access rights on Product Listing and Product details page are not working

Hi,

On the staging environment I want authentication first, and do not want the Everyone|Read right.

I removed Everyone from the Home Page and all child pages, including Product Listing Pages and CMS Content pages, from the Admin section.

On accessing CMS pages the site redirects me to the Login page, but Product Listing and details pages are accessible although they don't have any Everyone|Read rights.

Is it a bug? Or am I doing something wrong?

EPiServer Commerce 8.6.1
It's an MVC application


The CMS page controller has the following definition:
CMSPageController : PageControllerBase
where
PageControllerBase : EPiServer.Web.Mvc.PageController, IModifyLayout

The Product Listing page has the following definition:

public class ProductListingPageController : CatalogPageControllerBase
where
CatalogPageControllerBase : EPiServer.Web.Mvc.ContentController

Regards

Khurram

#115710
Jan 16, 2015 12:31
It is registered as a bug:

#122394: Anonymous user can still access to productListing page when Everyone role is removed in MVC

You will find the bug at this location (http://world.episerver.com/Support/Bug-List/)

Regards
/K

#116382
Jan 29, 2015 12:20
Hi

Is the listing page a CMS page that lists catalog content, or a node/category in the catalog that lists the content? Explicit access rights on catalog content are not currently supported, so if it is the latter then I'm afraid this is as designed.

Regards

Per Gunsarfs

#116392
Jan 29, 2015 15:02
Thanks for your response. I also investigated that before raising the support ticket. You are right in thinking that the listing page is a catalog node inherited from IContent and is not a PageData. As security-related interfaces have not been implemented for catalog content, those settings are not working.

Security/Rights is an important feature for content. In theory EPiServer should support security for all content types that come from EPiServer. If we are introducing some custom content types then of course the responsibility does not go to EPiServer. I would highly recommend adding this feature to all types of content, including media content. Although I could try those interfaces, using the MVC Authorize action filter fulfils my requirements.

Regards
/K

#116397
Edited, Jan 29, 2015 15:19
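
The `Authorize` filter approach mentioned in the post above, as an added example that is not code from the thread or from EPiServer: a standard ASP.NET MVC `AuthorizeAttribute` subclass meant to sit on the catalog base controller, since the Admin access-rights settings are not applied to catalog content. The attribute name and the two appSettings keys are hypothetical.

```csharp
using System.Configuration;
using System.Web;
using System.Web.Mvc;

// Added example. "CatalogAccess:RequireLogin" and "CatalogAccess:Roles" are
// hypothetical appSettings keys chosen for this illustration, not EPiServer settings.
public class CatalogAuthorizeAttribute : AuthorizeAttribute
{
    public CatalogAuthorizeAttribute()
    {
        // Optional comma-separated role list; empty means "any authenticated user".
        Roles = ConfigurationManager.AppSettings["CatalogAccess:Roles"] ?? string.Empty;
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        bool requireLogin;
        string raw = ConfigurationManager.AppSettings["CatalogAccess:RequireLogin"];

        // Fail closed: only an explicit "false" leaves the catalog public.
        // A missing or unparsable value is treated as "login required".
        if (bool.TryParse(raw, out requireLogin) && !requireLogin)
        {
            return true;
        }

        // Standard MVC check: authenticated identity plus the Roles list above.
        return base.AuthorizeCore(httpContext);
    }
}

// Usage: put [CatalogAuthorize] on CatalogPageControllerBase. MVC filter
// attributes are inherited, so ProductListingPageController and every other
// controller deriving from that base class are covered by one declaration.
// Actions that must stay public (for example the login action) carry
// [AllowAnonymous], which AuthorizeAttribute honours.
```

This protects only requests routed through the decorated controllers; catalog content exposed through any other controller or endpoint needs the same attribute.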
Per, does this mean this bug will be closed as designed?
Regards
/K

#116771
Feb 04, 2015 15:49
Yes, this bug has been closed as designed, although I would argue that the correct reason is that it is a feature request.

Access rights on individual catalog items have never existed, not on the detail level of CMS content. Adding it would require a bit more than just trivial work, so it needs to be prioritized against all other improvements we want to make. But if it's something that you as partner developers have a strong need for, that would obviously increase the priority. Although, that would have to go through our product management team.

Regards

Per G

#116774
Feb 04, 2015 16:01
Hi Per G,

I understand what you are saying and you are absolutely correct in a sense. I personally try to work with that but find things complex; therefore I am going to use the Authorize attribute in my MVC controllers after considering the budget.

But as a client I will consider this a bug, not a feature, for the following reason (the client does not understand technical reasons; he would like to have all the features on his site that he can find in the demo).

If we install the EPiServer Commerce Sample Demo from the EPiServer Deployment Center, as the demo is based on WebForms and the related classes implement security, if our client removes the Everyone Read right from the Admin section, he will not be able to view the pages below:

Product Listing Page
http://comtest.development.local/en/departmental-catalog/Departments/Fashion/Tops/Tops-Tunics/

Product Details Page
http://comtest.development.local/en/departmental-catalog/Departments/Fashion/Tops/Tops-Tunics/Tops-Tunics-CowlNeck/

I will be thankful if you could review this and add it as a feature. Ideally I would like an interface in the Online Center Admin section where an editor or admin could set the same level of security on all objects inheriting IContent, regardless of whether those are PageData or XYZ.

Regards
/K

#116776
Feb 04, 2015 16:25
I'll forward this to the relevant people.

Thanks for the feedback.

Regards

Per G

#116777
Feb 04, 2015 16:33
Hi guys,

I also have a question from a customer that needs to set access rights to commerce entities.

Their thought was to set a market filter on a category node, but this is not possible.

I also think that access rights are something that should be available for commerce content.

Regards

Håvard

#144412
Feb 12, 2016 11:46
Hi,

We have a plan for that, but unfortunately we are spending time working on other features with higher priority.

We don't compromise on quality, and access rights, no doubt, is a big feature, so I don't expect it to happen anytime soon.

/Q

#144413
Feb 12, 2016 12:29