Login should not redirect to AccessDenied.aspx

This is the place to report bugs and get support. When posting in this forum, please always provide as much detail as possible.

Please do not report problems with a custom build or custom code in this forum. If you are producing your own build from the source code and have problems or questions, ask in the developer forum, do not report it as a bug.

This is the place to report bugs and get support

When posting in this forum, please try to provide as many relevant details as possible. Particularly the following:

  • What operating system were you running when the bug appeared?
  • What database platform is your site using?
  • What version of mojoPortal are you running?
  • What version of .NET do you use?
  • What steps are necessary to reproduce the issue? Compare expected results vs actual results.
Please do not report problems with a custom build or custom code in this forum. If you are producing your own build from the source code and have problems or questions, ask in the developer forum.
This thread is closed to new posts. You must sign in to post in the forums.
3/27/2018 2:52:50 AM
Gravatar
Total Posts 537
feet planted firmly on the ground

Login should not redirect to AccessDenied.aspx

Maybe not exactly a bug, but undesirable behaviour...

As an unauthenticated user, try to visit a bookmarked URL that is protected  > /AccessDenied.aspx  (so far so good).

Click "Sign in" link (we go to /Secure/Login.aspx?returnurl=%2fAccessDenied.aspx ) > enter credentials > redirected to /AccessDenied.aspx > highly confused user who now sends flaming emails about broken system.

I think this page should be excluded from the redirection.

Tested in 2.6.0.0

3/27/2018 8:59:29 AM
Gravatar
Total Posts 2253

Re: Login should not redirect to AccessDenied.aspx

I agree, this workflow should be much different. Do you think the access denied page is even needed? Why not just redirect to the login page with a message stating that access to the requested content is restricted? That would cut down on clicks and most people understand that they need to login to see content if a login page is presented.
3/28/2018 2:38:08 AM
Gravatar
Total Posts 537
feet planted firmly on the ground

Re: Login should not redirect to AccessDenied.aspx

Not sure.  That would imply to the user that signing in will gain them access to the page they tried to visit, which isn't necessarily the case, and then you'd still need to redirect them to an accessdenied page anyway if they are authenticated but not permitted.

Do I recall that the content of the accessdenied page is configurable anyway? Does it use a resx value? If so it could easily include a link to the sign in page.

I think solving the redirect issue would be a good first step.

3/28/2018 1:39:25 PM
Gravatar
Total Posts 2253

Re: Login should not redirect to AccessDenied.aspx

Hi Crispin,

I'm looking through the code and currently you're going to get mixed results depending on what you are not allowed to see. For instance, regular CMS pages check if you can view a page, if not it checks if you are logged in, if not you get login page. If you are logged in and you can't see the page, you're redirected to the AccessDenied page.  The blog posts are the same way.  But, PageSettings.aspx checks to see if you are in a role which allows you to see the page settings page and always redirects to the AccessDenied.aspx if not; it doesn't check to see if the user is authenticated first but the methods it uses to check for role membership does but those don't redirect anything, they just provide true|false.

So, we need to go through and standardize everything. Any page like PageSettings.aspx needs to require you to be logged in before you can see them so they should check if you're authenticated before checking roles. Anything that requires login  and the user isn't logged in should redirect to the login page. 

To be clear, there isn't a security problem here. The workflow is just a mess because there is no standardization. 

I'm going to add code to the login page to check the return url and not use it if it is AccessDenied.aspx. I'm also removing the need for the EditAccessDenied.aspx page because having two is not necessary. 

You can change the content of the AccessDenied.aspx page by modifying the /Data/MessageTemplates/AccessDeniedMessage.config

Thanks,
Joe

3/28/2018 3:13:04 PM
Gravatar
Total Posts 2253

Re: Login should not redirect to AccessDenied.aspx

Hi Crispin,

We've standardized this and pushed to the repo. It'll be in the next release.

Thank you,
Joe

3/28/2018 5:17:09 PM
Gravatar
Total Posts 537
feet planted firmly on the ground

Re: Login should not redirect to AccessDenied.aspx

Sounds like good overall improvements, thanks Joe.

You must sign in to post in the forums. This thread is closed to new posts.