SiteCore Security: I do it my way

Since I customise Sitecore more and more, I have to work with the SecurityModel in Sitecore.
One of the main issues when manipulating items is full-control access. In your code, you can get access to nearly everything using one of these two snippets:

using (new Sitecore.SecurityModel.SecurityDisabler())
{
//your code: all security checks are switched off until the using block ends
}

or:

string userToLogin = "admin";
// log in as the named user; result.Success tells you whether the login was accepted
Sitecore.SecurityModel.DomainAccessResult result = Sitecore.Context.Domain.Login(Sitecore.Context.Domain.GetUser(userToLogin));
if (result.Success)
{
try
{
// your code
}
finally
{
// log out for security reasons, even when your code throws
Sitecore.Context.Domain.Logout();
}
}

Personally I prefer the second option. I know it's slower (it has to contact the database, log in and create some new objects in the 'Domain-Context'), but that's not the reason you should choose the other one in the first place. My argument for the second version is that you use the SecurityModel the way it is meant to be used, when you actually need such privileges, of course. The security disabler kicks you to Redmond, where they also think that by default 'All Access / No rights defined' is the best way to manage your security.
Of course, when you are manipulating your website on every page request you receive, it's better to give the Extranet domain full access to your databases 😛

Last but not least, a hint, just for free: when you are using the code above, please note that you have to select your databases carefully! Sitecore will not change your current database; after logging in, the context does not automatically point to the database 'you want'. Because it is based on the current website, the Sitecore.Context will not change until you change the current website. For more information about current databases, default sites, etc. I would suggest you take a look at this post by Alexander Shyba, one of the Solution Consultants of Sitecore in Ukraine.
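As an added example (not code from the original post), here is the login approach from the post combined with the database hint: the logout sits in a finally block so an exception cannot leave the request logged in as the privileged user, and the target database is resolved by name with Sitecore.Configuration.Factory.GetDatabase instead of trusting Sitecore.Context.Database, which keeps following the current site. It assumes the same Sitecore.Context.Domain.Login/GetUser/Logout API and DomainAccessResult type the post uses; the class, method and delegate names, the user name and the item path are my own placeholders.

```csharp
// Added example, not from the original post. Assumes the Sitecore API shown in
// the post (Sitecore.Context.Domain.Login/GetUser/Logout, DomainAccessResult)
// plus Sitecore.Configuration.Factory.GetDatabase and Item.Editing.
using Sitecore.Configuration;
using Sitecore.Data;
using Sitecore.Data.Items;
using Sitecore.SecurityModel;

public static class ElevatedEdit
{
    // Hypothetical delegate type so the example does not depend on System.Action.
    public delegate void ElevatedAction();

    // Runs 'action' while logged in as 'userName'. Returns false when the
    // login is refused. The logout is in a finally block: an exception inside
    // 'action' must not leave the current request logged in as that user.
    public static bool RunAs(string userName, ElevatedAction action)
    {
        DomainAccessResult result =
            Sitecore.Context.Domain.Login(Sitecore.Context.Domain.GetUser(userName));
        if (!result.Success)
        {
            return false;
        }
        try
        {
            action();
        }
        finally
        {
            Sitecore.Context.Domain.Logout();
        }
        return true;
    }

    // Logging in does not move Sitecore.Context.Database; on a public request it
    // still follows the current site (typically "web"). Resolve the database you
    // actually want to edit by name instead of relying on the context.
    public static bool SetFieldAsUser(string userName, string itemPath,
                                      string fieldName, string value)
    {
        Database master = Factory.GetDatabase("master");
        return RunAs(userName, delegate
        {
            Item item = master.GetItem(itemPath);
            if (item == null)
            {
                throw new System.ArgumentException("Item not found: " + itemPath);
            }
            item.Editing.BeginEdit();
            try
            {
                item[fieldName] = value;
            }
            finally
            {
                // EndEdit commits the change; run it even if the assignment throws
                item.Editing.EndEdit();
            }
        });
    }

    // Sample call with placeholder values (user name and path are constructed):
    // bool ok = ElevatedEdit.SetFieldAsUser("admin", "/sitecore/content/Home", "Title", "New title");
}
```

Whatever you do inside RunAs still runs with that user's full rights, so keep the delegate body as small as the task allows; the point of the try/finally is only that the elevated state never outlives the block.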

7 thoughts on “SiteCore Security: I do it my way”

  1. Hi Alex,

    You can also use the securityswitcher (equiv. to securitydisabler), which does the same. However, it makes sure to leave the state and return to previous state:

    using (new SecuritySwitcher("admin"))
    {
    Item item = GetSomeProtectedItem(...);

    }

    This class accepts two constructor overloads, string as username or a user object.

    Best,
    Lars Fløe Nielsen
    Solution Architect, Sitecore

  2. Can you give some inputs for implementing the login in Sitecore 6?
    Login functionality works fine. But the Context.User.Roles and Context.User.Domain show null. I am using this with an external login page, I mean in the root outside the Layouts. It seems that something is wrong with the security setting.
    Check this post in Sitecore Forum for more details.
    http://sdn.sitecore.net/forum//ShowPost.aspx?PostID=17140

    Thanks,
    Raj

  3. The company I work for builds and hosts sites for our clients using Sitecore. We want to be able to allow our clients to log into Sitecore and make changes to their own site. I’ve been experimenting with Sitecore security and I’ve noticed something strange.

    Basically, what I’m trying to do is limit the user’s ability in the Page Editor to see any site except his own. I created a single user and a single group. Then I added that user to the group. For security, I added read permissions to the “Sites” folder and denied read permissions to its descendants. I did this by setting one setting at the Sites level instead of denying Inheritance for each and every client.

    I closed that window and then got back in and noticed that the settings I had set were not set and the Inheritance setting on a couple of other sites was set to "Deny" (a setting I know I didn't make). Nobody else is making changes to the security.

    Can anyone explain to me why Sitecore seems to be losing these settings? Is this just a bug in Sitecore 6.3.1 (rev 110112)? We have made some customizations, but nothing with security, and what we have made is very minor.

    What’s even more odd is I set the group up and tested the user’s settings and it worked exactly like I wanted in the Page Editor. That user could only see his own sites and change his own stuff. I came into the Page Editor with that same user the next day and I noticed that I could see every other site we have. Again, no settings were changed, it’s like it’s just “forgetting” the settings. I even reset them two other times and noticed the same thing happen where it would forget the settings.

  4. Hi Randy,
    Definitely sounds like you should follow up with support on this to find out what the issue is. I would also search the release notes to see if there is a related issue that has been addressed in a later release. I do recall that there has been an issue or two with the AccessResultCache being refreshed properly. An easy way to test this in your dev environment would be to make the security change, restart the app pool and then see if the change sticks.

    But, in any case, I would encourage you to follow up with support.

    Best wishes,
    Derek
