Backoffice login "expires" immediately when user only has rights to custom area(s)
I have created a custom application tree in Umbraco 7.1.6, for which a user has been given access. This user, however, is not allowed access to anything in the backoffice other than the custom application.
In a completely "clean" browser (as in no cookies, no cache) you can log in to the backoffice - but you are shown the regular content tree although the "content" application icon isn't visible. The custom tree icon is available, and as long as you click that and only that, you're fine.
Should you by accident click on the master content node, you are immediately logged out and told that the "Session timed out". And when you try to log back in, you can't!
Probably some cookie has been set, telling the backoffice to go to the master content node, which you are not allowed to access and then it logs you back out.
Is it not an error that the content tree is shown at first, even when the user is not allowed to see it? It should jump straight to the custom application, right?
I've just tried this - I saw similar issues. It seemed to resolve itself if you give the user content permissions, log in and then take them away again. Then it plays nicely.
Definitely a bug - I think you should report this but perhaps my method might work as a temporary workaround?
I'm dealing with the exact same issues and there are two others related (one I've opened myself). I'm setting up a fork to work on this cause I have a project that needs this by end of next week.
This has been documented in U4-5430 and U4-5506, and submitted as a PR on GitHub here.
The core of the issue is that when AngularJS tries to resolve the route, if the route is empty (i.e. /#/ instead of /#/content), it defaults to "content" without checking that the user has access to it.
These lines in routes.js fix it:
    if (user.allowedSections.indexOf($route.current.params.section) > -1) {
        // this will resolve successfully so the route will continue
        deferred.resolve(true);
    } else {
        deferred.reject({ path: "/" + user.allowedSections[0] });
    }
This, inside the user.isAuthenticated check, will check that the user.allowedSections array has access to the current section - if false, then it will fail, redirecting the user to their first allowed section.
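As an added example (not part of the original post and not Umbraco's own code), the check described above is modelled here as a stand-alone function next to the unchecked default, runnable in Node.js. The names `guardRoute`, `guardRouteUnchecked`, `sectionFromPath` and the `/login` fallback for an empty `allowedSections` list are assumptions; a client-side guard like this only steers navigation, so the server still has to enforce section access on every request.

```javascript
// Added example: stand-alone model of the route guard discussed in the thread.
// All function names and the "/login" path are hypothetical, not Umbraco's.

const DEFAULT_SECTION = "content"; // what an empty route (/#/) falls back to

// Extract the section segment from a hash route such as "/#/content/edit/1".
// Returns null when the route carries no section (e.g. "/#/").
function sectionFromPath(path) {
  const afterHash = String(path).split("#")[1] || "";
  const first = afterHash.split("/").filter(Boolean)[0];
  return first || null;
}

// "Before": an empty route silently becomes "content", with no permission check.
function guardRouteUnchecked(path) {
  return { allow: true, section: sectionFromPath(path) || DEFAULT_SECTION };
}

// "After": the requested (or defaulted) section must be in user.allowedSections.
function guardRoute(path, user) {
  if (!user || !user.isAuthenticated) {
    return { allow: false, redirect: "/login" };
  }
  const allowed = user.allowedSections || [];
  const section = sectionFromPath(path) || DEFAULT_SECTION;
  if (allowed.indexOf(section) > -1) {
    return { allow: true, section: section };
  }
  if (allowed.length === 0) {
    // Avoid building "/undefined" from allowedSections[0] on an empty list.
    return { allow: false, redirect: "/login" };
  }
  // Same outcome as the fix in the post: go to the first allowed section.
  return { allow: false, redirect: "/" + allowed[0] };
}

// Constructed sample user: access to one custom section only.
const customOnly = { isAuthenticated: true, allowedSections: ["myCustomApp"] };
```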
Hey Steve,
Thanks for verifying the issue!
I'll report it in the morning - I found your "workaround" as well, but it's no good in the long haul ;-)
/Jannik
Reported it to http://issues.umbraco.org/issue/U4-5430
Voted - wish I had the time to delve into the source and try to help and fix some of these. One day!
Thanks, yeah, I took a quick peek in the source but couldn't figure out at all where the bug might be :-(
Looks great Benjamin!
I'll test your fix in my solution this afternoon :-)