I have a user, Admin Mustermann/magerman, who is defined as an Editor Person in the ACL of my application and who has the role [Admin].
After logging in I can see that the user has the role [Admin], but whenever I try to access my admin.xsp page, I am redirected to the $$LoginUserForm of my database.
The admin.xsp Page is controlled by the following ACL Access:
    <xp:this.acl>
        <xp:acl>
            <xp:this.entries>
                <xp:aclEntry
                    type="DEFAULT"
                    right="NOACCESS">
                </xp:aclEntry>
                <xp:aclEntry
                    type="ROLE"
                    right="EDITOR"
                    name="[Admin]"
                    fullName="Admin">
                </xp:aclEntry>
            </xp:this.entries>
        </xp:acl>
    </xp:this.acl>
I've also tried with the following syntax:
    <xp:aclEntry
        type="ROLE"
        right="EDITOR">
        <xp:this.name><![CDATA[[Admin]]]></xp:this.name>
        <xp:this.fullName><![CDATA[[Admin]]]></xp:this.fullName>
    </xp:aclEntry>
but to no avail.
Update:
I'm no longer sure it has something to do with the ACL entries on the XPage itself. Once I removed them, I land on the page, but the XPages Debug Toolbar shows that I am now 'Anonymous'.
I should also mention that I'm using two directories for authentication (with directory assistance).
I don't know if this is related, but the XPages Debug Toolbar is sometimes also unresponsive (i.e. I click on the headers but nothing happens).
Is there a way of letting me track the whole authentication procedure that my server is doing? The server log is not very talky.
I wonder why you set ACL options to your XPage at all. I never used it and when I did (when I started with XPages) I always faced problems as those entries disturbed the general ACL settings when they should refine them. Never used them later.
If you want to restrict access to a special page you can work around it by doing some scripting in the beforePageLoad event. Check roles and access and, if needed, redirect to another page.
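The beforePageLoad check suggested in the answer above, as an added example that is not part of the original post. The page names and the `makeContext` stand-in are hypothetical; in an XPage the real `context` global is passed instead.

```javascript
// Added example. In SSJS, `context` is the XPages global; makeContext() below is a
// constructed stand-in so the same function can be exercised outside Domino.
// Page names ("login.xsp", "accessDenied.xsp") are hypothetical.

// Returns "allow", or the page the request was redirected to.
function guardPage(context, requiredRoles, loginPage, deniedPage) {
  var user = context.getUser();
  // An unauthenticated session goes to login, not to "access denied": a user who
  // unexpectedly arrives as Anonymous has an authentication problem, not a role problem.
  if (user.isAnonymous()) {
    context.redirectToPage(loginPage);
    return loginPage;
  }
  var roles = user.getRoles(); // list of role names such as "[Admin]"
  for (var i = 0; i < requiredRoles.length; i++) {
    if (roles.contains(requiredRoles[i])) {
      return "allow";
    }
  }
  // Authenticated but no matching role: fail closed.
  context.redirectToPage(deniedPage);
  return deniedPage;
}

// Constructed stand-in for the XPages context and user objects (test data only).
function makeContext(name, roleNames) {
  var ctx = {
    redirectedTo: null,
    getUser: function () {
      return {
        isAnonymous: function () { return name === "Anonymous"; },
        getRoles: function () {
          return { contains: function (r) { return roleNames.indexOf(r) !== -1; } };
        }
      };
    },
    redirectToPage: function (page) { ctx.redirectedTo = page; }
  };
  return ctx;
}

// Demo run under Node with constructed sessions; in an XPage, call
// guardPage(context, ["[Admin]"], ...) from beforePageLoad instead.
var admin = makeContext("Admin Mustermann/magerman", ["[Admin]"]);
var anon = makeContext("Anonymous", []);
console.log(guardPage(admin, ["[Admin]"], "login.xsp", "accessDenied.xsp"));
console.log(guardPage(anon, ["[Admin]"], "login.xsp", "accessDenied.xsp"));
```

A page-level redirect only hides the page; the database ACL still decides who can read or change the underlying documents.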
Duh.
My 'Internet Website'/ domcfg.nsf setup was not correctly set up.
It's all well explained by John Daalsgard in this question:
Lotus Domino Internet site document.
Ironically, I have commented this as well, so I can't even pretend that I didn't know it.
I've been wrestling with uniquely restricting one page in my Kentico installation to be viewed by only two Roles, everyone else should be redirected to a page telling them they need to jump over the paywall. I've not determined the best way yet to do this. Along the way I've found that when I try to access that page from the menu at the top of the page it respects my permission by denying access. However when I use that same link from an editable web part lower in the page it seems to ignore permissions. While it looks like two questions here what I really want to know is how to deny access unless a user is in a particular role and then if denied how do I redirect them to a page to explain why they were denied. Thanks.
Try this:
From your top level page (master page), add the role "Everyone" and grant them read access. This will replicate through the rest of the pages and everyone can see everything. Yes, sounds fishy but read on...
Next navigate to the specific page you want to restrict access to. On the Security tab, click the "Change permission inheritance" link. Then click the "Break inheritance and copy parent permissions". Next select the Everyone role and check the Deny full control box.
Now add your specific role(s) and set their permissions to Read.
This should get your permissions working as you want for that page.
As for a message and redirecting if in a particular role, you could place a webpart on a page and say if they are not part of a role, just redirect them to a page using your choice of redirects. The webpart itself will handle if they are in the particular role. Keep in mind the user will have to be logged in already and/or have access to that page so no restrictions can be on that page.
Thanks for all your suggestions. Here's what I found. First, the reason the two pages were acting differently was a brain cramp on my part. I had embedded two different links. My bad!
Secondly, on security, it appears that Deny takes precedence over Allow. If the role is denied no amount of "allow" will override the denial. The way I fixed the problem was to create a zone for those who I wanted to allow access to the text and a zone or web part for those I wanted to deny. In the Zone visibility section (click the arrow next to "Visible" to enter text) I put a boolean statement:
{% CurrentUser.IsInRole("Member") || CurrentUser.IsInRole("SecondRoleToTest") #%}
This way anyone who was in either of those two groups would cause a true value to this statement and visible would equal true (notice the "!"). For the zone or web part I wanted to present to those who were not a member of either of those two groups, I put the opposite of that condition
{% !(CurrentUser.IsInRole("Member") || CurrentUser.IsInRole("SecondRoleToTest")) #%}
and it would display the materials for those who were not in either of those groups. In this case the text read the equivalent of "you need to be either this or that with a link to information on how they could become this or that". Have to admit I learned quite a bit on this one. Thanks for all your help, you helped lead me to the answer.
If I am understanding you correctly, you are saying that you have locked down a page to only 2 roles? If a person clicks on a navigational link that is not in those roles, they are denied access...correct? But if a person clicks on a link from a webpart on a page, they are not denied access...correct?
While this is unusual, I am also wondering how the link is set up in the webpart. Is it just an anchor link or are you using a Kentico permalink? These should not behave any differently, but just a thought. Sounds like more than likely there is some permission that is still allowing access to the page, but without seeing your actual permissions setup it is really hard to tell you what could be causing that.
As far as the redirect goes, by default it should redirect to a login page if you have one of those set up (you would have set that up in the Settings tab), otherwise the access denied would just happen. You could quite easily write some custom code to redirect users who are not in a role to another page. For re-usability, you could write it into a custom webpart and have a property for the roles the users need to be in and a property for the redirect page location and then handle it from there. Doing it that way would allow you to use the same pattern on any pages you desired... but you would then need to bypass the built-in security lockdown stuff.
Lastly (and I don't know the classes to use) you could probably override what happens when 'access denied' occurs in accessing a page in the site..then you could do your own custom redirect. I am sure someone else can chime in with the exact class.
Currently I am developing a database for another employee at my company. I have Manager rights on the database to access everything. The administrator of the database should only be able to create/edit/delete documents. He currently has Editor access with the "delete documents" option selected. When he wants to delete a document in the database (I tried it with Simple Actions and with JavaScript code; neither works) he gets redirected to the same page and nothing happens, or with Simple Actions the server login page shows up with the message "You don't have the permission to perform this action".
When I'm testing the functions with my Manager access everything works fine. But when I change my level to Editor like the normal administrator of the database, I also can't delete any documents. Like I already said, the option in the ACL is activated.
I hope you can understand my problem and there is a solution for it. Normally that access right works fine on every other database at our company.
Another point: There are no Reader or Editor fields in the Documents. So there is no restriction with fields. Could this be the problem?
Check to see if there is some code in the QueryDocumentDelete event for the database. Perhaps that is failing and / or preventing you from deleting.
Given that you mention redirecting and server login, I presume it's a web enabled database?
In which case have you tried looking at the ACL (Access Control List) for the problem database and clicking the Advanced tab.
In there is a field Maximum Internet name and password, this is the maximum access allowed for internet users. If it's not editor, this could be the problem?
Try deleting with ?DeleteDocument URL. That way it will for sure not try to do anything else.
Check the user's access level at server with Database.getCurrentAccessLevel() and Database.queryAccessPrivileges(String name)
After all of your great suggestions, the problem was that the checkbox "Allow document locking" in the database properties was enabled. That caused the problems with deleting documents. As Manager I have enough rights to get past that, but for the normal Administrator with Editor access the deletion request got blocked by that little option.
Thanks to everyone!
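The checks proposed in the answers above (access level, the delete privilege, "Maximum Internet name and password", and the document locking setting the asker finally found) gathered into one diagnostic, as an added example that is not part of the original thread. `makeDatabase` is a constructed stand-in for the XPages `database` global, and the numeric constants mirror the Domino `ACL.LEVEL_*` and `Database.DBACL_DELETE_DOCS` values.

```javascript
// Added example. LEVELS follows the Domino ACL level order (0 = No Access ... 6 = Manager);
// DBACL_DELETE_DOCS is the "Delete documents" bit returned by queryAccessPrivileges().
var LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"];
var LEVEL_AUTHOR = 3;
var DBACL_DELETE_DOCS = 2;

// Collects every setting from the thread that can block a delete for userName.
function diagnoseDelete(database, userName) {
  var aclLevel = database.queryAccess(userName);          // level granted by the ACL
  var sessionLevel = database.getCurrentAccessLevel();    // level of the running session
  var internetMax = database.getACL().getInternetLevel(); // "Maximum Internet name and password"
  var privileges = database.queryAccessPrivileges(userName);
  var findings = [];
  if (aclLevel < LEVEL_AUTHOR) {
    findings.push("ACL level " + LEVELS[aclLevel] + " cannot delete documents");
  }
  if ((privileges & DBACL_DELETE_DOCS) === 0) {
    findings.push('"Delete documents" is not granted');
  }
  if (internetMax < aclLevel) {
    findings.push("web sessions are capped at " + LEVELS[internetMax]);
  }
  if (database.isDocumentLockingEnabled()) {
    // The cause reported by the asker for Editor-level deletes failing.
    findings.push('"Allow document locking" is enabled');
  }
  return { aclLevel: LEVELS[aclLevel], sessionLevel: LEVELS[sessionLevel], findings: findings };
}

// Constructed stand-in for a Domino Database object (test data only).
function makeDatabase(o) {
  return {
    queryAccess: function () { return o.aclLevel; },
    getCurrentAccessLevel: function () { return Math.min(o.aclLevel, o.internetMax); },
    getACL: function () { return { getInternetLevel: function () { return o.internetMax; } }; },
    queryAccessPrivileges: function () { return o.privileges; },
    isDocumentLockingEnabled: function () { return o.locking; }
  };
}

// Constructed case matching the thread: Editor, delete privilege set, locking enabled.
var threadCase = makeDatabase({ aclLevel: 4, internetMax: 4, privileges: 1 | 2, locking: true });
console.log(diagnoseDelete(threadCase, "Database Admin/Example"));
```

On a server, call `diagnoseDelete(database, session.getEffectiveUserName())` from SSJS while signed in as the affected user.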
This is basically two questions. First, I was wondering how to change the page Liferay redirects to when a user tries to access a page that has Power User view permissions. Liferay by default points to localhost:web/guest/home where they have their login page. In my application I have a different login page and I want to redirect to that page. I was browsing the web and found out that setting auth.login.site.url=/whereiwontittopoint should actually redirect me there. However, it does not. I'm using Liferay 6.0.6 Community Edition. Has anyone done this? Is this the right way or does this need to be done with a hook?
My other question is the following. I want to have a custom role on some pages, and when a user does not have that specific role I want him to be redirected to a totally different page, not the default login. I'm fairly sure this can be done by using a hook on some service, but for some reason I cannot identify this service.
EDIT
OK, for the first question I solved the issue. For the second question, the answers I got here were not what I was looking for, probably because I didn't post the question correctly. This is a full scenario of what I have done and what I need to do:
First of all I changed the /web/guest path that's on every Liferay page to web/somthing/; this might not play a crucial role, but the problems (some of the problems) started when that happened. The overall idea is the following. I'm using Spring MVC to create the application. I have created a backend to my application from where the admin can create pages for other users to see (this is not done by going to the control panel of Liferay and adding a page but through the logic of the application). Once a page is created, depending on some logic I create a role for that certain page (customer role, also through code, not the Liferay admin). Some of the users are given this role if they satisfy some criteria and some are not. Here my problem arises: once a user that is logged in to my application tries to access a page (by inputting a direct URL in the browser to the page) that requires the view permission of the role I create for that page, and the user does not have the appropriate role, he gets redirected to, let's say, localhost/web/(username)/home, a personal page, and for some reason on that page by default from Liferay he is able to view personal data (user name) of all other users of the application. My question is how, through code, to handle the redirection that happens in the above scenario.
I have tried in one attempt to actually hook the servlet.service.events.pre action and, before the user accesses that page, to check if he has the appropriate permissions and actually change his request. So far I have some issues, but I can resolve them; still, this approach is not really what I am looking for, because this action is executed before every single request on the application (and the page handling is just a small part of that application), which means I will have a lot of code executing for no reason. I was wondering if there is any way to set where the exception will redirect when I create the role? If not, what action should I hook that will help me solve this scenario without the unneeded extra traffic that I am creating by hooking the servlet.service.events.pre action?
For the second stuff a bit hacky way could be as follows
1) Define set of roles against which you want to check in portal-ext.properties. You can add some property like my.super.secret.roles=rolename1,rolename2
2) Add a property for a redirect page url in portal-ext.properties so that you can redirect user there.
3) Add a custom attribute for Layout named checkForSecretRoles which has to be boolean and visible on Page. This will show you a checkbox in Manage page for each page, so that an admin can easily check or uncheck the value
4)Add a condition in your theme (portal_normal.vm) to check if the page has a check for secret role and then check the users role falls in any of the roles defined in portal-ext.properties. If yes then issue a redirect to the page specified by your custom redirect page url property
For your first question, it should work -
auth.forward.last.paths=/sign-in
sign-in would be your page name
The answer for your second question is, you have to create a Hook extending Action and make the below entry in your portal-ext.properties.
login.events.post=com.liferay.portal.events.LoginPostAction,com.liferay.portal.events.CustomLandingPageAction
There is a lot of information you can find on the forum about how to use this property.
For 1. set default.landing.page.path=/whereiwontittopoint in portal.properties, see Liferay Login page redirect
For 2. create a hook, set servlet.service.events.post=com.my.action.MyAction and implement this action; at this point you can redirect the user to another page.
I'm facing a strange behavior in my SharePoint 2077 farm:
We have configured Windows integrated authentication with NTLM, and all clients authenticate correctly to the portal.
When they proceed to "login as" a different user, everything seems fine (the user name appears at the top of the page), but internally the page user is the old user. I know this because I have a customized web page that reads the page user name and prints it to the page.
After some refreshes or waiting some time, the current user is applied "internally" too.
Do you know if there is any configuration option to avoid this delay?
Many thanks in advance,
any help would be appreciated.
solved there:
http://support.microsoft.com/default.aspx/kb/970814
I've developed a custom webpart. I can add it to a page and site owners can view the page with no problems.
However Site visitors/users get redirected to access denied error page. Sure, I must be doing some stuff normal users are not allowed to.
But the thing that bugs me is that when I place breakpoint in webpart constructor or even variable declaration it won't get hit! (If i try to view page with limited privileges). But in my browser, I get the access denied page. However, if I close that webpart, I instantly have access to that page and everything is OK.
What's the catch here? I was hoping I could catch exception with debugger to see which statement is guilty one, but it seems webpart doesn't execute any code and I get that exception.
Edit: Sorry, turns out debugger now hits those breakpoints. Don't know what changed, because symbols were loaded.
What is the trust level at your SharePoint site? You might want to give Fulltrust temporarily to see if you have any access problems.
If yes, then you might have a Code Access Security (CAS) problem on your hands. My first instinct is that your assembly does not have the necessary privileges to run correctly for normal users.
You can configure it using a custom CAS entry in the manifest.xml for the webpart, e.g. if you are calling external resources then you might have to configure System.Net.WebPermission and define which URL you are allowed to access. You can find more info on this at the U2U site.
Also, what does your webpart do? If you are trying to access resources which normal users don't have access to (e.g. a list in some site) then you have to use the SPSecurity.RunWithElevatedPrivileges method, so that you have the necessary privileges (be careful to create a new Site instance within that method so that the Context populates correctly).
Found the solution.
Turns out that I wanted to determine if a user belongs to a specific group by trying to access that group's users. As this was impossible if a user doesn't have such permissions, it was throwing some kind of internal exception with the message "Unable to evaluate expression because the code is optimized or a native frame is on top of the call stack."
Anyways, I have now learned to loop through SPUser.Groups (SPGroupCollection) and check if we have a matching group rather than enumerating group principals and seeing if he's inside.
You need to give permission(update personal webpart) to the visitor group. However, it is not recommended. If you want you can create a separate permission level and associate it with the visitors group.
Cheers!!