Why can't users in the "Visitors" group access my SharePoint 2010 publishing site. It works when i promote them to the "Members" group

5
votes

When I place a test AD account in the Visitors group they are unable to view any pages on my new intranet site. The users receives the "Error access denied" sharepoint screen and indicates that the account was able to authenticate, but that some authorisation rule is permitting it from viewing the page.

When i remove then and place them in the Members or Owners groups they are able to view the pages as well as perform the expected functions like editing content and creating subsites.

Interesting, while in only the Visitors group, users can view the "All Site Content" page that is located here: /_layouts/viewlsts.aspx but not /pages/default.aspx.

Has anyone experienced this before?

Environment info: 1 Web application, 1 Site collection using the Publishing Portal template. A few custom master pages, lots of custom page layouts and user controls. All deployed via features. Sharepoint 2010 Standard edition, 64bit running on Windows Server 2008 against SqlServer 2008 Enterprise Edition. Authentication is against AD, not any other forms auth providers etc.

3
securitysharepoint-2010

3 Answers

5
votes

One likely reason for such behavior is that it tries to access a resource on a page which might not have been published to a major version. For example, if versioning was turned on on images library and an image's version is 0.1, if that image was used on version 1.0 (published) of the page, the server would deny access to the visitor and ask for credentials.

Make sure following:

  1. At least one major version of the page exists (page was published at least once)
  2. All resources (images, movie files etc) used on the page are published (to major version)

You can use "Draft Check" button on Page Tab of the Page's ribbon to check the unpublished resources that are used by the page.

2
votes

I had the same issue and I've finaly found out how to do this:

If you check OOB group access, you can find that Visitors group has limited number of pages where it has granted access.

  1. Navigate to /yourweb/_catalogs/masterpage. Here you'll find many .aspx files (including default.master).
  2. Open this default.master`s permissions and you see it inherits from Master Page Gallery.
  3. Click this permissions inheritance and you can see that Master Page Gallery permissions are not inherited from site collection permissions.
  4. Give here the Contribute permissions to Style Resource Readers (or modify it as you'd like) and all users will have access to this web with no permissions to edit etc..
0
votes

I had a similar issue and the thing I noted in your Environmental comments was the custom master pages. Go to your Site Settings and ensure that your custom master pages have been published. If you need to publish them also check the corresponding html pages after they have been published as they may need to be republished also.

This worked for me.