Please login or register to participate.
Wiki Page

Setup for Anonymous Acces


This how-to screenshot tour shows how to get your site working with anonymous access. This is the new feature we slipped into 3.0.5 so let's put it through it's paces.

Goals for our anonymously accessible site

  1. Change the default redirect to login behaviour to instead show the Home screen to anonymous visitors.
  2. Create a Space for usage by regular users who will later sign up on the site.
  3. Create a Space for usage by internal staff only that will be inaccessible to regular users.
  4. Demonstrate visibility of items to anonymous by workflowing them to be Published to Anonymous visitors.
  5. Turn on automatic User Registration.

Setup anonymous access on the site root

 Login with the siteadmin user in your v3.0.5 site.


This is what you'll see upon login into a new site, your view might differ if you have existing content in the site.


Add siteadmin to the Editor local role of Home Space by giving it the Can Edit permission.

Open up Manage Space -> Sharing in the Home Space.


By default you'll see only "Logged in users" with the Can Add and Can View permissions turned on. Type siteadmin into the search box and hit the Search button.


Two new entries will get added into the Sharing list with everything turned off. Turn on Can Edit for the siteadmin and Siteadmins entries. (Siteadmins is the group of site administrator users, of which siteadmin is a part of). Note that if you're not going to have many site administrative users, then it's perfectly alright to turn on Can Edit for only the siteadmin user, as shown. Hit Save to make your changes permanent.


Workflow the Home Space

Navigate to the Manage Space -> Contents screen


If there are no content items present then all buttons other than Import will be invisible. To turn on the buttons, we're going to have to add a dummy item to the Home Space.


To do that quickly, just type something into the "Start a discussion box" above, hit Post and refresh the current page, and the new item and with it, all the management buttons will show up.


Make sure no item is checked and hit the Change State button.

Tip: When you're managing a Space, and you don't check any items and hit the Change State button, you will workflow the Space instead.


Now you'll see the Change State screen with the Home Space checked. Scroll to the bottom, choose Published to Anonymous and hit Save.


Let's logout to see if that transition took place properly. Checkout the spiffy new user popup menu we did in v3.0.5! :)


Alright we logged out. Now what?


Click the site logo image, that's what! You were looking at the logged out message, which has not changed. But when you navigate to the site root, you will now be greeted with the Home screen, instead of the login screen of before. Congratulations, your site is now minimally accessible by anonymous visitors, search engine crawlers, various spam bots, and basically the entire Internet. :)

But wait. You've only published the site's Home Space, which forms the root of your domain. That is the first barrier to access. If you do not publish your site's Home space to anonymous then any visitor who hits your domain URL will be taken to the login prompt, directly.

Note that even though we published the Home Space to anonymous visitors, the single discussion item we created in it is still not showing up at all.


Let's clean up, by removing the dummy item we'd created.


Create your root-level Spaces

This Space and all contents in it, will be visible and in active use by normal registered users the moment they verify their email registration.

First, we turn off Can Add on the Home Space

Go to Manage Space -> Sharing at the Home Space and turn off the Can Add permission. We leave the Can View, on at the as part of what we accomplished above, allowing anonymous viewers to be able to view all content at the Home Space. 

I recommend that you keep the Can Add permission off for all users, including yourself, at the Home Space if you want to have anonymous users and still have more than one kind of user that creates content.

The Can View permission is absolute minimum to be able to see any item or Space in
If you do not have Can View permission for an item, it will be as if it does not exist. It will not be shown from everything, search results, navigation, listings.
If a logged-in user navigates to an item's or container's direct URL, they will be shown an Insufficient Privileges message.
If an anonymous user navigates to to an item's or container's direct URL, they will be redirected to the login/register prompt.


Create two Spaces

We definitely know for sure that you're going to have at least two kinds of users, so...

Let's create a Space for registered users.

Name and describe yours the way you want to, we'll just call our Spade a Spade. ;)


And let's create a Space for Internal staff

And we'll continue with the Spade theme :)


Don't allow any more root-level Spaces

You don't want anyone to be able to create any more root-level Spaces once you're through creating the first ones, because they'd probably mess up your basic structuring anyway. Do remember though that after this point, anytime you want to be able to create a root-level Space? Come back, undo this, create your new Spaces, and then come back again and redo


Why? Because normal users, (any logged in user, including the wannabe lamers and spammers who will perhaps sign up), will otherwise be able to create a Space at the root of your site. A Space owner gets to control most of the goings on, in their created Spaces (and hence, Spaces nested below), with the default workflows.

Go to Manage Space -> Customize on the Home Space


Turn on Specify types manually, and then turn off Space


Set up groups and users

Open up User Management by going to Administration -> User Management

DON'T do this!

In the actions grid that is shown for both users and groups, you can assign site-wide roles (when you press the Show All button or you search). These are not what you will think they are when you first look at them.



The actions grid that comes up when you press the Show All button in the User and Group Management screens lets you assign site-wide roles. If you assign someone a role here, it will be used before any other permission that you allow in the Manage Space -> Sharing screen, or just about anywhere. This screen's permissions are only to be used when you really need a user to have that permission anywhere, always. If you give someone the Contributor role here, they get the Can Add permission by default throughout the whole site, in an un-overridable way.

Use the roles part of the action grid only if you really know what you're doing.

Create Test users

It is very important to create test users for every kind of user that will be present in your site, so that you can test your permissions settings with them. Do not just set this up and believe that it will work, use these test users to ensure that it does. You will need to do this to be able to figure out what each kind of user is seeing, because your view of could be completely

different from what another person is seeing, depending on what your setup is and the level of activity in your Site's various Spaces.


Go to Administration -> User Management in the left bar


Add two users

You or anyone else should not, in normal usage of use the siteadmin user. That user and all users with the Manager site-wide role should only be used for administrative and setup oriented tasks. Using the siteadmin user or having a site-wide Manager role assigned during normal usage to someone is pretty much the sure-shot route to having chaos, and doubt on your site, and sooner or later there is this inadvertent mishap (the current running favorite with our support staff is the deletion of the Recycle Bin itself!) that can only be fixed by restoring a backup.
Add yourself, if you've not, already.


Add a "normal" user

This is to let you emulate what a normal self-registered user sees when he's on your site.


This is what you should see when you're done adding and press the Show All button


Add yourself to the "internal" group

We create a pre-fab group called internal by default setup, this one does not have any users assigned to it when you start off. It's intended to be used as a group for Internal Staff, where the key staff members who will have elevated permissions in most Spaces. Use it as you wish or create your own groups, as per your varying needs. For the further steps in this how-to we'll assume that you yourself are in the internal group.

Click on your user, and go to Group Memberships tab.


Search for...


...and add yourself to the internal group


Allow internal group the Can Edit permission on both Spaces

Navigate to the Internal Staff Space, and go to Manage Space -> Sharing. Search for and turn on the checkbox for Can Edit for the internal group. Do the same for the Registered Users space as well.


This will allow members of the internal group to:

  1. Edit the Space itself: This allows editing of the Space title, description, changing the Spaces workflow state, and also the bulk management rights to rename, delete, import and export from Zip files, for any item in the Space.
  2. Allow publishing of any content item in the Space, and the Space itself, to anonymous visitors.

Verify permissions #1

Log out...



...And check that there's no change for anonymous users.


Publish Registered Space to anonymous, and add welcome message Discussions

Add Discussions...

...or any content that you want in both the Spaces.


Login with your user



Publish only the Registered User Space to Anonymous, exactly the same way as you did for the Home Space. Leave the Internal Staff Space as is.

Add a new discussion message, one for each  in each Space

Add your own custom message as a discussion item (or whatever else you want to add) for each Space.

Publish the one in the Registered Users Space to Anonymous, by dropping down the Change State menu. Leave the item in the Internal Staff Space as it is, Published to Contributors.



Verify Permissions #2

Only the discussion that is Published to Anonymous in the Registered Space should be visible, in all views, to anonymous users. Each kind of user should be able to see the content that is available exclusively to them, when they're logged in. When you login with your own user, you should see the item in the Internal Space as well, in all applicable Application Views (not shown in screenshots).

Anonymous Dashboard


Anonymous Activity Stream


Anonymous direct item URL

Or as we sometimes call it, the "Single Item View". :)


Set up Registration for Anonymous Visitors

Setting up automatic end-user registration is actually optional. You would not enable end user registration if you just wanted to publish selective read-only content out to the world, but tightly control who gets to create and work on it. But do note that is not really designed

for a non-collaboration oriented use case, at least out-of-the-box. So if you're letting anonymous users see stuff, then you'd better let them come into your site and tell you what they think about it, right?

Control Panel Settings

Navigate to the Control Panel from the Administration accordion in the left side bar.


Open up Security


Turn on Enable Self Registration, and Save

You'll also find a setting here that will "Let users type their own passwords". This also

means that they won't need to verify their email addresses, and so is not recommended, so please don't turn it on. The other settings here should be left to the defaults as well.


Ensure that your Mail setup works!

This is very important. When you're setting up all users (whether or not you create them administratively) will by default only be able to login when they verify their email address. If your email setup is not correct, then they will not recieve these emails and thus not be able to proceed. The same email setup is also used to send notifications updates as well.

Key problems that occur in Mail setup:
  1. You're sending email directly from in your dev box or server in your local LAN to email addresses at GMail, Yahoo, MSN, etc. This will not work, and you'll see more and more email providers go this way. You need to set an SMTP server that is online and is allowed to send email for the domain of the email address that you setup in this screen as the From email address. When I say allowed, I mean allowed by SPF record in the DNS domain that you're using the From email address.
  2. You let the default email from address be as is. Change it already! :)
  3. Firefox users, beware: We've noted that a lot of times the default password manager gets confused and puts in the siteadmin username and password into the ESMTP user and password fields. This is to only be used when your SMTP server supports/requires authentication and you must battle the password manager when it does that.


Verify permissions #3


The blurb at the top in the white bar should now say "or register" and work properly.

Try it out, register a new user, see that they get the verification email and registration completes fine. Ensure that your new user only sees the Registered User Space and has no clue that the Internal Staff area even exists.


Next Steps, Tips, Troubleshooting

  1. Revise the below Role-Permission-State Map whenever you're in doubt as to who gets to do what
  2. Test. Always test. You must never assume that what you did "worked" fine. Especially when you're setting up a new Space, it is very advisable to login with all the kinds of people who will have access, as well as those who will not to ensure that they cannot accesss.
  3. Always use a group to set a permission, role or whatever. Maintaining permissions on individual users, means that you have to remember what you did different, each time. Easier and more recommended way is to always use a group instead. That way you don't need to test your permissions again, when you add new users to a role. You just add the user to the relevant groups and you're set.
  4. When you publish an item anonymously, it is recommended that you set all above Spaces chain to be able to be viewed anonymously as well.

Reference Role-Permission-State transition Map for Spaces Content Workflow

When an item is Private, only the Owner/Creator of the item, and people with the Can Edit permission on the Space gets to see it. Items can be made Private by using the Retract transition.
When an item is Published to Contributors, only people with the Can Add or the Can Edit permission on the Space get to see it.
When an item is Published to Viewers, only people with Can Add, Can Edit or Can View permission on the Space can see it.
When an item is Published to Anonymous, Everyone gets to see it.

Only People with the Can Add permission on the Space get to add new items and edit all items (except Private items) in the Space.
People with the Can Add permission on the Space get to workflow items to be Published to Contributors or Published to Viewers.
Only People with the Can Edit permission on the Space get to workflow items to be Published to Anonymous.
Knowing and understanding this chart above is probably the most important part of this how-to. Study it, question it, do what you have to, but you must get this clear in your head if you're going to implement this setup successfully for your instance.
This how-to describes the concepts and steps required to be performed to setup in such a way that anonymous visitors can access and register on the site.
Comments (4)
asiletto May 03, 2010 11:58 AM
hello, i've followed this tutorial and i can change the state of the sub-folders to "Publish to Anonymous" like in[…]/anonymous-workflow-setup-10.jpg but i cannot "Publish to anonymous" the Home folder...there are only one button "No change" on the can i do that?
offray May 03, 2010 08:43 PM
I have the same problem. How can we publish to anonymous the home content (not the one in sub-spaces)?
jeanjordaan May 15, 2011 06:33 AM
Just follow the instructions above. As long as your instance is in its default state (i.e. you have not changed the workflow definitions), they do work.
glenworrall Jan 31, 2014 06:51 AM
I noticed it took a year to respond ... However, asiletto or offray did you manage to get this working, I have exactly the same problem. Does the site have to be totally empty before following these instructions ? I already have spaces and content, I just want to make some of that available to anonymous browsers, not start a brand new site.