[MGNLDIFF-146] Revise permissions to diff with modular privilege pattern

Created: 08/Aug/23 | Updated: 22/Jan/24 | Resolved: 22/Jan/24

| Status: | Closed |
| Project: | Magnolia Diff Module |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | 3.0.0 |
| Type: | Bug |
| Priority: | Major |
| Reporter: | Miguel Martinez |
| Assignee: | Rishab Dhar |
| Resolution: | Done |
| Votes: | 0 |
| Labels: | dx-core-6.3 |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Attachments: | |
| Issue Links: | |
| Template: | |
| Acceptance criteria: | Empty |
| Task DoD: | [X]* Doc/release notes changes? Comment present? [X]* Downstream builds green? [X]* Solution information and context easily available? [X]* Tests [X]* FixVersion filled and not yet released [X] Architecture Decision Record (ADR) |
| Bug DoR: | [ ]* Steps to reproduce, expected, and actual results filled [ ]* Affected version filled |
| Date of First Response: | |
| Epic Link: | Sane Default Roles & Groups |
| Story Points: | 3 |
| T-Shirt Size: | Small |
| Team: | |
| Work Started: | |
| Approved: | Yes |
| Description |
|
6.3 introduces a new modular privilege pattern with new roles & default groups. The admincentral-editor role in particular denies everything starting with /.*, instead of leaving it implicitly allowed. That includes /.magnolia/versionDiff, pointing to the diff servlet. Possible workaround (not a fix)
See also:
|
| Comments |
| Comment by Christopher Zimmermann [ 05/Dec/23 ] |
|
Might be related to |
| Comment by Quach Hao Thien [ 25/Dec/23 ] |
|
The new role admincentral-editor, introduced in 6.3, denies access to URLs that start with "/.". This role was assigned to the default user groups: developers, publishers, and editors. It also affects the superuser, who has the most powerful access to the system, since this user has been assigned to the publishers group since 6.2 or older. What we can do to fix this issue is introduce a new role that grants permission to "/.magnolia/versionDiff*" and assign it to the default user groups like we have done with |
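To make the failure mode in the description and the fix proposed in the comment above concrete, the Python below is an added example (not code from the Magnolia diff module or from this ticket). It models URI ACL resolution under an assumed rule: every matching pattern is considered, the longest matching pattern wins, and on a tie the higher permission wins, with `*` also matching `/` (the ticket's own observation that `/.*` catches `/.magnolia/versionDiff` requires that). Only the deny pattern `/.*` and the diff servlet path `/.magnolia/versionDiff` come from the ticket; the permission values, the role name `diff-versiondiff-reader`, the sample paths and the `blocked_paths` regression check are constructed for this example.

```python
"""Model of URI-ACL resolution showing why a blanket deny on "/.*" blocks the
diff servlet and why a more specific allow rule restores it.

Added example; assumptions: longest matching pattern wins, ties go to the
higher permission, and '*' matches any characters including '/'.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Iterable, List, Optional

# Permission levels used by this model (constructed): 0 = deny, 8 = read.
DENY = 0
READ = 8


@dataclass(frozen=True)
class UriAcl:
    role: str
    pattern: str      # simple glob; '*' also matches '/', so "/.*" covers "/.magnolia/versionDiff"
    permission: int


def resolve(path: str, acls: Iterable[UriAcl]) -> Optional[UriAcl]:
    """Return the ACL entry that decides `path`, or None if no pattern matches.

    None means this role set makes no decision for the path; what happens then
    is left to the other roles a user holds and is not modelled here.
    """
    best: Optional[UriAcl] = None
    for acl in acls:
        if not fnmatchcase(path, acl.pattern):
            continue
        longer = best is None or len(acl.pattern) > len(best.pattern)
        tie_but_higher = (best is not None and len(acl.pattern) == len(best.pattern)
                          and acl.permission > best.permission)
        if longer or tie_but_higher:
            best = acl
    return best


def blocked_paths(acls: Iterable[UriAcl], required_paths: Iterable[str]) -> List[str]:
    """Regression check for role changes: which paths a feature needs would this
    role set deny outright? Run it whenever a default role gains a broad deny."""
    acls = list(acls)
    blocked = []
    for path in required_paths:
        decision = resolve(path, acls)
        if decision is not None and decision.permission == DENY:
            blocked.append(path)
    return blocked


# Constructed role data. The "/.*" deny and the versionDiff path are from the
# ticket; the name of the corrective role is hypothetical.
ADMINCENTRAL_EDITOR = [UriAcl("admincentral-editor", "/.*", DENY)]
VERSION_DIFF_ROLE = [UriAcl("diff-versiondiff-reader", "/.magnolia/versionDiff*", READ)]

# Sample request paths the diff servlet answers (constructed).
DIFF_SERVLET_PATHS = ["/.magnolia/versionDiff", "/.magnolia/versionDiff/some-page"]


def before_fix() -> List[str]:
    """Diff servlet paths denied when only the 6.3 editor role applies."""
    return blocked_paths(ADMINCENTRAL_EDITOR, DIFF_SERVLET_PATHS)


def after_fix() -> List[str]:
    """Same check once the more specific allow role is added to the group."""
    return blocked_paths(ADMINCENTRAL_EDITOR + VERSION_DIFF_ROLE, DIFF_SERVLET_PATHS)


if __name__ == "__main__":
    print("blocked before fix:", before_fix())
    print("blocked after fix: ", after_fix())
    other = resolve("/.magnolia/someOtherServlet", ADMINCENTRAL_EDITOR + VERSION_DIFF_ROLE)
    print("other dot-path still decided by:", other.role if other else None)
```

The point the model makes is that the corrective role does not weaken the blanket deny: `/.magnolia/versionDiff*` is longer than `/.*`, so it wins only for the diff servlet, and every other `/.`-prefixed path stays denied by admincentral-editor.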
| Comment by Christopher Zimmermann [ 18/Jan/24 ] |
|
I see this is flagged as dx-core-6.3 and for M 6.3. The problem exists on 6.2 as well (or at least the symptom), so we should fix it in both places. Feel free to split to 2 tickets if that makes the most sense. |
| Comment by Rishab Dhar [ 18/Jan/24 ] |
|
I added a backport for diff release/2.2 which should take care of the issue in dx-core 6.2. Don't think we need to split the ticket. |
| Comment by Mikaël Geljić [ 19/Jan/24 ] |
Let's be clear on that: do we mean A. the startup issue with PathNotFoundException: /system/anonymous (was fixed in different "fast-startup" tickets for both 6.2 and 6.3), or B. editors actually unable to diff pages? (just tried on demo public, all looks fine). |
| Comment by Christopher Zimmermann [ 19/Jan/24 ] |
|
I meant the problem `Magnolia fails to start with error 'javax.jcr.PathNotFoundException: /system` had been occurring on 6.2 as well. I don't know if that has been fixed in other tickets, but just wanted to ensure that the problem should be addressed on 6.2 as well as 6.3. I didn't want it to slip through the cracks. |
| Comment by Mikaël Geljić [ 19/Jan/24 ] |
|
Thanks, we actually never split this ticket between diff & PathNotFound issues, let me do/clone that now => MAGNOLIA-9259. Indeed, there are many occurrences of this exception in both Slack & Jira/Support, including this one lately here affecting 6.2.41. So indeed it looks like |