Paul
I have an intranet site that uses authentication mode="Windows" with
identity impersonate="true". I recently implemented a site search
feature that uses server.execute to retrieve dynamic content for the
search. Unfortunately, Server.execute retrieves pages that the user
cannot access. The pages appear in the search results with the found
terms highlighted in context. Rut-roh! So much for security. When the
user clicks the link to see the page located by the search, they get
the custom access denied page, but they've already seen some content
that they were not authorized to see.
The workarounds I have come up with are not elegant.
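Server.Execute runs the target page's handler directly and does not re-run the request pipeline's authorization stage, which is why the denied pages still render into the search results. The following is an added example, not part of the original post: it repeats the two checks a direct request would face before rendering a page for the searcher. It assumes access is governed by web.config `<authorization>` rules and/or NTFS ACLs and that pages are rendered at query time under the searching user's identity; the class and method names are hypothetical.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Added example: SearchAuthorization, CanRead and RenderIfAuthorized are
// hypothetical names, not code from the original post.
public static class SearchAuthorization
{
    // True only if the current user passes the checks a direct GET would run.
    public static bool CanRead(HttpContext context, string virtualPath)
    {
        IPrincipal user = context.User;
        if (user == null || !user.Identity.IsAuthenticated)
            return false;

        // allow/deny rules from the <authorization> sections of web.config.
        if (!UrlAuthorizationModule.CheckUrlAccessForPrincipal(virtualPath, user, "GET"))
            return false;

        // NTFS ACL on the file, evaluated against the caller's Windows token.
        WindowsIdentity identity = user.Identity as WindowsIdentity;
        if (identity == null)
            return false; // fail closed when there is no Windows token to test

        return FileAuthorizationModule.CheckFileAccessForUser(
            virtualPath, identity.Token, "GET");
    }

    // Renders a page for search snippets only after the authorization check.
    // Returns null for pages the user may not read, so they never reach the results.
    public static string RenderIfAuthorized(HttpContext context, string virtualPath)
    {
        if (!CanRead(context, virtualPath))
            return null;

        using (StringWriter writer = new StringWriter())
        {
            context.Server.Execute(virtualPath, writer);
            return writer.ToString();
        }
    }
}
```

If the search runs against a prebuilt index instead, the same `CanRead` check belongs at the point where each hit is about to be displayed, since the index itself was built under a different identity.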