+1-888-365-2779
Try Now
More in this section

Forums / General Discussions / Page Permissions

Page Permissions

18 posts, 0 answered
  1. Daniel L
    Daniel L avatar
    26 posts
    Registered:
    06 May 2006
    11 Mar 2008
    Link to this post
    I have a Subscribe page which I want anonymous users to view, but not my subscriber role.

    In the page properties I have "show on menu" and "allow anonymous access". In the permissions tab I broke inheritance and set my subscribers role to Deny View. I don't have any checkboxes checked for any of the other roles (including Everyone). However, the page still shows for Subscriber roles, even though I have the View permission set to Deny. Even if I set Everyone to Deny View, the Subscribe page is still visible at all times. Does anyone know what I'm doing wrong here?
  2. Yasen
    Yasen avatar
    121 posts
    Registered:
    18 May 2013
    12 Mar 2008
    Link to this post
    Hi Daniel L,

    If I understand you correctly, you want the page to be hidden for the Subscribers role in your site map menu. So if somebody enters your site, they see the "subscribe" link only if they are not subscribers. With the basic Sitefinity page settings this is not possible, but you can achive it with just a few lines of code.

    The default behavior is that for every page first the "show in navigation" property is checked, if it is set to true, the "anonymous access" is checked and only if it is set to deny, roles are considered. In your case if you set "deny anonymous access", whatever you do, unauthenticated users won't be able to visit this page.

    In the attached file you'll find a custom sitemap provider that overrides the method "IsAccessibleToUser" and performs the needed check in order to filter only users that belong to the "Subscribers" role. You can further extend this functionality if you like.

    In order for the example to work properly, you have to change the name of the default site map provider in your web.config:

    <siteMap defaultProvider="CmsSiteMapProvider" enabled="true">  
        <providers> 
            <clear/> 
            <add name="CmsSiteMapProvider" description="Displays Cms Pages" type="CustomSiteMapProvider"/>  
        </providers> 
    </siteMap> 

    Then add the attached class to your app_Code folder. Finally, you have to create the
    "Subscribe" page, set "show in navigation" to true and "anonymous access" to allow. Having this done, users in the "subscribers" role won't be able to see it in the navigation controls.

    Please have in mind that despite the changes, they will be able to visit the page as it is not forbidden. If you need to deny access to a page and not just exclude it from the site map, please contact us again and we'll be happy to provide a solution.

    All the best,
    Yasen
    the Telerik team

    Instantly find answers to your questions at the new Telerik Support Center
  3. Yasen
    Yasen avatar
    121 posts
    Registered:
    18 May 2013
    12 Mar 2008
    Link to this post
    Hello Daniel L,

    Here is the attached class.

    All the best,
    Yasen
    the Telerik team

    Instantly find answers to your questions at the new Telerik Support Center
  4. Steve
    Steve avatar
    6 posts
    Registered:
    13 Aug 2012
    18 Mar 2008
    Link to this post
    Hi Yasen - we have a similar but somewhat different issue that is very important to us right now, just having launched this site a few months ago.  We have a support oriented site where customers who are currently on a support plan can get updates and slso support information including some fairly sensitive information.

    The 'support' section is the site was designed to be avialable only to logged in customers who have a 'current customer' role - we set it up to deny anonymous access (which works) but customers who are  not currently paying support fees but are logged in and do NOT have the 'current customer' role can get to these pages if they bookmarked them.

    We tried creating a role of 'upaid current customer' and denying access to them that way but obviously that does not work.  I typed with the idea of placing the login info for these customers in a table and writing a control that would check to see if they are in that table and redirecting them back to the home page but I'm not sure if that would work well and circumvents our original understanding of the 'deny view' option, which seems somewhat pointless to have at this point - how would that be used?

    At any rate, is there any way we can make this work?  We are setting the roles for these users with our own software based in information in our support database, so it's simple for us to remove the 'current customer' role and add the 'unpaid current customer' role if it worked!

    Any help would be appreciated!

    Regards,

    Steve Ledbetter
    RFMS
  5. Daniel L
    Daniel L avatar
    26 posts
    Registered:
    06 May 2006
    18 Mar 2008
    Link to this post
    Thanks Yasen! That gave me exactly what I needed.

    Now can you take a look at www.gcworld.biz. For some reason when the homepage loads it treats me as if I"m a logged in user (notice the Logout link at the top). Once you click on The Greensheet link, it treats you as a logged out user and prompts you to login. What could be causing this problem?
  6. Daniel L
    Daniel L avatar
    26 posts
    Registered:
    06 May 2006
    19 Mar 2008
    Link to this post
    You can disregard my previous issue. the problem i was having was caused by page caching. why does the page cache the navigation and login objects? it was making all my site visitors looked like they were logged in.
  7. Georgi
    Georgi avatar
    3583 posts
    Registered:
    28 Oct 2016
    21 Mar 2008
    Link to this post

    Steve,
    We have tried your scenario but couldn't see the behaviour you've described. Can you elaborate a little more, what do you ween by "
    they bookmarked them", do you mean you bookmarked them in your browser? We suppose that the page is cached by the browser and probably this is causing the problem.

    Daniel,
    We also think that the navigation and the page are cached by the browser. If you have any other information, you are welcome to share it.

    Sincerely yours,
    Georgi
    the Telerik team

    Instantly find answers to your questions at the new Telerik Support Center
  8. Daniel L
    Daniel L avatar
    26 posts
    Registered:
    06 May 2006
    21 Mar 2008
    Link to this post
    Georgi,

    My first thought was that the browser was caching the page, but i visited it from several different browsers and computers and got the same result. As soon as I turned off page caching this went away. The Login status control showed "Log Out" and links in the menu bar were visible when they should only be visible to logged in users. This is on Sitefinity 3.1 SP2 Standard Edition. Again, as soon as I turned off the page caching the problem went away. Are you able to replicate this issue?
  9. Steve
    Steve avatar
    6 posts
    Registered:
    13 Aug 2012
    21 Mar 2008
    Link to this post
    Thanks Georgi - here are more details on what this is doing for us:

    We created a page, set anonymous access to deny, all roles except 'unpaid current customer' are set to allow 'view',  the unpaid current customer role is set to 'deny'.

    I created a user whose only role is 'unpaid current customer'. As long as he is not logged in to the site, he cannot access this page.  As soon as he logs in, all you have to do is type in the full url to the page and it loads - it is set not to show in navigation at all.

    I have tried this with Internet Explorer, Mozilla, and Safari with the same result and tried it from multiple workstations.  This page has a custom written function that returns a value from the database base on user input and it works correctly under the cirsumstances described above so my gut feeling is that the page is not being cached.

    If I understand you correctly, you are saying that with a page that has 'deny view' set for a role should not allow access to that page at all by a logged in user who has the role that it is set to deny viewing the page. Is this right?

    I believe our software was modified to integrate with online store software by using the password set in the store database to validate the user - this was done to allow us to control some other features based on login.  Is there something in this method that could cause sitefinity to ignore a deny view on a page based on a role?  What might I look for to see if the problem is on this end?

    Thanks for your help!

    Regards,

    Steve Ledbetter
    RFMS

  10. Georgi
    Georgi avatar
    3583 posts
    Registered:
    28 Oct 2016
    25 Mar 2008
    Link to this post
    Daniel,
    Actually, it is safe to cache only the static pages in your site. For our cache it is not possible to cache some controls and not to cache others. There is a way to achieve this with the included in ASP.NET standard cache and substitution technique. We had to clarify earlier that only static pages should be cached.

    Steve,
    Could you try to :
    • stop the cache;
    • ensure that your role provider is the default one. You can set this in your web.config, and the easiest way to do it is to name it "Sitefinity"
    • Is you still experience the problem, make sure that roles and permissions are correctly stored in your database.The tables you need to check are :
      sf_PagePermissions - table relating pages with roles and permissions, the values for allow and deny fields are constructed like this: 
      View = 1
      Create = 2
      Modify = 4
      If you have granted the View and Modify permissions for instance, the value in allow will be 1 + 4 = 5
      for the given page.

      telerik_Roles, telerik_Users - tables with users and roles that you are probably not using, having in mind the customizations you mentioned about membership.
    If you still experience problems after that, we suggest you send us a Sitefinity project with a database where we can see this in action, so we can debug it locally and see what is going wrong.

    Sincerely yours,
    Georgi
    the Telerik team

    Instantly find answers to your questions at the new Telerik Support Center
  11. Steve
    Steve avatar
    6 posts
    Registered:
    13 Aug 2012
    26 Mar 2008
    Link to this post
    Thank you for the suggestions, Georgi - I have turned off all cacheing on the IIS server (I assume that is what you meant) and it did not make a difference.  The default provider in the web.config file is already 'Sitefinity'.

    We do use the telerik files for access control to pages (at least that is our desire!)  - as far as I can tell the integration to the store software is only to synch the passwords as we use the store software to provide program updates to paid customers.

    Here are the entries for the page in question from the sf_pagepersmissions file (the PageID is the ID of one of the pages we are trytin to deny access to the 'UNPAID CURRENT CUSTOMER' role)

    639E5565-2558-4D5C-BCF6-CB5B4D54A7B4   Current Customer   /   1   510
    639E5565-2558-4D5C-BCF6-CB5B4D54A7B4   Documentation   /   485   26
    639E5565-2558-4D5C-BCF6-CB5B4D54A7B4   RFMS Admins   /   239   0
    639E5565-2558-4D5C-BCF6-CB5B4D54A7B4   RFMS Support   /   1   510
    639E5565-2558-4D5C-BCF6-CB5B4D54A7B4   U npaid Current Customer   /   0   511

    The 'Current Customer' and 'Unpaid Current Customer' roles were configured in Sitefinity but I insert thenminto the files for users based on their current status in out internal database (either they are paying current support fees and should have access, or not paying currently (Unpaid Current Customer) and we wish to deny them access to the pages.

    I don't have a 'project' for the site but I would be happy to provide the website files and a copy of the database if that would suffice to look at, or  to arrange to give someone from your company access to the server.

    Thanks for any assistance you can give u s- this is a crucial feature for us!

    Steve Ledbetter
    RFMS
  12. Georgi
    Georgi avatar
    3583 posts
    Registered:
    28 Oct 2016
    26 Mar 2008
    Link to this post
    Hi Steve,

    We cannot see anything wrong from the table.

    Of course, you are welcome to send your project files and the database for additional investigation. Just put your project and a database backup in a zip file, open a new support thread and attach the archive. You may exclude the /bin directory and the RadControls, but don't forget to include any custom controls and templates that you have.

    Thanks for your cooperation in advance. 

    Greetings,
    Georgi
    the Telerik team

    Instantly find answers to your questions at the new Telerik Support Center
  13. Steve
    Steve avatar
    6 posts
    Registered:
    13 Aug 2012
    25 Apr 2008
    Link to this post
    Hi Georgi - sorry to be so long in getting back but things have hectic.  I have had the chance to do some more digging.

    We are on 3.0 SP2, NOT 3.1 SP3m.  I was finally able to to get 3.0 installed and running and was able to duplicate this issue in the TUI sample website by  creating a new role, creating a new user with this role, setting a page to deny view to this role and to deny anonymous access.

    The page did not appear on menu - typing in the address of the page allowed me to view it with no problems tho - the exact problem we are having.  This does NOT occur in the 3.1SP2 sample website I have installed.

    Based on this, it appears to be a problem with 3.0SP2 and not our integration.  Is there any possibility of a patch or fix for this in this version?  Upgrading to 2.1sp2 or 3.2 would be wonderful for us but will be a challenge because of the integration with our exommerce module.

    Thanks for your help!

    Regards,

    Steve Ledbetter
    RFMS
  14. Georgi
    Georgi avatar
    3583 posts
    Registered:
    28 Oct 2016
    30 Apr 2008
    Link to this post
    Hello Steve,

    This is not a bug - this is by design in Sitefinity 3.0. We understand that this is important for everyone, so we have created a KB article describing how to achieve this functionality in Sitefinity version 3.0. You can find it here

    Don't hesitate to contact us if you have other questions.

    Greetings,
    Georgi
    the Telerik team

    Instantly find answers to your questions at the new Telerik Support Center
  15. Jason M
    Jason M avatar
    108 posts
    Registered:
    15 Jan 2007
    07 May 2008
    Link to this post
    Hello Georgi and SF Team,

    We're using 3.2 SP1 with a custom role provider (also membership and profile) for our site and all authenticated users are able to view "restricted" pages.  I've set the page properties to deny anonymous and the permissions have been set to deny this role.  The pages don't appear in the sitemap navigation, however I'm able to navigate to them directly by typing the url into my browser.
     
    I've compared our implementation to the the MSDN examples and everything appears fine.  Which method do you use in the RoleProvider to determine page permissions?  Is it IsUserInRole or GetUsersInRole?

    IsUserInRole
    http://msdn.microsoft.com/en-us/library/system.web.security.roleprovider.isuserinrole.aspx

    GetUsersInRole
    http://msdn.microsoft.com/en-us/library/system.web.security.roleprovider.getusersinrole.aspx

    Thanks in advance!
    J
  16. Georgi
    Georgi avatar
    3583 posts
    Registered:
    28 Oct 2016
    10 May 2008
    Link to this post
    Hi Jason M,

    We replied to you in the support thread you opened about the same issue, but I'll post the answer here as well, so it is available for anyone else.

    Please confirm that you have set the Deny Anonymous property in the page options. Can you also try using the default membership and role providers? You can do this by reseting the membership and roles sections in the web.config and then trying to reproduce the odd behavior.
    We use both the methods in Sitefinity, but specifically in this case, we use the GetRolesForUser method and then permissions are accumulated for the returned roles.

    Regards,
    Georgi

    Sincerely yours,
    Georgi
    the Telerik team

    Instantly find answers to your questions at the new Telerik Support Center
  17. Asit
    Asit avatar
    87 posts
    Registered:
    07 Nov 2009
    10 Nov 2010
    Link to this post
    Hi,

    I want to show all pages in menu always, if user is logged in or not.
    if not logged in clicking the menu item it should redirect to log in page.
    How can i achieve this?
  18. Ivan Dimitrov
    Ivan Dimitrov avatar
    16072 posts
    Registered:
    25 Nov 2016
    10 Nov 2010
    Link to this post
    Hi asit pani,

    1. Show in Navigation for these pages should be set to true.
    2. If the use is authenticated he/she should have permissions - View for these pages.
    3. If the user is not authenticated you can force "redirect to login" by checking  Page.User.Identity.IsAuthenticated inside OnPreRender event of your control.

    Regards,
    Ivan Dimitrov
    the Telerik team
    Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items
Register for webinar
18 posts, 0 answered