Content item permissions and projection

Topics: Core
Aug 5, 2012 at 7:33 PM
Edited Aug 5, 2012 at 7:34 PM

I've enabled Orchard.ContentPermissions module to control permissions per content items.
So I can restrict certain roles from viewing content item on front-end. It works OK when user navigates to the restricted item: 
Cannot view content. Current user, %user%, does not have ViewContent permission.

However, when I create projection with all protected content items - user can see the content item in the projection, while he doesn't have view permission for it. He cannot navigate to it from projection, but still he can see it.

Is it possible to filter out the restricted items from projection, so that user could see in the projection  only items he has permission to view?

Aug 8, 2012 at 5:42 PM

I've just encounted the same thing - a page which is restricted, but satisfies the query of an unrestricted projection, and since the user has access to the projection, they can see the summary display of the page.

Not sure whether this is by design, but it feels like a bug to me (unless we're both missing something!)

The question is what the correct behaviour should be - you obviously would rather they were filtered out; personally I'd rather it denied access to the whole projection.

Aug 8, 2012 at 5:47 PM

I've created an issue for this at