Note: This guide describes Kentico CMS version 7. Unfortunately, we cannot support this guide from version 8 forward.

Kentico CMS comes with an on‑line help reference that is available in most parts of the administration interface. Users can view it to learn context‑specific information about the current section of the application's interface. By default, any user (including public visitors) can open the HTML content of the on‑line help by entering the appropriate URL. This behavior may not be desirable in certain scenarios, e.g. for high‑security websites or if you are creating a rebranded solution.

There are several ways to solve this issue. The simplest is to delete the ~/CMSHelp folder from the project of your production website. This removes the possibility of public users opening the help files, but the on‑line help in the Kentico CMS administration interface will no longer be available to users.

If you wish to keep the on‑line help on your live website, you can limit access to the content of the help directory so that only users with the appropriate authorization are allowed to view it. Follow these steps to perform the required configuration:

  1. Edit your application's web.config file.
  2. Find the <system.webServer> section directly under the web.config root (i.e. not under a specific <location> element).
  3. Configure the application to handle the requests for the HTML help files:
    1. One option is to add the runAllManagedModulesForAllRequests attribute to the <modules> element:

      <system.webServer>
          ...
          <modules runAllManagedModulesForAllRequests="true">
              ...
          </modules>
          ...
      </system.webServer>

      Setting this attribute to true ensures that the CMS application processes all types of requests and requires authentication if needed.

    2. If you want the application to process only .html and .htm requests rather than all additional request types, add the following two handlers to the <handlers> element:

      <handlers>
           ...
           <add name="HTMLRequestHandler" path="*.html" verb="*" modules="IsapiModule" scriptProcessor="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" resourceType="Unspecified" preCondition="" />
           <add name="HTMRequestHandler" path="*.htm" verb="*" modules="IsapiModule" scriptProcessor="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" resourceType="Unspecified" preCondition="" />
           ...
      </handlers>

      Adjust the path in the scriptProcessor attribute as necessary according to your specific .NET environment.

  4. Define the authorization rules applied to the content of the CMSHelp directory by adding the following section into your web.config file:

    <location path="CMSHelp">
         <system.web>
             <authorization>
                 <deny users="?"/>
             </authorization>
         </system.web>
    </location>

This example only allows authenticated users to access the on‑line help files. Public users cannot reach the files through a direct URL without being prompted to log in. To further increase security, you can restrict access to a specific set of roles by editing the <authorization> section:

<authorization>
     <allow roles="GlobalAdmin, CMSDeskAdmin"/>
     <deny users="*"/>
</authorization>

This ensures that only users who belong to the given roles (specified by their code names) have access to the directory.
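
The following Python script is an added example, not part of the Kentico documentation: it audits a web.config for steps 3 and 4 above, including the first-match-wins ordering of authorization rules. The function name audit_cmshelp and the sample configuration are constructed here, and the script assumes all settings live in a single root web.config without an XML namespace.

```python
import xml.etree.ElementTree as ET

# Constructed sample: option 3.2 (handlers) plus the role-based rules from the page.
HARDENED = """<configuration>
  <system.webServer>
    <handlers>
      <add name="HTMLRequestHandler" path="*.html" verb="*" />
      <add name="HTMRequestHandler" path="*.htm" verb="*" />
    </handlers>
  </system.webServer>
  <location path="CMSHelp">
    <system.web>
      <authorization>
        <allow roles="GlobalAdmin, CMSDeskAdmin"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>"""

def audit_cmshelp(web_config_xml):
    """Return findings for the CMSHelp lockdown; an empty list means both steps are in place."""
    root = ET.fromstring(web_config_xml)
    findings = []
    # Step 3: ASP.NET must process .html/.htm requests (root-level <system.webServer> only).
    ws = root.find("system.webServer")
    modules = ws.find("modules") if ws is not None else None
    run_all = modules is not None and modules.get("runAllManagedModulesForAllRequests", "").lower() == "true"
    paths = {h.get("path", "").lower() for h in ws.findall("handlers/add")} if ws is not None else set()
    if not run_all and not {"*.html", "*.htm"} <= paths:
        findings.append("help .html/.htm requests are not routed through ASP.NET")
    # Step 4: rules are evaluated top-down and the first match wins; a roles-only
    # rule never matches an anonymous visitor, only users="?" or users="*" do.
    verdict = None
    for loc in root.findall("location"):
        if loc.get("path", "").strip("/").lower() != "cmshelp":
            continue
        for rule in loc.findall("system.web/authorization/*"):
            users = {u.strip() for u in rule.get("users", "").split(",")}
            if users & {"?", "*"}:
                verdict = rule.tag
                break
    if verdict != "deny":
        findings.append("anonymous users are not denied under <location path=\"CMSHelp\">")
    return findings

if __name__ == "__main__":
    for finding in audit_cmshelp(HARDENED) or ["CMSHelp lockdown looks complete"]:
        print(finding)
```

An `<allow users="*"/>` placed above `<deny users="?"/>` is reported, because the allow rule matches the anonymous visitor first.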
