I found a bug about anonymous access

Topics: ASP.NET 2.0, Business Logic Layer
Feb 17, 2011 at 5:02 AM

My blog doesn't allow anonymous access, so I don't allow anybody who is not logged in to visit my blog. I found a problem: when I visit http://my blog url/syndication.axd, I can see my posts.

I hope a developer can fix it as soon as possible.

Feb 17, 2011 at 7:39 AM

Thanks ... you're right. When turning off access to View Published Posts, they can still be seen through the RSS feed. This needs to be fixed.

Mar 16, 2011 at 9:55 AM

Fixed in -- thanks.

Jul 7, 2011 at 5:46 PM

Ben, is this fix implemented in 2.5x? This issue still seems to happen on anonymous view of syndication.axd.

Jul 7, 2011 at 5:54 PM

The fix is in place:

public void ProcessRequest(HttpContext context)
{
    // Excerpt: reject callers that lack the "view public posts" right.
    if (!Security.IsAuthorizedTo(Rights.ViewPublicPosts))
        context.Response.StatusCode = 401;
}

It's in the HttpHandlers/SyndicationHandler.cs.

Do you have "view public posts" revoked from anonymous users?


Jul 7, 2011 at 6:31 PM

The only right I have given "Anonymous" is "View Ratings on Posts", basically nothing.

When I go to my site anonymously, it prompts me to log in (as expected),

but if I go to /syndication.axd I can browse the feed anonymously.

I'm using 2.5x

What could be wrong?

Jul 7, 2011 at 6:57 PM

Just checked it on my family's blog, which is set as private. Works as expected - trying to load syndication.axd kicks me out to logon screen. Plain 2.5 out of the box... Not sure what you're doing differently.

Jul 7, 2011 at 7:45 PM

Is there a particular file or DLL that I can replace again to make sure the change is reflected? I've gone through so many upgrades that perhaps the necessary files didn't copy over or get replaced...

Jul 8, 2011 at 7:59 AM

The RSS feed is heavily cached.  Probably you are viewing a cached copy of the RSS feed that you initially viewed while you were logged in.  While logged out, go to syndication.axd and do a no-cache refresh (typically Ctrl-F5).   That should then attempt to retrieve the latest version from the server, and at that point, it should detect that you are anonymous and redirect you to the login page.
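
Added example, not part of the thread or of the project's code: a scripted version of the logged-out, no-cache check described above, which fetches the feed URL with no cookies and reports whether feed markup reached the anonymous client. The names classify, check_feed, NoRedirect and SAMPLES are hypothetical, and the sample responses are constructed.

```python
import urllib.error
import urllib.request

# Ask caches on the path to revalidate: the scripted form of a Ctrl-F5 refresh.
NO_CACHE = {"Cache-Control": "no-cache", "Pragma": "no-cache"}

# Constructed sample responses (status, body), not captured from a real blog.
SAMPLES = {
    "open_feed": (200, b'<?xml version="1.0"?><rss version="2.0"><channel/></rss>'),
    "refused": (401, b""),
    "login_redirect": (302, b"<html><body>Object moved</body></html>"),
    "status_only": (401, b'<?xml version="1.0"?><rss version="2.0"><channel/></rss>'),
}


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of following them to the login page."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, body):
    """Label what an anonymous client received from the feed URL."""
    head = body[:4096].lower()
    # Judge by the body first: a 401 status does not help if the feed
    # markup was still written to the response.
    if b"<rss" in head or b"<feed" in head or b"<rdf:rdf" in head:
        return "exposed"
    if status in (401, 403):
        return "denied"
    if status in (301, 302, 303, 307, 308):
        return "redirected"
    return "unknown"


def check_feed(url):
    """Fetch url with no cookies or credentials and classify the response."""
    opener = urllib.request.build_opener(NoRedirect)
    request = urllib.request.Request(url, headers=NO_CACHE)
    try:
        with opener.open(request, timeout=10) as response:
            return classify(response.status, response.read(4096))
    except urllib.error.HTTPError as err:  # 3xx, 401 and 403 arrive here
        return classify(err.code, err.read(4096))
```

Run check_feed against your own blog's syndication.axd URL; anything other than "denied" or "redirected" on a private blog deserves a closer look.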