"Access was denied to page 110. The required access level was "Edit, Publish"."
I used the exact same code from a post back scenario and that worked out fine.
Here's the code from my web service:
    PageData pdReadOnly = DataFactory.Instance.GetPage(new PageReference(pageRef));
    PageData pd = pdReadOnly.CreateWritableClone();
    int noItems = pd.GetProperty<int>("num");
    noItems++;
    pd.Property["num"].Value = noItems;
    int ratingOld = pd.GetProperty<int>("tot");
    int rating = ratingOld + Convert.ToInt32(ratingValue);
    pd.Property["tot"].Value = rating.ToString();
    double averageRating = 0;
    if (rating != 0 && noItems != 0)
        averageRating = (double)rating / (double)noItems;
    pd.Property["avg"].Value = averageRating;
    DataFactory.Instance.Save(pd, EPiServer.DataAccess.SaveAction.Publish);
Use the code below before saving the page (web service doesn't have rights to save the page)
EPiServer.Security.PrincipalInfo.CurrentPrincipal = EPiServer.Security.PrincipalInfo.CreatePrincipal("administrator");
I tried the following instead and that worked
However, does this mean that I can decide what access level is required? Seems very strange...
I also tried as described by Marek, but unsuccessfully. Should I connect the principal to the page or datafactory in some way?
It means that you can override the required access right when saving the page. So then it's up to you and your implementation to secure this function (by securing the web service etc.)
To elaborate this a bit: There's nothing wrong with overriding the access rights for publishing the page, in fact I think that is rather common. In your situation the only thing your method/webservice can do is to update the rating of the page, so that should be OK, shouldn't it? Of course there are still security considerations to this, for example what might happen if someone externally calls your webservice to spam the rating system. Also, I don't know where you get your page reference from, but it might be possible to use your webservice to publish a page that is not published, which isn't your intention so in that case it's "wrong" to override the access rights, at least in this way.
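One way to apply the considerations raised in the reply above, as an added example that is not code from any poster in this thread: validate the rating and the target page before saving with the access check overridden. The property names `num`, `tot` and `avg` come from the question; the 1-5 scale, the `ArticlePage` page type name and the `RatingUpdater` class are assumptions made for the sketch, and throttling of repeated calls is left to the web service layer.

```csharp
using System;
using EPiServer;
using EPiServer.Core;
using EPiServer.DataAccess;
using EPiServer.Security;

public static class RatingUpdater
{
    // Assumptions for this sketch: a 1-5 scale and one rateable page type.
    private const int MinRating = 1;
    private const int MaxRating = 5;
    private const string RateablePageType = "ArticlePage"; // hypothetical name

    public static bool TryAddRating(int pageId, int ratingValue)
    {
        // Reject malformed input before loading anything.
        if (pageId <= 0 || ratingValue < MinRating || ratingValue > MaxRating)
            return false;

        PageData page;
        try
        {
            page = DataFactory.Instance.GetPage(new PageReference(pageId));
        }
        catch (PageNotFoundException)
        {
            return false;
        }

        // Only touch pages that are already live, readable by the caller and
        // of the expected type, so the Publish below cannot push a draft live.
        if (!page.CheckPublishedStatus(PagePublishedStatus.Published) ||
            !page.QueryDistinctAccess(AccessLevel.Read) ||
            !string.Equals(page.PageTypeName, RateablePageType, StringComparison.Ordinal))
            return false;

        PageData writable = page.CreateWritableClone();
        int count = Convert.ToInt32(writable["num"]) + 1;   // null converts to 0
        int total = Convert.ToInt32(writable["tot"]) + ratingValue;
        writable.Property["num"].Value = count;
        writable.Property["tot"].Value = total;
        writable.Property["avg"].Value = (double)total / count;

        // The access check is skipped only for this one, pre-validated save.
        DataFactory.Instance.Save(writable, SaveAction.Publish, AccessLevel.NoAccess);
        return true;
    }
}
```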
Ok, got it. I was taking for granted that the security rules were already "written in stone" but thinking about what you just explained Magnus, it makes perfect sense. I will also take the security issue into consideration.
Thanks for the swift replies