Coveo for Sitecore Not Properly Replicating the Sitecore Permission Model

Coveo for Sitecore 4.0 (August 2018) Coveo for Sitecore 4.1 (September 2018)

Symptoms

You have the following permissions scenario:

  • A document is allowed to anonymous users (i.e., publicly available).
  • The document has a parent that denies access to a given role/user.
  • The item is allowed to a specific user/role.
  • You have not explicitly denied read access to the extranet\Anonymous user anywhere in the Content tree on the path to the document.

The expected result is that the document appears in the search results for all users except for the members of the denied role/user. The actual result is that the document appears in the search results for all users.

This vulnerability affects Coveo for Sitecore 4.0 and 4.1.

Cause

Coveo for Sitecore is not properly replicating the Sitecore permission model for this specific scenario.

Resolution

The issue can be resolved by adding a security configuration in Sitecore (see Quick Fix). Coveo has also fixed the issue in releases of Coveo for Sitecore 4.0 and 4.1 (see Coveo Fixes).

Quick Fix

As a quick fix, you can make Coveo for Sitecore apply the correct permissions by denying Read permissions for the extranet\Anonymous user on any parent folder of the restricted item(s) in the Sitecore Content Tree.

  1. In the Content Editor, on the path to the restricted item(s), select a folder.
  2. Under the Security tab, select Assign.
  3. In the Assign Security Rights dialog, click Add.
  4. In the Add an Account dialog, click the Users radio button.
  5. Select the extranet\Anonymous user. Click OK.
  6. Configure the Read access rights to deny Read for this user.

  7. Save your changes.
  8. Publish your changes.
  9. Rebuild your indexes.

Coveo Fixes

Coveo has prepared fixes for Coveo for Sitecore 4.0 and 4.1 clients. Follow the instructions provided below to update your specific Coveo software.

Coveo for Sitecore 4.0

The August 2018 version of Coveo for Sitecore 4.0 has been hotfixed to eliminate the issue.

  1. Upgrade to the August 2018 release of Coveo for Sitecore 4.0.
  2. Rebuild your indexes.

Coveo for Sitecore 4.1

The issue is corrected in the September 2018 version of Coveo for Sitecore 4.1.

  1. Upgrade to the September 2018 release of Coveo for Sitecore 4.1.
  2. Rebuild your indexes.