cq5 permissions problems viewing content on publish

3
votes

I'm having a very interesting problem w/ content appearing on my publish instance. Let me just run down the situation and see if anyone can help.

  1. I have an author and publish instance set up.
  2. Authors have and still do successfully replicate items from Author to Publish with no issue.
  3. All of my code base has been migrated over, my jars are fine -- i even rebuilt the individual jars in the publish instance crx just to make sure.

------- now for the issue.

I went to publish a new page and it did not show up on the publish instance. It's not a new template or component type, just another page to add to the list. These are the actions I took and what i found. I currently have 2 publish instances set up, but will refer to them synonymously as "publish" since their states appear to be identical.

  1. Activated to publish -- did not show up in publish

  2. logged into publish/crx/de/index.jsp to make sure it was replicated properly.

  3. the content did make it fine and is in the proper path in /content

  4. The ACL and access control permissions are the same as all the other content nodes of the same type. (Just to note, those content nodes are perfectly viewable).

  5. No stacktrace errors in my logs. However, when going through the dispatcher I get this error: org.apache.sling.servlets.get.impl.DefaultGetServlet No renderer for extension js, cannot render resource JcrNodeResource, type=XXX, superType=null, path=/content/XXX/jcr:content

  6. I went ahead and logged in as admin in my publish/crx/de and hit the content page in question and everything looked fine. What this means is the content is available to administrators but not anonymous users.

  7. edit: I made sure to check the anonymous context in all 3 instances -- both publish instances directly and through dispatcher.

  8. From here I figured it had to be an issue w/ the access control, but the new node has identical permissions to nodes that are available to the anonymous user context.

  9. To check if it was a matter of replication, I went and deactivated some of the other similar nodes, saw they disappeared, reactived them and saw them come back. Following this train of thought I deactived the group (old nodes + my new node) and then reactived them -- all the old nodes showed up, and still the same permissions issues w/ the new node.

Is the access control available anywhere else? I'm curious if there are other places for me to look at in order to figure out what's wrong with this piece of content.

thank you, Brodie

4
aem

4 Answers

1
votes

You can set "read" permissions for the group "everyone". Ultimately, you will want to put a dispatcher in front of your publishers, and prevent public access to your publish instances directly (preferably sitting behind a VPN).

This means that your dispatcher will be denying access to /apps anyway, and your instances will still be secure, and the ACL for the publisher won't really matter as long as an anonymous user can render the page under /content

1
votes

Have you tried hitting the page directly as an anonymous user on the publisher (bypassing the dispatcher)? That would help you rule out whether it is a dispatcher issue.

This article may also help: http://forums.adobe.com/message/4263731 It include this:

"The issue was that after creating a new site on an author instance, when viewing it on the publish site the page was not rendering correclty. The visible symptom was that initial HTML tags (for HTML, HEAD, META, and BODY) were being generated, but the content was not be filled in. I did Activate my content properly, however, because it was a new site, and I had generated new components and site templates which resided in the "apps" folder and assets in the "etc" folder, they were not available to be rendered and so the HTML page was blank (because they could not be found on the publish instance). What I did was use the "Activate Tree" under the Tools section to publish content in /content/mysite. What I missed was using the Activate Tree to publish items I had created in /etc/designs/mysite and /apps/mysite."

1
votes

So this is on solution I found, but I don't feel like it is the best solution.

The root issue was that access control was restricted on the Views of the component. This is because /apps has a default deny to read for the "Everyone" group.

I changed this, but was told that of cq5.4 this was put in as a security precaution.

So as this fixes my problem, I fear it may introduce new ones. I'd like to get some more responses before resolving this out.

-1
votes

WEN U ZIP FROM PACKAGE MANAGER FOR USER AND GROUP PERMISSIONS ADD ALL THE NODES WHICH U HAVE WITH THE NAME OF "REP:POLICY"'S AND INSTALL IN NEW CQ