Uploaded image for project: 'Magnolia UI'
  1. Magnolia UI
  2. MGNLUI-2510

UI shouldn't enable actions for which the user has no permissions

    XMLWordPrintable

Details

    • Bug
    • Resolution: Fixed
    • Critical
    • 5.2.3
    • 5.2
    • page editor, pages app
    • demo.magnolia-cms.com

    Description

      This ticket originally helped us uncover security issues in core (see issue links, first comments), but the UI should also adjust itself correctly to denote correct user permissions, by disabling unauthorized actions, and maintaining proper state according to such permissions.

      For 5.2.x, AvailabilityDefinition should gain a #writePermissionRequired flag.
      For 5.3+, we will have multiple/configurable AvailabilityRules (will be captured by another issue).
      More details in linked concept page 'Permissions for UI availability'.

      – ORIGINAL DESCRIPTION –

      I changed the permission of the editors in a subtree to read only.
      The following issues occurred if I'm logged in as a editor:

      • Sometimes it renders a page without the components (fine) but I still can edit the page properties
      • I can exclude channels (page title I can't change)
      • I can add a page (just not selecting a template)
      • Some pages do not render (stay grey)

      Checklists

        Acceptance criteria

        Attachments

          Issue Links

            caused by

            Bug - A problem which impairs or prevents the functions of the product. MAGNOLIA-5537 DefaultACLBasedPermissions do not account for JCR's reordering permission

            • Critical - Crashes, loss of data, severe memory leak.
            • Closed

            Bug - A problem which impairs or prevents the functions of the product. MAGNOLIA-5541 MarkNodeAsDeletedCommand should check for Write permission before proceeding

            • Critical - Crashes, loss of data, severe memory leak.
            • Closed

            Bug - A problem which impairs or prevents the functions of the product. MGNLWORKFLOW-179 Any user can launch a workflow regardless of their permissions

            • Critical - Crashes, loss of data, severe memory leak.
            • Closed
            is causing

            Bug - A problem which impairs or prevents the functions of the product. MGNLUI-2642 Publisher should not be allowed to open 'add page' dialog under /demo-project

            • Major - Major loss of function, or significant new/changed feature
            • Closed

            Bug - A problem which impairs or prevents the functions of the product. MGNLUI-3036 Availability of duplicate action does not have writePermissionRequired flag

            • Neutral -
            • Closed
            relates to

            Bug - A problem which impairs or prevents the functions of the product. MGNLUI-2557 Show permissions in status column

            • Neutral -
            • Closed

            Bug - A problem which impairs or prevents the functions of the product. MGNLUI-3395 WritePermissionRequiredRule incorrectly skips superuser role from the checks

            • Neutral -
            • Closed
            mentioned in

            Wiki Page Loading...

            Wiki Page Loading...

            Wiki Page Loading...

            Activity

              People

                mgeljic Mikaël Geljić
                samuel Samuel Staehelin
                Votes:
                0 Vote for this issue
                Watchers:
                8 Start watching this issue

                Dates

                  Created:
                  Updated:
                  Resolved:

                  Checklists

                    Bug DoR
                    Task DoD