My requirement is that all users must log in to use/view content on my orchard site, apart from a 'Get Help' page.
So I went into the roles, and took 'View front end' away from anonymous users, which then promptly started asking everyone to log in.
I then created a new content type, called insecure page, put some random text in there and linked it to a menu item. Then I went back to the roles, and gave the anonymous user all permissions to that new type, logged out and attempted to view it, but was prompted
to log back in first.
I'm not sure what I've missed here - but if I put the view front end option back on for the anonymous role, people can see things without logging in, which I don't want them to do.
May 30, 2016 at 3:49 PM
Edited May 31, 2016 at 1:09 AM
I'm not entirely sure, but I think you probably need to use one of these additional (but not on by default) core modules:
Content Item Permissions
I'm sure that somehow you can use the functionality in one of these to either restrict "everything" except your help page (probably undoing your need to use the (extreme?) removal of "view front end" from anonymous) OR keeping
what you've done but adding the exception for anonymous... like I said I'm not sure about this either but I think that's the direction you need to look.
I have not quite been able to figure out what logic its applying - haven't quite got my head around the permissions heirachy... but basically if you go to a content type - eg: pages, and choose "Secure Content Items" (which appears once you enable
this module) it allows the "Users > Roles" page to list all your pages (fairly unmanageable list once you do this... no filter?, so search for your page name using CTRL+F maybe?) and MAYBE you just check the "view page by others"...
if I figure it out I'll update this - otherwise someone else may clarify how it works...
Appears to me to be SOMETHING like "everything is OFF until its ON", implying to me that you are right in removing "View front end site" to remove "everything" and then just checking this box on ONE page should do the trick but
I can't get it to work... :( So there must be something else to it...
... UPDATE - after thinking about this for a while, there is probably an easier solution (haven't tried, but here goes):
Since I CAN get the "content type" to be securable, just create a new content type called "unsecured pages" give it everything that a Page has...
go into Users > Roles and make theses :
View front end OFF?
View CONTENT TYPES by others ON?
Unsecured Pages - view by others ON...
I think that would probably work...
Jun 1, 2016 at 6:38 PM
Edited Jun 13, 2016 at 4:28 AM
Possibly - I've had some success with this:
(for Anonymous Role)
"view front end" is the wrong approach perhaps?
try leaving this on, and turning off "View all content" (under Contents Feature)
AND THEN follow my suggestion to "create a new content type called "unsecured page" and then go back into Roles and tick the "view unsecured page by others"...
hopefully that does the trick... but you probably need to make this the home page of the site... and then have some kind of redirect to "not this unsecured page" when folks sign in... or make the text generic so that its still acceptable as a signed
in user... not sure what the best way to do either is...
NOTE: *** there seems to be a lot of caching going on around this, so experimenting is confusing... not sure what the best solution to this is... ***