In our sitecore based website, we have custom sitecore modules for the use of sitecore administrators. Inside each module we do a credential check to see whether the current user is a sitecore user.
using Sitecore.Security.Authentication;
if (AuthenticationManager.GetActiveUser().Domain.Name != "sitecore")
{
//not permitted to use the admin module
}
This check allows the administrators to use the custom module as long as they are logged into the sitecore portal. But the problem is that whenever they use the sitecore "Preview" feature to preview some item, the currently active user gets changed to "extranet\Anonymous". From this point onwards, our custom module thinks that the user is not a sitecore admin, and denies access to the module.
How to overcome this problem? We need this security check for our admin module as well as the preview feature.
Thanks in advance!
PS. Saw this on known issues when investigating further. http://sdn.sitecore.net/Products/Sitecore%20V5/Sitecore%20CMS%206/ReleaseNotes/KnownIssues%20Recommended/Users%20in%20Preview%20mode%20do%20not%20have%20access%20to%20restricted%20pages%20unless%20they%20log%20in%20on%20the%20website.aspx
The Preview application browses the site in the context of the extranet\anonymous user to show how the site looks/behaves for website visitors by hiding secure content etc. To perform the checks you are after in your module you could use Sitecore.Publishing.PreviewManager.GetShellUser() combined with Sitecore.Context.PageMode to get the logic you are looking for.
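One way to combine the two calls named in the answer above, as an added example that is not code from the original post. The class and method names are hypothetical, and it assumes `PreviewManager.GetShellUser()` returns the shell user's account name as a string.

```csharp
using System;
using Sitecore;
using Sitecore.Publishing;
using Sitecore.Security.Accounts;
using Sitecore.Security.Authentication;

// Hypothetical helper for the custom admin modules.
public static class AdminModuleAccess
{
    private const string AdminDomain = "sitecore";

    // True when the person behind the request is a user in the "sitecore" domain,
    // including while Preview runs the page as extranet\Anonymous.
    public static bool IsSitecoreUser()
    {
        User user = AuthenticationManager.GetActiveUser();

        // Only fall back to the shell user in Preview mode. In normal mode the
        // active user stays the single source of truth, so an anonymous visitor
        // is never promoted.
        if (Context.PageMode.IsPreview)
        {
            // Assumption: returns the account name, e.g. "sitecore\editor".
            string shellUserName = PreviewManager.GetShellUser();
            if (string.IsNullOrEmpty(shellUserName))
            {
                return false; // no shell user recorded: deny by default
            }

            user = User.FromName(shellUserName, false);
        }

        return user != null
            && user.Domain != null
            && string.Equals(user.Domain.Name, AdminDomain,
                             StringComparison.OrdinalIgnoreCase);
    }
}
```

Each module would then replace its inline domain comparison with `if (!AdminModuleAccess.IsSitecoreUser()) { /* not permitted */ }`.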
Related
Our team at 18F is working on requirements to obtain an Authority to Operate (ATO). We use Wagtail for our CMS and we currently have the need to log Admin actions. Django should provide this functionality (and should write logs to the table django_admin_log). However, it seems that Wagtail is not logging any Admin actions to that table. We really need this capability. Is there a configuration we are missing to make this happen, or is a code change/modification needed? Thanks for any assistance.
At the moment, Wagtail does not record users' activity in the admin UI, but there is a feature request for this.
You can submit a pull request to add this functionality, if you wish.
When I access my site that's being managed by Sitecore, it's redirecting me and asking for Sitecore credentials. I have no idea why but obviously the main site should be viewable to public without needing creds.
Thanks.
This could be from your Sitecore cookie still being in page editor mode. To fix this, add this query string to your URL:
?sc_mode=normal
This will update your cookie, and there will be no redirect to login anymore.
Assuming that you have a combined CM/CD environment and that this is specific to your computer or other authors' computers, it is likely that Sitecore is picking up on the fact that you were using the Page Editor in a previous session. When you are using Page Editor, Sitecore will drop a cookie called website#sc_mode and set it to "edit". If you return to the page with that cookie set, it will push you to the Login Page as it thinks you are attempting to edit that page.
To resolve this try clearing your cookies or using a browser in Incognito mode/Private Browsing.
If this is happening to other users I would suggest following Martijn's advice in the other Answer and checking your site definition.
Check your site definitions in the web.config and/or the sites.config in the /app_config/include/ folder. Most of the time there is some misconfiguration there.
Check the security roles set on your site pages. If for some reason access has been denied to the 'extranet/anonymous' user you won't be able to browse without being authenticated.
We have two Sitecore 6.5 sites defined within one Sitecore instance so our structure is
/sitecore/content/Site1
/sitecore/content/Site2
If a user selects a site in the Sitecore backend, and then Publishes the site, will Sitecore then publish just the selected site or both the sites within the Sitecore instance?
Out of the box Sitecore will publish everything from both sites on a "site publish"- you can resolve this by:
Dead simple approach: just do an "item publish" on the desired site root and include subitems.
Configure a custom publish target as described by John West: http://www.sitecore.net/Community/Technical-Blogs/John-West-Sitecore-Blog/Posts/2011/05/All-About-Publishing-Targets-in-the-Sitecore-ASPNET-CMS.aspx
If you have 2 sets of users, i.e. one role for each site with the correct read/write permissions set, then you could restrict what gets published using security.
In config set Publishing.CheckSecurity to true
If you set Publishing.CheckSecurity to true, then members of the
Sitecore Client Publishing role must have both read and write access
in order to publish an item. If you additionally set the
Publishing.RequireTargetDeleteRightWhenCheckingSecurity setting in the
web.config file to true, then the user must have delete access in the
item in the target database to publish a deletion.
Of course, if a user belongs to both roles then that still means both sites will be published, you can just publish an item and sub-items
Use Default or Custom Access Rights to Control Whether Users Can Publish an Item
Publishing Security Basics
I've seen a similar question asked a few times, but usually it is from people trying to find out which Page is currently accessing their Tab app. (Which you can do by inspecting the signed_request.)
I'm trying to build a UI that will show the user all the Pages that he/she is an Admin of, and then display which of those Pages have my Tab app already installed. I'd like to make a FB graph API call to either a) get the list of Pages that have my Tab app installed or b) get a yes/no answer for whether a particular Page has it installed. Is this possible?
As a fallback, I will make a table in my database to track Page IDs whenever a Page views my Tab (using the aforementioned signed_request) but this won't be as good, because it won't know when someone has uninstalled the Tab from a Page.
To be complete (for future readers): this does not require manage_pages. You can also use the FB app's token. Also see: Check if page tab app is still installed
In the general case, 'no', without keeping track on your side via the signed_request but if you're already obtaining manage_pages access from the user it's pretty trivial to check if a particular app (i.e, yours) is installed on the page
See the page documentation for details, relevant part:
You can test if a specific app is installed on a page profile tab by issuing an
HTTP GET to PAGE_ID/tabs/APP_ID. If the app is installed, this will return the
following fields:
(you'll need the page access token from the user's /accounts connection for that call)
In the last year we've had a couple of incidents where a user accidentally unpublished the 'Home' item (which is the root item in our site), before publishing it to our 'Live' database, which removed it from the site.
What is the best way to prevent important content from being unpublished from a production Sitecore web site?
Your "easy" security options are to either protect the Home item itself from editing, or to restrict access to publishing options. Using standard Sitecore security, disable write access on Home for a particular user role, or disable read access on the Publishing Restrictions chunk or button in core (/sitecore/content/Applications/Content Editor/Ribbons/Chunks/Publish Restrictions/Change).
If you really don't need anyone besides admins editing the Home item, you can also Protect the item from the Configure ribbon.
If you'd like to just disable publishing restrictions on Home, that could be more complicated. Your best approach would likely be to extend the SetPublishing command. The following is untested:
Extend Sitecore.Shell.Framework.Commands.SetPublishing
Override Execute(CommandContext)
Check context.Items[0] to see if it's your home page (GUID or Template ID check if multi-site). If so, abort. If not, call base.Execute(context). (You could also add a check for Sitecore.Context.User.IsAdministrator if so desired.)
Replace item:setpublishing command in Commands.config.
Reference Sitecore.Shell.Framework.Commands.SetPublishing in your favorite decompiler as needed.
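The steps listed in this answer, written out as an added example that is not code from the original post and, like the answer's outline, has not been run against a Sitecore instance. The namespace, class name, assembly name and the item ID are placeholders.

```csharp
using Sitecore;
using Sitecore.Data;
using Sitecore.Data.Items;
using Sitecore.Shell.Framework.Commands;
using Sitecore.Web.UI.Sheer;

namespace Example.Commands // hypothetical namespace
{
    // Registered in Commands.config in place of the stock entry, for example:
    // <command name="item:setpublishing"
    //          type="Example.Commands.GuardedSetPublishing, Example" />
    public class GuardedSetPublishing : SetPublishing
    {
        // Placeholder value: replace with the ID of the Home item to guard.
        // For a multi-site setup, compare item.TemplateID instead.
        private static readonly ID ProtectedItemId =
            new ID("{00000000-0000-0000-0000-000000000000}");

        public override void Execute(CommandContext context)
        {
            Item item = (context != null
                         && context.Items != null
                         && context.Items.Length > 0)
                ? context.Items[0]
                : null;

            // Abort for the guarded item unless the current user is an administrator.
            if (item != null
                && item.ID == ProtectedItemId
                && !Context.User.IsAdministrator)
            {
                SheerResponse.Alert(
                    "Publishing restrictions on this item can only be changed by an administrator.");
                return;
            }

            // Every other item keeps the stock behaviour.
            base.Execute(context);
        }
    }
}
```

This guards only the ribbon command; the item security and Protect Item options described in the answers still decide who can edit the item by other routes.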
You can also just mark the home item as protected. You can double-check but I believe that prevents any mod/del of an item. In the Configure tab, see Protect Item button