
"Authorization has been denied for this request." for all other user groups than 'Administrators' #10005

Closed
aso-pentia opened this issue Mar 18, 2021 · 9 comments

Comments

@aso-pentia

User assigned to groups: 'Editors', 'Sensitive data', 'Translators', 'Writers' logged out upon navigating to root node.
Upon subsequent logins, user is logged in and then immediately logged out.

Umbraco version

I am seeing this issue on Umbraco version: 8.12.1

Reproduction

  1. Open browser developer tools and go to 'Network' tab
  2. Log in from /umbraco with a user assigned to groups: 'Editors', 'Sensitive data', 'Translators', 'Writers'
  3. In 'Content' section, navigate to root node. User is logged out
  4. Try logging in again
  5. Review entries under 'Network' tab in developer tools. You will see an entry with status 401 for request GET: /umbraco/backoffice/UmbracoApi/ContentType/GetAll

Below screenshots are from my own encounter with the issue: [screenshots not reproduced here]

User does not appear to have any failed login attempts: [screenshot not reproduced here]

I've tried removing the root node and creating a new one. Same result.

Bug summary

User authorization not as expected. Don't know what could be the cause.

Specifics

URL where this bug occurs: Local developer environment -> https://localhost:44314/
Umbraco version: 8.12.1
Browser: Google Chrome - Version 89.0.4389.90 (Official Build) (64-bit)
Checked in other browser: Firefox Developer Edition - Version 87.0b9 (64-bit)

Checked log viewer, but for the particular user it looks like login succeeded: [screenshot not reproduced here]

There's an error message in the log viewer but it seems to be associated with the login of the user from the Administrators group that I used to go to the log viewer: [screenshot not reproduced here]

System.Web.Mvc.HttpAntiForgeryException (0x80004005): The provided anti-forgery token was meant for a different claims-based user than the current user.
   at System.Web.Helpers.AntiXsrf.TokenValidator.ValidateTokens(HttpContextBase httpContext, IIdentity identity, AntiForgeryToken sessionToken, AntiForgeryToken fieldToken)
   at System.Web.Helpers.AntiXsrf.AntiForgeryWorker.Validate(HttpContextBase httpContext, String cookieToken, String formToken)
   at System.Web.Helpers.AntiForgery.Validate(String cookieToken, String formToken)
   at Umbraco.Web.WebApi.Filters.AngularAntiForgeryHelper.ValidateTokens(String cookieToken, String headerToken) in D:\a\1\s\src\Umbraco.Web\WebApi\Filters\AngularAntiForgeryHelper.cs:line 58

Expected result

I expected for the user assigned to the specified groups to be able to log in as well as (as a minimum) be able to navigate to any node in the Content tree.

Actual result

The user is practically unable to access Umbraco backoffice.

@nul800sebastiaan
Member

Could it be that you recently upgraded from a version before 8.7 or lower to version 8.12.1? If so, is there a User Picker on the content item that is causing a logout for your users?

We've just fixed a bug with the user picker that was causing these symptoms, and we'll have a new release out by Tuesday to solve the problem: #9983

Could that be it?

@nul800sebastiaan nul800sebastiaan added the state/needs-more-info We don't have enough information to give a good reply label Mar 18, 2021
@aso-pentia
Author

No, this was on a newly installed version 8.12.1.
There's no User Picker on the item that is causing the logout.

@nul800sebastiaan
Member

@aso-pentia alright, very strange, could you open up the dev tools in your browser on the network panel and see which request is causing a logout to occur please?

@nul800sebastiaan
Member

Oh sorry, I didn't see in your screenshots above it's ContentTypeController.GetAll.. hmm.. we'll have a look.

@nul800sebastiaan
Member

Hmmm, nothing has changed here that I can see, do you have any dashboards installed in the content section @aso-pentia?
The only thing that DID happen was a breaking change to remove one of the options of creating doctypes, but I fail to see how that would lead to an error on GetAll.

@nul800sebastiaan
Member

I really need to read better, you navigate to a content node where you get logged out. Any Content Apps installed? What datatypes does this content node use?

@aso-pentia
Author

Thanks for taking the time @nul800sebastiaan.
No Content Apps installed.
Data types:

  • Umbraco.NestedContent
  • Umbraco.MediaPicker
  • Umbraco.MultiUrlPicker
  • Umbraco.TextBox
  • Umbraco.TextArea
  • Umbraco.Integer
  • Umbraco.TinyMCE
  • Umbraco.DropDown.Flexible
  • Umbraco.TrueFalse

@nul800sebastiaan
Member

@aso-pentia I'm afraid you're going to have to dig in further yourself, I haven't seen any other reports of this and I suspect this might just be an upgrade problem or something (have you updated your ClientDependency version and cleared browser cache?).

[video attachment: 10005.mp4]

I'm going to close this for now but if there's any additional steps to reproduce we can reopen it of course. Might be good to get some help on the forum as well if you checked the upgrade is definitely complete.

@umbrabot umbrabot removed the state/needs-more-info We don't have enough information to give a good reply label Mar 25, 2021
@mikefitz888

Just in case this should help anyone in the future, I started seeing this issue too. I would try to view a content node as an Editor, in the network logs I could see a request to /umbraco/backoffice/UmbracoApi/ContentType/GetAll resulting in a 401 and I would be kicked out of the back-office.

It turned out I had a custom content app on this content node, that used an angular controller with a contentTypeResource and it was calling contentTypeResource.getAll() which led to this issue. Restricting this content app to admin only works around the issue for me. Also, in hindsight I don't need to be using contentTypeResource in the first place - I would look to replace that if Editors needed to use this content app.

(I realise the author mentions no Content Apps were installed, and in my case there were, but this was the only related issue I could find so hopefully this helps anyone else who stumbles upon this issue)
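To make the mechanism in the comment above concrete, here is an added example (not code from the issue, from mikefitz888 or from Umbraco) of an Umbraco 8 style content-app controller written as a plain function that takes the services Angular would inject, with constructed stand-ins for those services. It assumes that userService.getCurrentUser() resolves to an object carrying an allowedSections array and that ContentType/GetAll answers 401 for a user who cannot see the Settings section, which is consistent with the Editor's 401 reported in this thread.

```javascript
// Added example, not code from the issue or from Umbraco: an Umbraco 8 style
// content-app controller as a plain function taking the services Angular
// would inject. Assumptions: userService.getCurrentUser() resolves to an
// object with an allowedSections array, and ContentType/GetAll returns 401
// for a user without the Settings section (matching the Editor's 401 above).

// Pattern from the comment: fetch every document type unconditionally.
// For an Editor the call returns 401 and the backoffice ends the session.
function unguardedController($scope, contentTypeResource) {
  return contentTypeResource.getAll().then(function (types) {
    $scope.contentTypes = types;
    return types;
  });
}

// Document types live under Settings, so only a user with that section
// can expect GetAll to succeed.
function canLoadContentTypes(user) {
  return Array.isArray(user.allowedSections) &&
    user.allowedSections.indexOf("settings") !== -1;
}

// Guarded version: look at the current user first and skip the request
// instead of provoking the 401 that logs the user out.
function guardedController($scope, userService, contentTypeResource) {
  return userService.getCurrentUser().then(function (user) {
    if (!canLoadContentTypes(user)) {
      $scope.contentTypes = [];
      $scope.skipped = true;
      return [];
    }
    return unguardedController($scope, contentTypeResource);
  });
}

// Constructed stand-ins for both services that mimic the reported behaviour.
function makeMocks(allowedSections) {
  var calls = [];
  var userService = { getCurrentUser: function () {
    return Promise.resolve({ allowedSections: allowedSections });
  } };
  var contentTypeResource = { getAll: function () {
    calls.push("GET /umbraco/backoffice/UmbracoApi/ContentType/GetAll");
    return allowedSections.indexOf("settings") === -1
      ? Promise.reject({ status: 401 })
      : Promise.resolve([{ alias: "homePage" }]);
  } };
  return { calls: calls, userService: userService,
    contentTypeResource: contentTypeResource };
}
```

Restricting the app itself to administrators, as the comment did, avoids the call altogether; the guard above keeps the app visible to Editors while still never issuing the request that triggers the logout.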
