I have a collection of documents in a CMS. The CMS is access from a repeater on a page which is restricted to “members only” - i.e., the user must be logged in to see the page. I want this same restriction to apply to the content of the CMS. The collection permissions are restricted to allow “members only” to view but a non-member friend tested for me and was able to access the contents using a direct URL.
How do I prevent access to my documents while being able to publish a URL for the file. (The “business objective” is to be able to distribute a club newsletter with links to interesting articles stored separately thereby keeping the size of the newsletter manageable.)
Working in
Wix Studio Editor, CMS
I found lots of help documents about permissions for CMSs and for Site Pages but none helped.
The AI agent offering “more help” actually did when I described the symptom and asked “Why?”. Its answer is that publishing the direct URL to a given page bypasses the permission checking for both the CMS and the relevant (bypassed) page so anyone with the URL can access the document.
So then what’s the solution for keeping your documents member only? Sorry I didn’t quite follow that part
The short answer is “Don’t publish the URL of the document.”
To provide secure access to a document in a CMS collection you need to access it through a Wix web page with appropriate security settings on that page. That way, only members can access the page and, consequently, only members can see the widget which displays the document.
Once a user displays the document, the URL in the browser tab for the document can be copied to provide unsecured access. That’s the vulnerability and the Wix security model does not prevent that exposure.