Forums

Home / Developer Network / Forums / Sitefinity Older Versions (3.x): Security > Issue with Page Permissioning on Live Site

• Raghu

  Posted on Nov 30, 2010 (permalink)

  We have following pages on the site.

  Home.aspx

  SMEs.aspx

  Contacts.aspx

  manage.aspx

  Following roles on the site (all roles have unique set of users)

  key-sf-admin -  admin group/unrestricted access

  cap-key-dev   - denied all access to all pages except view to all pages on root level

                             -  For SME.aspx “view” rights are also denied for this role.

  So cap-key-dev role should be able to view all the pages on live site except SME.aspx.

  Also note that all the pages have been marked as Anonymous access to deny.

  On Site Map level the role cap-key-dev has following rights

  View	Allow	Deny
  Create	Allow	Deny
  Modify	Allow	Deny
  Delete / Rollback	Allow	Deny
  Change Permissions	Allow	Deny
  Change Properties	Allow	Deny
  Approve	Allow	Deny
  Publish	Allow	Deny
  Modify Layout	Allow	Deny

   
  On Application level the role cap-key-dev has given following rights

  Manage users	Allow	Deny
  Manage permissions	Allow	Deny
  Manage files	Allow	Deny
  Edit templates	Allow	Deny
  CmsAccess	Allow	Deny

  
  On SME.aspx page level role cap-key-dev has given following rights

  View	Allow	Deny
  Create	Allow	Deny
  Modify	Allow	Deny
  Delete / Rollback	Allow	Deny
  Change Permissions	Allow	Deny
  Change Properties	Allow	Deny
  Approve	Allow	Deny
  Publish	Allow	Deny
  Modify Layout	Allow	Deny

   

  All other pages inherit site map level permissions for cap-key-dev role, i.e. only view rights.

  Now issue is that when any user who is part of cap-key-dev tries to view Home page on live site it shows access denied message to that user. Initially Home page was made to deny view access to cap-key-dev  role.  But later we changed the permission to allow view access to cap-key-dev.

  We refreshed browser’s cache and also restarted iis but it didn’t work.

  Can you please help me in resolving this issue, please let me know if you need more details?  Also please note that we are using custom LDAP based membership and role providers.
  
  Thanks and Regards,
  Raghu Lohe

  Reply

• Radoslav Georgiev Radoslav Georgiev

  Posted on Nov 30, 2010 (permalink)

  Hello Raghu,
  
  Thank you for using our services.
  
  Can you please check if you have previously had broken permission inheritance of the Home.aspx page so that users from cap-key-dev? Can you try making this page inherit permissions from the Sitemap root (its parent page) and see if the permissions error will be thown? Do other pages throw the site throw the same exception for this group.
  
  All the best,
  Radoslav Georgiev
  the Telerik team

  Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items

  Reply

• Raghu

  Posted on Dec 2, 2010 (permalink)

  I did exactly the same as per your suggestions but it didn't work.
  
  First I tried with breaking inheritance from Site map for home.aspx and later I made the page inherit from site map and checked it's access. It is not accessible to cap-key-dev where it suppose to be.
  
  Other pages are not throwing any exception when cap-key-dev accesses them.
  
  Thanks,
  Raghu
  

  Reply

• Radoslav Georgiev Radoslav Georgiev

  Posted on Dec 2, 2010 (permalink)

  Hi Raghu,
  
  Is it possible that you have set deny view permission to everyone role?
  
  Best wishes,
  Radoslav Georgiev
  the Telerik team

  Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items

  Reply

• Raghu

  Posted on Dec 6, 2010 (permalink)

  hi Radoslav,
  
  On Site Map level role everyone has following setting
  
  

  View	Allow	Deny
  Create	Allow	Deny
  Modify	Allow	Deny
  Delete / Rollback	Allow	Deny
  Change Permissions	Allow	Deny
  Change Properties	Allow	Deny
  Approve	Allow	Deny
  Publish	Allow	Deny
  Modify Layout	Allow	Deny

  
  Also for Home.aspx role everyone has the same setting as above.
  
  Thanks,
  Raghu
  
  

  Reply

• Ivan Dimitrov Ivan Dimitrov

  Posted on Dec 6, 2010 (permalink)

  Hello Raghu,
  
  There are two possible reasons for this behavior
  
  1. There is some permission inheritance or permissions set over everyone role which applies over all other custom roles you have created
  
  2. The user you use belongs to two or more roles and in one of this roles you have denied the view access. In this case deny permission has higher priority than view.
  
  Best wishes,
  Ivan Dimitrov
  the Telerik team

  Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items

  Reply

Home / Developer Network / Forums / Sitefinity Older Versions (3.x): Security > Issue with Page Permissioning on Live Site