U4-6622 - Umbraco 7 upgrade authorization

Created by Gavin Faux 14 May 2015, 11:17:08 Updated by Shannon Deminick 26 Jun 2017, 07:11:21

I have a site that is being upgraded from 7.2.2 to 7.2.5 and in our staging environment we are not being prompted to authorize the upgrade, other than seeing the 'Continue' prompt the process then happens automatically and leave the browser automatically logged into /umbraco as the default admin user (id 0).

I'd expect to be prompted for credentials before running the upgrade and being authenticated in back office. We've tried clearing browser cache, server caches and browser incognito mode but in all cases it appears to magically log us in without being prompted.

We've captured sessions with Fiddler, after the UmbracoVersion step completes the next call to POST /install/api/PostPerformInstall comes back with an authentication cookie; I can't figure out how this is happening without us having logged in first.


Gavin Faux 14 May 2015, 11:21:42

Note: we have run this process multiple times by just setting the umbracoConfigurationStatus to an empty string and browsing to site home page - not sure if this is affecting upgrade behaviour?

Gavin Faux 14 May 2015, 14:43:22

Okay if umbracoConfigurationStatus is a version below currently installed then we have to authorise via /umbraco/AuthorizeUpgrade, but if empty then upgrade is performed without authentication. Has this always been the case?

Sebastiaan Janssen 20 May 2015, 16:32:59

Yes, empty version means Umbraco isn't installed yet, then on the next request we see there IS a database and try to guess the version and upgrade. Not ideal but we do in the upgrade instructions mention to not clear the version number. https://our.umbraco.org/documentation/Installation/Upgrading/general#Mergeconfigurationfiles

Shannon Deminick 26 Jun 2017, 07:11:22

Closing issue due to inactivity - see blog post for details https://umbraco.com/blog/issue-tracker-cleanup/

Priority: Minor

Type: Bug

State: Closed


Difficulty: Normal

Category: Security

Backwards Compatible: True

Fix Submitted:

Affected versions: 7.2.2, 7.2.5

Due in version:


Story Points: