Deny Anonymous Users Access to the Master Database
This page explains how to deny anonymous users access to the master database items.
How Coveo for Sitecore Replicates the Sitecore Security Model
Coveo for Sitecore automatically replicates the Sitecore permissions model into Coveo to ensure that logged-in users only have access to the documents they’re allowed to see (see How Coveo for Sitecore Handles Sitecore Access Rights).
However, it doesn’t apply strict permissions based on the item publishing status in Sitecore.
This means that master database documents can be accessible through the /coveo/rest endpoint if anonymous users are allowed to read those documents.
By default, the extranet\Anonymous user has the Read access right over all documents in the master database in Sitecore.
A user accesses your website. The user is assigned the extranet\Anonymous identity because they're not logged into the system. In this context, querying from the /coveo/rest endpoint will yield results from both master and web because the security model allows it in both databases.
Denying Anonymous Users With the AddSecurityOnItemsWithDatabase Processor
If you don’t want your master items to be returned on queries before these items are published, you can enable a processor that adds a new permission level in Coveo. That permission level denies access to the specified identity on all items associated with the specified database.
The default processor settings are the following:
To deny anonymous users with the Coveo.SearchProvider.Custom.config file, in the <coveoPostItemProcessingPipeline> element, enable the processor by uncommenting the following:
<coveoPostItemProcessingPipeline>
  <processor type="Coveo.SearchProvider.Processors.AddSecurityOnItemsWithDatabase, Coveo.SearchProviderBase">
    <database>master</database>
  </processor>
</coveoPostItemProcessingPipeline>
If you want to override the default processor settings, you can explicitly specify the identity parameters to be added to the documents, as follows:
<coveoPostItemProcessingPipeline>
  <processor type="Coveo.SearchProvider.Processors.AddSecurityOnItemsWithDatabase, Coveo.SearchProviderBase">
    <database><SITECORE_DATABASE></database>
    <domain><SITECORE_DOMAIN></domain>
    <identity><SITECORE_ACCOUNT></identity>
  </processor>
</coveoPostItemProcessingPipeline>
Replace <SITECORE_DATABASE> with the name of the Sitecore database whose documents you want to add the identity to.
Replace <SITECORE_DOMAIN> with the name of the target Sitecore domain (e.g.,
Replace <SITECORE_ACCOUNT> with the name of the target Sitecore account, including the domain name (e.g.,
Rebuild your indexes.
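A check to run on the config file before rebuilding, as an added example that is not part of the Coveo documentation or product: this Python function reports whether the AddSecurityOnItemsWithDatabase processor is enabled, still commented out, or missing for a given database. The sample configs, the <configuration><sitecore><pipelines> wrapper, and the helper name audit_processor are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

PROCESSOR = "Coveo.SearchProvider.Processors.AddSecurityOnItemsWithDatabase"
PIPELINE = "coveoPostItemProcessingPipeline"


def audit_processor(config_xml, database="master"):
    """Return (status, settings) for the deny processor on `database`.

    status is "enabled", "commented_out" or "missing" (hypothetical labels).
    """
    root = ET.fromstring(config_xml)  # the default parser drops XML comments
    for pipeline in root.iter(PIPELINE):
        for proc in pipeline.findall("processor"):
            if not proc.get("type", "").startswith(PROCESSOR):
                continue
            # Collect <database>, and <domain>/<identity> when overridden.
            settings = {child.tag: (child.text or "").strip() for child in proc}
            if settings.get("database", "").lower() == database.lower():
                return "enabled", settings
    # Not active: check whether the node is still inside an XML comment.
    for comment in re.findall(r"<!--(.*?)-->", config_xml, flags=re.S):
        if PROCESSOR in comment and f"<database>{database}</database>" in comment:
            return "commented_out", {}
    return "missing", {}


# Constructed sample: processor node still commented out (wrapper is assumed).
COMMENTED = """<configuration><sitecore><pipelines>
  <coveoPostItemProcessingPipeline>
    <!--
    <processor type="Coveo.SearchProvider.Processors.AddSecurityOnItemsWithDatabase, Coveo.SearchProviderBase">
      <database>master</database>
    </processor>
    -->
  </coveoPostItemProcessingPipeline>
</pipelines></sitecore></configuration>"""

# Constructed sample: the same file after uncommenting the processor node.
UNCOMMENTED = COMMENTED.replace("<!--", "").replace("-->", "")

if __name__ == "__main__":
    for name, xml in (("commented", COMMENTED), ("uncommented", UNCOMMENTED)):
        print(name, audit_processor(xml))
```

A "commented_out" or "missing" result means an index rebuild will not add the deny permission to master items.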