Potential security issue with "public access" feature
I am a non-paying user of Umbraco so I do not know how to get specific support but I maintain a conference website for my group based on:
Umbraco version 7.1.6 assembly: 1.0.5350.25714 (upgrading is not an option so close to the conference deadline).
Umbraco Contour version 3.0.21 (might not be relevant)
I have defined two member groups for my front-end. Most members are "participants", some are "admin" (referees and such).
There is one critical page where "admins" can see all abstracts submitted and do stuff with them. This page should not be visible to regular "participants", so I did the following:
1) I have defined "public access" such that only admins can see it.
2) All partial views related to navigation take access settings into account.
I have tested over and over with dummy accounts that all is as intended.
However, this morning I was notified by a participant that he/she could actually see the "Admin"-only page, both in the navigation structure as well as the actual page itself.
At that time, I myself could not reproduce with my dummy front-end account and after a few minutes of emailing back and forth the person claimed the problem "went away" without me even having logged into the backend to check/change things.
I recall having had Umbraco "forget" public access settings immediately after setting them, much like there are sometimes caching issues upon updating pages, but never spontaneously like this.
I am actually quite worried by this.
I could supply URLs and demo accounts to Core team members.
What could be going on?
UPDATE 1:
The user has since been able to send a screenshot confirming that indeed she had access to something she should not.
Could you be missing a check for whether the current member has access for a particular node when you're rendering the code? If you're not checking it then everyone who can login will be able to see the same pages.
Could you be missing a check for whether the current member has access for a particular node when you're rendering the code?
I actually check for those things as mentioned in all my sensitive razor scripts:
Umbraco.MemberHasAccess(page.Id, page.Path)
The problem does not lie there though.
It has happened repeatedly that the node itself, which should have access restrictions, is visible to everyone even though it should not be. Often this problem will pop up to go away again soon after without intervention of my own. As if Umbraco temporarily "forgets" that a certain page has public access settings.
The issue described above popped up again and this time, I have experienced it first hand:
Some of my nodes have role based protection.
When I occasionally restart my site it will happen that pages under protection become accessible to the general public and when they do, they also show as unprotected in the backend tree view while all the time access.config remains unchanged:
Restarting the site somehow magically restores the protected status of the page:
I can provide a full DB and filesystem backup of this site if need be but I think this is quite serious. I need to be able to trust the page protection status...
UPDATE 2:
access.config is correct and appears to have been unchanged for ages:
Could somebody look at this?
Update
I have created an issue
Best regards,
Kris
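The check Kris quotes (Umbraco.MemberHasAccess) and the restart symptom he describes are related: MemberHasAccess consults the public-access entries, so when Umbraco has temporarily "forgotten" that a node is protected, the call returns true for every visitor and a navigation filter built only on it passes too. The template below is an added example, not code from the thread or from Umbraco; it keeps the thread's check but adds a fail-closed group test that does not depend on access.config. It assumes the member group is literally named "admin" (as in the thread), that the admin page's document type alias is "abstractsAdmin" (hypothetical), that the view inherits UmbracoTemplatePage so Umbraco and Members are in scope, and that Umbraco 7's MembershipHelper.IsMemberAuthorized is available in 7.1.6.

```csharp
@inherits Umbraco.Web.Mvc.UmbracoTemplatePage
@using Umbraco.Core.Models
@* Added example, not from the thread. Assumes member group "admin" and the
   hypothetical document type alias "abstractsAdmin" for the protected page. *@
@functions {
    // Fail-closed visibility test, used for both navigation and the page body.
    // Umbraco.MemberHasAccess reads the public-access entries: if the node has
    // no entry (the "forgotten protection" symptom), it counts as public and
    // the call returns true for everyone, so it cannot be the only test.
    bool CanSee(IPublishedContent node, string[] requiredGroups)
    {
        var publicAccessOk = Umbraco.MemberHasAccess(node.Id, node.Path);
        // Defence in depth: require the group directly, independent of
        // access.config and its cache. Assumes MembershipHelper.IsMemberAuthorized
        // (Umbraco 7) is available; an anonymous visitor is never authorized.
        var groupOk = requiredGroups.Length == 0
                      || Members.IsMemberAuthorized(allowGroups: requiredGroups);
        return publicAccessOk && groupOk;
    }

    // Which groups a node requires; only the admin page needs one here.
    string[] GroupsFor(IPublishedContent node)
    {
        return node.DocumentTypeAlias == "abstractsAdmin"   // hypothetical alias
            ? new[] { "admin" }
            : new string[0];
    }
}
@{
    Layout = "Master.cshtml";               // assumption: the site's master layout
    var mayView = CanSee(Model.Content, GroupsFor(Model.Content));
    if (!mayView)
    {
        Response.StatusCode = 403;         // deny without leaking the page body
    }
}
@if (!mayView)
{
    <p>You are not allowed to view this page.</p>
}
else
{
    <h1>@Model.Content.Name</h1>
    <ul>
        @* Navigation filtered by the same test, so a stale public-access
           cache does not expose the admin link to participants. *@
        @foreach (var sibling in Model.Content.Parent.Children)
        {
            if (CanSee(sibling, GroupsFor(sibling)))
            {
                <li><a href="@sibling.Url">@sibling.Name</a></li>
            }
        }
    </ul>
}
```

The group test is what actually holds the line when the public-access data goes missing; a 403 together with the restart symptom in the log is also an easy thing to alert on.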
Issue U4-6247 is fixed :)