Orchard Roles - Too Hard to Only Secure One Content Type, Alternatives?

Topics: Core, Customizing Orchard
Jul 16, 2013 at 2:58 PM
I often have scenarios where a client will want to secure a particular content type. This means I have to go to anonymous role and uncheck the "View all content" checkbox. Of course, this causes other headaches as I then need to manually enable each content type that is needed to be accessible.

If that were the only issue, no big deal. The big deal becomes when you want to enable access to blog posts. Well, they don't have that option so you need to make them "creatable" on the content type in order for them to be made accessible in the role manager. Of course, this then means users incorrectly make blog posts (and they are not connected to the blog container) - very bad.

To make it more cumbersome, I see in 1.7 (maybe earlier?) that widgets themselves are not by default accessible so I need to set each one of them as "creatable" in order to make them able to be made "View Html Widget content" for the anonymous users to see. The list goes on from here and you end up with quite a clutter of content types you don't want the user creating directly but show up in the New section of the admin.

This is not a complaint session, all of that is to set the framework for anyone to share whether there is an alternative way. In a perfect (albeit a bit more complicated) world I could simply leave the "View all content" checked and go to my 1 or 2 content items I want to not be viewable and override it on a "Hide this content" checkbox. Of course, this means we are now dealing in the negative which can be a problematic thing. Because it is so simple though, if I have to write a module, it will be the approach I use.

Another alternative is to open up ALL the content types for role management, whether they are creatable or not. This would allow everything to stay in the positive but of course would make the role manager a very long list. It might also slow down the system as it processes security for every page.

Look forward to anyone's thoughts on a native solution before I tackle in code.
Jul 16, 2013 at 8:01 PM
Blog posts or widgets should clearly not be marked creatable. There are specific permissions for blog posts. Not sure what you're trying to do with widgets.
Jul 16, 2013 at 8:33 PM
Hi Bertrand, I agree, they should definitely not, which is why it is causing trouble. While there are some specific permissions available for blog posts when they are not marked as creatable, there is no way to make them viewable IF .

To Repro all of this in Orchard 1.7, simply do the following:
  1. Set up a dummy blog post
  2. Set up a dummy Html Widget on the home page
  3. Go to the Roles and edit the Anonymous Role
  4. Uncheck "Allow" on "View all content" - in the "Contents Feature" section
  5. Check the "View Page by others" - in the "Page" section - so we can see our widget issue
  6. Log out of the website or open another browser where you are not logged in and visit your blog post page
  7. On the blog post page you will receive a "Cannot view content. Anonymous users do not have ViewContent permission."
  8. On the home page, you will not see any widgets, including your Html widgets and any other menu widgets you had
In summary, there is no way to enable widget view permissions or blog post view permissions without making them "Creatable" at the content type level (which we both agree is a very bad idea). Please let me know if you experience something different.
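
Added example, not part of the thread and not Orchard code: a simplified Python model of the anonymous-role check that compares the allow-list from the repro steps with the "Hide this content" override proposed in the first post. The `AnonymousRole` class, the `hidden_types` field and the `Invoice` type are assumptions made for illustration; the rule that per-type view grants exist only for creatable types is taken from the thread.

```python
# Simplified model of the role check discussed in this thread. NOT Orchard code.
from dataclasses import dataclass, field

# Constructed sample: content types named in the thread and their "creatable" flag.
CREATABLE = {"Page": True, "BlogPost": False, "HtmlWidget": False}

@dataclass
class AnonymousRole:
    view_all_content: bool = True                    # the "View all content" checkbox
    view_types: set = field(default_factory=set)     # per-type view grants
    hidden_types: set = field(default_factory=set)   # hypothetical "Hide this content"

def grantable_types(creatable):
    """Per-type view permissions are only offered for creatable types (per the thread)."""
    return {t for t, is_creatable in creatable.items() if is_creatable}

def can_view(role, content_type, creatable=CREATABLE):
    if content_type in role.hidden_types:    # explicit deny wins over any allow
        return False
    if role.view_all_content:
        return True
    # A per-type grant only counts if the role editor could have offered it.
    return content_type in role.view_types & grantable_types(creatable)

def visible(role, creatable=CREATABLE):
    return sorted(t for t in creatable if can_view(role, t, creatable))

def compare_policies():
    # Repro from the thread: "View all content" unchecked. The BlogPost and
    # HtmlWidget grants cannot be set in the role editor, so they have no effect.
    allow_list = AnonymousRole(view_all_content=False,
                               view_types={"Page", "BlogPost", "HtmlWidget"})
    # Proposed alternative: keep "View all content" checked and hide one type.
    deny_override = AnonymousRole(hidden_types={"BlogPost"})
    # A type added later (constructed name) shows how each policy fails.
    later = dict(CREATABLE, Invoice=False)
    return {
        "allow_list": visible(allow_list),
        "deny_override": visible(deny_override),
        "allow_list_new_type": can_view(allow_list, "Invoice", later),
        "deny_override_new_type": can_view(deny_override, "Invoice", later),
    }

if __name__ == "__main__":
    for name, result in compare_policies().items():
        print(f"{name}: {result}")
```

The allow-list fails closed (a new type stays hidden until someone grants it), while the deny override fails open (a new type is visible to anonymous users until someone remembers to hide it).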
Jul 17, 2013 at 12:20 AM
Please file a bug so that we can improve the blog and widget permissions.
Jul 17, 2013 at 10:44 AM
I have filed the issue (and the code I am using to overcome the issue) here: