3

What I'm trying to do now is to let only users of a specific role to access a page (and its child pages). this is what I got at the moment:

USERS

User A -> Member of RoleA, RoleB

User B -> Member of RoleB.

CONTENT TREE

  • MainNode

    • PAGE TO SECURE

    • other pages that need to be public.

PERMISSIONS ON "PAGE TO SECURE"

  • added "Role A" and check "Allow" on "full control". "Required Authentication" set to "Yes".

DESIRED RESULT

"PAGE TO SECURE" accessible only if a user is part of Role A REGARDLESS the fact is part of other roles too.

WHAT I GOT INSTEAD

  • if a user is authenticated, it can see the "Page to secure" regardless of roles.

WHAT I TRIED

  • add on permission on the page for all other roles to "Deny". since "Deny" has priority over "Allow", User A is still not allowed to see the page despite the fact that got the right role too.

  • followed the advice on this thread http://devnet.kentico.com/forums?forumid=54&threadid=23234 (is for kentico 5 but is the only thread i've found so far about this issue) to add another node and set that as a parent of the page to secure, then set deny all to this new parent node and then break inheritance and allow only the role A. this didn't work as user B is still able to access the page.

  • the above article talks about creating a custom web part. I prefer not to use this approach for such a basic feature. hope there's another way to achieve this.

Massimo Franciosa
  • 544
  • 3
  • 12

3 Answers3

4

You can't do it by permissions, beacuse the permission "Deny" has higher rank than "Allow". So when the user is in the role A and B which A has Allow and B Deny, the Deny is blocking. The only approach for this is to create your own web part, that will manage this.

Dawid Jachnik
  • 447
  • 2
  • 4
0

I'm afraid, you're wrong. I was able to set this up locally.

Here are my configuration:

Page security:

  • "My test role" has read and browse permissions
  • It does not even requires authentication, but it would also work when authentication is required

Settings -> Security & Membership

  • Check page permissions is set to "All Pages" (Secured area should also work if page requires authentication)

I'm getting access denied for anyone, who is not in "My test role".

Hope this helps

Roman Hutnyk
  • 1,549
  • 9
  • 14
  • 1
    i got exactly the same setup: if you try to get to that page with a user with another role or no role, it will still be able to access the page. – Massimo Franciosa Mar 24 '16 at 14:18
  • I'm getting access denied with a user without the role. Does your page inherit security from parents? – Roman Hutnyk Mar 24 '16 at 14:20
  • no...in fact I got the text "This page does NOT inherit permissions from the parent page.". I got only the desired role specified with read access permissions. – Massimo Franciosa Mar 24 '16 at 14:32
  • Okay, I'll go from opposite: granting one role with an access to a page and denying other is a basic security settings and there is no way for Kentico to be in the market without handling basic things. That means there should be something wrong on your side. Check event log, use debug feature to troubleshoot this. – Roman Hutnyk Mar 24 '16 at 14:51
0
  • Go to PAGE TO SECURE
  • Set Requires Autentication
  • Add Role A, and give access to the document
  • Make sure Authenticated users is not in the list (break inheritance if needed. The only thing listed should be role A)

Only people in role A will be able to access that page. If you have the role "Autenticated Users" listed with their access set to deny, that will trump your role selection.

Zach Perry
  • 746
  • 3
  • 12