[MAGNOLIA-8319] Page editor: areas and components not editable if user doesn't have write permission on page Created: 24/Jan/22  Updated: 20/Jul/22  Resolved: 24/Feb/22

Status: Closed
Project: Magnolia
Component/s: None
Affects Version/s: 6.2.16
Fix Version/s: 6.2.18

Type: Improvement Priority: Neutral
Reporter: Carlos Cantalapiedra Assignee: Sang Ngo Huu
Resolution: Fixed Votes: 1
Labels: nucleus
Remaining Estimate: Not Specified
Time Spent: 4d
Original Estimate: Not Specified

Issue Links:
Problem/Incident
Template:
Acceptance criteria:
Empty
Task DoD:
[X]* Doc/release notes changes? Comment present?
[X]* Downstream builds green?
[X]* Solution information and context easily available?
[X]* Tests
[X]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Release notes required:
Yes
Date of First Response:
Visible to:
Bence Vass
Epic Link: Nucleus Quality Maintenance
Sprint: Nucleus 4
Story Points: 5
Team: Nucleus

Description

There is a security issue when creating different editor groups that are meant to allow editing of only specific parts of a site.

Steps to reproduce

  1. Log in to demo.magnolia-cms.com
  2. In the Security App, edit the userrole "/travel-demo-editor"
    • Change Website ACLs
      • Read-Only - Sub nodes - /
      • Read/Write - Sub nodes - /travel/about
  3. Log in as "eric"
  4. Eric does not have the rights to open edit mode for /travel/about (which is correct)
  5. Open edit mode of /travel/about/company (works correctly too)
  6. Change the URL to:
    https://demo.magnolia-cms.com/.magnolia/admincentral#app:pages-app:detail;/travel/about:edit
  7. Check that Eric can now edit the /travel/about page

Expected results

Eric can't edit /travel/about, even when accessing it directly through the URL.

Actual results

Eric can edit /travel/about by pasting the URL directly into the browser.

Workaround

Set read-only for the areas of /travel/about as well.

Development notes

Probably because the main area and the other elements are subnodes of the /travel/about path, they can be edited: the Read/Write ACL applies to the subnodes of /travel/about, so the page editor finds the area and component nodes writable even though the page node itself is read-only.
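The scoping the development note describes, as an added Python model that is not Magnolia's own code: the ACL resolution ("Sub nodes" matches strict descendants only, most permissive matching entry wins) is a simplified assumption, and the area name "main" is a constructed sample. The two `page_editor_enabled_*` functions contrast the behaviour reported in this issue with the check the release note describes (the page node itself must be writable).

```python
from dataclasses import dataclass

READ, WRITE = 1, 2  # constructed permission levels, higher is more permissive


@dataclass(frozen=True)
class AclEntry:
    path: str
    scope: str  # "node" or "subnodes" (assumed simplified scope names)
    perm: int


def matches(entry: AclEntry, path: str) -> bool:
    """Does this ACL entry apply to the given JCR path?"""
    if entry.scope == "node":
        return path == entry.path
    # "subnodes": strict descendants of entry.path, never the node itself
    base = "" if entry.path == "/" else entry.path
    return path != entry.path and path.startswith(base + "/")


def permission(acls: list[AclEntry], path: str) -> int:
    # Assumption: most permissive matching entry wins; no match means no access.
    return max((e.perm for e in acls if matches(e, path)), default=0)


def can_write(acls: list[AclEntry], path: str) -> bool:
    return permission(acls, path) >= WRITE


# The Website ACLs from the reproduction steps for /travel-demo-editor
TRAVEL_EDITOR = [
    AclEntry("/", "subnodes", READ),
    AclEntry("/travel/about", "subnodes", WRITE),
]


def page_editor_enabled_before_fix(acls: list[AclEntry], page: str, area: str) -> bool:
    # Behaviour reported in the issue: only the area/component node is checked,
    # and areas are subnodes of the page, so they match the Read/Write entry.
    return can_write(acls, f"{page}/{area}")


def page_editor_enabled(acls: list[AclEntry], page: str, area: str) -> bool:
    # Check per the release note: the page node itself must also be writable.
    return can_write(acls, page) and can_write(acls, f"{page}/{area}")
```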



Comments
Comment by Bence Vass [ 28/Jan/22 ]

I might add that this also happens when the editor navigates in edit mode, so it is not only about URL manipulation.

Comment by Carlos Cantalapiedra [ 02/Feb/22 ]

Thank you for sharing your finding Bence!

Comment by Adam Siska [ 28/Feb/22 ]

RN: Page editor is disabled (areas and components not editable) if user doesn't have write permission on page.
