Sign in Register
Go to solution
Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • Damien Holley 180 posts 541 karma points
    May 28, 2019 @ 05:33
    Damien Holley
    0

    dashboards not obeying accessrules

    Hi, I have created some dashboards in C#, but the access is not denied to the backoffice users that are supposed to be denied access.

    So some of these dashboards should no show up for unauthorised users.

    Here is the dashboard code:

    [Weight(10)]
public class dashboardMonth : IDashboard
{
    public string Alias => "abrioffice_month";
    public string View => "/umbraco/backoffice/abrioffice/ABRIOffice/Month";

    public string[] Sections => new[] { "abrioffice" };
    public IAccessRule[] AccessRules {
        get {
            var rules = new IAccessRule[] {
                new AccessRule() { Type = AccessRuleType.Deny,  Value = "manager" },
                new AccessRule() { Type = AccessRuleType.Grant, Value = Umbraco.Core.Constants.Security.AdminGroupAlias },
                new AccessRule() { Type = AccessRuleType.Deny,  Value = Umbraco.Core.Constants.Security.SensitiveDataGroupAlias },
                new AccessRule() { Type = AccessRuleType.Deny,  Value = Umbraco.Core.Constants.Security.TranslatorGroupAlias },
                new AccessRule() { Type = AccessRuleType.Deny,  Value = "editor" },
                new AccessRule() { Type = AccessRuleType.Grant, Value = "hrAdmin" } };

            return rules; } }
}

    Any help appreciated.

    Copy Link
  • Damien Holley 180 posts 541 karma points
    Jun 18, 2019 @ 03:20
    Damien Holley
    0

    Nobody?

    Copy Link
  • Tarik 196 posts 840 karma points c-trib
    Jun 18, 2019 @ 06:28
    Tarik
    0

    Damien Holley, peace be upon those who follow guidance.

    What are the access rules those not working ?

    Copy Link
  • Damien Holley 180 posts 541 karma points
    Jun 20, 2019 @ 23:51
    Damien Holley
    0

    It's allowing access to all users who have access to any part of that section. for example: A user who is part of the 'manger' user group is given access to the month dashboadr even though the rule above specifically denies it.

    Copy Link
  • Tarik 196 posts 840 karma points c-trib
    Jun 23, 2019 @ 07:12
    Tarik
    100

    I was able to replicate the issue of allowing a denied group with a group alias manager too.

    In contrast, I found it working and deny that group when there is only one rule in that dashboard class.

    Currently I don't have visual studio installed yet which allows to debug.

    I suggest that you try package.manifest file to apply your preferred rules.

    Copy Link
  • Damien Holley 180 posts 541 karma points
    Jun 23, 2019 @ 22:47
    Damien Holley
    0

    This will have to be the workaround for now, but it's not good practice or efficient. I will lodge this issue as a bug.

    Thanks for the verification.

    Copy Link
Please Sign in or register to post replies

Write your reply to:

Draft