April 12, 2011 / kiranpatils

Publishing Security Basics

Challenge:

Suppose you have a multisite Sitecore solution with two sites, SiteA and SiteB. Each has its own Media Library (or consider any other section). Now you have created two users: say, USERA, who has access to SiteA, and USERB, who has access to SiteB.

So far so good: each user can see, add, edit, delete and publish only their own items, and things are going smoothly! Now here comes the problem. Suppose USERA publishes a root item together with subitems to which he/she has no rights, and they get published. For example, USERA publishes the Media Library with subitems, which contain SiteA's items as well as SiteB's.

Basically, this should not be allowed, because USERB is halfway through his work and wanted to publish something a bit confidential tomorrow morning at 7 AM!

How do we enable user-role-based publishing, meaning that when USERA publishes something to which he/she has no rights, it does not get published? Good question, right? Let's see its good answer as well 🙂

Solution:

It's also a Sitecore hidden game! In Web.config, check for Publishing.CheckSecurity. By default it is false. Set it to true if you want to solve the above problem.

A little bit of theory on publishing settings

By default, membership in the Sitecore Client Publishing role controls whether a user can access UI features which enable them to publish. The value of the Publishing.CheckSecurity setting in the web.config file defaults to false, and any member of the Sitecore Client Publishing role can publish every item in the Master database, including items to which they do not have read or write access. If you set Publishing.CheckSecurity to true, then members of the Sitecore Client Publishing role must have both read and write access in order to publish an item. If you additionally set the Publishing.RequireTargetDeleteRightWhenCheckingSecurity setting in the web.config file to true, then the user must have delete access in the item in the target database to publish a deletion.

Even if you set the Publishing.CheckSecurity setting in the web.config file to true, Sitecore does not disable publishing commands in the user interface when the user does not have access to publish the selected item. If Publishing.CheckSecurity is false, these commands publish the selected item and optionally its descendants; if Publishing.CheckSecurity is true, the commands publish only the descendants of the item to which the user has appropriate rights.

So, after setting Publishing.CheckSecurity to true, our problem was solved and we were all happy :). But life is not as easy as it seems to be! 🙂

We got another challenge. Let me give you a brief description of it.

We have slightly customized the Recycle [soft delete] and Delete [hard delete] functionality. A few users have Recycle rights but don't have Delete rights.

So what happens when one of those users recycles an item from the Master DB and then publishes a parent of that item? It won't get deleted from the Web DB. Do you know why? [Yeah, how would you know :)] If you have read the theory above [which we usually avoid reading! 🙂 If you have, then I really appreciate it!], you already know. Let me paste the reason:

If you additionally set the Publishing.RequireTargetDeleteRightWhenCheckingSecurity setting in the web.config file to true, then the user must have delete access in the item in the target database to publish a deletion.

So this time Publishing.RequireTargetDeleteRightWhenCheckingSecurity, which defaults to true, was causing the problem. The solution was simple: we set it to false. [Please do check its importance before doing it!]
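As an added example (not code from the original post or from Sitecore), the following script checks a configuration file for the two settings discussed above and reports the publishing behaviour they produce. The `<sitecore><settings><setting name="..." value="..." />` layout of the constructed sample and the defaults applied to absent settings (false and true, as stated in this post) are assumptions.

```python
import xml.etree.ElementTree as ET

CHECK = "Publishing.CheckSecurity"
TARGET_DELETE = "Publishing.RequireTargetDeleteRightWhenCheckingSecurity"
# Values assumed when a setting is absent, as stated in the post above.
DEFAULTS = {CHECK: False, TARGET_DELETE: True}

def read_publishing_settings(config_xml):
    """Return the effective boolean value of both publishing security settings."""
    effective = dict(DEFAULTS)
    for node in ET.fromstring(config_xml).iter("setting"):
        name = node.get("name")
        if name in effective:
            effective[name] = node.get("value", "").strip().lower() == "true"
    return effective

def audit(config_xml):
    """Describe the publishing behaviour the configuration produces."""
    s = read_publishing_settings(config_xml)
    if not s[CHECK]:
        return ["RISK: %s=false, members of Sitecore Client Publishing can "
                "publish items they cannot read or write" % CHECK]
    notes = ["OK: %s=true, publishing requires read and write access" % CHECK]
    if s[TARGET_DELETE]:
        notes.append("NOTE: %s=true, publishing a deletion requires delete "
                     "access on the item in the target database" % TARGET_DELETE)
    else:
        notes.append("NOTE: %s=false, deletions publish without delete "
                     "access on the target item" % TARGET_DELETE)
    return notes

# Constructed sample: a minimal settings section, not a real site's config.
SAMPLE_WEB_CONFIG = """
<configuration>
  <sitecore>
    <settings>
      <setting name="Publishing.CheckSecurity" value="true" />
      <setting name="Publishing.RequireTargetDeleteRightWhenCheckingSecurity" value="false" />
    </settings>
  </sitecore>
</configuration>
"""

if __name__ == "__main__":
    for line in audit(SAMPLE_WEB_CONFIG):
        print(line)
```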

So, finally we are happy now! 🙂 And hope you too!

Happy Publishing! 🙂

One Comment

  1. Clem / Mar 10 2017 5:59 pm

    Some considerations. Subitems are not published even if user has read/write on parent and sub items. In addition, all publishing targets are updated. User cannot select publishing targets so previewing results is not possible.