Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • Dallas 133 posts 405 karma points
    Oct 09, 2013 @ 19:05
    Dallas
    0

    Only an admin can create or edit a user

    We have an Umbraco 6.1.6 site with many backoffice users and a number of custom UserTypes for grouping them. The UserTypes are used to customize the context menus ( We have custom actions for specific UserTypes ) and display different dashboards.

     

    Users of one of these UserTypes can create other users. It turns out that only a user that has the admin UserType can create or edit a user. A non-admin UserType can be granted access to the User section but if they try to view a user or create a user they get a YSOD - Access Denied.

     

    What are the implications of letting a non-admin edit users? Is it reasonable to think that granting them access to the section is enough authority to edit or create users?

     

    Here is the code from the Umbraco source where it clearly states in the comment that only an admin can edit a user


     

    protected void Page_Load(object sender, EventArgs e)

            {

                //if the current user is not an admin they cannot edit a user at all

                if (CurrentUser.IsAdmin() == false)

                {

                    throw new UserAuthorizationException("Access denied");

                }

     

                int UID = int.Parse(Request.QueryString["id"]);

                u = BusinessLogic.User.GetUser(UID);

     

     

    Dallas

  • Dan Diplo 1554 posts 6205 karma points MVP 6x c-trib
    Jan 07, 2014 @ 14:50
    Dan Diplo
    0

    I've just noticed this problem, too - still present. Any updates?

    Dan

  • Niels Hartvig 1951 posts 2391 karma points c-trib
    Jan 07, 2014 @ 14:56
    Niels Hartvig
    0

    It's by design as there's currently not a user type hierarchy in the core, meaning that a non-admin could create any type of user or change the type of an existing user (thus granting greater permissions).

    An alternative could be that a user with access to the user section who's not an admin would only be able to create and edit users of the same type.

  • Dan Diplo 1554 posts 6205 karma points MVP 6x c-trib
    Jan 07, 2014 @ 15:05
    Dan Diplo
    0

    I think the second option would be a better solution, Neils.

    The problem with the way it's currently implemented is that if you want to allow someone to create / edit users then it means they have to be an admin which means they also have access to all the options in the content menu tree (ie. they can access change hostnames, send to translation etc.) which you don't always want them to have.

    The second problem is that it seems illogical to grant (say) a Writer or Editor access to the Users section but then not allow them to do anything. This is a bit confusing.

    I'd also say throwing an exception to communicate this isn't really friendly, either :)

    One to think about... :D

  • Niels Hartvig 1951 posts 2391 karma points c-trib
    Jan 07, 2014 @ 15:27
    Niels Hartvig
    0

    Good points and great to find a solution. So it would be great to keep discussing this and then submit a change request in the tracker then.

    I'd also say throwing an exception to communicate this isn't really friendly, either :)

    I know and I wished we weren't limited on resources, but at least a specific exception is better than nothing. A pull request on a more friendly message than the exception is also more than welcome :-)

  • Dan Diplo 1554 posts 6205 karma points MVP 6x c-trib
    Jan 07, 2014 @ 15:50
    Dan Diplo
    0

    Thanks, Neils. It's so great that you take the time to address these points - it's what makes Umbraco so fantastic!

    I've created an issue in the tracker - http://issues.umbraco.org/issue/U4-3989  (feel free to edit)

    (I'd also love to have time to make pull requests, but until my baby daughter grows up a little my free time is very limited! But one day...!)

  • andri arkhan 1 post 21 karma points
    Feb 20, 2014 @ 02:24
    andri arkhan
    0

    after was update source umbarco ,iam not edit using account admin.display for edit nothing section.

    can help me?

  • Chris Mahoney 242 posts 454 karma points
    Mar 05, 2014 @ 22:29
    Chris Mahoney
    0

    I've just run into this issue after an upgrade to 6.1.6. It's good to hear that it's been looked into, but in the meantime can someone please update http://our.umbraco.org/download? It currently says that 6.1.6 has no breaking changes; obviously that isn't quite right :)

  • Iulia Maria Jensen 40 posts 71 karma points
    Apr 11, 2014 @ 11:10
    Iulia Maria Jensen
    0

    Any updates on the matter? Is there coming up a 6.1.7 and if so when? Will this be fixed there? 

    :-)

     

  • Dan Diplo 1554 posts 6205 karma points MVP 6x c-trib
    Apr 11, 2014 @ 21:22
    Dan Diplo
    0

    I think this is fixed in 6.20 - the next version. See the issue log at http://our.umbraco.org/contribute/releases/620

  • Janet Kirklen 102 posts 212 karma points
    Aug 25, 2014 @ 20:57
    Janet Kirklen
    0

    I had the same issue in v6.1.6 and was able to resolve it satisfactorily.  

    I had a Editor user and gave them access to the Users section.  When they went to the Users section and cliked on any of the users they got an "Access Denied" error.  To fix this I changed that editor's user type to Administrator.  In the sections area they have access to Content, Media and Users.  Now when they log in they can access other users without getting the error.  In addition they can only grant access to the sections they have access to - Users, Content & Media. Also, the top level Administrator account is not in their list of users.  So that is good.  

    So there does seem to be a difference between the system wide Administrator and a user that is given the Adminsitrator User Type.  

Please Sign in or register to post replies

Write your reply to:

Draft