5.0 SE - Permissions on Image Libraries and Manage Image Libraries
How to create Image Libraries special for one Role. Restrict access for all other libraries?
I have created a role 'MyRole'
I created a user 'MyUser' who can access the backen and is in role 'MyRole'
As Administrator I created a image library 'MyRoleImages' and granted permission to 'MyRole'
Logged-in in as 'MyUser' I will not see the Content - Images option
Logged-in as Admin i granted Adminstration - Permissions - Rights to Image Libraries for 'MyRole'
Logged-in as 'MyUser' I now have the option Content - Images
However two problems
1) it seem the 'MyUser' in 'MyRole' can manage all albums
a) wrong settings or would I have to remove premissions for 'MyRole' from all other and futur libraries (used to be like this for pages in 4.0)
2) as 'MyUser' I can see the link Manage ImageLibraries but when clicked get an 404 error this kind of pages not served.
Description: The type of page you have requested is not served because it has been explicitly forbidden. Please review the URL below and make sure that it is spelled correctly.
Requested URL: /Sitefinity/Content/Images/Albums
Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.272
I was able to reproduce this issue. The issue comes from the permissions not set correctly for the Images and Image libraries. I logged on as the Adminstrator, went to Adminstration >> selected permissions for "MyRole" >> then changed the permissions to allow for "Image" and "Album" sections. Then I logged out and logged back in as MyUser and clicked on Content >> Images and was able to view the album and the pictures within the album.
When setting permissions there are a couple things to remember about setting permissions:
1. Make sure that the user has appropriate permissions depending on the provider- at last View permission for a given page.
2. Make sure that the user's role does not inherit permissions from another role that has deny set fro "View" right. Deny has higher priority than Allow.
Please let us know if you have anymore questions.
the Telerik team
Thank's for the feedback, also on my support ticket.
I was fearing this answer. To me this very very bad.
When I grant a role access to see libraries this role gets automatically added to the default users who can manipulate libraries.
Imagine when you have a 20 libraries and you want now a new user/role to have access to one libarary only.
a) you need to give that role permission so see libaries
b) you then have to deny his access in all other 19 libaries - meaning at the moment you have to break inheritance of this 19 libaries
What about future libaries. As soon as an admin opens a new libary he probably has to rember to revoke the rights for the one user/group!
This is simply bad.
Feature Request: When granting a user/role access to see/manage libaries the user/role should not automatically be added to the default settings but should only be able to see work on the libaries access was granted for.
Bottom line. Libraries access should work now like page (this was fixed also) Granting is the word not denying!
I have submitted a feature request on your behalf. You can follow its progress in PITS and vote for its popularity.
the Telerik team
Dear Grace thanks a lot.
I think you have perfectly described the problem: When granting a user/role access to see/manage libraries the user/role should not automatically be added to the default settings but should only be able to see work on the libraries access was granted for.
Now I just hope may will vote for it and that we will see a fixe behavior in 5.2
Please let us know if you have anymore questions or concerns.
the Telerik team
This hasn't been fixed, has it. I see that for the Documents and Files (or any tab) to show up you have to grant access to either Create New Or Manage All.
Then what? Go through each library and override the setting for the one you don't want the role to access?
Usually our clients aren't this granular but we now have a client with extensive role based editing rights down to one role can only edit a single particular file. I've spent way too much time on his already.
Sitefinity - you may have taken a few steps forward with the permissions but you also took a leap backwards... :(
I am hoping i am just overlooking something obvious!
I sure hope this will make it to 5.5 or next version.