[MAGNOLIA-6842] Ability to open read-only content in edit mode misleads users Created: 24/Oct/16  Updated: 08/Mar/23

Status: Open
Project: Magnolia
Component/s: None
Affects Version/s: 5.4.9, 6.2.9
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Matteo Pelucco Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: maintenance, support
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: SUPPORT-6779_1.png (PNG), SUPPORT-6779_2.png (PNG), userroles.restricted-dam.xml (XML), users.admin.eric.xml (XML)
Team: Nucleus

Description

Some URLs do not reflect security permissions or app behaviour.

e.g.: edit asset

  1. create a role restricted-dam, with the read-only value for DAM /destinations
  2. assign that role to user eric
  3. log in as user superuser, go to DAM /destinations/south-central-america, open it in edit mode and copy the URL
  4. log in as user eric and go to the same folder. You notice that the read-only icon is shown, and if you double-click on the image, it won't open. Now paste the URL and hit enter. The URL is loaded and you can enter values. If you save, an error appears (You don't have rights...)

Attached: JCR export for reproducing the issue and a few screenshots
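The gap the steps above describe (the browser subapp hides the edit action, but a pasted deep link still opens an editable dialog, and only the save is refused) comes down to where authorization is enforced. The following is an added Python model written for this ticket, not Magnolia's code: the role, user and path names (restricted-dam, eric, superuser, /destinations) come from the ticket, while the deep-link fragment format, the ACL structure and every function name are assumptions made for the illustration. It applies the permission check at the link-open step, so a read-only user gets the read-only view regardless of what the URL says, and keeps the save check as a second line of defence.

```python
"""Toy model of the two enforcement points a pasted deep link must pass:
opening the editor and saving.  Added illustration, not Magnolia API."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Access(Enum):
    NONE = 0
    READ = 1
    WRITE = 2


@dataclass
class Role:
    name: str
    # path prefix -> access granted under that subtree (assumed ACL shape)
    acl: dict[str, Access] = field(default_factory=dict)


@dataclass
class User:
    name: str
    roles: list[Role]


class PermissionDenied(Exception):
    pass


# Constructed sample data mirroring the ticket's reproduction steps.
RESTRICTED_DAM = Role("restricted-dam", {"/destinations": Access.READ})
SUPERUSER = User("superuser", [Role("superuser", {"/": Access.WRITE})])
ERIC = User("eric", [RESTRICTED_DAM])
# Assumed fragment format: '#app:<app>:<subapp>;<path>:<view>'
LINK = "#app:assets:detail;/destinations/south-central-america:edit"
STORE: dict[str, dict] = {}


def effective_access(user: User, path: str) -> Access:
    """Longest matching ACL prefix wins across all roles; on equal length,
    the higher access level wins.  No match means no access at all."""
    best_len, best = -1, Access.NONE
    for role in user.roles:
        for prefix, access in role.acl.items():
            if path == prefix or path.startswith(prefix.rstrip("/") + "/"):
                if len(prefix) > best_len or (
                    len(prefix) == best_len and access.value > best.value
                ):
                    best_len, best = len(prefix), access
    return best


def parse_detail_link(fragment: str) -> tuple[str, str]:
    """Split the assumed detail-subapp fragment into (node path, view)."""
    if not fragment.startswith("#app:"):
        raise ValueError("not an app link")
    _subapp, params = fragment[len("#app:"):].split(";", 1)
    path, _, view = params.rpartition(":")
    if not path.startswith("/") or view not in ("view", "edit"):
        raise ValueError("malformed detail link")
    return path, view


def open_detail(user: User, fragment: str) -> str:
    """First enforcement point: decide the view from the real permission,
    not from what the URL asks for.  Returns the view actually opened."""
    path, view = parse_detail_link(fragment)
    access = effective_access(user, path)
    if access is Access.NONE:
        raise PermissionDenied(f"{user.name} may not see {path}")
    if view == "edit" and access is not Access.WRITE:
        return "view"  # downgrade: the dialog must mirror the read-only icon
    return view


def save(user: User, path: str, values: dict) -> bool:
    """Second enforcement point: re-check on write, never trust the client."""
    if effective_access(user, path) is not Access.WRITE:
        raise PermissionDenied(f"{user.name} has no write access to {path}")
    STORE[path] = dict(values)
    return True


def simulate(user: User, fragment: str, values: dict | None = None) -> dict:
    """Walk one pasted link through both checks and report the outcome."""
    result = {"opened_as": None, "save": None}
    try:
        path, _ = parse_detail_link(fragment)
        result["opened_as"] = open_detail(user, fragment)
    except PermissionDenied:
        result["opened_as"] = "denied"
        return result
    try:  # the save is attempted regardless, to show the second check holds
        save(user, path, values or {"title": "edited"})
        result["save"] = "saved"
    except PermissionDenied:
        result["save"] = "denied"
    return result


if __name__ == "__main__":
    for who in (SUPERUSER, ERIC):
        print(who.name, simulate(who, LINK))
```

With the check at `open_detail`, eric's pasted link lands on the read-only view instead of an editable form that fails only on save; the `save` check stays in place so a request sent outside the dialog is refused as well.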



Comments
Comment by Jan Haderka [ 24/Oct/16 ]

Yes, the save button should be disabled; however,

  • there is no escalation of privilege (the user is allowed to see the content),
  • it requires forging the request by addressing the dialog directly to open it; the application doesn't allow that out of the box via the browser subapp, and
  • the save operation is not performed, the user is not able to store modified data, and is notified about the reason why the save failed.

=> reducing prio to minor

Comment by Matteo Pelucco [ 09/Nov/16 ]

Any roadmap?

Comment by Jan Haderka [ 14/Nov/16 ]

Next maintenance release. Depending on when the current one closes, that would be either still 5.4.10 or 5.4.11 at the latest.

Comment by Jan Haderka [ 16/Jun/21 ]

Verified this is still an issue on the latest version as of today.
