This is the first time I post a question here, I hope I can make myself clear, and I sincerely hope you can help me.
The company I work with has a CMS 6 (6.1.379.0) running their Extranet; and of course lots of the pages have documents linked to them.
Today, a co-worker in Italy contacted me because these documents, linked through the pages, which are stored in PageFiles, are open and readily available (even indexed by Google) as long as one has the link. Even those pages which are unpublished, or restricted to Admin, if there are documents in them, those documents are available from outside the permission structure.
I had a look and found that the Page Files folder actually did have read access for everyone... so I edited that, took away the read access for everyone, and added only our internal AD groups which manage the access to the Extranet.
However, these documents are still accessible.
I cannot change the permissions for every particular folder in the Page Files folder, because the "change access rights" button is disabled.
What am I missing?
Thank you in advance!
The Page Files should have the same access rights as its Page. Do you see "bypassaccescheck" in your episerver.config file?
Thank you for the quick answer. No, there is no bypass in the config file, the access rights are still mapping the Page.
However, this is what I figured out yesterday: the documents which have "everyone-read" access, are linked to pages which have been removed. :) Thus, they are inheriting from the root page; which is the login page... which out of necessity is of course "everyone-read" otherwise nobody would reach it to log in in the first place.
I requested permission from my boss to conduct a cleanup of all orphaned files; backed up everything and then if someone complains that their file is gone, I can restore it... But I am guessing that they won't complain. After all, they did remove the pages. :)
Thank you again for your help!