Access trouble when saving PageData object via web service

Vote:
 

Hi

I am calling a webservice through ajax using a javascript client side and receives the following error when trying to save the page:

"Access was denied to page 110. The required access level was "Edit, Publish"."

I used the exakt same code from a post back scenario and that worked out fine.

Here's the code from my web service:

            PageData pdReadOnly = DataFactory.Instance.GetPage(new PageReference(pageRef));
          
            PageData pd = pdReadOnly.CreateWritableClone();
            int noItems = pd.GetProperty<int>("num");

            noItems++;
            pd.Property["num"].Value = noItems;

            int ratingOld = pd.GetProperty<int>("tot");
            int rating = ratingOld + Convert.ToInt32(ratingValue);
            pd.Property["tot"].Value = rating.ToString();

            double averageRating = 0;
            if (rating != 0 && noItems != 0) averageRating = (double)rating / (double)noItems;
            pd.Property["avg"].Value = averageRating;

            DataFactory.Instance.Save(pd, EPiServer.DataAccess.SaveAction.Publish);

            return noItems.ToString();

#40787
Jun 17, 2010 9:14
Vote:
 

Use the code below before saving the page (web service doesn't have rights to save the page)

EPiServer.Security.PrincipalInfo.CurrentPrincipal = EPiServer.Security.PrincipalInfo.CreatePrincipal("administrator");

 

#40790
Jun 17, 2010 9:30
Vote:
 

I tried the following instead and that worked

DataFactory.Instance.Save(pd, EPiServer.DataAccess.SaveAction.Publish,EPiServer.Security.AccessLevel.Read);

However does this mean that I can decide what access level is required??? seems very strange....

#40791
Jun 17, 2010 9:43
Vote:
 

i also tried as described by Marek, but unsuccessfull. Should I connect the principal to the page or datafactory in some way?

#40793
Jun 17, 2010 10:04
Vote:
 

It means that you can override the required access right when saving the page. So then it's up to you and your implementation to secure this function (by securing the web service etc.)

Edit:

To elaborate this a bit: There's nothing wrong with overriding the access rights for publishing the page, in fact I think that is rather common. In your situation the only thing your method/webservice can do is to update the rating of the page, so that should be OK, shouldn't it? Of course there are still security considerations to this, for example what might happen if someone externally calls your webservice to spam the rating system. Also, I don't know where you get your page reference from, but it might be possible to use your webservice to publish a page that is not published, which isn't your intention so in that case it's "wrong" to override the access rights, at least in this way.

#40797
Edited, Jun 17, 2010 12:28
Vote:
 

Ok, got it. I was taking for granted that the security rules were already "written in stone" but thinking about what you just explained Magnus it makes perfect sence. I will also take the security issue into consideration.

Thanks for the swift replies

#40828
Jun 18, 2010 9:07
This topic was created over six months ago and has been resolved. If you have a similar question, please create a new topic and refer to this one.