U4-9255 - Not having access to settings section causes backoffice user to be logged out when browsing media list views

Created by Claus Jensen 07 Dec 2016, 11:56:24 Updated by Claus Jensen 08 Dec 2016, 08:10:12

Tags: Unscheduled

Due to the fact that we need to call GetById on the MediaType controller when using a listview in the media section, this action needs to be accessible even though you only have access to the Media section in backoffice. This action was only allowed to be called if you had access to the Settings section due to the controller action being limited to this section.

This fix allows anyone with access to the media section to also call the GetById action on the MediaType controller.

Comments

Claus Jensen 07 Dec 2016, 11:57:48

PR: https://github.com/umbraco/Umbraco-CMS/pull/1645


Shannon Deminick 07 Dec 2016, 12:00:26

What is calling this endpoint from the media section?


Claus Jensen 07 Dec 2016, 12:01:54

Test note:

  • Have a user in backoffice with access to content/media/settings
  • Go to the media section and confirm you are not logged out of backoffice
  • Remove access to settings section for this user
  • Go to the media section again and confirm you are still not logged out of backoffice


Claus Jensen 07 Dec 2016, 12:03:59

@Shandem the ListViewLayoutController stuff: line 40ish:

if ($scope.entityType === 'media') {
    mediaTypeHelper.getAllowedImagetypes(vm.nodeId).then(function (types) {
        vm.acceptedMediatypes = types;
    });
}

It's needed for the "pick which media type you want when you are uploading a file" functionality added in 7.5.5.


Claus Jensen 07 Dec 2016, 12:05:51

So - actually the call failing is within the code called by that:

var allowedQ = types.map(function (type) {
    return mediaTypeResource.getById(type.id);
});

the getAllowedTypes (calling GetAllowedChildren) is already allowed to be called from media section.


Stephan 07 Dec 2016, 12:06:00

Test report: created a user having only access to content & media. Without the PR, going to media logs me off. With the PR, going to media works. So PR is OK and merging now.


Stephan 07 Dec 2016, 12:07:24

Have merged the PR, leaving the issue open + re-assigning to @claus in case the discussion with @Shandem needs to go on.


Shannon Deminick 07 Dec 2016, 12:09:36

Ok, generally anything apart from very specific things should use the EntityController/entityResource, could that be used instead of:

var allowedQ = types.map(function (type) {
    return mediaTypeResource.getById(type.id);
});


Claus Jensen 07 Dec 2016, 12:44:42

Getting the mediaType via the entityResource doesn't get it with all the properties and groups we need to determine if the "upload-dropzone" should be shown, so unless I'm missing something I don't think we can do it with the "basic entity" that comes from the entityResource services.


Priority: Normal

Type: Bug

State: Fixed

Assignee:

Difficulty: Normal

Category:

Backwards Compatible: True

Fix Submitted:

Affected versions: 7.5.5

Due in version: 7.5.6

Sprint: Sprint 48

Story Points:

Cycle: