  • Chris Spanellis 45 posts 191 karma points
    Jul 27, 2023 @ 20:44
    0

403 for back office GetAllGroups when attempting to restrict public access

    Hi,

    This is the only back office API call that exhibits this behavior, and I'm logged in as an admin (it happens to other admins as well).

    Click ellipsis of content node -> Do something else -> Restrict Public Access -> Group based protection -> Next

    Authorization error: Unauthorized access to URL: /umbraco/backoffice/umbracoapi/membergroup/GetAllGroups Contact your administrator for information.

Note: We are not using the built-in Umbraco Member management (the section is even removed from the back office). We have our own section that has Member and Group management within it, and ideally we'd be choosing from those groups if possible. We had this implementation in v8, and have ported everything over to v11. This seems to be the only hang-up at the moment.

    Thanks!

    Chris

  • Marc Goodson 2155 posts 14406 karma points MVP 9x c-trib
    Jul 29, 2023 @ 08:55
    100

    Hi Chris

It looks like the call to GetAllGroups is made to the MemberGroupController API Controller here:

    https://github.com/umbraco/Umbraco-CMS/blob/dc947977848b87dba3caac96bfe69362535378a5/src/Umbraco.Web.BackOffice/Controllers/MemberGroupController.cs#L19

    and if you look at the way it's authorized...

    it's tied down to only be accessible to people who have access to the MemberGroup Tree

    [Authorize(Policy = AuthorizationPolicies.TreeAccessMemberGroups)]
    

    Details of the policy are here:

    https://github.com/umbraco/Umbraco-CMS/blob/dc947977848b87dba3caac96bfe69362535378a5/src/Umbraco.Web.BackOffice/DependencyInjection/UmbracoBuilder.BackOfficeAuth.cs#L362

So my guess is you have removed the core Member Section from Umbraco, or your users don't have access to it, e.g. it's unticked because you want to use your custom version?

If I'm right, then I think giving your users access to the old Member section will enable the API endpoint to be authorized. If you don't want to have both Member sections visible because it's confusing, then if you remove the existing Member Section and add your new version with the same 'alias' (and it's a shot in the dark), it might all work.

    But hopefully pointing in the direction to how the endpoint is currently Authorized gives you an insight into what might be going wrong!

    regards

    Marc

  • Chris Spanellis 45 posts 191 karma points
    Jul 31, 2023 @ 23:19
    0

    Marc,

    That was it! I forgot that we restricted access to the Members section. Granting access back, and then removing the section via an IComposer achieves the goal of removing the section and stopping the error.

    I'm not sure if naming my section the same thing will work routing wise, but maybe there's a middleware piece I can create/hook into?

    Thanks again!

    Chris
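The fix described in the thread, as an added example (this is not code from the thread or from Umbraco itself): an IComposer that removes the core Members section from the back office UI while leaving the "Members" section permission ticked on the user group, so that the TreeAccessMemberGroups policy on MemberGroupController still passes. It assumes the v11 builder API `builder.Sections().Remove<T>()` and the core `MembersSection` class in `Umbraco.Cms.Core.Sections`; the class name `RemoveMembersSectionComposer` is made up for the example.

```csharp
// Added example, not from the thread. Assumes Umbraco v11 composition APIs.
using Umbraco.Cms.Core.Composing;
using Umbraco.Cms.Core.DependencyInjection;
using Umbraco.Cms.Core.Sections;

namespace MySite.Composers
{
    /// <summary>
    /// Removes the built-in Members section from the back office navigation.
    /// The user group's "Members" section permission must stay granted:
    /// the authorization policy on MemberGroupController is a tree-access
    /// check, which resolves to the section that owns the MemberGroups tree,
    /// not to whether that section is currently registered in the UI.
    /// </summary>
    public class RemoveMembersSectionComposer : IComposer
    {
        public void Compose(IUmbracoBuilder builder)
        {
            // Hides the core Members section; the custom Member/Group
            // section registered elsewhere remains the only one visible.
            builder.Sections().Remove<MembersSection>();
        }
    }
}
```

Two things worth checking after applying this. First, removing the section is a UI change only, not an access-control change: any back office user whose group still has the Members section allowed can call /umbraco/backoffice/umbracoapi/membergroup/* directly, so treat that section permission as the real boundary. Second, if the section permission is unticked again later (for example by an admin tidying up user groups), the "Restrict Public Access" dialog will start returning the 403 from the original post again, since the controller's [Authorize(Policy = AuthorizationPolicies.TreeAccessMemberGroups)] is evaluated per request.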
