ACL setting on XPage not working as expected - xpages

I am trying to restrict access to an xpage. In the acl of the application I have Manager access. When I try to decrease the access level for myself via the acl property of the xpage to "NOACCESS" I still gain access to the xpage as I would normally do. I would have expected to gain no access at all:
<xp:this.acl>
  <xp:acl>
    <xp:this.entries>
      <xp:aclEntry type="ANONYMOUS" right="NOACCESS"></xp:aclEntry>
      <xp:aclEntry type="DEFAULT" right="READER"></xp:aclEntry>
      <xp:aclEntry name="Malin Andersson/O=banken" right="NOACCESS" type="USER"></xp:aclEntry>
    </xp:this.entries>
  </xp:acl>
</xp:this.acl>
Am I doing something wrong?

Write the entry with your name first.
Only the first entry that matches the user by name, group or role is used.
DEFAULT applies to everyone and "wins" in your case.
(see Mastering XPages: A Step-by-Step Guide to XPages Application Development and the XSP Language (2nd Edition) page 1043)
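An added example, not code from the original answer or from the XPages runtime: a small JavaScript model of the first-match rule described above, run against the entries from the question in their posted order and in the corrected order. The entry types handled, the sample users and the fall-back to NOACCESS when nothing matches are assumptions made for the demo.

```javascript
// Added example (not the page's code): models the first-match rule for an
// XPage's <xp:acl>. Entries are tested in document order and the FIRST one that
// matches the user decides the right; DEFAULT matches everyone, so placing it
// before a named USER entry makes that USER entry unreachable.
// Assumptions: entry types ANONYMOUS/DEFAULT/USER/GROUP/ROLE only, and NOACCESS
// when no entry matches at all. Users below are constructed sample data.
function matches(entry, user) {
  switch (entry.type) {
    case "ANONYMOUS": return user.anonymous === true;
    case "DEFAULT":   return true;                 // DEFAULT: applies to everyone
    case "USER":      return !user.anonymous && entry.name === user.name;
    case "GROUP":     return !user.anonymous && user.groups.includes(entry.name);
    case "ROLE":      return !user.anonymous && user.roles.includes(entry.name);
    default:          return false;
  }
}

// Right granted by the first matching entry; later entries are never consulted.
function resolveRight(entries, user) {
  for (const entry of entries) {
    if (matches(entry, user)) return entry.right;
  }
  return "NOACCESS";
}

const malin = { name: "Malin Andersson/O=banken", groups: [], roles: [], anonymous: false };
const guest = { name: "Anonymous", groups: [], roles: [], anonymous: true };

// Order as posted in the question: DEFAULT sits before the USER entry.
const asPosted = [
  { type: "ANONYMOUS", right: "NOACCESS" },
  { type: "DEFAULT",   right: "READER" },
  { type: "USER", name: "Malin Andersson/O=banken", right: "NOACCESS" },
];

// Order the answer recommends: the named entry first, DEFAULT as the catch-all.
const fixed = [
  { type: "ANONYMOUS", right: "NOACCESS" },
  { type: "USER", name: "Malin Andersson/O=banken", right: "NOACCESS" },
  { type: "DEFAULT",   right: "READER" },
];

function demo() {
  return {
    postedMalin: resolveRight(asPosted, malin), // "READER": DEFAULT matched first
    fixedMalin:  resolveRight(fixed, malin),    // "NOACCESS": USER entry is reached
    guest:       resolveRight(fixed, guest),    // "NOACCESS" via the ANONYMOUS entry
  };
}
```

The same ordering discipline applies to GROUP and ROLE entries: anything more specific than DEFAULT must appear above it.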

Related

Disable exporting data from the user interface

Can we disable exporting data from the user interface actions in Kentico Managing form data?
Regards,
SA
Try setting the ShowObjectMenu property of the UniGrid to false. Detailed documentation available here.
The UniGrid definition should be the one found in this file (can't verify it as I currently don't have access to a Kentico instance): CMSModules\BizForms\Controls\BizFormEditData.ascx
Not all objects, pages, etc have the permissions available/coded to allow this restriction that I'm aware of within the user interface. Take a look at the post I wrote on restricting download/export of anything out of Kentico.
Short story is you set the permissions at the IIS level on /CMS/CMSSiteUtils/Export directory to not allow the user running IIS app pool to access that directory. This directory is where all exports, no matter what, get sent to.

Liferay Web content display, disable default permissions for Guest/Site member

I've previously added filters to JournalArticleLocalServiceImpl Class before calling addArticleResources() method and setting the addGuestPermissions boolean to false to disable default permissions for Guest/Site member roles on WEB CONTENT.
The change reflects on control panel --> Web content, but not on WEB CONTENT DISPLAY PORTLET.
What needs to be done to disable default guest/site member permissions on Web content display?
liferay version: 6.1.2
If I understand you correctly, you have an article which does not have guest view permission. When you add it to a Web Content Display Portlet, the portlet's permissions are unchanged?
In case this describes your situation: Note that this is completely expected: The portlet is configured to show any article. When the portlet is "protected", this has nothing to say for the article. A read-protected article on the other hand would leave an empty portlet, e.g. the article would not be shown, despite the portlet's permission.
If this does not describe your situation, please describe with more detail

'Admin' user getting redirected to $$LoginUserForm

I have a user, Admin Mustermann/magerman, who is defined as an Editor Person in the ACL of my application and who has the role [Admin].
After logging in I can see that that user has the role [Admin].
But whenever I try to access my admin.xsp page, I am getting redirected to the $$LoginUserForm of my database.
The admin.xsp Page is controlled by the following ACL Access:
<xp:this.acl>
  <xp:acl>
    <xp:this.entries>
      <xp:aclEntry type="DEFAULT" right="NOACCESS"></xp:aclEntry>
      <xp:aclEntry type="ROLE" right="EDITOR" name="[Admin]" fullName="Admin"></xp:aclEntry>
    </xp:this.entries>
  </xp:acl>
</xp:this.acl>
I've also tried with the following syntax:
<xp:aclEntry type="ROLE" right="EDITOR">
  <xp:this.name><![CDATA[[Admin]]]></xp:this.name>
  <xp:this.fullName><![CDATA[[Admin]]]></xp:this.fullName>
</xp:aclEntry>
but to no avail.
Update:
I'm no longer sure it has something to do with the ACL entries on the XPage itself. Once I removed them, I land on the page but the XPages Debug Toolbar shows that I am now 'Anonymous'.
I should also mention that I'm using two directories for authentication (with directory assistance).
I don't know if this is related, but the XPages Debug Toolbar is sometimes also unresponsive (i.e. I click on the headers but nothing happens).
Is there a way of letting me track the whole authentication procedure that my server is doing? The server log is not very talky.
I wonder why you set ACL options to your XPage at all. I never used it and when I did (when I started with XPages) I always faced problems as those entries disturbed the general ACL settings when they should refine them. Never used them later.
If you want to restrict access to a special page you can work around it by doing some scripting in the beforePageLoad event. Check roles and access and - if needed - redirect to another page.
Duh.
My 'Internet Website'/ domcfg.nsf setup was not correctly set up.
It's all well explained by John Daalsgard in this question:
Lotus Domino Internet site document.
Ironically, I have commented this as well, so I can't even pretend that I didn't know it.

Site members/visitors get access denied error page because of webpart

I've developed a custom webpart. I can add it to a page and site owners can view the page with no problems.
However Site visitors/users get redirected to the access denied error page. Sure, I must be doing some stuff normal users are not allowed to.
But the thing that bugs me is that when I place a breakpoint in the webpart constructor or even a variable declaration it won't get hit! (If I try to view the page with limited privileges.) But in my browser, I get the access denied page. However, if I close that webpart, I instantly have access to that page and everything is OK.
What's the catch here? I was hoping I could catch exception with debugger to see which statement is guilty one, but it seems webpart doesn't execute any code and I get that exception.
Edit: Sorry, turns out debugger now hits those breakpoints. Don't know what changed, because symbols were loaded.
What is the trust level at your SharePoint site? You might want to give Full trust temporarily to see if you have any access problems.
If yes, then you might have a Code Access Security (CAS) problem on your hands. My first instinct is that your assembly does not have the necessary privileges to run correctly for normal users.
You can configure it using a custom CAS entry in the manifest.xml for the webpart, e.g. if you are calling external resources then you might have to configure System.Net.WebPermission and define which URL you are allowed to access. You can find more info on this at the U2U site.
Also what does your webpart do? If you are trying to access resources which normal users don't have access to (e.g. a list in some site) then you have to use the SPSecurity.RunWithElevatedPrivileges method, so that you have the necessary privileges (be careful to create a new Site instance within that method so that the Context populates correctly).
Found the solution.
Turns out that I wanted to determine if a user belongs to a specific group by trying to access that group's users. As this was impossible if a user doesn't have such permissions, it was throwing some kind of internal exception with message
"Unable to evaluate expression because the code is optimized or a native frame is on top of the call stack."
Anyways, I now learned to loop through SPUser.Groups (SPGroupCollection) and check if we have a matching group rather than enumerating group principals and seeing if he's inside.
You need to give permission (update personal webpart) to the visitor group. However, it is not recommended. If you want you can create a separate permission level and associate it with the visitors group.
Cheers!!

Why does HttpContext.Current.User.Identity.Name return the wrong username when used in a webpart?

In a Sharepoint web page I am having a problem identifying the logged in user!
The Masterpage contains a normal ootb control that displays the username
<%@ Register TagPrefix="wssuc" TagName="Welcome" Src="~/_controltemplates/Welcome.ascx" %>
.....
.....
<wssuc:Welcome id="explitLogout" runat="server" />
This always displayed the correct logged on user.
However if I call
HttpContext.Current.User.Identity.Name
from within a webpart then in 1 or 2% of cases I will get the incorrect name returned.
This gives me a page that will have the correct username at the top, and the incorrect one in the webpart. Other methods of getting the name in the webpart return the same incorrect name. If the name checker webpart is on the same page multiple times then very rarely the second copy of the webpart will have the correct name or a third incorrect identity!
The identities are stored in Active Directory, and the users authenticate against an ISA server; users are not on the same domain as the SharePoint infrastructure. The SharePoint farm is rather complex with the ISA servers, four web front ends, an apps server and finally a database server.
Has anyone had this happen before, or have any clue as to the direction I should take to investigate the problem?
The servers are running IIS6 on Server 2003. SharePoint is at SP2 but without the latest bunch of patches.
Additional:
Output Cache is enabled. Authenticated Cache Profile is "Intranet"
The settings for that profile are as follows:
Title: Intranet (Collaboration Site)
Display Name: (BLANK)
Display Description: Optimized for collaboration sites where authoring, web part customization, and minor versions are enabled.
Perform ACL Check: Yes
Enabled: Yes
Duration: 180
Check for Changes: Yes
Vary by Custom Parameter: (BLANK)
Vary by HTTP Header: Browser
Vary by Query String Parameters: (BLANK)
Vary by User Rights: Yes
Cacheability: ServerAndPrivate
Safe for Authenticated Use: Yes
Allow writers to view cached content: (BLANK)
SharePoint runs under the application pool account. You need to use
SPContext.Current.Web.CurrentUser.LoginName
to get the current user.
This was a while ago and I am sorry for not reporting back our solution... and now I don't remember clearly what it was! Something to do with Donut Caching that we had misunderstood.
http://blogs.catapultsystems.com/tlingenfelder/archive/2011/03/24/sharepoint-caching-techniques.aspx
