I have created a node 'Site' which has a number of child nodes including 'ProtectedSubSite', which is protected using Role-based protection (Umbraco 4).
I added a page 'ProtectedPage' (which has a .NET macro in the page template) to the 'ProtectedSubSite'. When a user attempts to access http://mysite/ProtectedSubSite/ProtectedPage.aspx, they are sent to a login page (as expected).
However, if the user navigates to http://mysite/ProtectedPage.aspx then the control is displayed regardless of whether the user is logged in(!). The page should not exist at that location.
I am also using custom XSLT controls to get the content for each page (as it is a multilingual 1:1 site).
Does anyone have any idea why this might be happening or how to rectify it? Has anyone else had a similar problem?
Thanks very much for your reply, much appreciated. I am not currently using them - is it a case of using nested if statements to check both of these?
It would make perfect sense if the content was still being rendered if a user visited the exact URL of the page when they were not logged in, but this issue only seems to happen if a user enters the page URL at the root of the site.
e.g. If the user goes to http://mysite/Home.aspx to begin with, then types in http://mysite/ProtectedPage.aspx (which should not exist), then the resulting page renders the .NET control from the ProtectedPage as well as the content from the XSLT macro for the Home page.
If your template is actually called "ProtectedPage", umbraco will render that template. It's like the altTemplate system, but without you having to add ?altTemplate=xxx
That's great, thank you Sebastiaan. The templates are indeed named the same as the pages.
Does anyone know how to prevent this though? There may be potentially sensitive information being rendered by controls on a template, so if possible I would like to stop umbraco from rendering templates.
So the problem is that you don't want the homepage content rendered, right? I think it would be best if the Home page just never rendered anything but the protected page control and after login redirects to a new node that is not Home.
I believe that if you access a template by /TemplateName.aspx, it will say that the current page is the home page, so it's only a problem for this specific page.
Ideally I don't want anything to be rendered when someone tries to access a page template (/TemplateName.aspx) - it should send them to the pagenotfound page (because it isn't actually a content node).
I don't know of any way to disable this functionality. If you REALLY want to do something about it, you could create a usercontrol that checks if the page exists in the Umbraco nodetree and send to 404 when needed.
Public access issue
Good morning everyone,
I have created a node 'Site' which has a number of child nodes including 'ProtectedSubSite', which is protected using Role-based protection (Umbraco 4).
I added a page 'ProtectedPage' (which has a .NET macro in the page template) to the 'ProtectedSubSite'. When a user attempts to access http://mysite/ProtectedSubSite/ProtectedPage.aspx, they are sent to a login page (as expected).
However, if the user navigates to http://mysite/ProtectedPage.aspx then the control is displayed regardless of whether the user is logged in(!). The page should not exist at that location.
I am also using custom XSLT controls to get the content for each page (as it is a multilingual 1:1 site).
Does anyone have any idea why this might be happening or how to rectify it? Has anyone else had a similar problem?
Thanks in advance!
Hi ioan
are you using the "HasAccess" and "IsLoggedOn" in your XSLT files? If not I think that is why the content is being rendered.
/Jan
Hi Jan,
Thanks very much for your reply, much appreciated. I am not currently using them - is it a case of using nested if statements to check both of these?
It would make perfect sense if the content was still being rendered if a user visited the exact URL of the page when they were not logged in, but this issue only seems to happen if a user enters the page URL at the root of the site.
e.g. If the user goes to http://mysite/Home.aspx to begin with, then types in http://mysite/ProtectedPage.aspx (which should not exist), then the resulting page renders the .NET control from the ProtectedPage as well as the content from the XSLT macro for the Home page.
ioan
If your template is actually called "ProtectedPage", umbraco will render that template. It's like the altTemplate system, but without you having to add ?altTemplate=xxx
In fact, you can access any template by going to http://mysite/TemplateName.aspx
That's great, thank you Sebastiaan. The templates are indeed named the same as the pages.
Does anyone know how to prevent this though? There may be potentially sensitive information being rendered by controls on a template, so if possible I would like to stop umbraco from rendering templates.
So the problem is that you don't want the homepage content rendered, right? I think it would be best if the Home page just never rendered anything but the protected page control and after login redirects to a new node that is not Home.
I believe that if you access a template by /TemplateName.aspx, it will say that the current page is the home page, so it's only a problem for this specific page.
Thanks again.
Ideally I don't want anything to be rendered when someone tries to access a page template (/TemplateName.aspx) - it should send them to the pagenotfound page (because it isn't actually a content node).
I don't know of any way to disable this functionality. If you REALLY want to do something about it, you could create a usercontrol that checks if the page exists in the Umbraco nodetree and send to 404 when needed.
Thanks very much, Sebastiaan. Looks like I'll have to follow your advice and create a usercontrol.
I just learned from Niels that you can go into config/404handlers.config and you can remove this line:
So no need to write a custom handler. :-)
is working on a reply...
This forum is in read-only mode while we transition to the new forum.
You can continue this topic on the new forum by tapping the "Continue discussion" link below.