U4-11020 - Deleting a member group that is part of a Public Access feature, from the system, does not also remove the corresponding rows from the umbracoAccessRule table.

Created by George 27 Feb 2018, 15:32:20 Updated by Robert Copilau 21 Mar 2018, 12:47:23

Deleting a member group that is part of a Public Access feature, from the system, does not also remove the corresponding rows from the umbracoAccessRule table.

As a side effect, if a new member group is created having the same name as the deleted one, it will be automatically included in the "Member of group(s)" list of the Public Access feature.

Steps to reproduce:

  1. In the Members section under Member Groups, create a new Member Group named "Test Member Group".
  2. In the Content section, select an existing content item that is not protected (e.g. "Home"), and then select Public Access. 2.1. In the Public Access panel, select the "Role based protection" option. 2.2. Locate the "Test Member Group" in the "Not a member of group(s)" list and move it to the "Member of group(s)" list. 2.3. Select the Login Page, the Error Page and then click Update.
  3. After the Public Access setup is completed, run the following sql statement against the database: SELECT * FROM umbracoAccessRule WHERE ruleValue = 'Test Member Group' which will (correctly) return a single row.
  4. In the Members section, under Member Groups, locate the "Test Member Group" and delete it.
  5. In the Content section, locate the "Home" content item and then select Public Access. 5.1. In the Public Access panel the "Member of group(s)" list is empty.
  6. Run the same sql statement against the database: SELECT * FROM umbracoAccessRule WHERE ruleValue = 'Test Member Group' which will (falsely) return the same row as above.

The expected behavior would be that the above sql statement did not return any rows.

In order to verify the side effects (after the above steps): 1.In the Members section under Member Groups, create (once more) the "Test Member Group". 2 In the Content section, locate the "Home" content item and then select Public Access. 2.1. In the Public Access panel, the "Member of group(s)" list displays the "Test Member Group" even thought it was previously deleted from the system and not re-selected by a user's action.

The above was tested with Umbraco v7.8.1.

Comments

Sebastiaan Janssen 20 Mar 2018, 14:02:54

PR: https://github.com/umbraco/Umbraco-CMS/pull/2525

Testing notes are the same as above, when testing out the fix follow the same steps and make sure the member group is not assigned in Public Access.


Sebastiaan Janssen 21 Mar 2018, 12:25:26

@robertcopilau Cool! I didn't want to change anything in legacy code, but why not. Left you one comment to fix and then you can merge!


Robert Copilau 21 Mar 2018, 12:47:19

Done and done!


Priority: Normal

Type: Bug

State: Fixed

Assignee:

Difficulty: Normal

Category:

Backwards Compatible: True

Fix Submitted:

Affected versions: 7.8.1

Due in version: 7.9.3

Sprint: Sprint 81

Story Points: 1

Cycle: 9