I'm using version version 7.1.4 but I seem to have come across a bit of a security flaw.
For a specific node I have removed all permissions for one user, nothing is ticked. When I log in with that user the node does not show in the tree but I can still access it by entering the id in the URL. After that the user is still able to save and send to publish even though the have no update permission.
Could there be something else I have overlooked that is still granting this permission?
This was running in IIS express on Visual Studio 2013. Restarting IIS express did cause the correct permissions to take effect. I'll leave this for now and have to test again once it's moved to the integration server.
Node permissions not being applied correctly
Hi,
I'm using version version 7.1.4 but I seem to have come across a bit of a security flaw.
For a specific node I have removed all permissions for one user, nothing is ticked. When I log in with that user the node does not show in the tree but I can still access it by entering the id in the URL. After that the user is still able to save and send to publish even though the have no update permission.
Could there be something else I have overlooked that is still granting this permission?
Thanks
Shane
Hi Shane,
I saw that problem. We have the same behavior of Umbraco 7.1.8.
Did you setup restrictions as on the screen ?
http://screencast.com/t/BlnoKTlh6KL5
For preventing that you have to write some custom module.
Thanks
Hi,
Yes, that's how my permissions screen looks.
Were you able to solve this with your custom module? Any details on what you did would be helpful!
Thanks
Hi, Have you tried by restarting IIS apppool/website?
Hi,
This was running in IIS express on Visual Studio 2013. Restarting IIS express did cause the correct permissions to take effect. I'll leave this for now and have to test again once it's moved to the integration server.
Thanks for the suggestion
Shane
is working on a reply...