
  • Marianne Hildesheim Bertelsen 26 posts 169 karma points
    Apr 26, 2019 @ 07:36
    Marianne Hildesheim Bertelsen
    0

    usersResource Angular Module logs user out if she doesn't have access to Users section

    Hi

    Not a question, but more a heads-up to devs using the usersResource Angular module -- and maybe to Umbraco to extend/supplement their Angular docs :-)

    I've recently spent a lot of time trying to find out why a basic user (with access solely to the Content section) was instantaneously logged out of Umbraco when accessing a content node in which I had inserted a custom property editor (CPE) I had created -- and logged out again when trying to log back in.

    My CPE used, among other things, the usersResource Angular module.

    It turns out that if you use this module in your CPE and then access a content node that uses the CPE, the user is logged out if she doesn't have access to the Users section. In the Chrome Dev Tools Console I saw a JS error with "Unauthorized access" because the usersResource is using /Umbraco/Api/User/GetUserById (or something like that -- I don't have the precise text anymore).

    Anyway, the problem was easily solved by creating a sort of wrapper UmbracoAuthorizedJsonController method that called the C# UserService instead.

    I just wanted to put the problem/subject out there to let the community know, since it isn't documented on the ApiDocs page on usersResource https://our.umbraco.com/apidocs/ui/#/api/umbraco.resources.usersResource

    I'm guessing this is the intended functionality of usersResource for security reasons, but maybe it could be included in the docs for the Angular module, so that people don't end up spending a lot of time debugging this.

    Also, devs (I'm guessing) tend to use an admin user with access to all sections in Umbraco, and hence don't experience the problem of being logged out unless they remember to test with a basic user with no Users access as well (which may happen much later in the process, after the dev thinks that they're done with the CPE).

    /Marianne

  • Søren Gregersen 441 posts 1884 karma points MVP 2x c-trib
    Apr 26, 2019 @ 07:57
    Søren Gregersen
    0

    Great writeup :)

    In order to get around this, you could check the user groups on a user (https://our.umbraco.com/apidocs/ui/#/api/umbraco.resources.authResource -> getCurrentUser())

    Of course you would then have to know if the usergroup has access to the users section :)

  • Marianne Hildesheim Bertelsen 26 posts 169 karma points
    Apr 26, 2019 @ 08:00
    Marianne Hildesheim Bertelsen
    100

    Yeah, that would prevent the "being logged out"-problem, but not make my CPE display the user list (which is sort of what it does) -- but there could be a scenario where that would be what you'd want :-)
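
The guard discussed in the replies above, as an added example that is not code from the thread or from Umbraco: look at the current user before touching usersResource, so a user without the Users section never triggers the unauthorized response that ends the session. It assumes the object returned by authResource.getCurrentUser() carries an `allowedSections` array of section aliases and that the Users section alias is "users"; `getUserIfAllowed` and `hasSectionAccess` are hypothetical names. The check only avoids the failing call on the client, and the server-side section check still decides what the user may read.

```javascript
// Added example, not Umbraco source.
// Assumptions: the current-user object has an `allowedSections` array of
// section aliases, and the Users section alias is "users".
const USERS_SECTION = "users";

// True only when the user object explicitly lists the section alias.
// Missing or malformed data is treated as "no access" (fail closed).
function hasSectionAccess(currentUser, alias) {
  const sections = currentUser && currentUser.allowedSections;
  return Array.isArray(sections) && sections.indexOf(alias) !== -1;
}

// Resolves to { allowed, user }. usersResource is never called for a user
// without the Users section, so no unauthorized response is produced.
function getUserIfAllowed(authResource, usersResource, userId) {
  return authResource.getCurrentUser().then(function (currentUser) {
    if (!hasSectionAccess(currentUser, USERS_SECTION)) {
      return { allowed: false, user: null };
    }
    return usersResource.getUser(userId).then(function (user) {
      return { allowed: true, user: user };
    });
  });
}

// Wiring inside a property editor controller (only runs in the backoffice,
// where the global `angular` exists). Controller name is hypothetical.
if (typeof angular !== "undefined") {
  angular.module("umbraco").controller("My.UserPickerController",
    function ($scope, authResource, usersResource) {
      $scope.user = null;
      $scope.noUsersAccess = false;
      getUserIfAllowed(authResource, usersResource, $scope.model.value)
        .then(function (result) {
          $scope.noUsersAccess = !result.allowed;
          $scope.user = result.user;
        });
    });
}
```

When the editor has to show user data to people without the Users section, this guard is not enough and a server-side wrapper like the one in the first post is needed; such a wrapper should return only the fields the editor displays.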
