Back End User Permissions Bug?
I have a site where I have defined a "client admin user" which has the rights to create content, users and media etc and not a lot else. By default the user is allowed to add, edit and delete content. All good so far.
Now, under my home node, I have a few key pages (search, sitemap, 404 page etc) that I don't want the client to be able to delete. I'm happy for them to be able to see and edit those pages, but deleting them removes important site functionality. So I've set the permissions for the user on that page so that they do not have the delete permission for those pages. However, when I log in as the user, I can still delete the pages, even though I've explicitly unchecked their delete permission using the page permissions.
It's almost as if the back end is ignoring the fact that I've set the user not to be able to delete specific pages and is falling back to the default permission, which is to be able to delete anything they like.
This seems like a fairly serious security flaw to me, has anyone else come across this? Or am I doing something obviously wrong?
Ok, it looks like you have to re-publish the page for the new permissions settings to take effect on the back end, so one to watch out for if you have the same issue!
:)
Hi,
I'm having the same problem. I noticed the page creator can always delete his own pages. How can we deny this permission?
Thanks!
Umbraco 4.5.2 for .Net 3.5