[MGNLUI-2642] Publisher should not be allowed to open 'add page' dialog under /demo-project
Created: 30/Jan/14  Updated: 03/Feb/14  Resolved: 03/Feb/14

Status: Closed
Project: Magnolia UI
Component/s: pages app
Affects Version/s: 5.2.1
Fix Version/s: None

Type: Bug
Priority: Major
Reporter: Roman Kovařík
Assignee: Mikaël Geljić
Resolution: Duplicate
Votes: 0
Labels: maintenance
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: JPEG File Screen Shot 2014-02-03 at 10.15.08.jpg    
Issue Links:
causality
caused by MGNLUI-2510 UI shouldn't enable actions for which... Closed

 Description   

As a publisher (peter) I can open the add page dialog. This shouldn't be possible as peter has read-only permissions for nodes.

Note: if the add page dialog is opened, this error can be seen in the logs.

2014-01-30 10:09:53,017 ERROR nolia.pages.app.field.TemplateSelectorFieldFactory: Could not create temporary node to get available templates.
javax.jcr.AccessDeniedException: Access denied.
	at org.apache.jackrabbit.core.security.DefaultAccessManager.checkPermission(DefaultAccessManager.java:193)
	at org.apache.jackrabbit.core.NodeImpl.addNode(NodeImpl.java:1266)
	at org.apache.jackrabbit.core.session.AddNodeOperation.perform(AddNodeOperation.java:111)
	at org.apache.jackrabbit.core.session.AddNodeOperation.perform(AddNodeOperation.java:37)
	at org.apache.jackrabbit.core.session.SessionState.perform(SessionState.java:216)
	at org.apache.jackrabbit.core.ItemImpl.perform(ItemImpl.java:91)
	at org.apache.jackrabbit.core.NodeImpl.addNodeWithUuid(NodeImpl.java:1814)
	at org.apache.jackrabbit.core.NodeImpl.addNode(NodeImpl.java:1774)
	at info.magnolia.jcr.wrapper.DelegateNodeWrapper.addNode(DelegateNodeWrapper.java:122)
	at info.magnolia.jcr.decoration.ContentDecoratorNodeWrapper.addNode(ContentDecoratorNodeWrapper.java:115)
	at info.magnolia.jcr.wrapper.MgnlPropertySettingNodeWrapper.addNode(MgnlPropertySettingNodeWrapper.java:210)
	at info.magnolia.jcr.wrapper.DelegateNodeWrapper.addNode(DelegateNodeWrapper.java:122)
	at info.magnolia.jcr.decoration.ContentDecoratorNodeWrapper.addNode(ContentDecoratorNodeWrapper.java:115)
	at info.magnolia.jcr.wrapper.DelegateNodeWrapper.addNode(DelegateNodeWrapper.java:122)
	at info.magnolia.jcr.decoration.ContentDecoratorNodeWrapper.addNode(ContentDecoratorNodeWrapper.java:115)
	at info.magnolia.audit.MgnlAuditLoggingContentDecoratorNodeWrapper.addNode(MgnlAuditLoggingContentDecoratorNodeWrapper.java:84)
	at info.magnolia.pages.app.field.TemplateSelectorFieldFactory.getSelectFieldOptionDefinition(TemplateSelectorFieldFactory.java:90)
	at info.magnolia.ui.form.field.factory.SelectFieldFactory.buildOptions(SelectFieldFactory.java:129)
	at info.magnolia.ui.form.field.factory.SelectFieldFactory.createFieldComponent(SelectFieldFactory.java:96)
	at info.magnolia.ui.form.field.factory.SelectFieldFactory.createFieldComponent(SelectFieldFactory.java:71)
	at info.magnolia.ui.form.field.factory.AbstractFieldFactory.createField(AbstractFieldFactory.java:104)
	at info.magnolia.ui.dialog.formdialog.FormBuilder.buildReducedForm(FormBuilder.java:165)
	at info.magnolia.ui.dialog.formdialog.FormBuilder.buildForm(FormBuilder.java:106)
	at info.magnolia.ui.dialog.formdialog.FormDialogPresenterImpl.buildView(FormDialogPresenterImpl.java:133)
	at info.magnolia.ui.dialog.formdialog.FormDialogPresenterImpl.start(FormDialogPresenterImpl.java:115)
	at info.magnolia.ui.dialog.formdialog.FormDialogPresenterImpl.start(FormDialogPresenterImpl.java:91)
	at info.magnolia.ui.framework.action.OpenCreateDialogAction.execute(OpenCreateDialogAction.java:81)
	at info.magnolia.ui.api.action.AbstractActionExecutor.execute(AbstractActionExecutor.java:74)
	at info.magnolia.ui.contentapp.browser.BrowserPresenter.executeAction(BrowserPresenter.java:391)
	at info.magnolia.ui.contentapp.browser.BrowserPresenter.onActionbarItemClicked(BrowserPresenter.java:331)
	at info.magnolia.ui.actionbar.ActionbarPresenter.onActionbarItemClicked(ActionbarPresenter.java:183)
	at info.magnolia.ui.vaadin.actionbar.Actionbar$1.onActionTriggered(Actionbar.java:70)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:597)
	at com.vaadin.server.ServerRpcManager.applyInvocation(ServerRpcManager.java:168)
	at com.vaadin.server.ServerRpcManager.applyInvocation(ServerRpcManager.java:118)
	at com.vaadin.server.communication.ServerRpcHandler.handleBurst(ServerRpcHandler.java:214)
	at com.vaadin.server.communication.ServerRpcHandler.handleRpc(ServerRpcHandler.java:111)
	at com.vaadin.server.communication.UidlRequestHandler.synchronizedHandleRequest(UidlRequestHandler.java:91)
	at com.vaadin.server.SynchronizedRequestHandler.handleRequest(SynchronizedRequestHandler.java:37)
	at com.vaadin.server.VaadinService.handleRequest(VaadinService.java:1371)
	at com.vaadin.server.VaadinServlet.service(VaadinServlet.java:238)
	at info.magnolia.ui.admincentral.AdmincentralVaadinServlet.service(AdmincentralVaadinServlet.java:131)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
	at info.magnolia.cms.filters.ServletDispatchingFilter.doFilter(ServletDispatchingFilter.java:126)
	at info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:89)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:80)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:82)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:82)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:82)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:82)
	at info.magnolia.cms.filters.CompositeFilter.doFilter(CompositeFilter.java:65)
	at info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:89)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:80)
	at info.magnolia.cms.filters.VirtualUriFilter.doFilter(VirtualUriFilter.java:68)
	at info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:89)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:80)
	at info.magnolia.module.cache.executor.Bypass.processCacheRequest(Bypass.java:58)
	at info.magnolia.module.cache.executor.CompositeExecutor.processCacheRequest(CompositeExecutor.java:66)
	at info.magnolia.module.cache.filter.CacheFilter.doFilter(CacheFilter.java:153)
	at info.magnolia.cms.filters.OncePerRequestAbstractMgnlFilter.doFilter(OncePerRequestAbstractMgnlFilter.java:58)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:80)
	at info.magnolia.cms.i18n.I18nContentSupportFilter.doFilter(I18nContentSupportFilter.java:73)
	at info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:89)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:80)
	at info.magnolia.cms.filters.RangeSupportFilter.doFilter(RangeSupportFilter.java:84)
	at info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:89)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:80)
	at info.magnolia.cms.security.BaseSecurityFilter.doFilter(BaseSecurityFilter.java:57)
	at info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:89)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:80)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:82)
	at info.magnolia.cms.security.SecurityCallbackFilter.doFilter(SecurityCallbackFilter.java:83)
	at info.magnolia.cms.filters.OncePerRequestAbstractMgnlFilter.doFilter(OncePerRequestAbstractMgnlFilter.java:58)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:80)
	at info.magnolia.cms.security.LogoutFilter.doFilter(LogoutFilter.java:93)
	at info.magnolia.cms.filters.OncePerRequestAbstractMgnlFilter.doFilter(OncePerRequestAbstractMgnlFilter.java:58)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:80)
	at info.magnolia.module.templatingkit.filters.SiteMergeFilter.doFilter(SiteMergeFilter.java:106)
	at info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:89)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:80)
	at info.magnolia.multisite.filters.MultiSiteFilter.doFilter(MultiSiteFilter.java:106)
	at info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:89)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:80)
	at info.magnolia.cms.filters.MultiChannelFilter.doFilter(MultiChannelFilter.java:82)
	at info.magnolia.cms.filters.OncePerRequestAbstractMgnlFilter.doFilter(OncePerRequestAbstractMgnlFilter.java:58)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:80)
	at info.magnolia.module.cache.filter.GZipFilter.doFilter(GZipFilter.java:73)
	at info.magnolia.cms.filters.OncePerRequestAbstractMgnlFilter.doFilter(OncePerRequestAbstractMgnlFilter.java:58)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:80)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:82)
	at info.magnolia.cms.security.auth.login.LoginFilter.doFilter(LoginFilter.java:104)
	at info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:89)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:80)
	at info.magnolia.enterprise.registration.RegistrationFilter.doFilter(RegistrationFilter.java:56)
	at info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:89)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:80)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:82)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:82)
	at info.magnolia.module.devicedetection.filter.DeviceDetectionFilter.doFilter(DeviceDetectionFilter.java:71)
	at info.magnolia.cms.filters.OncePerRequestAbstractMgnlFilter.doFilter(OncePerRequestAbstractMgnlFilter.java:58)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:80)
	at info.magnolia.cms.filters.ContentTypeFilter.doFilter(ContentTypeFilter.java:103)
	at info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:89)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:80)
	at info.magnolia.cms.filters.ContextFilter.doFilter(ContextFilter.java:129)
	at info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:89)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:80)
	at info.magnolia.cms.filters.CompositeFilter.doFilter(CompositeFilter.java:65)
	at info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:89)
	at info.magnolia.cms.filters.SafeDestroyMgnlFilterWrapper.doFilter(SafeDestroyMgnlFilterWrapper.java:106)
	at info.magnolia.cms.filters.MgnlFilterDispatcher.doDispatch(MgnlFilterDispatcher.java:66)
	at info.magnolia.cms.filters.MgnlMainFilter.doFilter(MgnlMainFilter.java:107)
	at info.magnolia.cms.filters.MgnlMainFilter.doFilter(MgnlMainFilter.java:93)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1041)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:603)
	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
	at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
	at java.lang.Thread.run(Thread.java:662)


 Comments   
Comment by Mikaël Geljić [ 30/Jan/14 ]

Not sure how the publisher role is/should be configured. The thing is:

  • if it is about applying availability based on permissions then it's MGNLUI-2510
  • if generally any publisher should never be able to add/edit a page, then the publisher role can already be excluded in these actions' availability, i.e. we have to configure roles for which these actions are available (most likely editor, superuser...)

Comment by Daniel Lipp [ 03/Feb/14 ]

Indeed Peter can choose 'add page' which is wrong. But luckily he has no available templates and hence cannot save because of a validation error.

Comment by Mikaël Geljić [ 03/Feb/14 ]

Of course Peter cannot concretely add a page. Now bouncing back on my previous comment:

  • This issue is only valid if it's about disabling all edit actions for the base publisher role (however roles are configured right now), in actions availability.
    • This would imply that if a customer wants publisher to have a read/write access to any page, e.g. an overview section, then these actions would remain disabled and would have to be re-configured.
  • I just checked what's happening in 4.5: publisher can gain RW on a page and is then able to edit content right away, i.e. availability is only based on permissions, not roles.

Therefore, I would consider closing this issue and focusing on MGNLUI-2510 as specified for 5.2.x.
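
A log-triage sketch for the trace in this issue, added here as an example and not part of the original issue or of Magnolia's code: it flags events where a UI action reached the repository and was refused with AccessDeniedException, which is the signature of an action being offered to a user whose permissions do not cover it. The sample log is constructed (first event abridged from the trace above, `example.jobs.CleanupJob` is a placeholder), and identifying the action by an `execute()` frame on a class ending in `Action` is an assumption.

```python
import re

# Constructed sample: the first event is abridged from the trace in this issue;
# the second is invented (example.jobs.CleanupJob is a placeholder class).
SAMPLE_LOG = """\
2014-01-30 10:09:53,017 ERROR nolia.pages.app.field.TemplateSelectorFieldFactory: Could not create temporary node to get available templates.
javax.jcr.AccessDeniedException: Access denied.
\tat org.apache.jackrabbit.core.security.DefaultAccessManager.checkPermission(DefaultAccessManager.java:193)
\tat org.apache.jackrabbit.core.NodeImpl.addNode(NodeImpl.java:1266)
\tat info.magnolia.pages.app.field.TemplateSelectorFieldFactory.getSelectFieldOptionDefinition(TemplateSelectorFieldFactory.java:90)
\tat info.magnolia.ui.framework.action.OpenCreateDialogAction.execute(OpenCreateDialogAction.java:81)
\tat info.magnolia.ui.api.action.AbstractActionExecutor.execute(AbstractActionExecutor.java:74)
2014-01-30 10:12:00,000 ERROR example.jobs.CleanupJob: Constructed non-UI denial.
javax.jcr.AccessDeniedException: Access denied.
\tat org.apache.jackrabbit.core.security.DefaultAccessManager.checkPermission(DefaultAccessManager.java:193)
\tat example.jobs.CleanupJob.run(CleanupJob.java:1)
"""

EVENT = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \w+ ")
FRAME = re.compile(r"^\s+at ([\w.$]+)\.([\w$<>]+)\(")

def split_events(text):
    """Group the log into (timestamp, lines) blocks, one per logged event."""
    events = []
    for line in text.splitlines():
        m = EVENT.match(line)
        if m:
            events.append((m.group(1), [line]))
        elif events:
            events[-1][1].append(line)  # continuation: exception or frame line
    return events

def ui_action_denials(text):
    """Return events where a UI action hit a repository AccessDeniedException."""
    hits = []
    for ts, lines in split_events(text):
        if not any("javax.jcr.AccessDeniedException" in l for l in lines):
            continue
        frames = [m.groups() for m in map(FRAME.match, lines) if m]
        # Assumption: the triggering UI action is the innermost execute()
        # frame on a class whose name ends in "Action".
        action = next((c for c, meth in frames
                       if meth == "execute" and c.endswith("Action")), None)
        # Denied operation: first frame outside the access manager itself.
        denied = next((c.rsplit(".", 1)[-1] + "." + meth for c, meth in frames
                       if ".security." not in c), None)
        if action:
            hits.append({"time": ts, "action": action, "denied": denied})
    return hits
```

Each hit names the UI action to review for availability rules and the repository operation that the access manager refused.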
