Ensuring your Kentico instance is set up properly starts with the installation and configuration of your site on your local machine and the server(s). To fully embrace the functionality of Kentico, you need to set permissions properly on folders within the Kentico install. This article discusses which folders need which permissions and, more importantly, why.
Installing Kentico is a pretty quick and easy task, sometimes too quick and easy. Imagine this scenario: you're working on your brochure website in Kentico and have it almost ready to go, but you're tasked with adding some additional functionality for the Content Editors. The requirement is that the Content Editors need to be able to change the layout from 1 column, to 2 columns, to 3 columns without having to change the page template.
Installing a Webpart Scenario
On the Kentico Marketplace, you find a Bootstrap webpart which has templates, layouts and widgets already built in. You download it and test it out locally, but when you go to install it on your server you get an error stating you don't have permissions.
So you go to the file system, find the C:\Kentico9\CMS\App_Data\Persistent directory and see it has read, execute and list contents permissions for the user running the app pool for the website (in my case IIS_IUSRS).
With the recent change you're able to actually navigate to the 1st step of importing the webpart. After you click Upload package and find your .zip file, you're presented with this error:
Once again you set permissions, this time on the C:\Kentico9\CMS\CMSSiteUtils\Import directory. This allows you to upload the package and continue on to the second step. When you get to the second step, the install instructions tell you to make sure you have "Import files (recommended)" and "Import code files" checked before continuing. So you check the boxes and click Next, only to be presented with yet another permissions error.
Again you go to set permissions, this time on the C:\Kentico9\CMS\CMSWebParts\Custom directory, and find the directory doesn't exist. So you create it, set the permissions and attempt the import again. Finally, SUCCESS!
A More Global Approach
The webpart scenario is just one of many which will take place during your time with Kentico. Taking a more global approach to permissions will allow you to utilize the tool to its fullest extent. You have access to create files in the following applications in Kentico:
- CSS Stylesheets - /App_Themes directory
- Form Controls - /CMSFormControls
- Modules - /CMSModules and /App_Data/CMSModules
- Webparts - /CMSWebparts
- Javascript - /CMSScripts/Custom
- Media library files - /<sitecodename>
There are also other areas which Kentico accesses and where it creates temporary files for different activities. So the approach I take is to set the entire /CMS directory to Read Only access. This is for the overall security of your files. You can then set specific permissions within directories, either with the simple approach of setting permissions on files and folders or with the web.config approach. Both work and provide the same security, although with the web.config approach you can get more granular by granting or restricting access to specific people or roles which are held within Kentico.
For a standard setup we set Read/Write access on the following directories:
- /App_Data
- /App_Themes
- /CMSFiles (only if you're storing files and attachments in the file system)
- /CMSFormControls (only if you plan to do custom dev work, otherwise not needed)
- /CMSModules (only if you plan to do custom dev work, otherwise not needed)
- /CMSScripts/Custom
- /CMSSiteUtils
- /CMSWebParts
- /<SiteCodeName> (for media library files)
Doing so will allow you to take advantage of all the features in Kentico, like editing images, uploading new controls (webparts, form controls, etc.), adding JavaScript files and adding media library files, AND still keep your website secure.
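The layout above can be applied and then checked from an elevated PowerShell prompt. This is an added example, not Kentico's own tooling. It assumes the install path and IIS_IUSRS identity from the scenario above, uses a placeholder site code name, and uses the NTFS Modify right for "Read/Write", which is an assumption.

```powershell
# Added example. Assumptions: install path and identity from the article's
# scenario; 'MySite' is a placeholder site code name; Modify stands in for
# the article's "Read/Write" and can be narrowed.
param(
    [string]$CmsRoot      = 'C:\Kentico9\CMS',
    [string]$Identity     = 'IIS_IUSRS',
    [string]$SiteCodeName = 'MySite'
)

# Directories the article lists for Read/Write access, relative to /CMS.
$writable = @('App_Data', 'App_Themes', 'CMSFiles', 'CMSFormControls', 'CMSModules',
              'CMSScripts\Custom', 'CMSSiteUtils', 'CMSWebParts', $SiteCodeName)
$allowed  = $writable | ForEach-Object { Join-Path $CmsRoot $_ }

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

function Grant-Rights([string]$Path, [string]$Rights) {
    # Replace any explicit Allow rule for $Identity on $Path with $Rights.
    $acl  = Get-Acl -LiteralPath $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $Identity, $Rights, $inherit, $propagate, 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# 1. Read-only baseline on the whole /CMS tree.
Grant-Rights $CmsRoot 'ReadAndExecute'

# 2. Writable exceptions. Optional directories that are absent are skipped.
foreach ($dir in $allowed) {
    if (Test-Path -LiteralPath $dir) { Grant-Rights $dir 'Modify' }
    else { Write-Warning "Skipped (not present): $dir" }
}

# 3. Audit: report explicit write grants for $Identity outside the list.
$writeData = [System.Security.AccessControl.FileSystemRights]::WriteData
Get-ChildItem -LiteralPath $CmsRoot -Directory -Recurse | ForEach-Object {
    $path = $_.FullName
    $hit  = (Get-Acl -LiteralPath $path).Access | Where-Object {
        -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -like "*\$Identity" -and
        ($_.FileSystemRights -band $writeData)
    }
    if ($hit -and $allowed -notcontains $path) {
        Write-Warning "Unexpected explicit write access: $path"
    }
}
```

Step 3 is worth re-running after any troubleshooting session, since one-off grants like the ones in the webpart scenario tend to stay behind.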
Final Thoughts
Kentico does have some documentation regarding security and permissions for your application, which you should follow as well, but the permissions above will allow you to take advantage of the features Kentico offers and still provide a secure website.
Good luck and Happy Coding!