[MAGNOLIA-8025] Show error message in log when permission is denied (read/write) Created: 14/Feb/14  Updated: 11/Mar/21

Status: Open
Project: Magnolia
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Major
Reporter: Marvin Kerkhoff Assignee: Unassigned
Resolution: Unresolved Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Currently, if any code tries to access/write data without the relevant permission given to the currently logged in user (or anonymous if you're not logged in), no error is shown in the log file!

I believe this is an extremely common issue coming up for many developers, whether new to Magnolia CMS or advanced.
I had this problem several times in the past few months, on new projects as well as on existing ones. Lately I worked on a migration; after migrating, I tested a page & I could not see some of the data. I had to go through, checking the location of the data imported, checking the data itself (export), modifying the template script, & so on, until I found out it simply was a permission issue. It can take a couple of hours to fix/understand, as it is so easy to forget about this possibility.



 Comments   
Comment by Adrien Berthou [ 27/Feb/14 ]

1. As a developer/tester/support, I want the relevant error message shown in the log file when a permission is denied.
For instance, if my code tries to access data under a repo called "classified data" under the path "/private-addresses" & the currently logged in user (or anonymous if you're not logged in) has no read-access, then I should see "The current user <userName> does not have the relevant permissions to access repo "classified data" under the path "/private-addresses"".

2. As a developer/tester/support, I want to be able to enable/disable this feature via configuration in the admin panel.

3. Just an idea/inspiration: a cool feature could also be to add an actual message on the page itself, such as "Some content could not be shown because you do not have the required permission". This would force the developer to make the necessary checks before trying to access data that is not supposed to be for "the whole world". This could be very useful for http://wiki.magnolia-cms.com/display/DEV/Concept+-+Personalization

Comment by Richard Gange [ 11/Mar/21 ]

As far as logging is concerned, JR's org.apache.jackrabbit.core.security package could be turned on either in the log4j file or using the Log Tools app. All the access control is handled at that level.
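
Added example (not part of the ticket and not Magnolia or Jackrabbit code): one way application code can produce the log line requested in item 1 of the first comment, using the standard JCR `Session.hasPermission` call. The class name `PermissionAudit` and its methods are hypothetical, and the JCR API and SLF4J are assumed to be on the classpath.

```java
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/** Hypothetical helper (assumption, not a Magnolia class): logs JCR permission denials. */
public final class PermissionAudit {

    private static final Logger log = LoggerFactory.getLogger(PermissionAudit.class);

    private PermissionAudit() {
    }

    /**
     * Returns true if the session may perform the given actions on absPath.
     * On denial, logs who was denied what and where, then returns false.
     *
     * @param actions comma-separated JCR actions, e.g. Session.ACTION_READ or
     *                Session.ACTION_ADD_NODE + "," + Session.ACTION_SET_PROPERTY
     */
    public static boolean isAllowed(Session session, String absPath, String actions) {
        try {
            if (session.hasPermission(absPath, actions)) {
                return true;
            }
            log.warn("The current user {} does not have the '{}' permission on workspace \"{}\" under the path \"{}\"",
                    session.getUserID(), actions,
                    session.getWorkspace().getName(), sanitize(absPath));
            return false;
        } catch (RepositoryException e) {
            // Fail closed: if the check itself fails, treat the access as denied.
            log.error("Permission check failed for path \"{}\"", sanitize(absPath), e);
            return false;
        }
    }

    /** Replaces CR/LF so a request-derived path cannot forge extra log lines. */
    private static String sanitize(String value) {
        return value == null ? "null" : value.replaceAll("[\\r\\n]", "_");
    }
}
```

A caller would guard a read with `PermissionAudit.isAllowed(session, "/private-addresses", Session.ACTION_READ)` before calling `session.getNode(...)`.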

Generated at Mon Feb 12 04:28:57 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.