
  • Q-ten 16 posts 116 karma points
    Jan 25, 2018 @ 09:20
    Q-ten
    0

    Disabling backoffice section disables API access to users.

    Hi,

    I've created a couple of new sections for my users. These sections make API calls to the REST APIs including members, getting a specific document type and some media management.

    I don't want my users to have access to the Settings, Media, or Members sections. They can break things in there.

    However, my users get booted out of the backoffice if they try to do something that calls an API that is linked to the sections I've disabled. For example, if my section tries to access a document type, I have to enable the Settings section for my user to get it to work. If I try to access a media item via an API call, I have to enable the entire Media section.

    It doesn't quite seem right that the section access is tied so strongly to the API access. Is there a way around this?

    Cheers, Q

  • Q-ten 16 posts 116 karma points
    Jan 26, 2018 @ 10:59
    Q-ten
    0

    I can be a bit more specific. The following call is made from my custom section and requires my user to have been given access to the Settings section for it to work:

    http://localhost:1244/umbraco/backoffice/UmbracoApi/ContentType/GetById?id=1391
    

    I guess my question is how can I avoid having to give my user access to the Settings section?

  • Q-ten 16 posts 116 karma points
    Jan 26, 2018 @ 13:20
    Q-ten
    0

    Ugh.

    So after digging through the Umbraco source code for hours I've found that this call (in my previous post) gets handled by the Umbraco.Web.Editors.ContentTypeController.

    All of the API controllers under umbraco/backoffice/UmbracoApi are dealt with by various Umbraco.Web.Editors controllers.

    All of these controllers have Authorization defined via class attributes like the UmbracoTreeAuthorize attribute or the UmbracoApplicationAuthorize attribute. (Application here means section, like the Content section.)

    /// <summary>
    /// An API controller used for dealing with content types
    /// </summary>
    [PluginController("UmbracoApi")]
    [UmbracoTreeAuthorize(Constants.Trees.DocumentTypes)]
    [EnableOverrideAuthorization]
    public class ContentTypeController : ContentTypeControllerBase
    {
        ...
    }
    

    Some of the methods have additional permissions via similar attributes at the method level to allow access from some of the other standard sections or trees.

    Having made my own custom sections and trees, I'd like to also add permission to certain functions. But I can't because it's all compiled up.

    Does anyone know a way around this? Is there a filter I can add in to override permissions or something?

    As it stands, it looks like I'll have to rewrite the Umbraco REST APIs to give my users access.
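
A least-privilege alternative to granting the Settings section, as an added example that is not part of the original posts and is not Umbraco's own code: a small backoffice controller authorized by the custom section alone, returning a read-only projection of an allow-listed set of document types. It assumes Umbraco 7; the namespace, the area name `MySection`, the section alias `mySection` and the document type aliases are hypothetical.

```csharp
using System.Linq;
using System.Net;
using System.Web.Http;
using Umbraco.Web.Editors;
using Umbraco.Web.Mvc;
using Umbraco.Web.WebApi.Filters;

namespace MySite.Backoffice // hypothetical namespace
{
    // Reached at /umbraco/backoffice/MySection/ContentTypeInfo/GetById?id=...
    // The base class requires an authenticated backoffice user; the attribute
    // below additionally requires access to the custom section only.
    [PluginController("MySection")]             // hypothetical area name
    [UmbracoApplicationAuthorize("mySection")]  // hypothetical custom section alias
    public class ContentTypeInfoController : UmbracoAuthorizedJsonController
    {
        // Only these document types are readable here (constructed aliases).
        private static readonly string[] AllowedAliases = { "newsItem", "eventPage" };

        [HttpGet]
        public object GetById(int id)
        {
            var contentType = Services.ContentTypeService.GetContentType(id);

            // Same response for "missing" and "not allowed", so the endpoint
            // does not reveal which other document type ids exist.
            if (contentType == null || !AllowedAliases.Contains(contentType.Alias))
                throw new HttpResponseException(HttpStatusCode.NotFound);

            // Read-only projection instead of the full editor model that
            // the core ContentTypeController returns.
            return new
            {
                id = contentType.Id,
                alias = contentType.Alias,
                name = contentType.Name,
                properties = contentType.PropertyTypes
                    .Select(p => new { alias = p.Alias, name = p.Name })
            };
        }
    }
}
```

The custom section then calls this endpoint instead of `UmbracoApi/ContentType/GetById`, so the core controller's tree authorization stays untouched.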
