6/1/2023 8:34:49 AM]

    ISINSITE = True [User: JW] [Site: Wco]
    CHECKPRIVILEGELEVEL = False [User: JW]
    ISAUTHORIZEDPERUIELEMENT = 
     ISINSITE = True [User: JW] [Site: Wco]
     CHECKPRIVILEGELEVEL = False [User: JW]
    REDIRECTTOACCESSDENIED =  [User: JW] [Site: Wco]

    // /CMSModules/Admin/accessdenied.aspx?resource=CMS&uielement=Administration&hash=45tg01f3b3d1jkl3ead4e0csddfd58bdd337dacf2e4fac9e56b05 [6/1/2023 8:34:49 AM]

    VALIDATEHASH = True

I see that CHECKPRIVILEGELEVEL = False but don't know where to address it. Is this in the Users app somewhere in the person's account?

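Added example (not part of the original thread and not Kentico code): a small Python parser for a security debug log in the shape quoted above, reporting which checks returned False per request and which resource and UI element the access-denied redirect names. The sample log is constructed with placeholder user, site and hash values, and the line format is assumed from the excerpt in this thread.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample modelled on the logSecurity.log excerpt in the thread;
# user, site and hash are placeholders.
SAMPLE_LOG = """\
// /CMSPages/logon.aspx?ReturnUrl=%2fAdmin%2fCMSAdministration.aspx [6/1/2023 8:34:49 AM]

    ISINSITE = True [User: UserA] [Site: SiteA]

    // /Admin/CMSAdministration.aspx [6/1/2023 8:34:49 AM]

    ISINSITE = True [User: UserA] [Site: SiteA]
    CHECKPRIVILEGELEVEL = False [User: UserA]
    ISAUTHORIZEDPERUIELEMENT = 
     ISINSITE = True [User: UserA] [Site: SiteA]
     CHECKPRIVILEGELEVEL = False [User: UserA]
    REDIRECTTOACCESSDENIED =  [User: UserA] [Site: SiteA]

    // /CMSModules/Admin/accessdenied.aspx?resource=CMS&uielement=Administration&hash=PLACEHOLDER [6/1/2023 8:34:49 AM]

    VALIDATEHASH = True
"""

# Assumed line shapes: "// <url> [<timestamp>]" opens a request,
# "<CHECKNAME> = <value> [User: ..] [Site: ..]" records one security check.
REQUEST = re.compile(r"^\s*//\s+(?P<url>\S+)\s+\[(?P<ts>[^\]]+)\]\s*$")
CHECK = re.compile(r"^\s*(?P<name>[A-Z]+)\s*=\s*(?P<value>[^\[]*?)\s*"
                   r"(?:\[User:\s*(?P<user>[^\]]+)\])?(?:\s*\[Site:\s*[^\]]+\])?\s*$")

def summarize(log_text):
    """Return (failed_checks, denied_elements) found in a security debug log."""
    failed, denied, url = set(), [], None
    for line in log_text.splitlines():
        if m := REQUEST.match(line):
            url = m["url"]
            parts = urlsplit(url)
            if parts.path.lower().endswith("/accessdenied.aspx"):
                q = parse_qs(parts.query)
                denied.append((q.get("resource", ["?"])[0], q.get("uielement", ["?"])[0]))
        elif (m := CHECK.match(line)) and m["value"] == "False":
            failed.add((url, m["name"], m["user"]))  # nested repeats collapse
    return sorted(failed), denied

if __name__ == "__main__":
    failed, denied = summarize(SAMPLE_LOG)
    for url, name, user in failed:
        print(f"{user}: {name} returned False on {url}")
    for resource, element in denied:
        print(f"access denied for resource={resource} uielement={element}")
```

The `uielement` value from the access-denied URL is the name to look for when reviewing a role's UI personalization settings.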

Tim Valdez answered on June 1, 2023 18:02

Also, both broken users have the Editor privilege level in their accounts.
