The Sitecore security model has not changed substantially since Sitecore 4. And yet I still find myself struggling every time I have to set up a website that requires login, or where users require special access rights to parts of the content.
As always, Sitecore provides you with a platform, not the solution. This gives you the flexibility to choose the setup that’s right for you. So this article gives you the hints you might need to set up your own protected website.
SETUP: HOW TO ENFORCE LOGIN ON YOUR SITE
Enforcing login is done in the <sites> section of your Sitecore.config:
<site name="website" rootPath="/sitecore/content/*******" startItem="/Frontpage" loginPage="/Login" requireLogin="true" ... ... </site>
The loginPage attribute is the URL of the login page, and requireLogin="true" makes the whole site inaccessible without a login: an unauthenticated visitor is redirected to loginPage on every request. Set requireLogin to "false", but keep the loginPage URL, if only some pages are protected; Sitecore then sends a visitor to the login page only when they cannot read the item they requested.
REMEMBER: The login page itself cannot carry any access restriction. Every visitor, including the anonymous user (extranet\Anonymous), must be able to read it. If the login page is not readable anonymously, the visitor Sitecore sends there is denied access again, and nobody can log in.
CASE 1: EVERYONE WITH THE RIGHT LOGIN HAS ACCESS TO EVERYTHING
In this case, all you need is to set requireLogin="true" and loginPage=[some login form], and you are all set.
This works because Sitecore by default gives “Everyone” read access to the entire content tree. “Everyone” is a built-in role that every user, anonymous visitors included, is a member of; once a visitor has logged in, this inherited read right lets them see every item on the site.
CASE 2: NOT EVERYONE HAS ACCESS TO EVERYTHING
If a section of your website requires a certain role to be accessed, you need to:
- Tell Sitecore that “Everyone” does not have access.
- Give read access to the specific role.
In this example, I break the “Everyone” inheritance by introducing a system folder:
On the “profile” folder, I deny read access for “Everyone”, both for the folder itself and for all descendants.
A deny for “Everyone” does not cancel an allow for a named role, because Sitecore resolves rights granted to the Everyone role at lower precedence than rights granted to any other role; that is what makes this pattern work.
Then, for each item below the folder, I specify which roles have read access:
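The same two steps, done with the Sitecore security API instead of the Security Editor, followed by a check that the result matches the rule in the REMEMBER box above. This is an added example, not code from the original post; the item paths, the extranet\Members role and the Home subtree are assumptions, and the API names are as I recall them from Sitecore.Kernel, so verify them against your own version.

```csharp
using System;
using Sitecore.Configuration;
using Sitecore.Data;
using Sitecore.Data.Items;
using Sitecore.Security.AccessControl;
using Sitecore.Security.Accounts;
using Sitecore.SecurityModel;

// Added example. Paths and role name below are assumptions; replace them
// with your own content tree and extranet role.
public static class ProfileSectionSecurity
{
    const string ProfileFolderPath = "/sitecore/content/Home/profile"; // assumed
    const string LoginPagePath     = "/sitecore/content/Home/Login";   // assumed
    const string MembersRoleName   = @"extranet\Members";              // assumed

    // Case 2: deny read for Everyone on the folder and all descendants, then
    // grant read to the named role on the folder and on each page below it.
    public static void ApplyCase2(Database master)
    {
        // Access rules are protected content themselves; edit them as admin.
        using (new SecurityDisabler())
        {
            Item profile = master.GetItem(ProfileFolderPath);
            if (profile == null)
                throw new InvalidOperationException("assumed folder not found: " + ProfileFolderPath);

            Role members = Role.FromName(MembersRoleName);

            AccessRuleCollection rules = profile.Security.GetAccessRules();
            // Step 1: break the inherited Everyone read right, folder + all descendants.
            rules.Helper.AddAccessPermission(Role.Everyone, AccessRight.ItemRead,
                                             PropagationType.Any, AccessPermission.Deny);
            // Step 2: the role must read the folder itself to reach anything below it.
            rules.Helper.AddAccessPermission(members, AccessRight.ItemRead,
                                             PropagationType.Entity, AccessPermission.Allow);
            using (new EditContext(profile))
            {
                profile.Security.SetAccessRules(rules);
            }

            // Per page under the folder, grant read to the role that may see it.
            foreach (Item page in profile.Children)
            {
                GrantRead(page, members);
            }
        }
    }

    static void GrantRead(Item item, Role role)
    {
        AccessRuleCollection rules = item.Security.GetAccessRules();
        rules.Helper.AddAccessPermission(role, AccessRight.ItemRead,
                                         PropagationType.Entity, AccessPermission.Allow);
        using (new EditContext(item))
        {
            item.Security.SetAccessRules(rules);
        }
    }

    // Effective read right for an account, resolved the same way the renderer
    // resolves it (inheritance and the low precedence of Everyone included).
    public static bool CanRead(Item item, Account account)
    {
        return AuthorizationManager.IsAllowed(item, AccessRight.ItemRead, account);
    }

    // Throws if the setup violates the REMEMBER rule or if Case 2 did not take:
    // an anonymous visitor who cannot read the login page is redirected to a
    // page they cannot read, so nobody can log in.
    public static void Verify(Database master)
    {
        Item login;
        Item profile;
        // Fetch under SecurityDisabler only so the lookup itself is not filtered;
        // the rights are evaluated after the disabler has been disposed.
        using (new SecurityDisabler())
        {
            login   = master.GetItem(LoginPagePath);
            profile = master.GetItem(ProfileFolderPath);
        }
        User anonymous = User.FromName(@"extranet\Anonymous", false);
        Role members   = Role.FromName(MembersRoleName);

        if (!CanRead(login, anonymous))
            throw new InvalidOperationException("login page is not readable anonymously");
        if (CanRead(profile, anonymous))
            throw new InvalidOperationException("profile folder is still readable by Everyone");
        if (!CanRead(profile, members))
            throw new InvalidOperationException("members role cannot read profile folder");
    }
}
```

Run ApplyCase2 against the master database and publish, then run Verify; it is the check the Security Editor screenshots cannot give you, since what matters is the effective right for extranet\Anonymous on the login page, not what the folder's rules say.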
MORE TO READ: