Error when accessing Members section without Settings section: membertype/GetAllTypes #11258

Closed
LennardF1989 opened this issue Oct 3, 2021 · 2 comments

LennardF1989 (Contributor) commented Oct 3, 2021

Which exact Umbraco version are you using? For example: 8.13.1 - don't just write v8

9.0.0

Bug summary

If you log in with a User that has no access to the Settings section, but does have access to the Members section, you will get the following error:

Authorization error: Unauthorized access to URL:
/umbraco/backoffice/umbracoapi/membertype/GetAllTypes
Contact your administrator for information.

Specifics

No response

Steps to reproduce

  1. Create a user group with access to Members, but not to Settings.
  2. Create a user with the created user group.
  3. Log in as the user.
  4. Go to the Members section, the error will show immediately.

Expected result / actual result

No error is shown and/or the API should not be authorized for the Settings section permission only.


This item has been added to our backlog AB#14271

@nul800sebastiaan (Member)

Interesting, I tried this in v8, but it seems to be only a v9 problem.

I can reproduce in v9:

image

nul800sebastiaan added the state/sprint-candidate and status/regression labels Oct 4, 2021
bergmania added a commit that referenced this issue Oct 4, 2021
Moved endpoint and obsoleted the old one to avoid breaking changes..
The issue is the auth policies cannot be overridden.. You need all of them, and the controller requires you to have access to member types

@bergmania (Member)

PR: #11264

nul800sebastiaan added the project/v9 label and removed the state/sprint-candidate label Oct 6, 2021
bergmania added a commit that referenced this issue Oct 6, 2021
…requirements (#11264)

* Fixed #11258

Moved endpoint and obsoleted the old one to avoid breaking changes..
The issue is the auth policies cannot be overridden.. You need all of them, and the controller requires you to have access to member types

* Update src/Umbraco.Web.BackOffice/Controllers/MemberTypeQueryController.cs

Co-authored-by: Nikolaj Geisle <[email protected]>

Co-authored-by: Nikolaj Geisle <[email protected]>
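
The commit message's point that authorization policies add up rather than override each other, shown with ASP.NET Core's own policy combiner. This is an added example, not code from Umbraco or from the PR; the policy names, the claim type and the claim values are hypothetical.

```csharp
// Added illustration. Policy names and claims are hypothetical, not Umbraco's.
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

var services = new ServiceCollection();
services.AddLogging();
services.AddAuthorizationCore(o =>
{
    // Stand-in for "access to member types", which lives under Settings.
    o.AddPolicy("MemberTypesTree", p => p.RequireClaim("section", "settings"));
    // Stand-in for "access to the Members section".
    o.AddPolicy("MembersSection", p => p.RequireClaim("section", "member"));
});
using var sp = services.BuildServiceProvider();
var provider = sp.GetRequiredService<IAuthorizationPolicyProvider>();
var authz = sp.GetRequiredService<IAuthorizationService>();

// Constructed user: Members section only, as in the reproduction steps.
var user = new ClaimsPrincipal(new ClaimsIdentity(
    new[] { new Claim("section", "member") }, "Constructed"));

// Old layout: a controller-level policy plus an action-level one meant to relax it.
IAuthorizeData[] oldEndpoint =
{
    new AuthorizeAttribute("MemberTypesTree"), // on the controller class
    new AuthorizeAttribute("MembersSection"),  // on the action
};
// Fixed layout: the action sits on a controller that carries only the Members policy.
IAuthorizeData[] movedEndpoint = { new AuthorizeAttribute("MembersSection") };

Console.WriteLine($"old endpoint allowed:   {await IsAllowed(oldEndpoint)}");
Console.WriteLine($"moved endpoint allowed: {await IsAllowed(movedEndpoint)}");

async Task<bool> IsAllowed(IAuthorizeData[] attributes)
{
    // The authorization middleware merges every [Authorize] on an endpoint with
    // CombineAsync; the merged policy holds the requirements of all of them (AND).
    var policy = await AuthorizationPolicy.CombineAsync(provider, attributes);
    return (await authz.AuthorizeAsync(user, policy!)).Succeeded;
}
```

An action-level `[Authorize]` can only add requirements to what the controller already demands, which is why the fix moves the endpoint instead of re-annotating it.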