It is registered as bug

#122394: Anonymous user can still access to productListing page when Everyone role is removed in MVC You will find the bug on location (http://world.episerver.com/Support/Bug-List/)

Regards
/K

Hi

Is the listing page a cms page that lists catalog content, or a node/category in the catalog that lists the content? Because explicit access rights on catalog content is not currently supported, so if it the latter then I'm afraid this is as designed.

Regards

Per Gunsarfs

Thanks your response. I also investigated that before raising the support ticket. You are right in thinking, Listing page is a cataog node inheritied from IContent and its not a PageData. As security related interfaces have not been implemented for catalog content therfore Those settings are not working.

Security/Rights is an important feature for contents. In theory EPiServer should suport security for all type of content types that comes from EPiServer. If we are intorducing some custom content types than ofcourse responsibility doesnot go to EPiServer. I will highly recommend to add this feature to all type of contents including media contents. Although I could try those Interfaces but using MVC Authorize action filter fulfils my requirements. 

Regards
/K

Per, Does this mean, this bug will be cosed as designed?
Regards
/K

Yes, this bug has been closed as designed, although I would argue that the correct reason is that it is a feature request.

Access rights on individual catalog item has never existed, not on the detail level of CMS content. Adding it would require a bit more than just trivial work, so it needs to be prioritized against all other improvments we want to make. But if it's something that you as partner developers has a strong need for, that would obviously increase the priority. Although, that would have to go through our product management team.

Regards

Per G

Hi Per G,

I understand what you are saying and you are absolutly correct in a sense, I personally try to work with that but find the things complex therfore I am going to use Authorize attribute in my MVC controllers after considring the budget.

But as a client I will consider this a bug not a feature there are follwoing reason (Client doesnot understand technical reasons, He will like to have all features on his site also that he can find in the demo).

If we install EPiServer Commerce Sample Demo from EPiServer Deployment Center, as Demo is based on webform and related classes are implementing security therefore If our client Remove the EveryOne Read Right from Admin section, He will not be able to view below pages

Product Listing Page
http://comtest.development.local/en/departmental-catalog/Departments/Fashion/Tops/Tops-Tunics/

Product Details Page
http://comtest.development.local/en/departmental-catalog/Departments/Fashion/Tops/Tops-Tunics/Tops-Tunics-CowlNeck/

I will be thankful if you could review this and could add as a feature. Ideally I will like an interface in Online Center Admin section where an Editor or admin could set same level of security on all objects inheriting IContent regardless those are PageData or XYZ.

Regards
/K

I'll forwards this to the relevant people.

Thanks for the feedback.

Regards

Per G

Hi guys,

I am also having a question from a customer that needs to set access rights to commerce entities.

Their thought was to set a market filter on a category node, but this is not possible.

i also think that access rights is something that should be available for commerce content.

Regards

Håvard

Hi,

We have plan for that, but unfortunately we are spending time to work on other features with higher priority.

We don't compromise on quality, and access rights, by no doubt, is a big feature, then I don't expect it to happen anytime soon.

/Q