U4-3119 - Non-Admin Users Cannot Create or Edit Users regardless of permission settings - 6.1.6

Created by Paul Sterling 11 Oct 2013, 20:09:53 Updated by Shannon Deminick 13 Oct 2013, 23:49:40

Any user not of type Admin is denied access to create/view/edit others users in 6.1.6. This was available to non-admin users who were granted User section access prior to 6.1.6.

The trace log contains this entry:

2013-10-11 13:02:16,516 [7] ERROR Umbraco.Core.UmbracoApplicationBase - [Thread 12] An unhandled exception occurred System.Web.HttpUnhandledException (0x80004005): Exception of type 'System.Web.HttpUnhandledException' was thrown. ---> umbraco.businesslogic.Exceptions.UserAuthorizationException: Access denied at umbraco.cms.presentation.user.EditUser.Page_Load(Object sender, EventArgs e) at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e) at System.Web.UI.Control.OnLoad(EventArgs e) at umbraco.BasePages.BasePage.OnLoad(EventArgs e) at System.Web.UI.Control.LoadRecursive() at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) at System.Web.UI.Page.HandleError(Exception e) at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) at System.Web.UI.Page.ProcessRequest() at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context) at System.Web.UI.Page.ProcessRequest(HttpContext context) at ASP.umbraco_users_edituser_aspx.ProcessRequest(HttpContext context) at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)


Shannon Deminick 13 Oct 2013, 23:49:28

Unfortunately this was a problem of a merge + cherry pick gone wrong.

We fixed the EditUser page to ensure the underlying app authentication was being triggered in: c9aac96c1a22d7d701e78798ff9239cadd48a932

  • this changeset also included the additional security of only admin user's being able to edit - which was incorrect. So this was fixed in : 56f1062db8cfb1c96f6d5d15a5090c958e076f3b

But then it looks like the initial revision was cherry picked into the 6.1.6 release in: 830fde372e06a4547626b24fe7848f479eb9d93d

  • which of course voided the 2nd changeset above

This latest revision was then merged upwards to 6.2 and again voided the 2nd revision above.

So now that is re-fixed in 72ea43758dc3972329799218729e52d5e9447194

Priority: Normal

Type: Bug

State: Fixed


Difficulty: Normal


Backwards Compatible: True

Fix Submitted:

Affected versions: 6.1.6

Due in version: 6.2.0


Story Points: