
I'm setting up a secure area of a site and I'm curious about how Kentico (version 11) checks permissions. According to the documentation -

Check page permissions - Indicates if the website should check the user permission settings of pages and apply them. The following values are possible:

  • All pages - permissions will be checked for all pages on the website.
  • No page - permissions will not be checked for any pages.
  • Secured areas - permissions will be checked only for pages that are configured to require authentication.

This seems to indicate that if a page is set to require authentication, the page permissions will be checked. However, if my site is set with Settings -> Security & Membership and set Check page permissions to Secured areas, members in Groups that don't have permissions are able to access the page.

If we edit the settings to Settings -> Security & Membership and set Check page permissions to All pages, the users are appropriately denied access.

We would prefer not to check page permissions on every page for performance reasons. I can create a control to check the permissions of the page but I was curious if there was some reason why setting the page to require authentication and checking permissions for secured areas doesn't work the way the documentation indicates it would.

sween_sp

1 Answer


I can guarantee you from a performance standpoint you won't notice a difference. If you want it to check permissions, you WILL NEED to have that site/global setting checked; there is no way around it.

If you have that global setting checked and it's denying access to everyone, then you don't have your permissions set properly at the root level. At the root level, there should be no permissions set. Then at your /members-only page, add the role "Authenticated users" and, below that box, check the Read box under the Allow column. This is the simplest setup for permissions you can have for a test case.

Brenden Kehren
  • Thanks for the reply. So based on your experience - this part of the documentation is not correct - Secured areas - permissions will be checked only for pages that are configured to require authentication? We have to set it to check all pages if we want to check permissions – sween_sp Mar 18 '19 at 15:15
  • The most common setup we use is to set the Settings to "Secure areas" and simply flag a node or parent node requiring authentication. If you have pages where individual pages need special permissions, then you will need to use the "All Pages" setup. In most cases, you can set permissions at the parent and let it flow through the children so "All pages" won't be needed. – Brenden Kehren Mar 18 '19 at 18:50
  • Actually, it is checking permissions if the setting is set to Secured areas and the Page is set to Requires Authentication. The problem is that it is allowing any authenticated user access to the secure page regardless of whether or not they are in the role added in the users and roles box with the read permission set. If we explicitly Deny other Roles they will get the access denied page appropriately. We don't want to have to deny all of the other roles so we will just handle it in code. – sween_sp Mar 18 '19 at 20:14
  • You need to configure the page level permissions - it can be tricky and sometimes you need to do it the opposite way, negate your statement. If you do not set the page level permissions, then the level-up permissions are applied, in this case the Content module or page type permissions. So, you may want to e.g. deny access to everyone on the parent page and then go to the certain pages, break the permissions inheritance and allow some permissions to desired users or roles. – jurajo Mar 19 '19 at 06:36
  • Unfortunately, as soon as you mark a page as requires authentication, even with page permissions checked set to All pages and denying access to Everyone at the parent, any authenticated user gets access to the page unless we explicitly deny the permission for the other roles. – sween_sp Mar 19 '19 at 13:43
  • Looks like this is the same issue we are seeing and Kentico indicated you have to customize - https://stackoverflow.com/questions/36197165/kentico-8-page-access-deny-for-all-users-except-a-role?rq=1 – sween_sp Mar 19 '19 at 14:37