U4-10389 - Some webforms editors do not authorize on the user's path access or permissions set for the editing node

Created by Shannon Deminick 06 Sep 2017, 01:25:18 Updated by Mads Rasmussen 06 Sep 2017, 13:46:07

Tags: Unscheduled

Subtask of: UAASSCRUM-1073

For example, sort.aspx would allow a user that doesn't have path access to the parent id being sorted to sort the children, and similarly it would allow a user that didn't have the sort permission on the parent id to sort the children.

There are some other webforms editors that need this check too.
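
The two checks the issue describes, modelled in Python as an added example (this is not Umbraco's code): a node's path is the comma-separated id chain from the root, path access means one of the user's start node ids appears in that chain, and the permission check looks for the action's letter in the closest explicitly assigned permission set up the path, falling back to the user's default permissions. The action letters `S` and `I`, the inheritance rule, and the sample tree and users are assumptions made for the illustration. `sort_children_unchecked` mirrors the pre-fix behaviour (trust the supplied parent id and sort); `sort_children` is the checked form.

```python
"""Illustrative model of path-access and permission checks on the parent node.

Constructed example, not Umbraco code. Node paths, start nodes, and
single-letter permissions follow the shape used by the issue but the
sample tree, users and letters below are assumptions.
"""
from dataclasses import dataclass, field

ROOT_ID = -1
SORT = "S"           # assumed: single-letter code for the sort action
ASSIGN_DOMAIN = "I"  # assumed: single-letter code for the assign-domain action


@dataclass
class Node:
    id: int
    path: str                      # e.g. "-1,1052,1060": ids from root to node
    children: list = field(default_factory=list)


@dataclass
class User:
    name: str
    is_admin: bool = False
    start_node_ids: frozenset = frozenset()
    default_permissions: frozenset = frozenset()
    node_permissions: dict = field(default_factory=dict)  # node id -> letters


def path_ids(path):
    return [int(p) for p in path.split(",") if p.strip()]


def has_path_access(user, node):
    """Path access: some start node of the user lies on the node's path.
    A start node of ROOT_ID (-1) therefore grants access everywhere."""
    return bool(set(path_ids(node.path)) & set(user.start_node_ids))


def effective_permissions(user, node):
    """Assumed inheritance: nearest ancestor (or the node itself) with an
    explicit assignment wins; otherwise the user's default permissions."""
    for nid in reversed(path_ids(node.path)):
        if nid in user.node_permissions:
            return user.node_permissions[nid]
    return user.default_permissions


def authorize(user, node, action):
    """Return (allowed, reason). Both checks run against the node acted on,
    i.e. the parent whose children are being sorted / the node getting a domain."""
    if not has_path_access(user, node):
        return False, "path"
    if user.is_admin:
        return True, "admin"
    if action not in effective_permissions(user, node):
        return False, "permission"
    return True, "ok"


def sort_children_unchecked(parent, ordered_ids):
    """Pre-fix behaviour: trusts the supplied parent id and reorders."""
    by_id = {c.id: c for c in parent.children}
    parent.children = [by_id[i] for i in ordered_ids]
    return [c.id for c in parent.children]


def sort_children(user, parent, ordered_ids):
    """Fixed behaviour: authorize on the parent before touching the children."""
    ok, reason = authorize(user, parent, SORT)
    if not ok:
        raise PermissionError(
            f"{user.name} may not sort children of {parent.id}: denied by {reason}")
    if sorted(ordered_ids) != sorted(c.id for c in parent.children):
        raise ValueError("ordered_ids must be exactly the parent's children")
    return sort_children_unchecked(parent, ordered_ids)


def build_sample():
    """Constructed content tree and users for the demonstration."""
    home = Node(1052, "-1,1052")
    about = Node(1060, "-1,1052,1060")
    blog = Node(1070, "-1,1052,1070")
    blog.children = [Node(1071, "-1,1052,1070,1071"), Node(1072, "-1,1052,1070,1072")]
    home.children = [about, blog]
    landing = Node(2000, "-1,2000")
    landing.children = [Node(2001, "-1,2000,2001"), Node(2002, "-1,2000,2002")]
    # editor: start node is Home, may browse/create/sort by default,
    # but under Blog only browse is explicitly assigned
    editor = User("editor", start_node_ids=frozenset({1052}),
                  default_permissions=frozenset("ACS"),
                  node_permissions={1070: frozenset("A")})
    admin = User("admin", is_admin=True, start_node_ids=frozenset({ROOT_ID}))
    return {"home": home, "blog": blog, "landing": landing,
            "editor": editor, "admin": admin}


if __name__ == "__main__":
    s = build_sample()
    for node_key, action in (("home", SORT), ("blog", SORT),
                             ("landing", SORT), ("home", ASSIGN_DOMAIN)):
        print(node_key, action, authorize(s["editor"], s[node_key], action))
```

The point the issue makes is that the check must be evaluated on the parent id supplied to the sort dialog, not only on the children being reordered; in the model above, `sort_children_unchecked` succeeds for `landing` regardless of who calls it, while `sort_children` refuses the editor on path grounds there and on permission grounds under `blog`.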

Comments

Shannon Deminick 06 Sep 2017, 01:50:30

--PR https://github.com/umbraco/Umbraco-CMS/pull/2174-- ... darn, it turns out this needs to be part of the PR for http://issues.umbraco.org/issue/U4-10275 due to other changes I've made there that this uses.

  • Fixed sort and assign domain webform editors to check path and permission
  • Migrated obsolete code from the old Action to the ActionResolver since we'll still need this moving forward
  • Added some helper methods to check permissions that only existed on the old Action class
  • Removed old moveOrCopy.aspx.cs since this serves no purpose and should have been removed during the webforms cleanup

To Test:

  • As an admin, go to the sort and assign domain dialogs on various nodes, right-click the dialog in Chrome and choose "View frame source", which will open a new tab; then remove the prefix 'view-source:' and load the frame full screen. Do this for a few different nodes so you have a few tabs open
  • Then create a user/group combination that would restrict the user from being able to perform these actions above on those nodes based on 1) their path and 2) their permissions
  • Log in with this user
  • Refresh your opened tabs and ensure that the authorization code works - you'll get YSODs when there is no access by either path or permission


Mads Rasmussen 06 Sep 2017, 13:46:00

It works like a charm!


Priority: Normal

Type: Bug

State: Fixed

Assignee:

Difficulty: Normal

Category: Security

Backwards Compatible: True

Fix Submitted:

Affected versions:

Due in version: 7.7.0

Sprint: Sprint 67

Story Points: 1

Cycle: