templateResource.getByAlias requires the logged in user to have access to the Settings Section
I have an interesting problem I've encountered with a custom plugin I am working on for a customer. The site allows certain User Groups permission to schedule specific node types to be emailed out to users in the form of a notification email. The UI for this feature allows users to select from the available templates allowed for the node type and in order to provide this list I am getting the list of allowedTemplates from the content item and then filtering the list before returning the available templates to the user.
The problem occurs when members of this group attempt to use this action and are sent to the login screen, and I have discovered that the reason for this is a 401 (Unauthorized) exception thrown when the plugin tries to call templateResource.getByAlias(alias). It is obviously doing so in the context of the logged in user and if, as is the case, they don't have access to the Settings section of Umbraco they are given a 401 and bounced to the login page.
For obvious reasons, I don't want to give this user group access to the Settings section, so I am looking for some feedback on whether or not this should really behave in this way and a way around it. At the moment I am thinking I will need to create my own API call to retrieve and return the list but I also don't think this should be the behaviour for retrieval of templates (but should require authorization to save them).
Thoughts?
Hi Simon,
The api called by the template resource is restricted to users who have access to the template tree
https://github.com/umbraco/Umbraco-CMS/blob/dev-v7/src/Umbraco.Web/Editors/TemplateController.cs#L19
If you need to get the allowed templates from your current node, it can be possible using editorState in your angular controller.
If you inject editorState and then console.log this
You will see all the templates that appear in the template dropdown of your item
Dave
Thanks Dave, and sorry for the delayed reply I missed the notification.
The properties collection does not contain the templates list but the editorState.current.allowedTemplates does contain a list of template aliases, however, I need the template id. I think I might need to write something of my own to get it after all.
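The custom read-only endpoint discussed in this thread could look like the following in Umbraco 7. This is an added example, not code from the thread or from Umbraco itself; the plugin name, namespace, controller, action and DTO names are hypothetical, and it assumes the user group has access to the Content section.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Web.Http;
using Umbraco.Core;
using Umbraco.Web.Editors;
using Umbraco.Web.Mvc;
using Umbraco.Web.WebApi.Filters;

namespace NotificationPlugin.Controllers // hypothetical namespace
{
    // Minimal projection: only what a template picker needs.
    // The template markup itself is never returned.
    public class TemplateInfo
    {
        public int Id { get; set; }
        public string Alias { get; set; }
        public string Name { get; set; }
    }

    // Requires a logged-in back office user with access to the Content
    // section, instead of the template tree under Settings.
    [PluginController("NotificationPlugin")] // hypothetical plugin name
    [UmbracoApplicationAuthorize(Constants.Applications.Content)]
    public class AllowedTemplatesController : UmbracoAuthorizedJsonController
    {
        // Read-only: there is deliberately no action that saves or edits templates.
        [HttpGet]
        public IEnumerable<TemplateInfo> GetForContent(int contentId)
        {
            var content = Services.ContentService.GetById(contentId);
            if (content == null)
            {
                throw new HttpResponseException(HttpStatusCode.NotFound);
            }

            // Same set the editor shows in the template dropdown, with ids included.
            return content.ContentType.AllowedTemplates
                .Select(t => new TemplateInfo { Id = t.Id, Alias = t.Alias, Name = t.Name })
                .ToList();
        }
    }
}
```

Authorization here is by section only; the action does not check the caller's permissions on the individual node, so add that check if node-level permissions matter on the site.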