Problems with user permissions

Enonic version: Enonic XP 7.8.5
OS: Pop!_OS 20.04 LTS

Greetings!
My team and I were trying to prevent external users from accessing our test servers’ live mode. Basically, block live mode access (and return a 401) for non-logged-in users.

I removed the ‘Everyone’ and ‘Anonymous’ roles in the ‘Edit Permissions’ tab of the site content and, after publishing it, we noticed that nobody could access the site’s live mode anymore.
My user has more than enough permissions to access the content, but they still get a 401 :slightly_frowning_face:


Are we doing something wrong here?

Setting permissions on a site itself might not be enough. Check if your site has fragments with insufficient permissions. Or if a page template itself has insufficient permissions. Or if the controller of the page is trying to access some other content which the current user doesn’t have enough permissions for.

Also, there’s a simpler way to achieve what you want: remove all permissions and allow it for the Authenticated role.

Our currently recommended way of doing this in a test environment is to block access in the network layer, i.e. by configuring your webserver to block access.

Another quick fix to prevent Google from indexing test environments is setting this header in your webserver: x-robots-tag noindex, nofollow

This approach will work permanently vs changing permissions on data that might be frequently updated/refreshed from production.

As for setting permissions, I would like to remind you that basic access permissions can be controlled from the project settings:

NB! Remember that after changing permissions, content must be published for the new permissions to propagate to the live content.
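
The webserver-level block and the noindex header suggested in the replies above, shown for nginx as an added example that is not part of the original thread. The thread does not name a webserver; the hostname, address range, file paths and upstream address are assumptions.

```nginx
# Constructed example: hostname, CIDR range, file paths and upstream are placeholders.
server {
    listen 443 ssl;
    server_name test.example.com;                            # placeholder test hostname

    ssl_certificate     /etc/nginx/tls/test.example.com.crt; # placeholder path
    ssl_certificate_key /etc/nginx/tls/test.example.com.key; # placeholder path

    # Ask crawlers not to index or follow anything on this host.
    # "always" attaches the header to 401/403 responses as well as 200s.
    add_header X-Robots-Tag "noindex, nofollow" always;

    location / {
        # Require BOTH a trusted source network AND valid credentials.
        satisfy all;

        allow 203.0.113.0/24;   # placeholder: office/VPN egress range
        deny  all;              # everyone else gets 403 before reaching the backend

        # Requests from the allowed range without credentials get the 401.
        auth_basic           "Test environment";
        auth_basic_user_file /etc/nginx/test-env.htpasswd;   # placeholder path

        # Do not pass the proxy's Basic credentials on to the application.
        # Remove this line if the backend itself relies on the Authorization header.
        proxy_set_header Authorization "";

        proxy_pass http://127.0.0.1:8080;   # assumed backend address for the XP instance
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Because the restriction lives in the proxy, it is unaffected when content and its permissions are refreshed from production.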