  1. Magnolia UI
  2. MGNLUI-2510

UI shouldn't enable actions for which the user has no permissions


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 5.2
    • Fix Version/s: 5.2.3
    • Component/s: page editor, pages app
    • Labels:
    • Environment:
      demo.magnolia-cms.com
    • Magnolia Release:
      5.2.3

      Description

      This ticket originally helped us uncover security issues in core (see issue links, first comments), but the UI should also adjust itself correctly to denote correct user permissions, by disabling unauthorized actions, and maintaining proper state according to such permissions.

      For 5.2.x, AvailabilityDefinition should gain a #writePermissionRequired flag.
      For 5.3+, we will have multiple/configurable AvailabilityRules (will be captured by another issue).
      More details in linked concept page 'Permissions for UI availability'.

      – ORIGINAL DESCRIPTION –

      I changed the permission of the editors in a subtree to read only.
      The following issues occurred if I'm logged in as an editor:

      • Sometimes it renders a page without the components (fine) but I still can edit the page properties
      • I can exclude channels (page title I can't change)
      • I can add a page (just not selecting a template)
      • Some pages do not render (stay grey)
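
      The flag-based availability check proposed in the description, as an added example that is not Magnolia's code: only the names AvailabilityDefinition and writePermissionRequired come from the ticket, and every other type, method and path here is hypothetical. It evaluates the flag for the UI and repeats the permission check where the action executes, so the result does not depend on what the UI displayed.

```java
import java.util.Map;
// Illustrative model only; these are not Magnolia's classes.
public class AvailabilityDemo {
    enum Permission { READ, WRITE }

    // Stand-in for the ticket's AvailabilityDefinition with its new flag.
    record AvailabilityDefinition(boolean writePermissionRequired) {}

    // Hypothetical ACL: the longest matching path prefix wins, default is deny.
    record Acl(Map<String, Permission> grants) {
        boolean canWrite(String path) {
            String best = null;
            for (String prefix : grants.keySet()) {
                boolean covers = path.equals(prefix) || path.startsWith(prefix + "/");
                if (covers && (best == null || prefix.length() > best.length())) {
                    best = prefix;
                }
            }
            return best != null && grants.get(best) == Permission.WRITE;
        }
    }

    // UI side: should the action be shown as enabled for this node?
    static boolean isAvailable(AvailabilityDefinition def, Acl acl, String path) {
        return !def.writePermissionRequired() || acl.canWrite(path);
    }

    // Execution side: same check again, independent of what the UI displayed.
    static void editPageProperties(Acl acl, String path) {
        if (!acl.canWrite(path)) {
            throw new SecurityException("write denied on " + path);
        }
        System.out.println("properties saved for " + path);
    }

    public static void main(String[] args) {
        // Constructed sample: editor writes under /site, read-only in /site/legal.
        Acl editor = new Acl(Map.of("/site", Permission.WRITE, "/site/legal", Permission.READ));
        AvailabilityDefinition edit = new AvailabilityDefinition(true);
        for (String path : new String[] {"/site/news", "/site/legal/terms"}) {
            System.out.println(path + " edit enabled: " + isAvailable(edit, editor, path));
            try {
                editPageProperties(editor, path);
            } catch (SecurityException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```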


              People

              Assignee:
              mgeljic Mikaël Geljić
              Reporter:
              samuel Samuel Staehelin