403 for back office GetAllGroups when attempting to restrict public access
Hi,
This is the only back office API call that exhibits this behavior, and I'm logged in as an admin (it happens to other admins as well).
Click ellipsis of content node -> Do something else -> Restrict Public Access -> Group based protection -> Next
Authorization error: Unauthorized access to URL: /umbraco/backoffice/umbracoapi/membergroup/GetAllGroups
Contact your administrator for information.
Note: We are not using the built-in Umbraco Member management (the section is even removed from the back office). We have our own section that has Member and Group management within it, and ideally we'd be choosing from those groups if possible. We had this implementation in v8, and have ported over everything to v11. This seems to be the only hang-up at the moment.
Thanks!
Chris
Hi Chris
It looks like the call to GetAllGroups is made to the MemberGroupController API Controller here:
https://github.com/umbraco/Umbraco-CMS/blob/dc947977848b87dba3caac96bfe69362535378a5/src/Umbraco.Web.BackOffice/Controllers/MemberGroupController.cs#L19
and if you look at the way it's authorized...
it's tied down to only be accessible to people who have access to the MemberGroup Tree
Details of the policy are here:
https://github.com/umbraco/Umbraco-CMS/blob/dc947977848b87dba3caac96bfe69362535378a5/src/Umbraco.Web.BackOffice/DependencyInjection/UmbracoBuilder.BackOfficeAuth.cs#L362
So my guess is you have removed the core Member Section from Umbraco? Or your users don't have access to it, e.g. it's unticked, because you want to use your custom version?
If I'm right, then I think giving your users access to the old Member section will enable the API endpoint to be authorized. If you don't want to have both Member sections visible because it's confusing, then if you remove the existing Member Section and add your new version with the same 'alias', then (and it's a shot in the dark) it might all work.
But hopefully pointing in the direction to how the endpoint is currently Authorized gives you an insight into what might be going wrong!
regards
Marc
Marc,
That was it! I forgot that we restricted access to the Members section. Granting access back, and then removing the section via an IComposer achieves the goal of removing the section and stopping the error.
I'm not sure if naming my section the same thing will work routing-wise, but maybe there's a middleware piece I can create/hook into?
Thanks again!
Chris
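The fix described in the last reply, as an added example that is not code from the thread or from Umbraco itself: a composer that hides the built-in Members section from the back office while user groups keep their access to it, plus a startup check that logs which groups lack that access and would still get the 403 from GetAllGroups. The namespace, class names and log messages are hypothetical; it assumes Umbraco 11 and, based on the thread, that the tree-access policy resolves to the "member" section permission.

```csharp
using System.Linq;
using Microsoft.Extensions.Logging;
using Umbraco.Cms.Core;
using Umbraco.Cms.Core.Composing;
using Umbraco.Cms.Core.DependencyInjection;
using Umbraco.Cms.Core.Events;
using Umbraco.Cms.Core.Notifications;
using Umbraco.Cms.Core.Sections;
using Umbraco.Cms.Core.Services;

namespace MySite.BackOffice; // hypothetical namespace

public class HideMembersSectionComposer : IComposer
{
    public void Compose(IUmbracoBuilder builder)
    {
        // Removes the section from the back office UI only. User groups keep
        // their "member" section permission, which the thread identifies as
        // what the policy on MemberGroupController depends on.
        builder.Sections().Remove<MembersSection>();
        builder.AddNotificationHandler<UmbracoApplicationStartedNotification, MemberSectionAccessAudit>();
    }
}

// Logs at startup which user groups hold the "member" section permission.
public class MemberSectionAccessAudit : INotificationHandler<UmbracoApplicationStartedNotification>
{
    private readonly IUserService _userService;
    private readonly IRuntimeState _runtimeState;
    private readonly ILogger<MemberSectionAccessAudit> _logger;

    public MemberSectionAccessAudit(IUserService userService, IRuntimeState runtimeState,
        ILogger<MemberSectionAccessAudit> logger)
        => (_userService, _runtimeState, _logger) = (userService, runtimeState, logger);

    public void Handle(UmbracoApplicationStartedNotification notification)
    {
        if (_runtimeState.Level != RuntimeLevel.Run) return; // no database during install/upgrade

        foreach (var group in _userService.GetAllUserGroups())
        {
            if (group.AllowedSections.Contains(Constants.Applications.Members))
                _logger.LogInformation("User group {Alias} can call the member back office APIs", group.Alias);
            else
                _logger.LogWarning("User group {Alias} has no member section access; GetAllGroups will return 403", group.Alias);
        }
    }
}
```

Any group that keeps this permission can still call the built-in member endpoints directly, so hiding the section is a UI change and not an access restriction.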