Alexey Rusakov on Sitecore development

Wednesday, August 23, 2006

I have once wrote about a rare security setup, in which there is a parent item that is less visible than a child. To recap, consider this setup:

home (allow read)
|
--news (deny read : browse only item)
|
--news_item (allow read)

Now theres another catch if you need to retrieve the 'news item' (in bold) using the api:

database.Items["/sitecore/content/home/news/news_item"] -> OK, news_item
database.Items["{id-of-news_item}"] -> OK, news_item

database.GetRootItem().Axes.SelectItems["/sitecore/content/home/news/news_item/*"] -> null
database.GetRootItem().Axes.SelectItems["//news_item"] -> null (at least on sqlexpress)
database.GetRootItem().Axes.SelectItems["//{id-of-news-item}"] -> OK, news_item

(Tested on Sitecore 5.3 beta 060731)

Peter Johansson, who has the full credit for spotting this, made the following wrapper around SelectItems to be able to query over hidden items, but still respect security in the end:

public static List<Item> SelectItems(Item RootItem, string Query)
{
   List<Item> itemsList = new List<Item>();
   if (RootItem != null)
   {
       Item[] items = null;
       using (new Sitecore.SecurityModel.SecurityDisabler())
       {
           items = RootItem.Axes.SelectItems(RootItem.Paths.Path + Query);
       }
       if (items != null)
       {
           foreach (Item itm in items)
           {
               if (itm.Access.CanRead())
               {
                   itemsList.Add(itm);
               }
           }
       }
   }
   return itemsList;
} 

As this is tested on beta version of Sitecore, I will followup if anything changes or I discover more. And now, it's time for a little vacation: see you on Monday.

Wednesday, August 23, 2006 5:49:20 PM (FLE Standard Time, UTC+02:00)

Comments [0]
Sitecore | 5.3 | Security

Comments are closed.