[MGNLDIFF-146] Revise permissions to diff with modular privilege pattern
Created: 08/Aug/23  Updated: 22/Jan/24  Resolved: 22/Jan/24

Status: Closed
Project: Magnolia Diff Module
Component/s: None
Affects Version/s: None
Fix Version/s: 3.0.0

Type: Bug Priority: Major
Reporter: Miguel Martinez Assignee: Rishab Dhar
Resolution: Done Votes: 0
Labels: dx-core-6.3
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: can't start instance.png (PNG), error-in-screen.png (PNG), magnolia-debug.log (text), magnolia-error-0.log (text), magnolia-error.log (text)
Issue Links:
Issue split
split to MAGNOLIA-9259 Magnolia fails to start with error ’j... Open
Relates
relates to MAGNOLIA-9097 Instances randomly fail to start up o... Closed
relates to MAGNOLIA-9214 Instances randomly fail to start up o... Closed
Template:
Acceptance criteria:
Empty
Task DoD:
[X]* Doc/release notes changes? Comment present?
[X]* Downstream builds green?
[X]* Solution information and context easily available?
[X]* Tests
[X]* FixVersion filled and not yet released
[X]  Architecture Decision Record (ADR)
Bug DoR:
[ ]* Steps to reproduce, expected, and actual results filled
[ ]* Affected version filled
Date of First Response:
Epic Link: Sane Default Roles & Groups
Story Points: 3
T-Shirt Size: Small
Team: DeveloperX
Work Started:
Approved:
Yes

Description

6.3 introduces a new modular privilege pattern with new roles & default groups.

The admincentral-editor role in particular denies every URI matching /.* instead of leaving such paths implicitly allowed. That includes /.magnolia/versionDiff, the URI of the diff servlet.

See https://git.magnolia-cms.com/projects/PLATFORM/repos/ui/browse/magnolia-admincentral/src/main/resources/mgnl-bootstrap/admincentral/userroles.admincentral-editor.yaml?at=76c9ea475a18856e458c60e7b390331597b54fda#14

Possible workaround (not a fix)

  1. Edit https://localhost:8080/.magnolia/admincentral#app:security:roles;/superuser:treeview:
  2. Go to the “Web Access” tab.
  3. Add Get & Post to /.magnolia/versionDiff*
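An added example, not code from the ticket or from Magnolia: a Python model of how a user's URI ACL rules combine, assuming Magnolia-style values (deny 0, Get 8, Get & Post 63) and "longest matching pattern wins" resolution, with constructed role contents. It shows why the /.* deny in admincentral-editor blocks /.magnolia/versionDiff even for superuser, and why an explicit, longer grant on /.magnolia/versionDiff* (the workaround above, or a dedicated role as the comments propose) restores access.

```python
import re

# Added example (not Magnolia's own code): a small model of how Magnolia resolves
# URI ACLs across a user's roles. Assumptions: permissions are the Magnolia-style
# values NONE=0 (deny), READ=8 (Get) and ALL=63 (Get & Post); when several
# patterns match a URI, the longest pattern wins and equal-length ties go to the
# higher value. Role contents below are constructed to mirror the ticket.
DENY, GET, GET_AND_POST = 0, 8, 63

def uri_matches(pattern: str, uri: str) -> bool:
    """'*' matches any run of characters, '/' included; '?' matches one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, uri) is not None

def effective_permission(roles: dict, uri: str) -> int:
    """Fold every matching rule of every role into one value (longest pattern wins)."""
    best_len, best_perm = -1, DENY  # no matching rule at all means no access
    for rules in roles.values():
        for pattern, perm in rules:
            if not uri_matches(pattern, uri):
                continue
            if len(pattern) > best_len:
                best_len, best_perm = len(pattern), perm
            elif len(pattern) == best_len:
                best_perm = max(best_perm, perm)
    return best_perm

def allowed(roles: dict, method: str, uri: str) -> bool:
    """GET/HEAD need at least the Get value; any other method needs Get & Post."""
    required = GET if method.upper() in ("GET", "HEAD") else GET_AND_POST
    return effective_permission(roles, uri) >= required

# superuser grants everything; admincentral-editor (reached via the publishers
# group) denies every URI starting with "/." -- the pattern the ticket describes.
SUPERUSER_ROLES = {
    "superuser": [("/*", GET_AND_POST)],
    "admincentral-editor": [("/.*", DENY)],
}

def with_workaround(roles: dict) -> dict:
    """The ticket's workaround: an explicit Get & Post rule on the diff servlet."""
    patched = {name: list(rules) for name, rules in roles.items()}
    patched["superuser"].append(("/.magnolia/versionDiff*", GET_AND_POST))
    return patched

def with_fix_role(roles: dict) -> dict:
    """The fix the comments propose: a dedicated role that grants the diff URI."""
    return {**roles, "diff-base": [("/.magnolia/versionDiff*", GET_AND_POST)]}
```

Calling allowed(SUPERUSER_ROLES, "GET", "/.magnolia/versionDiff") returns False because the three-character /.* pattern outranks the two-character /* grant, while both patched role sets return True.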

Comments
Comment by Christopher Zimmermann [ 05/Dec/23 ]

Might be related to MAGNOLIA-9097. Maybe similar underlying problem.

Comment by Quach Hao Thien [ 25/Dec/23 ]

The new role introduced in 6.3, admincentral-editor, denies access to URLs that start with "/.", and this role was assigned to the default user groups: developers, publishers, and editors.

This role also affects the superuser, who has the most powerful access to the system, since this user has been assigned to the publishers group since 6.2 or earlier.

What we can do to fix this issue is introduce a new role that grants permission to "/.magnolia/versionDiff*" and assign it to the default user groups, like we did with MGNLRES-404 and MGNLIMG-232.

Comment by Christopher Zimmermann [ 18/Jan/24 ]

I see this is flagged as dx-core-6.3 and for M 6.3. The problem exists on 6.2 as well (or at least the symptom), so we should fix it in both places. Feel free to split to 2 tickets if that makes the most sense.

Comment by Rishab Dhar [ 18/Jan/24 ]

I added a backport for diff release/2.2 which should take care of the issue in dx-core 6.2. Don't think we need to split the ticket.

Comment by Mikaël Geljić [ 19/Jan/24 ]

The problem exists on 6.2 as well

Let's be clear on that: do we mean A. the startup issue with PathNotFoundException: /system/anonymous (fixed in different "fast-startup" tickets for both 6.2 and 6.3), or B. editors actually being unable to diff pages? (Just tried on demo public; all looks fine.)

Comment by Christopher Zimmermann [ 19/Jan/24 ]

I meant the problem `Magnolia fails to start with error 'javax.jcr.PathNotFoundException: /system'` had been occurring on 6.2 as well. I don't know if that has been fixed in other tickets, but I just wanted to ensure that the problem is addressed on 6.2 as well as 6.3. I didn't want it to slip through the cracks.

Comment by Mikaël Geljić [ 19/Jan/24 ]

Thanks, we actually never split this ticket between diff & PathNotFound issues, let me do/clone that now => MAGNOLIA-9259.

Indeed, there are many occurrences of this exception in both Slack & Jira/Support, including this one lately here affecting 6.2.41. So indeed it looks like MAGNOLIA-9097 did not fix it (rather fixed NPEs upon install if I understand correctly).

Generated at Mon Feb 12 05:21:47 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.