Kentico 9 UI permissions regarding the media library

Is it possible to allow read access only to the media library? I'm setting a role and with the Media Library module, I've only set the Read permission to Allow, but a user with that role still sees the upload button. Am I looking at the wrong module?

If you go to the specific Media Library and then edit.
Then you will see the list of files within the media library.
On the left-hand side, there will be '...', hover over this and then click on Security.
Here you can specify which role you want to perform what action in that specific Media Library.

Did you configure Permissions and UI Personalization?

So in this case, I removed access to the media library. It forces editors to add images as attachments, which was my end goal. Reason being, sync only works with published content, and won't migrate files from one server to another.


How to add a custom CSS file in the style library in a modern SharePoint communication site

I am customizing a SharePoint modern site. When I upload a CSS file to the Styles library, it shows a denied message, but I am the site owner and I have the full control right also.
Have you checked your permission in the style library? And also ensure custom script has been enabled in the current tenant.

Kentico permanent link vs direct path

I'm working on a site where all links (dynamic + hard-coded) to the media library are permanent links (with getmedia...), which makes it very hard to locate the exact folder of the files and update them. I've asked a developer and heard that permanent links are more secure as the system can check who has access to download the materials. Is it a fair statement and why/why not? Thanks for your input!
This is not a fair or correct statement. Access is set at the individual media library directory, not an individual file level.
For example, if you have an Images media library which has no security behind it, you can access it directly with a URL of:
/site/media/images/logo.png or /getmedia/<guid>/logo.png
and the image will display without issue.
Now you have another media library called "Secure_Files", if you attempt to access:
You'll get an error or a login page because the security is set on the
/site/media/secure_files directory.
Here is the documentation on securing media libraries.
By default, Kentico does not check the See library content permission for visitors on the live site. If you wish to require users to have this permission to view media library content, you need to enable the following settings in the Content -> Media category of the Settings application:
Use permanent URLs
Check file permissions
See the note at the very bottom of this documentation page.
Permanent Link is made up of:
Guid ID
Image Path
Eg: /getmedia/C73B5-6A0-4F6-878-3C29D792014/IMG_3860.jpg.aspx
Direct Path is made up of:
Site Name
Media Library Folder Name
Image Path
Eg: /google/media/Blog-images-from-Kentico-Cloud/IMG_360.jpg

In Plone is it possible to remove certain stripped and nasty tags for manager role only?

I'd like to side-step some of the security filtering done by Plone but only for people with manager or site admin roles. I want regular members to be able to add content but that content should still be filtered. Specifically at this moment I'm looking at allowing iFrames for manager role but this question is also more generic. The access to Plone that I'm referring to is a person editing a site page through Plone's standard editing system, TinyMCE.
If you look at the TinyMCE code you'll see that it loads some configuration from the server, through the safe_html transform inside the portal_transforms tool.
You can simply patch the getValidElements method above (adding here some user permission checking before removing/adding stripped tags) but it's not enough: this will simply change TinyMCE behavior (client side) but an evil user can access your site with TinyMCE disabled (really simple to do, just disable JavaScript in the browser), then upload a custom HTML without those filters.
So: the best thing to do is to customize the safe_html transform with the same permission checking. The simple way to add new stuff here without monkey-patching is to register a new plone.outputfilters adapter as described here:
Simply patching safe_html will not work for several reasons:
html is not only filtered on save but also on display. That means that admins would see your iframe but normal users would not.
The filter is only executed once at the first display and then cached for one hour. Adding code that distinguishes between roles would have no effect on the second visitor.
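The second answer's two points (display-time filtering depends on who is viewing, and the one-hour cache hides any role check from later visitors) can be reproduced with a small model. This is an added example, not Plone's code: `strip_iframes`, `CachedDisplayFilter` and `replay` are hypothetical names, and the regex is a stand-in for the real filter, not a usable sanitizer.

```python
import re

# Constructed sample page body; the regex below is a stand-in filter, not a sanitizer.
RAW = '<p>intro</p><iframe src="https://example.invalid/embed"></iframe><p>end</p>'
IFRAME_RE = re.compile(r"<iframe\b.*?(?:</iframe\s*>|$)", re.I | re.S)


def strip_iframes(html):
    """Remove iframe elements (hypothetical stand-in for the safe_html filter)."""
    return IFRAME_RE.sub("", html)


FILTERED = strip_iframes(RAW)


class CachedDisplayFilter:
    """Model of a filter that runs on display and caches its output per document."""

    def __init__(self, ttl=3600):
        self.ttl = ttl      # seconds; the answer states a one-hour cache
        self.cache = {}     # doc_id -> (expires_at, rendered_html)

    def render(self, doc_id, raw_html, viewer_roles, now):
        hit = self.cache.get(doc_id)
        if hit and hit[0] > now:
            return hit[1]   # cache hit: viewer_roles is never consulted
        # The naive patch under discussion: skip filtering when a Manager is viewing.
        out = raw_html if "Manager" in viewer_roles else strip_iframes(raw_html)
        self.cache[doc_id] = (now + self.ttl, out)
        return out


def replay(visits, ttl=3600):
    """visits: list of (time_in_seconds, roles). Returns the HTML each visitor gets."""
    flt = CachedDisplayFilter(ttl)
    return [flt.render("page-1", RAW, roles, t) for t, roles in visits]


if __name__ == "__main__":
    manager, member = {"Manager"}, {"Member"}
    for label, visits, ttl in [
        ("no cache", [(0, manager), (10, member)], 0),
        ("manager first", [(0, manager), (10, member)], 3600),
        ("member first", [(0, member), (10, manager)], 3600),
    ]:
        seen = ["iframe" in html for html in replay(visits, ttl)]
        print(f"{label}: iframe delivered to each visitor -> {seen}")
```

With the cache on, whichever role happens to view the page first decides what every visitor receives until the entry expires.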

add custom webpi feed programmatically

Is it possible to add a custom feed programmatically to Web Platform Installer? I tried adding the feed manually and found that the feed location is stored in the `%APPDATA%\Microsoft\Web Platform Installer\web.preferences` file. However the file seems somewhat cryptic and I would not like to modify it manually. Is there any API for that?
Update: even if this web.preferences file could be edited it is not the way to go as it is a user-specific file and I need system-wide configuration.
Based on this link,
Sorry, there isn't a way to do that currently (for security reasons,
we don't allow an untrusted feed to be loaded without the user's
Once the feed is added via the Options dialog, it does persist between
I think we can't add a custom feed without intervention from the user. Maybe you can use WebpiCmd.exe, which can be configured programmatically via scripts.
C:\Program Files\Microsoft\Web Platform Installer>WebpiCmd.exe /List /Feeds:
A little late, but maybe it may interest others. You can modify the file %APPDATA%\Microsoft\Web Platform Installer\webpi.preferences. Yes, it is a little cryptic, but here's my post about how to do it.
The file webpi.preferences is user-specific. If you want to set settings for all users, all I can think of is to write a bootstrapper application that first modifies webpi.preferences (using the code in the post) and then runs WebPlatformInstaller.exe.

Display document only to user who uploaded it in sharepoint

I have a specific requirement where-in I want only the uploader of the document and a specific team to be able to view it in list / library. 1) is it possible? 2) If yes, how...?
Ok. So I was able to resolve my issue with the steps mentioned below. Soon will be documenting it in form of a blog and share it:
Created the document library and modified the default view to only show documents that were created by/modified by [Me].
Added a new web page to the library and gave exclusive rights to access that to a certain set of users.
Restricted all users from creating a view with the help of creating special permission level where user only had access to upload or delete a document but not creating/updating/deleting lists/views. Also disabled private view creation.
Hope this may be helpful to others too who are looking for restricted views / disabling view creation.
You need to set item level permission through event handler:
#Ashish, in the SharePoint 2007 GUI you cannot make a query that will show documents that belong to a specific group; however, the CAML specification supports it (Membership tag). It wasn't documented until SP2010, but it works on SP2007 (I'm using it).
However this involves custom coding and this doesn't assign permissions automatically, it just enables you to filter documents by groups.
For a solution without custom coding you could consider making a separate folder/list for every person/group and set permissions to folder/list accordingly. This will also help performance - it's better to have permissions set on a high-level container than having fine-grained permissions (I'm just assuming that, because I read everywhere that mass fine-grained permissions are bad for performance).
You may use the current user filter web part to filter the documents by who is logged in to the SharePoint site by passing the value Display Name.
