
  • Dallas 132 posts 404 karma points
    Oct 09, 2013 @ 19:05
    Dallas
    0

    Only an admin can create or edit a user

    We have an Umbraco 6.1.6 site with many backoffice users and a number of custom UserTypes for grouping them. The UserTypes are used to customize the context menus (we have custom actions for specific UserTypes) and display different dashboards.

     

    Users of one of these UserTypes can create other users. It turns out that only a user that has the admin UserType can create or edit a user. A non-admin UserType can be granted access to the User section but if they try to view a user or create a user they get a YSOD - Access Denied.

     

    What are the implications of letting a non-admin edit users? Is it reasonable to think that granting them access to the section is enough authority to edit or create users?

     

    Here is the code from the Umbraco source where it clearly states in the comment that only an admin can edit a user:


     

    protected void Page_Load(object sender, EventArgs e)
    {
        //if the current user is not an admin they cannot edit a user at all
        if (CurrentUser.IsAdmin() == false)
        {
            throw new UserAuthorizationException("Access denied");
        }

        int UID = int.Parse(Request.QueryString["id"]);
        u = BusinessLogic.User.GetUser(UID);
        // ... (remainder of the method is not shown in the post)
    }

    Dallas

  • Dan Diplo 1554 posts 6205 karma points MVP 5x c-trib
    Jan 07, 2014 @ 14:50
    Dan Diplo
    0

    I've just noticed this problem, too - still present. Any updates?

    Dan

  • Niels Hartvig 1951 posts 2391 karma points c-trib
    Jan 07, 2014 @ 14:56
    Niels Hartvig
    0

    It's by design as there's currently not a user type hierarchy in the core, meaning that a non-admin could create any type of user or change the type of an existing user (thus granting greater permissions).

    An alternative could be that a user with access to the user section who's not an admin would only be able to create and edit users of the same type.
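The rule proposed in the reply above (a non-admin with access to the Users section may only create and edit users of their own type) can be sketched as a single authorization check. This is an added example, not Umbraco code or part of the original thread: `BackofficeUser`, `UserEditPolicy`, the type aliases and the `users` section alias are hypothetical names, and the sample users are constructed.

```csharp
#nullable enable
using System;
using System.Collections.Generic;

// Hypothetical model type for illustration; this is not an Umbraco class.
record BackofficeUser(string Name, string UserType, HashSet<string> Sections)
{
    public bool IsAdmin => UserType == "admin";
}

static class UserEditPolicy
{
    // Returns null when the action is allowed, otherwise the reason for denial.
    // 'target' is null when a new user is being created.
    public static string? Deny(BackofficeUser actor, BackofficeUser? target, string requestedType)
    {
        if (!actor.Sections.Contains("users"))
            return "no access to the Users section";
        if (actor.IsAdmin)
            return null; // admins keep full control
        if (target != null && target.UserType != actor.UserType)
            return "cannot edit a user of a different type";
        if (requestedType != actor.UserType)
            return "cannot assign a type other than your own";
        return null;
    }
}

static class Demo
{
    static void Main()
    {
        // Constructed sample users.
        var admin  = new BackofficeUser("root", "admin",  new() { "content", "users" });
        var editor = new BackofficeUser("ed",   "editor", new() { "content", "users" });
        var peer   = new BackofficeUser("eve",  "editor", new() { "content" });
        var writer = new BackofficeUser("will", "writer", new() { "content" });

        var cases = new (string Label, BackofficeUser Actor, BackofficeUser? Target, string Type)[] {
            ("editor creates editor",         editor, null,   "editor"),
            ("editor creates admin",          editor, null,   "admin"),
            ("editor promotes peer to admin", editor, peer,   "admin"),
            ("editor edits writer",           editor, writer, "writer"),
            ("editor edits admin",            editor, admin,  "admin"),
            ("no Users section access",       peer,   null,   "editor"),
            ("admin creates admin",           admin,  null,   "admin"),
        };
        foreach (var c in cases)
            Console.WriteLine($"{c.Label}: {UserEditPolicy.Deny(c.Actor, c.Target, c.Type) ?? "allowed"}");
    }
}
```

The check covers both escalation paths named in the reply: creating a user of a more privileged type, and changing the type of an existing user.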

  • Dan Diplo 1554 posts 6205 karma points MVP 5x c-trib
    Jan 07, 2014 @ 15:05
    Dan Diplo
    0

    I think the second option would be a better solution, Niels.

    The problem with the way it's currently implemented is that if you want to allow someone to create / edit users then it means they have to be an admin which means they also have access to all the options in the content menu tree (i.e. they can access change hostnames, send to translation etc.) which you don't always want them to have.

    The second problem is that it seems illogical to grant (say) a Writer or Editor access to the Users section but then not allow them to do anything. This is a bit confusing.

    I'd also say throwing an exception to communicate this isn't really friendly, either :)

    One to think about... :D

  • Niels Hartvig 1951 posts 2391 karma points c-trib
    Jan 07, 2014 @ 15:27
    Niels Hartvig
    0

    Good points and great to find a solution. So it would be great to keep discussing this and then submit a change request in the tracker then.

    "I'd also say throwing an exception to communicate this isn't really friendly, either :)"

    I know and I wished we weren't limited on resources, but at least a specific exception is better than nothing. A pull request on a more friendly message than the exception is also more than welcome :-)

  • Dan Diplo 1554 posts 6205 karma points MVP 5x c-trib
    Jan 07, 2014 @ 15:50
    Dan Diplo
    0

    Thanks, Niels. It's so great that you take the time to address these points - it's what makes Umbraco so fantastic!

    I've created an issue in the tracker - http://issues.umbraco.org/issue/U4-3989  (feel free to edit)

    (I'd also love to have time to make pull requests, but until my baby daughter grows up a little my free time is very limited! But one day...!)

  • andri arkhan 1 post 21 karma points
    Feb 20, 2014 @ 02:24
    andri arkhan
    0

    After updating the Umbraco source, I am not able to edit using the admin account. The display for edit shows nothing in the section.

    Can you help me?

  • Chris Mahoney 235 posts 447 karma points
    Mar 05, 2014 @ 22:29
    Chris Mahoney
    0

    I've just run into this issue after an upgrade to 6.1.6. It's good to hear that it's been looked into, but in the meantime can someone please update http://our.umbraco.org/download? It currently says that 6.1.6 has no breaking changes; obviously that isn't quite right :)

  • Iulia Maria Jensen 40 posts 71 karma points
    Apr 11, 2014 @ 11:10
    Iulia Maria Jensen
    0

    Any updates on the matter? Is there a 6.1.7 coming up, and if so, when? Will this be fixed there?

    :-)

     

  • Dan Diplo 1554 posts 6205 karma points MVP 5x c-trib
    Apr 11, 2014 @ 21:22
    Dan Diplo
    0

    I think this is fixed in 6.20 - the next version. See the issue log at http://our.umbraco.org/contribute/releases/620

  • Janet Kirklen 102 posts 212 karma points
    Aug 25, 2014 @ 20:57
    Janet Kirklen
    0

    I had the same issue in v6.1.6 and was able to resolve it satisfactorily.

    I had an Editor user and gave them access to the Users section. When they went to the Users section and clicked on any of the users they got an "Access Denied" error. To fix this I changed that editor's user type to Administrator. In the sections area they have access to Content, Media and Users. Now when they log in they can access other users without getting the error. In addition they can only grant access to the sections they have access to - Users, Content & Media. Also, the top level Administrator account is not in their list of users. So that is good.

    So there does seem to be a difference between the system wide Administrator and a user that is given the Administrator User Type.
