Stricter routine for files in Sitevision

The procedure governing management of linked files in Sitevision is now being made stricter. In the future, files should in the first instance be uploaded to Page files and not to the file archive, to ensure that they have the correct authorisation settings. It is important that all web editors understand and adhere to this procedure.

During the summer, it was discovered that files intended to be behind login pages had been placed in the file archive and could thus be accessed by those who were not logged in, even if the pages they were linked from required login. As a result, some measures have been taken and the procedures for managing files have been reviewed.

To reduce the risk of files being accessible to unauthorised persons, selected folders and files have been temporarily placed behind logins in the file archive. The folders in question have been given the extension “behind login”. For individual files, it is not possible to tell from the file name which ones have been placed behind login. This locking of the folders and files in the file archive implemented during the summer is not necessarily comprehensive.

Files uploaded to Page files are automatically given the same authorisation settings as the page from which they are linked. Files on the page are connected to a specific web page and can only be used by those authorised to view that page. This is useful if you need to upload a file that you do not want everyone to have access to. Another advantage is that the files are deleted when the page is removed, so you don’t have to worry about files lying around.

What you need to do

As a webmaster, you need to work with your web editors to ensure that you do not expose files in the wrong way, now and in the future, by doing the following:

1. Ensure that files that should be restricted are behind login

Review all your pages in the Staff Gateway that are behind login, identify all links that lead to files and move those files from the file archive to Page files. Do this even if the folder was placed behind login, as that solution is only temporary.

Guide: Move files from the file archive to page files

2. Remember to follow the procedures

A file placed on the page (instead of in the file archive) always has the same authorisation settings as that page. If the page is behind login, then so is the file and it cannot be found by external search engines, such as Google. In addition, the files are automatically removed if the page is deleted.

By consistently placing the files on the page, web editors do not need to think about the files’ authorisation settings or about clearing the files when the page is deleted – simple and helpful.

If you are unsure whether a page is behind login or not, just go to the page and log out by pressing Log out in the top right corner under your name. If you are automatically logged in again, then the page is behind login. Note that your name will appear in the top right corner if you are logged in.

The following page structures are behind login:

The following page structures are behind login and only accessible to local staff:

When you link to a file from a page in Sitevision, you can choose to upload it to the file archive or to the page. If you place the file on the page, the file will automatically have the same access setting as the page. If you put the file in the file archive, it will always be public, regardless of whether the page is behind login or not.

Placing a file on the page means:

  • The file is automatically given the same access settings as the page.
  • If you delete the page, the file will also be deleted.
  • You cannot link to the file from any other page.

Adding a file to the file archive means:

  • The file can be found by search engines and is public, i.e. you do not need to log in to view and download it.
  • The file is not automatically deleted when the page to which it “belongs” is removed.
  • You can also link to the file from other pages.
