[MGNLFE-369] Restricting component availability in an area template via Roles not working in SPA environment
Created: 02/Nov/22 Updated: 21/Nov/22 Resolved: 21/Nov/22

| Status: | Closed |
| Project: | Magnolia Frontend Helpers |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Bug |
| Priority: | Neutral |
| Reporter: | Carlos Cantalapiedra |
| Assignee: | Canh Nguyen |
| Resolution: | Not an issue |
| Votes: | 3 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Acceptance criteria: | Empty |
| Task DoD: | [ ] Doc/release notes changes? Comment present? [ ] Downstream builds green? [ ] Solution information and context easily available? [ ] Tests [ ] FixVersion filled and not yet released [ ] Architecture Decision Record (ADR) |
| Bug DoR: | [ ] Steps to reproduce, expected, and actual results filled [ ] Affected version filled |
| Documentation update required: | Yes |
| Visible to: | Alexander Hems, Fabian Bading, Martin Schmid, Marvin Boie, Wojciech Rydzewski |
| Epic Link: | Support |
| Description |
Steps to reproduce
Expected results: Superuser can add the headline component.
Actual results: Superuser cannot add the headline component because the template annotations endpoint is called by the SPA as an anonymous user.
Workaround: N/A
Development notes: Customer findings (quoted): The role restrictions are checked here: info.magnolia.templating.elements.attribute.AvailableComponents#resolveAvailableComponents. There I noticed that the user is not the same as the one logged into Admincentral, but the one the SPA uses to invoke the template annotation endpoint, the anonymous user. |
| Comments |
| Comment by Canh Nguyen [ 18/Nov/22 ] |
|
The problem is that when making CORS requests, if the request does not include credentials, it will be an anonymous request, so the template annotations endpoint will return data for the anonymous user. From the SPA, requests to the template annotations endpoint must be made like this:
fetch(templateEndpointUrl, { credentials: "include" });
And the CorsResponseFilter must check whether the request has credentials information, then set "Access-Control-Allow-Origin" to the origin URL instead of "*", and "Access-Control-Allow-Credentials" to true, so that the browser will accept the response. NOTE: cookies are credentials info, so we can check that request.getCookies() is not null. |
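The two halves of the fix described in the comment above, as an added example (not Magnolia's CorsResponseFilter or the reporter's SPA code): the server-side header decision for a cookie-bearing request, the fetch options the SPA must use, and an emulation of the browser rule that rejects "*" for credentialed requests. Function names, the allowlist and the sample origins are assumptions; the allowlist check goes one step beyond the comment, which only says to echo the origin.

```javascript
// Constructed allowlist of SPA origins the CMS trusts with credentials.
const ALLOWED_ORIGINS = new Set(["https://spa.example.com"]);

// Server side: CORS headers for one request. A request carries credentials
// when it has cookies (the comment's request.getCookies() != null check);
// such a request needs an explicit origin and Allow-Credentials: true.
// Only allowlisted origins are echoed; reflecting any origin together with
// credentials would hand the logged-in session's data to any site.
function corsHeadersFor(req, allowedOrigins = ALLOWED_ORIGINS) {
  const origin = req.headers["origin"];
  const hasCredentials = Boolean(req.headers["cookie"]);
  const headers = { Vary: "Origin" };
  if (!origin) return headers; // same-origin or non-browser caller
  if (hasCredentials) {
    if (allowedOrigins.has(origin)) {
      headers["Access-Control-Allow-Origin"] = origin;
      headers["Access-Control-Allow-Credentials"] = "true";
    }
  } else {
    headers["Access-Control-Allow-Origin"] = "*"; // anonymous: wildcard is fine
  }
  return headers;
}

// Browser side (emulated): with credentials: "include" the browser rejects a
// "*" origin and requires Allow-Credentials to be exactly "true". This is
// why the original, credential-less setup answered as the anonymous user.
function browserAcceptsCors(origin, withCredentials, headers) {
  const acao = headers["Access-Control-Allow-Origin"];
  if (!withCredentials) return acao === "*" || acao === origin;
  return acao === origin && headers["Access-Control-Allow-Credentials"] === "true";
}

// Client side: the arguments the SPA passes to fetch for the endpoint.
function templateAnnotationsRequest(url) {
  return [url, { credentials: "include" }];
}

// Constructed requests: a logged-in SPA user and an anonymous visitor.
const withSession = {
  headers: { origin: "https://spa.example.com", cookie: "JSESSIONID=constructed" },
};
const anonymous = { headers: { origin: "https://spa.example.com" } };
```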
| Comment by Canh Nguyen [ 21/Nov/22 ] |
|
I've configured CORS like the screenshot below and it worked perfectly.
Please be informed that both server and client have the credentials config I explained in the previous comment to make this work. |