The Sitecore security model has not changed substantially since Sitecore 4. And yet I still find myself struggling every time I have to set up a website that requires login, or where users require special access rights to parts of the content.
As always, Sitecore provides you with a platform, not the solution. This gives you the flexibility to choose the setup that’s right for you. So this article gives you the hints you might need to set up your own protected website.
SETUP: HOW TO ENFORCE LOGIN ON YOUR SITE
Enforcing login is done in the <sites> section of your Sitecore.config:
<site name="website" rootPath="/sitecore/content/*******" startItem="/Frontpage" loginPage="/Login" requireLogin="true" ... ... </site>
The loginPage attribute is the URL of the login page, and requireLogin="true" means that no page on the site is served until the visitor has logged in. Set requireLogin to "false", but keep the loginPage, when only some pages are protected: anonymous visitors can then browse the public pages, and a request for an item they are not allowed to read is redirected to the login page instead of being served.
REMEMBER: Your login page cannot be protected itself. Everyone, including the anonymous user, needs read access to the login page; otherwise the redirect to the login page is itself redirected, and the visitor never gets a chance to log in.
CASE 1: EVERYONE WITH THE RIGHT LOGIN HAS ACCESS TO EVERYTHING
In this case, all you need is to set requireLogin="true" and loginPage=[some login form], and you are all set.
This works because Sitecore by default gives "Everyone" read access to the entire content tree. "Everyone" is a system role that every user, including the anonymous user, is a member of.
CASE 2: NOT EVERYONE HAS ACCESS TO EVERYTHING
If a section of your website requires a certain role in order to be accessed, you need to:
- Tell Sitecore that "Everyone" does not have read access to that section.
- Give read access to the specific role.
In this example, I break the “Everyone” inheritance by introducing a system folder:
On the "profile" folder, I deny read access for "Everyone", both for the folder item itself and for all its descendants.
Then, for each item, I specify which roles have read access. An Allow set directly on an item takes precedence over the Deny the item inherits from the folder, which is why members of the role can read the pages while everyone else is sent to the login page:
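The same setup done through the Sitecore API, as an added example that is not code from the original post: it applies the two Case 2 rules (deny read for Everyone on the folder and its descendants, allow read for the role on each page) and then checks the result the way the site will see it, including the login-page requirement from the REMEMBER note above. The site name, the item paths and the role name extranet\Members are assumptions for the example; replace them with the ones in your solution.

```csharp
// Added example, not from the original post. Applies and checks the Case 2
// access rules through the Sitecore API. Site name, item paths and the
// member role name are assumptions; adjust them for your solution.
using System;
using System.Collections.Generic;
using Sitecore.Configuration;
using Sitecore.Data;
using Sitecore.Data.Items;
using Sitecore.Security.AccessControl;
using Sitecore.Security.Accounts;
using Sitecore.SecurityModel;
using Sitecore.Sites;

public static class ProfileSectionSecurity
{
    // Assumed names; adjust for your solution.
    private const string SiteName = "website";
    private const string ProfileFolderPath = "/sitecore/content/Home/profile";
    private const string LoginPagePath = "/sitecore/content/Home/Login";
    private const string MemberRoleName = @"extranet\Members";

    // The global system role that every account, including extranet\Anonymous,
    // is a member of. Its name in the __Security field is just "Everyone".
    private static readonly Role Everyone = Role.FromName("Everyone");

    public static void Apply()
    {
        Role members = Role.FromName(MemberRoleName);
        Database master = Factory.GetDatabase("master");

        // Writing the __Security field needs write access to the items, so a
        // setup task runs with security disabled regardless of the context user.
        using (new SecurityDisabler())
        {
            Item folder = master.GetItem(ProfileFolderPath);
            if (folder == null)
                throw new InvalidOperationException("Profile folder not found: " + ProfileFolderPath);

            // Step 1: deny read for Everyone on the folder and on all descendants.
            // This overrides the read access Everyone inherits from the content root.
            AccessRuleCollection folderRules = folder.Security.GetAccessRules();
            folderRules.Helper.AddAccessPermission(Everyone, AccessRight.ItemRead,
                PropagationType.Any, AccessPermission.Deny);
            folder.Security.SetAccessRules(folderRules);

            // Step 2: allow read for the member role on each protected page.
            // A rule set directly on the item takes precedence over the inherited deny.
            foreach (Item page in folder.Children)
            {
                AccessRuleCollection pageRules = page.Security.GetAccessRules();
                pageRules.Helper.AddAccessPermission(members, AccessRight.ItemRead,
                    PropagationType.Entity, AccessPermission.Allow);
                page.Security.SetAccessRules(pageRules);
            }
        }
    }

    // Returns the problems found; an empty list means the setup matches Case 2.
    public static List<string> Check()
    {
        var problems = new List<string>();
        Role members = Role.FromName(MemberRoleName);
        User anonymous = User.FromName(@"extranet\Anonymous", false);
        Database master = Factory.GetDatabase("master");
        Item folder, loginPage;
        var pages = new List<Item>();

        // Fetch the items with security disabled, because GetItem() and Children
        // already filter on the read access of the current context user.
        using (new SecurityDisabler())
        {
            folder = master.GetItem(ProfileFolderPath);
            loginPage = master.GetItem(LoginPagePath);
            if (folder != null) pages.AddRange(folder.Children);
        }
        if (folder == null || loginPage == null)
        {
            problems.Add("profile folder or login page item not found");
            return problems;
        }

        // Case 2 relies on the site redirecting unreadable items to loginPage,
        // so loginPage must be configured even though requireLogin is "false".
        SiteContext site = Factory.GetSite(SiteName);
        if (site == null || string.IsNullOrEmpty(site.LoginPage))
            problems.Add("site '" + SiteName + "' has no loginPage configured");

        // The login page itself must stay readable by the anonymous user,
        // otherwise the redirect to it is itself redirected.
        if (!loginPage.Security.CanRead(anonymous))
            problems.Add("anonymous user cannot read the login page");

        foreach (Item page in pages)
        {
            if (page.Security.CanRead(anonymous))
                problems.Add("anonymous user can read " + page.Paths.FullPath);
            if (!page.Security.CanRead(members))
                problems.Add(MemberRoleName + " cannot read " + page.Paths.FullPath);
        }
        return problems;
    }
}
```

Run Apply() once (for instance from a one-off admin page or a setup task), publish, and then run Check() against the same database; any string it returns names a rule that did not end up the way the two screenshots above describe it. The checks use the account-specific CanRead overload rather than the context user, so they can be run from an admin session without the administrator's own rights masking the result.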
MORE TO READ:
- Setting up Security on Languages in Sitecore 6 (applies to Sitecore 7, 8 and 9 as well) by briancaos
- Security and administration from doc.sitecore.net
- Sitecore Users and C# by briancaos
Great post :-)
There is a third option for "Profile" and its items/pages below. In your controller, add a custom authentication attribute. Like this:
Controller:
using System.Web.Mvc;

// The controller class is only shown here for completeness; the attribute is the point.
public class ProfileController : Controller
{
    // Unauthenticated users are redirected before the action body runs.
    [RedirectUnauthenticatedAttribute]
    public ActionResult ProfileHome()
    {
        return this.View();
    }
}
Your custom attribute (from Habitat):
using System.Web.Mvc;
// IGetRedirectUrlService, GetRedirectUrlService and AuthenticationStatus come
// from the Accounts feature module in Habitat (namespace assumed here).
using Sitecore.Feature.Accounts.Services;

public class RedirectUnauthenticatedAttribute : ActionFilterAttribute, IAuthorizationFilter
{
    private readonly IGetRedirectUrlService _getRedirectUrlService;

    public RedirectUnauthenticatedAttribute() : this(new GetRedirectUrlService())
    {
    }

    private RedirectUnauthenticatedAttribute(IGetRedirectUrlService getRedirectUrlService)
    {
        this._getRedirectUrlService = getRedirectUrlService;
    }

    // Runs before the action: authenticated users pass through, everyone else
    // is redirected to the login URL, with the requested URL passed along so
    // the visitor can be sent back after logging in.
    public void OnAuthorization(AuthorizationContext context)
    {
        if (Sitecore.Context.User.IsAuthenticated)
            return;

        var link = this._getRedirectUrlService.GetRedirectUrl(AuthenticationStatus.Unauthenticated, context.HttpContext.Request.RawUrl);
        context.Result = new RedirectResult(link);
    }
}