Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • Tim 1193 posts 2675 karma points MVP c-trib
    Dec 17, 2009 @ 12:50
    Tim
    0

    Back End User Permissions Bug?

    I have a site where I have defined a "client admin user" which has the rights to create content, users and media etc and not a lot else. By default the user is allowed to add, edit and delete content. All good so far.

    Now, under my home node, I have a few key pages (search, sitemap, 404 page etc) that I don't want the client to be able to delete. I'm happy for them to be able to see and edit those pages, but deleting them removes important site functionality. So I've set the permissions for the user on that page so that they do not have the delete permission for those pages. However, when I log in as the user, I can still delete the pages, even though I've explicitly unchecked their delete permission using the page permissions.

    Its almost as if the back end is ignoring the fact that I've set the user not to be able to delete specific pages and is falling back to the default permission, which is to be able to delete anything they like.

    This seems like a fairly seriously security flaw to me, has anyone else come accross this? Or am I doing something obviously wrong?

  • Tim 1193 posts 2675 karma points MVP c-trib
    Dec 17, 2009 @ 12:58
    Tim
    0

    Ok, it looks like you have to re-publish the page for the new permissions settings to take effect on the back end, so one to watch out for if you have the same issue!

    :)

  • Fernando Camillo 41 posts 82 karma points
    Mar 24, 2011 @ 19:24
    Fernando Camillo
    0

    Hi,

    I'm having the same problem. I noticed the page creator can always delete his own pages. How can we deny this permission?

    Thanks!

    Umbraco 4.5.2 for .Net 3.5

Please Sign in or register to post replies

Write your reply to:

Draft