I am using TYPO3 and i have a restricted area for members.
If a guest knows the URL of a restricted page in the members area, he is able to see its content. That's not the way it should be.
Do you know how to fix this issue?
If you have a restricted area, you should have at least one FE usergroup created and this usergroup should be assigned at Access tab of your members only page. If you want subpages of this page to be restricted as well, you have to set Extend to subpages checkbox on that tab.
Related
I am trying to create user rights in Typo3 7.6 so that a user can simply work as an editor. He has, for his department, a section of the page tree. In that he can almost exclusively create text & media. For a single subpage of this whole tree, it also requires the ability to create an HTML element.
From my personal logic, it would be sufficient to create a user group (A), with all the usual rights would be covered. So creating pages, texts and media. A second user group (B) then only with the explicit permission to create HTML elements. Under Access, I have selected the group in the entire page tree as a simple editor (A), under which one page may be on the HTML, but the second user group (B).
But now it seems that as soon as the user receives the group B, it is not only allowed to create HTML for the one page, but the entire page tree.
What am I doing wrong? How is that otherwise thought?
This doesn't work this way. The permissions of all groups are combined and are the same on any page.
A possible solution could be to use the extension content_defender and a different backend layout for those pages where the HTML element is allowed.
Just as a side note: Allowing an editor the HTML element is a security risk as the editor can also create JavaScript and with that can get admin permissions and other stuff. So I would be very careful with that and would avoid allowing this element for admins.
We have implemented login functionality like geometrixx site in our existing website(with close to 700+ pages).
We want to show protected pages only to logged in user, every user who is registered gets assigned a group/ CUG lets say "listed users".
now in page hierarchy I have products page and under product page I have 8 products pages.somewhere On homepage I have a nav bar component which fetches all product children pages and shows a left nav bar with 8 entries.
If I enable CUG in a way that only "listed users" should have access to 2 out of 8 product pages, any access to direct links are redirected to login page. Which is fine.
But the nav bar component which earlier used to show all 8 product pages now shows only 6 pages.
The main idea behind putting pages behind login is lead generation.So if non logged in users dont see the link itself where would they click to get redirected to login page and subsequently feel like registering with our site.
Requirement is that my existing nav bar should continue showing 8 links and on click of 2 protected page links, he should get login/ register option.
We are using most of things Out of the Box.
any pointers helping in how do we achieve this would be great help ? PS: i have given a nav bar as one such component affected in existing site like this there could be many more components fetching their content from site hierarchy and stand chance to get broken in such case.
There are two entities involved, JCR and Sling.By default any un-authenticated request is associated with a user called Anonymous, the JCR sessions will have ACL's associated with anonymous.
In JCR, if a user does not have access to nodes, that session will not see those nodes.We access the JCR via Sling ,by default if you don't have permission the request will result in a 404 error(because for underlying JCR session the resource does not exist). Sling can be explicitly instructed to request for authentication for specific paths.
The combination of these concepts are leveraged to create the CUG functionality. Sling is instructed to force for authentication for CUG enabled pages. The JCR is instructed to show these nodes only for users who have access.
When you directly request the product pages without login, it is sling that is redirecting you to login page. When your navigation component is looping over nodes to create the menu for anonymous users JCR is only showing it 6 pages as the other two are out of reach for anonymous.
The only* way to work around this is to make the Navigation component configurable. Instead of node iteration, the content author will have to configure the the url and page title so that the links show up for everyone.
You can ignore the session associated with the request and use a custom JCR session that has access to all the product pages, but that would be disregarding the ACLs and you don't want to do that .
The nav bar can pick up all child pages as per page structure. That should not restrict the page title display on the nav bar.
As for the pages the access can be controlled by template level page properties by adding the 'listed users' group over there. In the jsp you can give an initial check for the user if they are a member of 'listed users' else redirect to login page
Hope that helps
Thanks for all your suggestions
Below is how we ended up doing it.
- Protect the page you want to enable CUG with proper CUG.
- Hide the page in nav.
- Create a redirect page in same hierarchy with same title as the one you wanted to protect.redirect it to your protected page.
I want to "hide/deactivate" the table element for specific users/usergroups in the typo3 BE.
Or to be more clear: I want to ONLY allow it to ONE specific user (admin).
How can i do that?
NOTE: At the moment the table element is deactivated in the global TS-config via tt_content removeItems().
TIA
Note: I have only an old Typo3 4.3.5 installation, but I hope this hasn't changed much.
In User admin, edit group permissions and go to Access lists. At the bottom is "Explicitly allow/deny field values" where you can restrict specific content types.
With the restriction, affected users still see the restricted content element in BE, but get a message when trying to edit it.
I need for certain users to only be able to create pages in certain categories based on their permissions. One reason for this is approvals ("flagged revisions"). If a user can create content outside of any category, then it could show up live on the web site. Even thought it wouldn't initially be linked anywhere directly in an existing page (except other unapproved pages) this can still be a problem.
I can prevent the user from creating a new page in the global scope (apparently this corresponds simply to "edit" permissions as I don't see a special permission for creating new pages), and then I can grant them permission to edit pages in the category their group is authorized to edit. But I can no longer see the "Menu:Wiki:Create a Wiki Page" option, and I can't figure out how to allow the user to create a new page in that category.
I can edit the group and set the "Default category assigned to uncategorized objects edited by a user with this default group" to the desired category. When I do that, a user in that group now has a "Create a Wiki Page" option show up in the Menu:Wiki sub-menu, but clicking on that does not bring up a new page for editing; instead if just brings up a list of existing wiki pages, without the option to create a new one!
If I create a link to the new page from an existing page, I am unable to edit it in any way. Clicking the link takes me to a page which indicates that the page does not exist, but which does not provide any way to edit it. Putting the title of the page directly in the URL, as in tiki-editpage.php?page=New+Page+Name brings up a "You do not have permission to edit this page" error page. Since any new page created by the user should have the category they have permission to edit, this does not make sense unless the category isn't set until after the initial edit permission check occurs, which creates a catch-22!
How do I let the user create a new page in any of the categories they have permissions to edit in?
If Categories are not the best tool for the task that's okay too. I don't really understand the difference between Categories and Structures with regards to which is better for what I'm trying to accomplish, however it seems Categories are the more "native" feature, which is why I am trying to use them.
I want to hide a page in navigation component based on the logged in user. I have two approaches in mind. Set permissions on the page's node in CRX-DE; denying it for all users; and then allowing it for specific groups. I have been trying it; not found much success. Else; I can get the id of the logged in user in the jsp and based on the user group; I can set the page's property 'Hide in Navigation' . But I am not able to find how to set that property in jsp. Please suggest.
Edit:
I am using the default authentication.I wanted to hide a page from navigation in the default 'list' component. If I use CUG; the users belonging to that group will still be able to see that particular page's link in the list component; and would be asked for login on clicking on that page.I want the link itself to be hidden if the user belonged to a particular group
Thanks.
If you are using the default authentication features in AEM (like Geometrixx), which rely on users that exist in AEM, you can use Closed User Groups. CUG allows you to set what users or groups can or cannot see a specific page. You can see where to set CUGs in the page properties dialog for each page. I'm pretty sure CUG settings inherit down the page hierarchy as well.
Using the JCR permissions for this is a good deal more complex, because it's such a low-level architectural thing. However, for more complex solutions, sometimes it's a necessary part of the equation.
I agree with ryanluka that going for JCR permissions should be avoided when the problem can be solved by much simpler approach. I modified the list.jsp of the default list component. Extracted the login user's id using Userpropertiesutil; and based on the group; wrote the code in jQuery to remove that particular page's div from list component.