Brandon Hartsell
Posts: 5
05/13/2008 9:08 AM
It seems to me that content that a user doesn't have access to will not show up in a search. This is good. But for Seamus it seems all content will show. The user can't click through but if the summary is sensitive then the security is lost.
Can you direct me to what I am missing?

Jeff Smith
Posts: 91
05/13/2008 9:55 AM
The URLs for the items that are displayed that should not be, do they have TabId in them?

Brandon Hartsell
Posts: 5
05/13/2008 9:59 AM
It gives you a link and when you hover it shows you the entire path. If you don't have permissions to the tab clicking is futile. But the summary is problematic if it contains info you would rather everyone not see. Am I making sense?

Jeff Smith
Posts: 91
05/13/2008 10:03 AM
But my question is: Is there a TabId in the URL? Our code uses TabId and checks ModuleIds for security. If you are using human friendly urls, that could be the problem, but we need to know if TabId is in the path or not before we try to track down this issue.

Brandon Hartsell
Posts: 5

Jeff Smith
Posts: 91
05/13/2008 12:25 PM
The following is the code for checking security on a URL before rendering. By default the user does not have access:

```vb
' sURL, iModuleID, ps, GetTabID and the three access flags are declared
' elsewhere and are not shown in this post; the flags start out False.

' Look up the tab that the result URL points to.
Dim tabs As New DotNetNuke.Entities.Tabs.TabController
Dim objTab As New DotNetNuke.Entities.Tabs.TabInfo
objTab = tabs.GetTab(CType(GetTabID(sURL), Integer))

' Tab check: access is granted if the user is in any role listed in the tab's permissions.
Dim objTabPermissions As New DotNetNuke.Security.Permissions.TabPermissionCollection
objTabPermissions = objTab.TabPermissions
For Each objPerm As DotNetNuke.Security.Permissions.TabPermissionInfo In objTabPermissions
    If DotNetNuke.Security.PortalSecurity.IsInRole(objPerm.RoleName) = True Then
        bTabAccess = True
    End If
Next

If iModuleID > 0 Then
    ' Module check: the result belongs to a module, so View permission on it is required too.
    Dim modules As ModuleController = New ModuleController
    Dim objModule As ModuleInfo = New ModuleInfo
    objModule = modules.GetModule(iModuleID, CType(GetTabID(sURL), Integer))
    If PortalSecurity.HasNecessaryPermission(SecurityAccessLevel.View, ps, objModule, Request.ServerVariables("REMOTE_USER")) Then
        bModAccess = True
    End If
    If bTabAccess = True And bModAccess = True Then
        bAccess = True
    End If
Else
    ' No module id: the tab check alone decides.
    If bTabAccess = True Then
        bAccess = True
    End If
End If
```

I will double check the regular expression check for GetTabId and make sure it will work with that url, but it should as we have not seen this issue before and that is a standard DNN url. I need to also check to make sure there is not anything that could cache this value. At one time we did cache the xml file for this, but that was before when we used xslt. A ticket has been opened up for this: http://support.venexus.com/issue/ViewIssue.aspx?id=5626&PROJID=48
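
The dependency discussed in this thread, that the permission check can only run if a TabId is found in the result URL, shown as an added example that is not part of the original posts and is not Venexus or DotNetNuke code. It parses the TabId from both the querystring and the friendly-URL form and drops the whole result, summary included, when no TabId is found or access is not granted; `ExtractTabId`, `CanView`, `TrimResults`, the sample URLs and the viewable-tab list are assumptions made for illustration.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.Text.RegularExpressions

Module SearchTrimmingExample
    ' Matches both DNN URL styles: "...?tabid=36" and ".../tabid/57/Default.aspx".
    Private ReadOnly TabIdPattern As New Regex( _
        "(?:[?&]tabid=|/tabid/)(\d+)(?=[/&#]|$)", RegexOptions.IgnoreCase)

    ' Returns the TabId found in the URL, or -1 when none can be parsed.
    Function ExtractTabId(ByVal url As String) As Integer
        If String.IsNullOrEmpty(url) Then Return -1
        Dim m As Match = TabIdPattern.Match(url)
        Dim id As Integer
        If m.Success AndAlso Integer.TryParse(m.Groups(1).Value, id) Then Return id
        Return -1
    End Function

    ' Hypothetical stand-in for the tab and module permission check in the post above.
    Function CanView(ByVal tabId As Integer, ByVal viewableTabs As ICollection(Of Integer)) As Boolean
        Return tabId > 0 AndAlso viewableTabs.Contains(tabId)
    End Function

    ' Fail closed: a result is kept (link and summary) only when access is proven.
    Function TrimResults( _
            ByVal results As IEnumerable(Of KeyValuePair(Of String, String)), _
            ByVal viewableTabs As ICollection(Of Integer)) As List(Of KeyValuePair(Of String, String))
        Dim visible As New List(Of KeyValuePair(Of String, String))
        For Each r As KeyValuePair(Of String, String) In results
            If CanView(ExtractTabId(r.Key), viewableTabs) Then visible.Add(r)
        Next
        Return visible
    End Function

    Sub Main()
        ' Constructed sample data (URL, summary); this user may view tab 36 only.
        Dim viewable As New List(Of Integer)(New Integer() {36})
        Dim results As New List(Of KeyValuePair(Of String, String))
        results.Add(New KeyValuePair(Of String, String)("http://example.test/Default.aspx?tabid=36", "Public page"))
        results.Add(New KeyValuePair(Of String, String)("http://example.test/HR/tabid/57/Default.aspx", "Restricted summary"))
        results.Add(New KeyValuePair(Of String, String)("http://example.test/HR/Salaries.aspx", "No TabId in URL"))
        For Each r As KeyValuePair(Of String, String) In TrimResults(results, viewable)
            Console.WriteLine(r.Key & " : " & r.Value)
        Next
    End Sub
End Module
```

Only the first sample result is printed: the second has a TabId the user cannot view, and the third has no TabId at all, so it is withheld rather than shown unchecked.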