|Subject:||strange security role issue|
|Posted by:||jrl (email@example.com)|
|Date:||Sun, 09 Mar 2008|
I have a (development) website, where I have used role based security, and a
sitemap with SecurityTrimingEnabled as True. In this situation, I have
sections of the site which are accessible or not, depending on the role a
user is in.
I use the create user wizard to allow an internet visitor to create a user
account. The wizard works fine, but how can I put an extra little task into
the wizard's process? I'd like the wizard to send the administrator an
email, to alert that there is a new user, who needs to have the role set. (I
can handle the email part, but I don't know where to call this extra task,
within the wizard's sequence) This is the first part of the question.
The second part, is that I've noticed a strange behavior in the role that a
newly created user gets. When I view the new user roles in the Web Site
Administration tool, it says that the user does not belong to any roles.
This is what I expect. However, when I log in as that new user (with no
roles) I find that I have access to the whole navigation tree. Since
securitytriming is enabled, I should only be able to see areas of the site
that are visible to all. Instead, I can see areas that are normally only
visible to the administrator role users. This is obviously very bad!
How can I ensure the role that new users get when the wizard creates the
user? Is there a step needed to define their role, or why is their unset
role allowing them to see administrator content?