0
votes

I have written a login page, in which a Sitecore virtual user is logged in. After the successful login he is directed to the start page, which inherits from Sitecore.sitecore.admin.AdminPage. That way I make sure that the pages are only accessible if the user is logged in as a Sitecore (Virtual) User.

The problem is that the logged in Virual User cannot see any content until I assign to him the sitecore/developer role, which is not the way to go I would guess. I tried with assigning a role which grants access to the content node that I want him to see, but that doesn't work. He gets redirected back to the login page.

What am I missing?

EDIT: Here's the code of my secured page:

public partial class MainPage : Sitecore.sitecore.admin.AdminPage
{
    Sitecore.Security.Accounts.User currentUser = Sitecore.Context.User;

    protected override void OnInit(EventArgs e)
    {
        base.CheckSecurity(true);
        base.OnInit(e);
    }

    private void Page_Load(object sender, System.EventArgs e)
    { 
        ...
    }

    ...
}
3
Are you able to provide the code of the start page you say is inheriting from AdminPage? From my recollection, that AdminPage is too restrictive by default, so unless you are overriding the permission model, you are probably hitting the default behaviour of the AdminPage security model when to checks permissions. - Jay S
Added the code of my secured aspx page. - SpaceJump

3 Answers

1
votes

You will need to replace the CheckSecurity to do the security permissions check that you want. The 'true' that you are passing in means that the code will check for the Developer role (false means only admins can get in).

See this related post: https://sitecore.stackexchange.com/questions/2965/creating-a-custom-sitecore-admin-page-to-create-a-report

This is the default behaviour of the admin pages. If you want a different behaviour (i.e. a non-admin or non-developer to be able to access this page) then you probably are either inheriting from the wrong page, or you should call a different method than the CheckSecurity method to check for the role your users will have.

An example of customizing the check:

protected override void OnInit(EventArgs e)
{
    this.CheckCustomAccess("extranet\RoleName");
    base.OnInit(e);
}
protected virtual void CheckCustomAccess(string roleName)
{
    //Do your access check.
}

HOWEVER: The fact that you have users accessing this page that are neither admins or developers means you likely should not be using AdminPage as your base page. You should probably be inheriting from the Page class directly. The AdminPage will not give you any benefit as it is meant for checking security specifically for admins or developers.

In that case, you probably want to do something similar to the AdminPage logic, but only checking for the roles you want and then doing a redirect back to your extranet login if they do not have the correct permissions.

0
votes

You can try to create a custom role which inherit from sitecore/Author role, which should get the user access to the start page, then you can customize the permissions and restrictions on the new role based on the requirements you have.

0
votes

You should not need to code the security check as Sitecore will do that for you assuming you've set up permissions and roles. Assuming you have an extranet domain, create a role there that all your "registered" users should inherit automatically. That role should have access to the site while the extranet/anonymous should be denied except for the login page.

Am I missing some requirement here?