
Search with FilterOnReadAccess returns no items


I am using Episerver Find to generate a list of pages where a property matches a specific value. This is not a problem and I get a correct search result.

However, to respect page access rights, I also tried adding the FilterOnReadAccess method to the filter chain. Then I get no results from the search, even though the pages have virtual roles like Everyone and Anonymous added with at least Read access checked. I have verified these roles in both CMS and Find shells, so they should be indexed alright.

I am using these versions of relevant NuGet packages:

  • Episerver.Cms: 10.10.4
  • Episerver.Find: 12.6.2
  • Episerver.Find.Cms: 12.6.2

Anything I should consider changing for the search? Any help will be appreciated.

Apr 01, 2019 12:24

Have you verified that the actual indexed documents have the correct role(s) in the RolesWithReadAccess field? Or is that what you meant by "I have verified these roles in both CMS and Find shells, so they should be indexed alright"?

 "RolesWithReadAccess$$string": [

And also verified that the user (Principal) is indeed in one of those roles when performing the search?

Apr 01, 2019 16:12

Just found and fixed this issue.

It all worked fine for a logged-in user. But it turns out that the name property of an anonymous ClaimsIdentity is null when in a WebAPI and SuppressDefaultHostAuthentication is enabled. Episerver, on the other hand, expects that name to at least be an empty string. So even though the anonymous user had some of the virtual roles with read access, and should therefore be able to see the pages, Episerver would ignore those virtual roles for that filter.

Apr 02, 2019 10:46

Thanks for posting the solution 

Apr 02, 2019 10:47

It is not Episerver's doing, however. ASP.NET Identity by default expects a cookie for logged-in users, and SuppressDefaultHostAuthentication removes that cookie for Web API controllers, rendering all requests anonymous.

Apr 02, 2019 11:17

Hi Quan

Using SuppressDefaultHostAuthentication together with a sorted list of passive host authentication filters (including the cookie middleware), so requests are not always anonymous. 😉

The issue was that SuppressDefaultHostAuthentication makes an unauthenticated request fall back to an identity with null name, but falling back to FallbackPrincipal.AnonymousPrincipal works.

But actually, even if Name is null, it would be nice if FilterOnReadAccess would recognize Anonymous and Everyone roles, as long as IsAuthenticated is false.

Apr 02, 2019 13:06
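
The fix described in this thread, sketched as an added example (not code from the thread or from Episerver): a Web API message handler that replaces an unauthenticated principal whose identity has a null Name before any access-filtered query runs. The class name AnonymousPrincipalNormalizer is hypothetical, and the default empty-name GenericPrincipal is an assumption based on the statement above that Episerver expects at least an empty string; the fallback the thread reports as working, FallbackPrincipal.AnonymousPrincipal, can be supplied through the constructor delegate.

```csharp
using System;
using System.Net.Http;
using System.Security.Principal;
using System.Threading;
using System.Threading.Tasks;

// Hypothetical handler (not part of Episerver or ASP.NET). Register it after
// the suppression call so it runs after the host principal has been cleared:
//   config.SuppressDefaultHostAuthentication();
//   config.MessageHandlers.Add(new AnonymousPrincipalNormalizer());
public class AnonymousPrincipalNormalizer : DelegatingHandler
{
    private readonly Func<IPrincipal> _fallback;

    // Assumed default: an unauthenticated identity whose Name is "" rather than null.
    public AnonymousPrincipalNormalizer()
        : this(() => new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]))
    {
    }

    // Pass e.g. () => FallbackPrincipal.AnonymousPrincipal, the fallback named in the thread.
    public AnonymousPrincipalNormalizer(Func<IPrincipal> fallback)
    {
        if (fallback == null) throw new ArgumentNullException(nameof(fallback));
        _fallback = fallback;
    }

    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        var context = request.GetRequestContext();
        if (context != null)
        {
            var identity = context.Principal?.Identity;

            // Only touch the anonymous case: no identity at all, or an
            // unauthenticated identity with a null Name. Authenticated
            // principals are never replaced.
            if (identity == null || (!identity.IsAuthenticated && identity.Name == null))
            {
                context.Principal = _fallback();
            }
        }

        // Authentication filters run later in the pipeline and can still
        // set an authenticated principal for this request.
        return base.SendAsync(request, cancellationToken);
    }
}
```

Because the handler only substitutes a principal when IsAuthenticated is false, it cannot widen access for a request; it only changes which anonymous identity the read-access filter evaluates.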
This topic was created over six months ago and has been resolved. If you have a similar question, please create a new topic and refer to this one.