
Security problem

2 posts, 0 answered
  1. Matt
    9 posts
    Registered:
    11 Feb 2008
    15 May 2008

    I am having a problem securing pages within a simple site.

    I create a simple site with the following simple structure, using just the default site setting and single membership/role providers:

    index.aspx
    public.aspx
    privatepage.aspx
    veryprivate.aspx
    login.aspx

    All the pages are visible to anonymous apart from privatepage.aspx and veryprivate.aspx.

    The logon page was created by simply dragging in the logon control from the available login controls within the admin system onto a new page.

    I have two users, administrator and bob. bob is not a member of any roles, he's just a test user.

    After denying anonymous access to the two private pages I do not initially give the role 'everyone' a view permission. So at this point nobody should view these pages.

    If I now view my site, my navigation shows links to three pages:

    index.aspx
    public.aspx
    login.aspx

    This seems fine. If I try to access one of the private pages directly I am redirected to the page:

    http://localhost/Mysite/sitefinity/login.aspx?ReturnUrl=%2fMysite%2fprivatePage.aspx

    If I now log on with the account bob I receive the error 'This type of page is not served.'
    This is fine as I have not given 'everyone' permission to access this page.

    However, if I instead visit 'login.aspx' and use the login usercontrol to log in with the same account 'bob', I can access any of the private pages.

    It seems if I use the /sitefinity/login.aspx page to log in everything works as expected, but if I use a page created in the CMS which contains the login control I seem to have the ability to access any page I like, regardless of permissions.

    I also noticed if I return to the admin and give one of the private pages 'everyone' view permission, when I then log into the site through the /sitefinity/login.aspx page, this page is now added to my navigation. I will now see:

    index.aspx
    public.aspx
    privatepage.aspx
    login.aspx

    However, if I log in using the login.aspx page with the account bob I still only see the links in the navigation:

    index.aspx
    public.aspx
    login.aspx

    However, I can still access both privatepage.aspx and veryprivatepage.aspx if I type them in directly.

    Is this a bug with the login usercontrol or am I using it incorrectly somehow?

    Sorry for the repost, posted the same query in the bug section a few days ago, but have not received any replies.

  2. Nikifor
    232 posts
    Registered:
    18 May 2013
    15 May 2008
    Hi Matt,

    Please find the answer to your question in the other forum thread opened by you: Security problem
    This one will be closed for better tracking purposes.

    Regards,
    Nikifor
    the Telerik team
