Integrated protection and access by template alias
On our site we have a set of user personal pages with access restricted by integrated Umbraco role based protection. It works well, but we've found that the pages can still be accessed if you know the page template name.
For example, we have a page normally viewed by the path '/mysite/uploadimage.aspx' - which is restricted and that is fine. The page is assigned a template with the alias 'uploadimage' and that means anybody can access the page using the url '/uploadimage.aspx' - bypassing the integrated role protection.
In one of the recent posts in the forum I have found this is by design. But still here is the problem: what should be the proper way to restrict access to the user page.
umbracoReservedPaths in web.config does not seem to work; using a guid as the masterpage name is not an option; checking access within the page kills the simplicity of the integrated protection. May be we should correct it in the Umbraco source code?
That will remove the handler that makes the /anypage/forbiddentemplate.aspx syntax work. However, they would still be able to write /anypage.aspx?altTemplate=forbiddentemplate
To prevent that, create a urlrewriting rule to redirect any url using "altTemplate" (any casing) to the front page, or where ever you want the user to go.
Integrated protection and access by template alias
On our site we have a set of user personal pages with access restricted by integrated Umbraco role based protection. It works well, but we've found that the pages can still be accessed if you know the page template name.
For example, we have a page normally viewed by the path '/mysite/uploadimage.aspx' - which is restricted and that is fine. The page is assigned a template with the alias 'uploadimage' and that means anybody can access the page using the url '/uploadimage.aspx' - bypassing the integrated role protection.
In one of the recent posts in the forum I have found this is by design. But still here is the problem: what should be the proper way to restrict access to the user page.
umbracoReservedPaths in web.config does not seem to work; using a guid as the masterpage name is not an option; checking access within the page kills the simplicity of the integrated protection. May be we should correct it in the Umbraco source code?
There is a two fold solution to this.
You are correct that it is baked into the core, so we need to do a bit of a workaround.
First, in the /config/404handlers.config file, comment out this line:
That will remove the handler that makes the /anypage/forbiddentemplate.aspx syntax work. However, they would still be able to write /anypage.aspx?altTemplate=forbiddentemplate
To prevent that, create a urlrewriting rule to redirect any url using "altTemplate" (any casing) to the front page, or where ever you want the user to go.
Thanks.It works.
I just had to remove the SearchForTemplate line. Commenting produced an UE at the following line (Umbraco v 4.0.4.1):
is working on a reply...