  • isamochernov 2 posts 22 karma points
    Jun 14, 2010 @ 18:44
    isamochernov
    0

    Integrated protection and access by template alias

    On our site we have a set of user personal pages with access restricted by integrated Umbraco role based protection. It works well, but we've found that the pages can still be accessed if you know the page template name.

    For example, we have a page normally viewed by the path '/mysite/uploadimage.aspx' - which is restricted and that is fine. The page is assigned a template with the alias 'uploadimage' and that means anybody can access the page using the url '/uploadimage.aspx' - bypassing the integrated role protection.

    In one of the recent posts in the forum I have found this is by design. But still here is the problem: what should be the proper way to restrict access to the user page?

    umbracoReservedPaths in web.config does not seem to work; using a guid as the masterpage name is not an option; checking access within the page kills the simplicity of the integrated protection. Maybe we should correct it in the Umbraco source code?

  • Morten Bock 1867 posts 2140 karma points MVP 2x admin c-trib
    Jun 14, 2010 @ 19:25
    Morten Bock
    1

    There is a twofold solution to this.

    You are correct that it is baked into the core, so we need to do a bit of a workaround.

    First, in the /config/404handlers.config file, comment out this line:

    <notFound assembly="umbraco" type="SearchForTemplate"/>

    That will remove the handler that makes the /anypage/forbiddentemplate.aspx syntax work. However, they would still be able to write /anypage.aspx?altTemplate=forbiddentemplate

    To prevent that, create a urlrewriting rule to redirect any url using "altTemplate" (any casing) to the front page, or wherever you want the user to go.

  • isamochernov 2 posts 22 karma points
    Jun 14, 2010 @ 22:32
    isamochernov
    0

    Thanks. It works.

    I just had to remove the SearchForTemplate line. Commenting produced an UE at the following line (Umbraco v 4.0.4.1):

    umbraco.requestHandler..ctor(XmlDocument _umbracoContent, String url) in d:\TeamCity\buildAgent\work\7380c184e9fcd3ea\umbraco\presentation\requestHandler.cs:230
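
An added example, not part of the thread or of Umbraco: a small Python check for web server logs that flags the two request shapes discussed above, a template alias used as the last path segment and an `altTemplate` query parameter in any casing. The alias list, the content paths and the simplified log format are assumptions, and the sample lines are constructed.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumptions (hypothetical, adjust to your site): the template aliases and
# the published URLs of the site's content pages, all lower-case.
TEMPLATE_ALIASES = {"uploadimage"}
CONTENT_PATHS = {"/mysite/uploadimage.aspx", "/mysite.aspx"}

def classify(request_target):
    """Return why a request target selects a template directly, or None."""
    parts = urlsplit(request_target)
    # parse_qsl percent-decodes parameter names; compare case-insensitively,
    # matching the "any casing" requirement for the rewrite rule.
    for name, _value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() == "alttemplate":
            return "altTemplate query parameter"
    path = parts.path.lower()
    last = path.rsplit("/", 1)[-1]
    alias = last[:-5] if last.endswith(".aspx") else last
    # A template alias as the last segment of a path that is not a published
    # content URL is the shape served by the SearchForTemplate handler.
    if alias in TEMPLATE_ALIASES and path not in CONTENT_PATHS:
        return "template alias in path"
    return None

def audit(log_lines):
    """Yield (client, target, reason) for 'client method target status' lines."""
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue  # skip header and malformed lines
        client, _method, target, _status = fields[:4]
        reason = classify(target)
        if reason:
            yield client, target, reason

# Constructed sample log lines (simplified format, not real traffic).
SAMPLE_LOG = [
    "#Fields: c-ip cs-method cs-uri sc-status",
    "10.0.0.5 GET /mysite/uploadimage.aspx 302",
    "10.0.0.9 GET /uploadimage.aspx 200",
    "10.0.0.9 GET /mysite.aspx?ALTTEMPLATE=uploadimage 200",
    "10.0.0.7 GET /mysite.aspx?page=2 200",
]

if __name__ == "__main__":
    for hit in audit(SAMPLE_LOG):
        print(hit)
```

Run against logs from before and after the config change, this shows whether either request shape was in use and whether it still returns content.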
