SOLVED

CUG access denied response code


Hi Team,

I have set up CUG in my local environment. I have created 2 groups and 2 users. I assigned the groups to 2 pages, say page1 and page2. Now user1 accessed page1, and after login user1 is redirected to page1. Now user1 accessed page2. He is getting "Page not found"; this might be because of the 404 response code. 404 is for when the accessed resource (ideally a page) is not available. But here it is there, but the user (user1) doesn't have access to the page. We would like to display a message like "Access Denied / You don't have permission to access this page", something like this.

How can I differentiate these 2 scenarios?

Please help me with this.

Thanks,

AryA

1 Accepted Solution


CUG is implemented via groups, which means using the permissions built into the repository itself. As a user, you only see the pages which are visible to you, but not the ones which you are denied access to.

That means that the repository will give you the same response (from an API point of view) if

* you want to access a non-existing node

* you want to access a node which you are not allowed to see.

This is for security reasons.

If you want to give the user a hint that the permissions are insufficient, you should implement a custom 404 handler, which internally checks which of the two cases is the true reason behind the 404.

Jörg
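
One way the check described in the answer above could look, as an added example that is not part of the original thread and not Adobe's code: a small OSGi service that a custom 404 handler can call to choose the status. The class name, `SITE_ROOT`, the `error-handler-reader` subservice mapping and the `anonymous` user ID check are assumptions.

```java
package com.example.errors; // hypothetical package name

import java.util.Collections;
import java.util.Map;
import javax.servlet.http.HttpServletResponse;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.apache.sling.api.resource.ResourceUtil;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;

/** Called by the custom 404 handler to decide between "not found" and "access denied". */
@Component(service = NotFoundReason.class)
public class NotFoundReason {

    // Assumption: site root of the CUG-protected pages.
    private static final String SITE_ROOT = "/content/mysite/";
    // Assumption: a service user with read-only access to SITE_ROOT is mapped to this subservice.
    private static final Map<String, Object> SERVICE_AUTH = Collections.<String, Object>singletonMap(
            ResourceResolverFactory.SUBSERVICE, "error-handler-reader");

    @Reference
    private ResourceResolverFactory resolverFactory;

    public int statusFor(SlingHttpServletRequest request) {
        String path = request.getResource().getPath();
        String userId = request.getResourceResolver().getUserID();
        // Keep the repository's uniform answer for anonymous visitors (assumed user ID
        // "anonymous") and for paths outside the site, so that page existence is
        // confirmed only to logged-in users.
        if (userId == null || "anonymous".equals(userId) || !path.startsWith(SITE_ROOT)) {
            return HttpServletResponse.SC_NOT_FOUND;
        }
        // Resolve the same path again with the service user's read permissions.
        try (ResourceResolver service = resolverFactory.getServiceResourceResolver(SERVICE_AUTH)) {
            Resource target = service.resolve(request, path);
            return ResourceUtil.isNonExistingResource(target)
                    ? HttpServletResponse.SC_NOT_FOUND   // really missing
                    : HttpServletResponse.SC_FORBIDDEN;  // exists, hidden from this user by the CUG
        } catch (LoginException e) {
            return HttpServletResponse.SC_NOT_FOUND; // service user not set up: fail closed
        }
    }
}
```

Returning 403 tells the caller that the page exists, which is the information the repository hides by design, so the service user should be able to read only the site tree and nothing else.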


Hi Jörg,

We have a website where some of the pages are also rendered from a non-AEM application. So we have implemented error handling via the dispatcher. If the error handling is done via the dispatcher, how can we achieve this?

Thanks,

Akhila