User access to Catalog UI but not CMS edit?

Vote:
 

Hi all

I would like to create a user/login to our Episerver solution. This user should be able to access the Catalog UI interface, but the user should not be able to access the CMS editor and not be able to edit CMS pages.

I have created the CatalogUI role in our solution, and created a virtual role in web.config:

This allows the a user with the CatalogUI role to access the Catalog UI interface. Good. But if I only grant the user the CatalogUI role, the user is unable to login.

I have fixed this by adding the CatalogManagers virtual role to the list of allowed roles for the EPiServer location:

  
    
  ...
      
        
        
      
    
...
    

Now the user can login, but he can access the CMS editor. However it looks as if the user can only browse the CMS editor and not actually modify anything.

I would prefer if the user was unable to open the CMS editor at all, so I tried to deny the user access to the EPiServer/CMS location:

  
    
      
        
        
      
    
  

I can't open the CMS editor, and I can still access the CatalogUI but I get an error about access to things under EPiServer/CMS/Stores not being allowed. Then I gave the user access to this path:

  
    
      
        
        
      
    
  

Ok, now I can access the CatalogUI and browse the catalog structure. I can't open the CMS Editor. Fine. But when I try to open an item in the Catalog UI, I start to get all kinds of JavaScript errors. As far as I can see, it is because the Javascript uses different things under EPiServer/CMS where my user is forbidden.

Now I'm stuck. What can I try next? It looks as if I can't block access to the CMS editor by blocking access to the path EPiServer/CMS.

Is this as far as I can get? It looks as if I now have a user that can access the Catalog UI but the user can also access the CMS editor, even though the user doesn't have permission to change anything in the CMS editor?

Regards

Anders

#178225
May 05, 2017 8:10
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.