U4-6314 - 'Preview'-button gives 'Unauthorized acces to URL:' in error-message.

I can't reproduce that. On which version of Umbraco is this?

Do you have more elaborate errors in your log files?

Hi, i did a simple test to reproduce it myself. I had a clean umbraco-installation, version 7.2.1. After installation i did the following:

• make a simple startpage

• create a testuser 'testuser 1'. (usertype 'Writer')

• removed all the permissions for the usertype 'Writer', except the 'Browse Node'.

• with another browser i log on with this 'testuser 1'

• and i browse to the startpage

• now when i hit the previewbutton, the preview starts in another window.

• but in the original window i get the errormessage 'unauthorized' (see screenshot)

My logfile (/UmbracoTraceLog.txt) has no records of this event.

I hope you can look into it again.

Yeah, that's to be expected. If you don't give people the permission to save nodes then they can't preview nodes either (as it requires a save before being able to preview any changed content). I think they'd need at least "Send to publish" permissions to be able to preview the content. Unfortunately our permission system isn't super granular at the moment so it's a bit hard to decipher what's going on here.

I tried the 'send to publish'. But that's not enough. Only when i give 'Update'-rights the user can preview the page.

I ask all this because i have the situation that i have content-editors who only can edit child-nodes with a certain document-type. They are not allowed to change the main parent-node. But they can browse to this parent-node. I cannot hide the 'preview'-button, so i'm sure there will be content-editors who will hit this button. By doing this they will get the error-message. I can't explain that to all of them!

So, i understand from your answer that it's not possible to change the preview-behaviour. But is it possible to hide the previewbutton?

Hi again, could you tell me how to hide the preview-button in case a user has no save-rights?

I think it is really not ok to present the users with an unneccesary error-message!

So please look into this again. I don't mind if i have to tweak something in my code to get this working. As long as i can prevent this error-message.

thanks.

Hi Sebastiaan

I've just come across this issue too on 7.2.1. In my case it's on a page with more properties, including a related links field with lots of links, and the error message fills the entire screen with red - it would look quite alarming to a user!

The use case for this is that we have editors who are preparing pages in Umbraco for customers, and they want to be able to send the customers a link to review their content before it goes live. An account with permissions to view unpublished content but not update it seemed like the perfect solution, until this bug became apparent.

Hi Rick, i have a work-around. It require some coding.

I have set up a new user-type: 'Previewer' with permissions to 'browse node' and to 'save'. Someone with this permissions can preview a page.

But he also has the permission to save, which we don't want him/her to do.

To solve this i override the umbraco-event 'ContentService.Saving' with a eventhandler 'ContentService_Saving'. Like this: protected override void ApplicationStarting(UmbracoApplicationBase umbracoApplication, ApplicationContext applicationContext) { ContentService.Saving += ContentService_Saving; } In 'ContentService_Saving' i check for the usertype of the current user. var curIdentity = System.Web.HttpContext.Current.User.Identity; var curUser = Services.UserService.GetByUsername(curIdentity.Name); string userType = curUser.UserType.Alias; If userType is 'Previewer' than i cancel the event. Just add the following to cancel: e.Cancel = true;

So now if the user did make some changes, these changes will not be saved. And if he/she started a 'Preview' the preview will be shown (with the original content).

Hope this will help you.

Kind regards, Arthur

Hi Rick, i have a work-around. It require some coding.

I have set up a new user-type: 'Previewer' with permissions to 'browse node' and to 'save'. Someone with this permissions can preview a page.

But he also has the permission to save, which we don't want him/her to do.

To solve this i override the umbraco-event 'ContentService.Saving' with a eventhandler 'ContentService_Saving'. Like this: protected override void ApplicationStarting(UmbracoApplicationBase umbracoApplication, ApplicationContext applicationContext) { ContentService.Saving += ContentService_Saving; } In 'ContentService_Saving' i check for the usertype of the current user. var curIdentity = System.Web.HttpContext.Current.User.Identity; var curUser = Services.UserService.GetByUsername(curIdentity.Name); string userType = curUser.UserType.Alias; If userType is 'Previewer' than i cancel the event. Just add the following to cancel: e.Cancel = true;

So now if the user did make some changes, these changes will not be saved. And if he/she started a 'Preview' the preview will be shown (with the original content).

Hope this will help you.

Kind regards, Arthur

Thanks @arthur.vanalten, that sounds really useful.

I too have just come across this in a similar way to how @arthur.vanalten describes. Ideally, the preview button would be hidden, or would allow the preview without a save (although I can see why that wouldn't be possible). Perhaps if the user only has browse permissions, the preview button could read "View" and it simply load the live page?

Just an update to note that this is still a problem in 7.4.3. I've just been looking into errors reported by two of our page authors and ended up reproducing this issue again.

Still an issue in Umbraco 7.5.6 In older versions of Umbraco "Browse node" used to also prevent the user viewing it. Should "Browse node" only allow a user to expand it to get to child nodes, rather than click into and get the broken preview button?

Also having this issue in 7.6.3

Retested in 7.12.2 and the preview button now works when the user only has "Browse node" permissions.

I'll close this then as it seems fixed!