[PAGES-444] User that is disalowed to create pages can move pages Created: 18/May/21  Updated: 13/Aug/21  Resolved: 12/Aug/21

Status: Closed
Project: Magnolia pages module
Component/s: None
Affects Version/s: 6.2.8
Fix Version/s: 6.2.11

Type: Bug Priority: Major
Reporter: Daniel Schneeberger Assignee: Milan Divilek
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File image-2021-05-18-15-22-39-102.png    
Issue Links:
dependency
depends upon MGNLUI-6812 Allow define DropConstraint for CanMo... Closed
Template:
Acceptance criteria:
Empty
Task DoD:
[X]* Doc/release notes changes? Comment present?
[X]* Downstream builds green?
[X]* Solution information and context easily available?
[X]* Tests
[X]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Bug DoR:
[X]* Steps to reproduce, expected, and actual results filled
[X]* Affected version filled
Release notes required:
Yes
Date of First Response:
Epic Link: UI framework implementation
Sprint: UI FW 33, UI FW 34
Story Points: 5

 Description   

Steps to reproduce

  1.  create roles allowing only superuser to create "Travel Home" pages:
  2.  Login with any "non-superuser" user
  3. Open Pages app
  4. (Notice that you cannot create a page of type "Travel Home", which is expected)
  5. Select an existing page of type "Travel Home" and select action "Move Page"
  6. Note that you are allowed to move the page literally everywhere

Expected results

Expectation is that "non-superuser" user is not allowed to move a page with the template that only superuser is allowed to create.

Actual results

"non-superuser" can move page of type "Travel Home".

Additional Input

Note that this is a regression from Magnolia 5.7.x as it worked there. This bug is reproducible on "Plain Magnolia" (e.g. https://demoauthor.magnolia-cms.com/ ).

The issue seems to be that info.magnolia.module.site.templates.ConfiguredSiteTemplateAvailability#isAvailable is not called when doing "Move Page" while it was called in Magnolia 5.7.x.

I set Prioriy to Major as this bug is security related.

Workaround

Legacy app works as expected, it can be used instead of the new app.

Development notes



 Comments   
Comment by Roman Kovařík [ 13/Aug/21 ]

For release notes:

The move page dialog actions now respect template availability constraints.

Generated at Mon Feb 12 06:19:00 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.