Allow anonymous access option on Enhanced Permissions Macro

Description

As a user of the Enhanced Permissions Macro, I would like the ability to allow anonymous users to view an excerpt.

The use case is to have an excerpt on a page that is otherwise locked down to logged-in users, then make an include on a page that is available to anonymous users.

Freshdesk Tickets

None


Activity

Ture Hoefner
October 14, 2020, 7:49 PM

We have determined that this poses a security risk and will not be implementing it. See the previous comment about excerpting content for anonymous users using pages that are accessible by anonymous users.

Ture Hoefner
May 14, 2020, 8:02 PM

A feature like this would have to be opt-in by the admin user, using a new toggle on the MultiExcerpt admin tool. Allowing anonymous access to restricted content via a MultiExcerpt Enhanced Permissions (MEEP) macro implies responsibility to the content contributors to never put any sensitive information in the body of a MEEP macro. The same responsibility exists today with the use of a MEEP and a list of allowed users/groups but the consequences of a mistake are much larger if it is exposed to anonymous users.

Our recommendation for this use-case (expose content to pages accessible by anonymous users) is to only include content on anonymous-access pages by excerpting content from a page that is, itself, accessible by anonymous users. If that content is needed on a restricted page then use a MultiExcerpt Include to get it there. Use another MultiExcerpt Include to expose it on an anonymous page. Do not use a restricted page as the original source of any content that is to be exposed anonymously.

Out of Scope

Assignee

Unassigned

Reporter

Leslie Gilbert

Labels

None

Product

None

Priority

Major