Kentico Permissions - Page requiring authentication not considered a secure area

Question

I'm setting up a secure area of a site and I'm curious about how Kentico (version 11) checks permissions. According to the documentation -

Check page permissions Indicates if the website should check the user permission settings of pages and apply them. The following values are possible:

• All pages - permissions will be checked for all pages on the website.
• No page - permissions will not be checked for any pages.
• Secured areas - permissions will be checked only for pages that are configured to require authentication.

This seems to indicate that if a page is set to require authentication, the page permissions will be checked. However, if my site is set with Settings -> Security & Membership and set Check page permissions to Secured areas, members in Groups that don't have permissions are able to access the page.

If we edit the settings to Settings -> Security & Membership and set Check page permissions to All pages, the users are appropriately denied access.

We would prefer not to check page permissions on every page for performance reasons. I can create a control to check the permissions of the page but I was curious if there was some reason why setting the page to require authentication and checking permissions for secured areas doesn't work the way the documentation indicates it would.

Answer 1

I can guarantee you from a performance standpoint you won't notice a difference. If you want it to check permissions, you WILL NEED to have that site/global setting checked, there is no way around it.

If you have that global setting checked and it's denying access to everyone, then you don't have your permissions set properly at the root level. At the root level, there should be no permissions set. Then at your /members-only page, add the role "Authentiated users" and below that box, then check the Read box under the Allow column. This is the simplest setup for permissions you can have for a test case.