View as a Visitor Group in CMS preview mode not working

I have some pages set to be visible for a specific user group in the CMS. When I try to preview them using the "View as Visitor group" option in the toggle section, I still see the pages that the selected role should not be seeing.

In the application UI, the content is filtered and is displayed correctly. It's only when using the preview option in the CMS.

Am I missing something?

#217483
Feb 24, 2020 21:42

How do you configure them? I hope you are not using the visitor group criteria. You must be using access rights to set access.

Visitor group criteria is for website visitors (frontend website, not CMS), to control who should see what content.

https://webhelp.episerver.com/16-4/cms-admin/visitor-groups.htm

Access rights should be used to set Read, write, create etc. permissions.

https://webhelp.episerver.com/latest/en/cms-admin/access-rights.htm

#217514
Feb 25, 2020 1:43

Hi,

If I understand the situation correctly, the reason you'll always be seeing the pages regardless of the visitor group selected is that you will already have permission to see that page by virtue of being a CMS admin (or editor). Impersonating a visitor group adds to the permissions you already have rather than replacing them.

If you want to use the visitor group impersonation to replace existing permissions, you'd need to write a custom filter which checks the ACLs of each content item in your list and removes any items which don't have "everyone" access and don't have access to the impersonated visitor group (as I recall, you can get the impersonated visitor group from the HttpContext.Items collection).

#217538
Feb 25, 2020 12:14

So to update here: I have the visitor group created and have also set the access rights. Now in the preview, when I select a visitor group that should not be seeing certain content, I find that the visitor group selection doesn't do anything. I can still see the content that shouldn't be visible to the group.

@Paul,

Could you please give me some more information on what custom filter we are talking about?

#217545
Feb 25, 2020 14:52

Hi Dileep,

I think the first paragraph in your update above reinforces what I'd said above. Permissions in Episerver are additive so previewing as a visitor group wouldn't remove any permissions and wouldn't result in the removal of access to any content. You'll still be previewing with your own permissions plus those of the visitor group you're impersonating.

Presumably you're getting a list of content (e.g. pages) then filtering using something like EPiServer.Filters.FilterContentForVisitor() to remove the content items which the user shouldn't have access to? What I was suggesting was that, in addition to that first filter call, you could create your own filter method which, if you're impersonating a visitor group, will strip out any of the content which is not available anonymously unless it's visible to the visitor group you're impersonating. Something like this:

using System;
using System.Collections.Generic;
using System.Linq;
using EPiServer.Core;
using EPiServer.Personalization.VisitorGroups;
using EPiServer.Security;
using EPiServer.ServiceLocation;

// Extension method: declare it inside a static class.
public static IEnumerable<T> FilterForVisitorGroupImpersinationPreview<T>(this IEnumerable<T> contents) where T : IContent
{
    var impersonatedVG = (System.Web.HttpContext.Current?.Items["ImpersonatedVisitorGroupsById"] as string[])?.FirstOrDefault() ?? string.Empty;
    if (string.IsNullOrEmpty(impersonatedVG))
    {
        return contents; // Don't filter if you're not impersonating a group
    }

    // impersonatedVG contains the GUID of the visitor group, ACL entries contain the name so get the name from the GUID
    var vgRepo = ServiceLocator.Current.GetInstance<IVisitorGroupRepository>();
    var vgName = vgRepo.Load(Guid.Parse(impersonatedVG))?.Name; // null if the group no longer exists

    var rtn = new List<T>();
    foreach (var item in contents)
    {
        // Items that expose no ACL are left out instead of throwing a NullReferenceException
        var securityDescriptor = (item as IContentSecurable)?.GetContentSecurityDescriptor();
        if (securityDescriptor == null)
        {
            continue;
        }

        // AccessLevel is a flags enum, so test the Read bit; Equals() would miss entries such as Read + Edit
        var everyoneHasAccess = securityDescriptor.Entries.Any(x => x.Name.Equals("Everyone") && (x.Access & AccessLevel.Read) == AccessLevel.Read && x.EntityType.Equals(SecurityEntityType.Role));
        var impersonatedVGHasAccess = vgName != null && securityDescriptor.Entries.Any(x => x.Name.Equals(vgName) && (x.Access & AccessLevel.Read) == AccessLevel.Read && x.EntityType.Equals(SecurityEntityType.VisitorGroup));

        if (everyoneHasAccess || impersonatedVGHasAccess)
        {
            rtn.Add(item);
        }
    }
    return rtn;
}

#217557
Feb 25, 2020 17:54