We have created a site that needs to have most of the pages locked down to anonymous users. The only pages they should be able to access are:
Login
Reset Password
Account Validation
Page Not Found
Privacy Policy
T & Cs
The startItem of the website has been set to "/Home", as all of the other pages, including those that are allowed anonymous access, are below it.
This node has had "extranet\Anonymous" read removed and then we allow read access of the specific pages that we want them to have access to.
What we have found is that if we request a URL such as www.domain.com/page-i-cant-get-to then Sitecore will redirect you to the URL set in the loginPage attribute on the site, which is correct.
However if I request www.domain.com I get an error saying "The layout for the requested document was not found."
If I do login, then go to the same URL, everything is fine.
I've stepped through the ExecuteRequest pipeline and have found when requesting www.domain.com/page-i-cant-get-to the Context.Item is null, so it's passed into the HandleItemNotFound(args) method.
If we request the root page, then this is set to be the root Sitecore node ID {11111111-1111-1111-1111-111111111111} and so passes over the HandleItemNotFound and into the HandleLayoutNotFound(args).
I tried using the "requireLogin" attribute, but then I can only get access to the loginPage and not any of the other pages I want to allow anonymous access to.
I have also tried changing the startItem to be the login page, but then all the URLs for the pages are in an incorrect structure.
Is anyone able to shed any light on how this should be done?
Thanks in advance
Why don't you try leaving the anonymous user with read permission on the home item and then deny the pages (items) you want to block?
At the moment I use the Facebook API to read out the posts of public pages via //posts. I use this data to show on a display in the store the latest Facebook post that the store placed on their page.
We have a lot of stores that use this, but for most pages I don't have an access token, so I use the app access token to read it. However, I did receive a warning that I need to request the "Public page content" permission. So I requested it, but it was denied with the message "We determined that your app's use case for this permission is invalid, or it's not needed to support its core functionality."
I think I need this permission, and I also think this is an allowed use case.
I did explain why I needed the permission, and uploaded a screencast of what the screen looks like.
Am I missing something? Or do I not need the permission to read public posts of a page? (Wish the explanation of why the permission was denied was better.)
I'm setting up a private wiki under a subdomain of a domain my company uses for wikis on AWS. I just purchased the MediaWiki instance from the AWS marketplace and have been working to just get the wiki up and running including setting up the admin account passwords, installing a Let's Encrypt cert for HTTPS, and disabling access to anonymous users. I was testing to verify that this works when I ran into an issue: upon successful login, a blank "Log in" page is shown instead of redirecting to the original destination.
So first I go to https://private.example.com/index.php/Main_Page and get a "Login required" page with a link to log in. This is expected.
When I click on the link, I get sent to https://private.example.com/index.php?title=Special:UserLogin&returnto=Main+Page&returntoquery= with the title "Log in" and the log in form, which looks good so far.
However when I enter in the admin username and password and submit, I expect to be redirected back to https://private.example.com/index.php/Main_Page with the content visible, but instead I get redirected to https://private.example.com/index.php?title=Special:UserLogin&returnto=Main+Page with the title "Log in" and no body. I've tried this on a different browser to see if it is some sort of caching issue, but I get the same results there too.
Since I've done almost nothing, I don't know what I could have done to cause this. Is there a configuration that I either failed to set up correctly or perhaps corrupted that might cause this? Could it be related to the wiki having a subdomain URL?
This may be caused by the $wgServer variable in LocalSettings.php (likely located at /var/www/mediawiki/LocalSettings.php) not being set (or set properly). I.e. the redirect won't work if it's empty, e.g.:
$wgServer = "";
So in your case it would need to be set like this:
$wgServer = "https://private.example.com";
I.e. the scheme and domain of your site.
I am using onRequest() to validate the access level of a user and if the user has the privilege to access the page then include the requested template. If he doesn't, I redirect to the last active page or default page. The last active page has been stored in session scope.
I am trying to show a message for unauthorized access on the redirected page.
The simplest solution would be to add a URL parameter to the redirected page.
Is there any other approach for this?
Since you store the "last active" page in the session scope, you could easily store the "redirection message" in the session scope as well.
Problem with links that pull their state out of the session is that they become unstable when there is no session (timed out, for example). The next time the link gets reloaded (browser restore, for example), the page has no context to display.
Therefore, storing the state in the URL is not a bad thing. Either that or you go with the session and explicitly write your code so that it handles the "no session" condition sensibly.
EDIT: Note the comment by #Mark about the dangers of XSS. While that can be mitigated by proper use of HtmlEditFormat() and URLEncodedFormat(), there is a general danger of people abusing the feature to construct URLs that make your page show inappropriate messages. Using error codes instead of clear text messages in the URL is highly advisable. It also results in shorter URLs and it is internationalization-friendly.
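An added illustration of the answer's advice (not code from the original thread, and in Python rather than the question's ColdFusion): the clear-text pattern echoes whatever text arrives in the URL, while the error-code pattern looks the code up in a server-side table, falls back to a neutral message for unknown or forged codes, and escapes the output. The function names and the `/home.cfm` target are hypothetical.

```python
import html
from urllib.parse import parse_qs, urlencode, urlparse

# Server-side catalogue of messages keyed by short codes; the clear text never travels in the URL.
MESSAGES = {
    "unauthorized": "You do not have permission to view that page.",
    "session_expired": "Your session has expired. Please log in again.",
}
DEFAULT_MESSAGE = "The requested action could not be completed."


def redirect_url_clear_text(target, message):
    """Pattern the answer warns about: the message itself is carried in the URL."""
    return f"{target}?{urlencode({'msg': message})}"


def render_clear_text(url):
    """Renders the URL-supplied message verbatim: anyone who crafts a link controls the text and markup."""
    msg = parse_qs(urlparse(url).query).get("msg", [""])[0]
    return f"<p class='error'>{msg}</p>"


def redirect_url_with_code(target, code):
    """Recommended pattern: only a code known to the server goes into the URL."""
    if code not in MESSAGES:
        raise ValueError(f"unknown error code: {code}")
    return f"{target}?{urlencode({'err': code})}"


def render_with_code(url):
    """Looks the code up server-side; unknown codes get a neutral message, and the text is HTML-escaped."""
    code = parse_qs(urlparse(url).query).get("err", [""])[0]
    text = MESSAGES.get(code, DEFAULT_MESSAGE)
    return f"<p class='error'>{html.escape(text)}</p>"


if __name__ == "__main__":
    # Constructed link a third party could hand to a user under the clear-text pattern.
    forged = redirect_url_clear_text("/home.cfm", "<b>Your account has been suspended</b>")
    print(render_clear_text(forged))                                   # markup and wording are attacker-chosen
    print(render_with_code(redirect_url_with_code("/home.cfm", "unauthorized")))
    print(render_with_code("/home.cfm?err=<b>anything</b>"))            # unknown code, neutral fallback
```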
After the user has logged in, I have security on page 1 (homepage) of an Apex application which prevents unauthorized users getting any further. Once the user has logged in, it goes away to an Apex authorization group and checks whether their name is in the group. If it isn't, it says... you shall not pass.
However, if an authorized user copies the web address of page 3 (view employee salaries) and gives it to an unauthorized user, they can use it: it redirects them to the login page, they log in, and they're in to that page!
To get round this as a temporary measure I set up each page to have the same authorization group as on page 1. This works, but surely there must be a simpler way to manage this?
E.g. the user enters the web address, it redirects them to the login page, and once they are logged in it doesn't work as they are not part of the group?
I think I found a solution; there is something called 'Deep Linking' under the security tab in the Application's properties. I have now set this to disabled and it always redirects the user back to the homepage.
The correct method is indeed to set up authorization schemes on objects that have to be screened off. In apex 4.2 however (I believe - don't think this was in 4.1) you can go to "application properties > security" and there is an "authorization" section there where you can set up a global authorization scheme.
According to the documentation I must remove an apprequest when a user has accepted it. There is however a problem with this.
When I accept an apprequest, I will be redirected to my app. But in the url parameters only the apprequestid(s) are included. The userId of the current user is unavailable.
My app doesn't require authentication so I can't access the current users data.
How do I remove the apprequest for this user when I don't have access to the user data or access token as described here:
The old method of the apprequest allowed me to extract the userid from the requestid. This is not possible anymore.
You have to have authentication to "tamper" with user data - that includes app invitations.
However, with an App Access Token you might be able to delete the post without authenticating your user (you'll still have to acquire their UID - possibly from the signed_request). You can read at this link about app login and how to retrieve the correct access token.
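As an added example (not code from the thread or from the platform's SDK), this is how the UID in a signed_request should be read: the value is only trustworthy after the HMAC-SHA256 signature over the encoded payload has been verified with the app secret, using a constant-time comparison. It assumes the documented layout `base64url(signature).base64url(JSON payload)`; the app secret and payload below are constructed, and the subsequent deletion call is outside its scope.

```python
import base64
import hashlib
import hmac
import json


def _b64url_decode(s):
    # signed_request fields are base64url without padding; restore it before decoding
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def parse_signed_request(signed_request, app_secret):
    """Return the payload dict if the signature verifies, otherwise None."""
    try:
        sig_b64, payload_b64 = signed_request.split(".", 1)
        expected = hmac.new(app_secret.encode(), payload_b64.encode(), hashlib.sha256).digest()
        # compare_digest avoids leaking where the signature first differs
        if not hmac.compare_digest(_b64url_decode(sig_b64), expected):
            return None
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # bad split, bad base64 or bad JSON
        return None
    if str(payload.get("algorithm", "")).upper() != "HMAC-SHA256":
        return None
    return payload


def user_id_from_signed_request(signed_request, app_secret):
    """UID of the user, or None if the request is unsigned/forged or the user never authorized the app."""
    payload = parse_signed_request(signed_request, app_secret)
    return None if payload is None else payload.get("user_id")


def make_signed_request(payload, app_secret):
    """Helper that builds a signed_request the way the platform does, for constructing test input."""
    payload_b64 = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(app_secret.encode(), payload_b64.encode(), hashlib.sha256).digest()
    return f"{_b64url_encode(sig)}.{payload_b64}"


if __name__ == "__main__":
    secret = "constructed-app-secret"  # placeholder, not a real secret
    sr = make_signed_request({"algorithm": "HMAC-SHA256", "user_id": "12345", "issued_at": 1700000000}, secret)
    print(user_id_from_signed_request(sr, secret))        # 12345
    print(user_id_from_signed_request(sr, "wrong-secret"))  # None
```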