Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • Jannik Anker 36 posts 181 karma points c-trib
    Sep 01, 2014 @ 17:46
    Jannik Anker
    0

    Backoffice login "expires" immediately when user only has rights to custom area(s)

    I have created a custom application tree i Umbraco 7.1.6, for which a user has been given access. This user, however, is not allowed access to anything in the backoffice other than the custom application.

    In a completely "clean" browser (as in no cookies, no cache) you can log in to the backoffice - but you are shown the regular content tree although the "content" application icon isn't visible. The custom tree icon is available, and as long as you click that and only that, you're fine.

    Should you by accident click on the master content node, you are immediately logged out and told that the "Session timed out". And when you try to log back in, you can't!

    Probably some cookie has been set, telling the backoffice to go to the master content node, which you are not allowed to access and then it logs you back out.

    Is it not an error that the content tree is shown at first, even when the user is not allowed to see it? It should jump straight to the custom application, right?

  • Steve Morgan 1276 posts 4214 karma points c-trib
    Sep 01, 2014 @ 18:08
    Steve Morgan
    100

    I've just tried this - I saw similar issues. It seemed to resolve itself if you give the user content permissions, log in and then take them away again. Then it plays nicely. 

     Definitely a bug - I think you should report this but perhaps my method might work as a temporary workaround?

     

    Steve

  • Jannik Anker 36 posts 181 karma points c-trib
    Sep 01, 2014 @ 21:46
    Jannik Anker
    0

    Hey Steve,

    Thanks for verifing the issue!

    I'll report it in the morning - I found your "workaround" as well, but it's no good in the long haul ;-)

    /Jannik

  • Jannik Anker 36 posts 181 karma points c-trib
    Sep 02, 2014 @ 09:44
  • Steve Morgan 1276 posts 4214 karma points c-trib
    Sep 02, 2014 @ 09:51
    Steve Morgan
    0

    Voted - wish I had the time to delve into the source and try to help and fix some of these. One day! 

  • Jannik Anker 36 posts 181 karma points c-trib
    Sep 02, 2014 @ 10:26
    Jannik Anker
    0

    Thanks, yeah, I took a quick peek in the source but couldn't figure out at all where the bug might be :-(

  • Benjamin Howarth 305 posts 771 karma points c-trib
    Sep 17, 2014 @ 18:50
    Benjamin Howarth
    0

    I'm dealing with the exact same issues and there are two others related (one I've opened myself). I'm setting up a fork to work on this cause I have a project that needs this by end of next week.

  • Benjamin Howarth 305 posts 771 karma points c-trib
    Sep 18, 2014 @ 10:36
    Benjamin Howarth
    0

    This has been documented in U4-5430 and U4-5506, and submitted as a PR on Github here.

    The core of the issue is that when AngularJS tries to resolve the route, if the route is empty (i.e. /#/ instead of /#/content), it defaults to "content" without checking that the user has access to it.

    These lines in routes.js fix it:

    if (user.allowedSections.indexOf($route.current.params.section) > -1) {
    // this will resolve successfully so the route will continue
    deferred.resolve(true);
    } else {
    deferred.reject({ path: "/" + user.allowedSections[0] });
    }

    This, inside the user.isAuthenticated check, will check that the user.allowedSections array has access to the current section - if false, then it will fail, redirecting the user to their first allowed section.

  • Jannik Anker 36 posts 181 karma points c-trib
    Sep 19, 2014 @ 10:41
    Jannik Anker
    0

    Looks great Benjamin!

    I'll test your fix in my solution this afternoon :-)

Please Sign in or register to post replies

Write your reply to:

Draft