Security Concepts / Content Permissions

Topics: Core, Troubleshooting
Jul 20, 2015 at 9:09 AM
Edited Jul 21, 2015 at 9:32 AM
I'm having trouble correctly applying the concepts regarding Security in Orchard.

It seems that anonymous users (Anonymous role) are able to access -all content- through the Item controller's Display action at /Contents/Item/Display/[id].

This allows for browsing User content items and it makes the ContentItem Permissions module rather unusable unless you uncheck the "View All Content" permission for the Anonymous role...

Unchecking the "View All Content" permission creates a plethora of other actions you have to take, which seem very illogical, especially to someone who is new to Orchard. I'm not new anymore, but I'm still having a hard time getting all functionality to work properly after I uncheck this permission. For instance, the Navigation feature: I need to perform the following actions to get a working menu:
  • Make Menu ContentType Creatable (to have it show up when editing the Anonymous role as the "Edit Menu Content" permission)
  • Make Menu Widget Creatable (same reason)
  • Make different MenuItem ContentTypes Creatable (same reason)
  • Check "View Content By Others" for above ContentTypes for Anonymous role
  • Add ContentItem permissions part to each of the above contenttypes
  • For Menu Widget, check "Enable ContentItem Permissions" and "View Content By Others"
  • For Menu ContentItem, check "Enable ContentItem Permissions" and "View Content By Others"
  • Per MenuItem, check "Enable ContentItem Permissions" and "View Content By Others"
It starts getting worse when I have different ContentTypes with a Menu part so I can add ContentMenuItem menuitems...

Is this the correct way to go?

Also: if I uncheck the "Creatable" option for a ContentType, the specific permissions for a role aren't enforced anymore...
I was under the impression that the "Creatable" flag for a ContentType was solely to have it show up under the "New" menu in the admin backend. However, this doesn't seem to be the case...

Consider the following example for a custom ContentType: "Homepage":
  • "View All Content" is NOT allowed for anonymous users
  • I make it creatable so I can check "View Homepage By Others" and "View Own Homepage" under Anonymous role
  • I create a ContentItem instance for the Homepage ContentType and mark "Set as homepage" under AutoroutePart
  • I don't want editors to have "Create new Homepage" in the admin panel, so I uncheck "Creatable" for the "Homepage" ContentType
I now assume that Anonymous users can view the homepage, but this is not the case: the specific permissions "View Homepage by others" and "View own Homepage" are no longer in effect... It seems to fall back to "View all Content", which isn't allowed for Anonymous users, thus they cannot view the homepage.

Am I missing something here?

Sidenote: I did get everything to work using ContentItem permissions (instead of ContentType permissions through the Role editor) for ContentTypes which aren't Creatable.
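To make the behaviour described in this post concrete (per-type permissions only being consulted for Creatable types, and the authorizer otherwise falling back to the generic "View All Content"), here is a small Python model of the role-permission check. It is an added illustration, not Orchard's code: the permission names (View_{Type}, ViewOwn_{Type}, ViewContent, ViewOwnContent), the "implied by" relations and the Creatable/Securable rule are assumptions that mirror the post's description and the 1.9 follow-up, and the roles and content types are constructed sample data.

```python
"""Toy model of Orchard-style content permissions (constructed for illustration).

Assumptions (not taken from Orchard's source):
  - a role holds a flat set of permission names;
  - generic "View All Content" is ViewContent, "View Own Content" is ViewOwnContent;
  - per-type permissions View_{Type} / ViewOwn_{Type} exist only for types that
    qualify (Creatable before 1.9; Creatable or Securable from 1.9 on);
  - the authorizer asks for the per-type permission when one exists for the
    item's type and otherwise for the generic one.
"""
from dataclasses import dataclass
from typing import Dict, Set


@dataclass
class ContentType:
    name: str
    creatable: bool = False
    securable: bool = False  # flag the follow-up post says arrived in Orchard 1.9


# Generic implications: holding ViewContent also grants ViewOwnContent.
GENERIC_IMPLIED_BY: Dict[str, Set[str]] = {
    "ViewOwnContent": {"ViewContent"},
}


def type_permissions(ct: ContentType, orchard_19: bool) -> Dict[str, Set[str]]:
    """Dynamic per-type permissions (name -> permissions that imply it).

    Empty when the type does not qualify, which is exactly the case the post
    runs into after unchecking "Creatable" on the Homepage type.
    """
    qualifies = ct.creatable or (orchard_19 and ct.securable)
    if not qualifies:
        return {}
    view_others = f"View_{ct.name}"      # "View <Type> By Others"
    view_own = f"ViewOwn_{ct.name}"      # "View Own <Type>"
    return {
        view_others: {"ViewContent"},
        view_own: {view_others, "ViewOwnContent"},
    }


def has_permission(granted: Set[str], wanted: str,
                   implied_by: Dict[str, Set[str]]) -> bool:
    """True if `wanted` is granted directly or via a permission that implies it."""
    if wanted in granted:
        return True
    return any(has_permission(granted, p, implied_by)
               for p in implied_by.get(wanted, ()))


def can_view(role_grants: Set[str], ct: ContentType,
             viewer_is_owner: bool = False, orchard_19: bool = False) -> bool:
    """Model of the Display-action check for an item of type `ct`."""
    implied_by = {**GENERIC_IMPLIED_BY, **type_permissions(ct, orchard_19)}
    if f"View_{ct.name}" in implied_by:
        wanted = f"ViewOwn_{ct.name}" if viewer_is_owner else f"View_{ct.name}"
    else:
        # No per-type permission registered: fall back to the generic check.
        wanted = "ViewOwnContent" if viewer_is_owner else "ViewContent"
    return has_permission(role_grants, wanted, implied_by)


# Constructed sample data mirroring the post's scenarios.
ANON_VIEW_ALL = {"ViewContent"}                          # default Anonymous role
ANON_HOMEPAGE_ONLY = {"View_Homepage", "ViewOwn_Homepage"}  # after unchecking View All Content
USER_TYPE = ContentType("User")                          # not creatable, not securable


def scenarios() -> Dict[str, bool]:
    """Run the four situations the post describes; returns name -> can anonymous view?"""
    creatable_homepage = ContentType("Homepage", creatable=True)
    locked_homepage = ContentType("Homepage", creatable=False)
    securable_homepage = ContentType("Homepage", creatable=False, securable=True)
    return {
        # "View All Content" lets anonymous users open any item, User items included.
        "view_all_exposes_user_items": can_view(ANON_VIEW_ALL, USER_TYPE),
        # Per-type grants work while the type is Creatable ...
        "homepage_creatable": can_view(ANON_HOMEPAGE_ONLY, creatable_homepage),
        # ... but stop being consulted once Creatable is unchecked (pre-1.9).
        "homepage_not_creatable_pre_19": can_view(ANON_HOMEPAGE_ONLY, locked_homepage),
        # The 1.9 Securable flag restores the per-type check without Creatable.
        "homepage_securable_19": can_view(ANON_HOMEPAGE_ONLY, securable_homepage,
                                          orchard_19=True),
    }


if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The third scenario is the one the post calls illogical: the Anonymous role still holds "View_Homepage", but because the type no longer qualifies for per-type permissions, the authorizer never asks for it and evaluates the generic "View All Content" instead, which the role lacks.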
Jul 28, 2015 at 6:28 PM
This issue seems to have been resolved in Orchard 1.9 where ContentTypes have a new "Securable" flag. Nice!