Guest access to app or view w/o prior login

For security reasons, a login is exactly what you need to authenticate and authorize users. However, applications are also conceivable, and often occur in practice, where access control and authorization are still required, but you do not want to force the end user through a complex registration process before they can raise their actual concern. For example: placing an order w/o creating a customer account, requesting information w/o currently being a customer, or similar processes.


So, how to accomplish that with Innovation Suite?


Laurent Matheo proposed to use the "Guest user" configuration. A user could then log in w/ any user/password and is permitted as a guest user w/ limited access rights. The drawback is the then actually meaningless login screen. How to get rid of it?


a) One possibility would be to enable encoding the user and password of an account within the URL

The disadvantage of this solution is that this URL shows up in the browser history, and normal users might come up with the idea of storing such a URL (w/ encoded user/password) as a bookmark for quick access to a view for their normal user accounts. Storing users/passwords unencrypted is, from a security standpoint, in no way a good idea.


b) Signal that guest user access w/o login is desired by adding a URL query parameter

Combined with the existing "Allow Guest Users" option, this would enable directly accessing a view as a guest user w/o prior login.


Example for query:



c) Log in w/ a distinctive user account by adding a URL query parameter

With this approach, you would first have to add a new (guest) user, e.g. 'MyGuestUser'. This would be administratively configured as normal.

After that, the administrator would have to configure/mark this user as a "Guest User" - this would be a new option.

One could then access a view w/o prior login by adding the name of the so-configured guest user to the URL as a query parameter.


Example for query:



One could go even further by limiting access of these guest user accounts to a configurable list of allowed views.


Personally, I prefer alternative (c).
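
The access decision that option (c) with a per-account view allow-list implies, as an added example that is not part of the original post and is not Innovation Suite code. The query parameter name `guestUser`, the account table, the view names and the `app.example` host are hypothetical, constructed for illustration; the check also rejects any URL that carries a password, which is the problem raised under option (a).

```javascript
// Added illustration of option (c); not Innovation Suite code.
// "guestUser", the account table and the view names are hypothetical.
const ACCOUNTS = new Map([
  ["MyGuestUser", { isGuest: true, allowedViews: new Set(["order-form", "info-request"]) }],
  ["alice", { isGuest: false, allowedViews: null }], // normal account, must log in
]);

// Parameter names that would put a secret into the URL (the issue with option a).
const SECRET_PARAMS = ["password", "pwd", "pass"];

function resolveGuestAccess(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl); // also normalizes "../" path segments
  } catch {
    return { allow: false, reason: "malformed-url" };
  }
  // Credentials in a query string end up in browser history and bookmarks.
  for (const name of url.searchParams.keys()) {
    if (SECRET_PARAMS.includes(name.toLowerCase())) {
      return { allow: false, reason: "credentials-in-url" };
    }
  }
  const names = url.searchParams.getAll("guestUser");
  if (names.length === 0) return { allow: false, reason: "login-required" };
  if (names.length > 1) return { allow: false, reason: "ambiguous-guest-user" };

  const account = ACCOUNTS.get(names[0]);
  // Unknown names and normal accounts get the same answer, so the parameter
  // can neither stand in for a real login nor confirm which accounts exist.
  if (!account || !account.isGuest) return { allow: false, reason: "login-required" };

  // In this sketch the view id is the last path segment.
  const view = url.pathname.split("/").filter(Boolean).pop() ?? "";
  if (!account.allowedViews.has(view)) return { allow: false, reason: "view-not-allowed" };
  return { allow: true, user: names[0], view };
}
```

The guest flag and the allow-list live in server-side configuration, so the URL only names an account and never grants anything by itself.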

