U4-2161 - Permission inheritance is failing

Created by Mikko Vartiainen 26 Apr 2013, 08:51:08 Updated by Mirko Vukusic 11 Feb 2014, 15:20:38

Is duplicated by: U4-2406

Relates to: U4-4213

I'm running a 6.0.3 site and I am having some trouble with permission inheritance.

The default permission for the user type Writer does not permit Publish. We do however have a Node where we want specific users with the Writer permissions to be able to create child nodes and publish these.

In order to make that happen I have under 'Users > User Permissions > Some Specific User > Node in question' added Publish, and also selected to Replace child node permissions. That works fine for the actual Node and any existing child nodes, but as soon as a new child node is created the specific users who should have Publish permission are missing it for that new node.


Doug 20 May 2013, 23:31:01

This is a major issue for my situation. I am building an intranet using Umbraco. I limit the content menu for a department admins. However, after they add a new sub page to their department, they have the full context menu including things like "manage hostnames" which I never want them to see.

Mikko Vartiainen 21 May 2013, 12:42:21

We're still having this issue on 6.0.5.

Jason Provence 10 Jun 2013, 18:39:37

Also on 6.0.5. I made a custom type that starts with no permissions and we assign nodes individually. Even if a person has all the rights to a node, once they create a child node they aren't even allowed to view it.

Francisco Oliveira 10 Jun 2013, 20:50:00

I have exactly the same issue of Jason! I had a look on Umbraco source and while the v4 replicate the permissions from the parent, the v6 doesn't.

Extracted from Umbraco source:

        // NH 4.7.1 duplicate permissions because of refactor
        if (node.Parent == null) return;

        IEnumerable<Permission> permissions = Permission.GetNodePermissions(node.Parent);
        foreach (Permission p in permissions)
            Permission.MakeNew(User.GetUser(p.UserId), node, p.PermissionId);

Andrew 20 Jun 2013, 18:37:38

close to what I just reported.. http://issues.umbraco.org/issue/U4-2411

Thought I only had this issue on this install, not on any of the other installs.

Martin Griffiths 02 Jul 2013, 09:18:12

Is anyone working on this? It's a critical error!

Shannon Deminick 09 Jul 2013, 01:48:47

Fixed in 868edee5e647f6210e0a2507e615a93a2671f251

Shannon Deminick 09 Jul 2013, 01:50:46

The problem was due to the new Content Service API's not taking into account the permissions structures for nodes. This has now been implemented at the underlying repository level.

Now, all new content created will have it's parent permissions applied to it (if any exist). The same goes for any copied content, if you copy content, the copied item will have it's parent permissions applied to it (if any exist).

Martin Griffiths 09 Jul 2013, 08:25:25

Awesome Shannon, many thanks

Mikko Vartiainen 09 Jul 2013, 08:46:03

Great work!

Promoscience 26 Jul 2013, 09:04:35

I have the same problem with the 6.1.2. When will the fix be released?

Sebastiaan Janssen 26 Jul 2013, 09:07:46

6.1.3 was released yesterday. http://umbraco.com/follow-us/blog-archive/2013/7/25/umbraco-613-released.aspx

Promoscience 26 Jul 2013, 09:16:34

Sorry, I didn't see the U4-2161 in the bug fixes. Thanks.

Dan Bramall 29 Nov 2013, 11:08:33

Not 100% sure this is the same thing, but I don't think 'replace child node permissions' is working in 6.1.6. I've created a user which has no permissions to do anything, to test this. I've removed all permission on the home node, with 'replace child node permissions' checked. It works - when they log in they can't do anything with the home node, but then they seem to have full permission to view/edit the rest of the website. The only way to prevent this is to set the permissions on every single page manually, but this isn't a practical option since new child pages are being created all the time.

This seems like a pretty significant thing.

Can anyone verify this behaviour?

Dan Bramall 29 Nov 2013, 11:32:30

Also, shouldn't permission choices be saved? So when you re-visit the user permissions page the green ticks should appear where you set them? Currently nothing is checked when you re-visit.

Sebastiaan Janssen 02 Dec 2013, 16:54:06

@Dan I'm not sure this is the same issue either, could you please open a new issue for this and set affected version to 6.1.6? Thanks!

Dan Bramall 02 Dec 2013, 16:57:34

I think it actually might have been caching. I just need to find some time to try to get to the bottom of it - at least to check that I can replicate it reliably - at which point I'll raise a new issue. Thanks Seb.

Sebastiaan Janssen 02 Dec 2013, 17:19:15

@Dan Ouch, always so difficult to find those pesky hard to reproduce issues. :)

Mirko Vukusic 11 Feb 2014, 15:20:38

@Dan/@Sebastian... I also have issues with 6.1.6 similar do Dan's, but managed to reproduce it. Problem is when I want to clear all permissions. In that case descendats are not updated. I created another issue for this (http://issues.umbraco.org/issue/U4-4213) but thought it would be good to put link here to relate it with Dan's issue he posted.

Priority: Critical

Type: Bug

State: Fixed

Assignee: Shannon Deminick

Difficulty: Normal

Category: Security

Backwards Compatible: True

Fix Submitted:

Affected versions: 6.1.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.1.2

Due in version: 6.1.3


Story Points: