U4-2759 - Using MemberAuthorize AllowedGroup never denies

Created by Andy Butland 31 Aug 2013, 15:51:07 Updated by Sebastiaan Janssen 01 Sep 2013, 15:25:10

See discussion here: http://our.umbraco.org/forum/developers/api-questions/44446-Using-MemberAuthorize-AllowedGroup-never-denies


Andy Butland 31 Aug 2013, 15:55:35

Looks to be a typo causing this on line 75 of Umbraco.Web\Security\WebSecurity.cs

allowAction = groups.Select(s => s.ToLowerInvariant()).Intersect(groups.Select(myGroup => myGroup.ToLowerInvariant())).Any();

This will always be true as it's checking itself. Instead I believe it should be:

allowAction = allowGroupsList.Select(s => s.ToLowerInvariant()).Intersect(groups.Select(myGroup => myGroup.ToLowerInvariant())).Any();

Andy Butland 31 Aug 2013, 21:57:57

Have submitted a pull request for this: https://github.com/umbraco/Umbraco-CMS/pull/124

Sebastiaan Janssen 01 Sep 2013, 12:23:30

Thanks Andy!

Fixed in rev 6e6ac8a4d5641efc095deaa8653285623fb226cd

Priority: Normal

Type: Bug

State: Fixed


Difficulty: Normal


Backwards Compatible: True

Fix Submitted: Pull request

Affected versions:

Due in version: 6.1.5


Story Points: