401 Error for Draft CRUD users when using the "Link to a Page from the current site" WYSIWYG button #3434

Closed
6TELOIV opened this issue Jun 26, 2024 · 2 comments


6TELOIV commented Jun 26, 2024

I'm submitting a

[x] bug report => search github for a similar issue before submitting
[x] feature request
[x] not sure

...about

[x] edit experience / UI
[x] admin experience UI
[x] DNN parts
[x] other / unknown

Current Behavior / Expected Behavior

Users with draft-only permissions (řčǔď) cannot use the page picker in the WYSIWYG UI.

Attempting to access it gives a 401 Unauthorized error, and the response from the HTTP request contains: Request not allowed. User does not have read permissions for query 'System.Pages'.

I have put this as both "bug" and "feature request", because I can understand by default not wanting to allow anonymous/non-editor users to access the System.Pages query, but there seems to be no way to grant the user access to it either, resulting in a confusing UI bug.

Instructions to Reproduce the Problem

  1. Create an app
  2. Make a View using a Content Type with a WYSIWYG field
  3. Create a user
  4. Enable PermissionCheckUsers feature in 2sxc
  5. Grant the created user Draft CRUD permissions (řčǔď) on the app
  6. As the user, try to click the "Link a page from the current site" button
  7. Observe the 401 error.

Your environment

  • 2sxc version(s): 17.9.0
  • Browser: all
  • DNN: 9.13.2
  • Hosting platform: azure
  • Language: English
@iJungleboy

Browsing the page structure seems like quite a security risk for non-editors, since many sites could have pages which are either just invisible on purpose, or the pages-list could give away some "secrets".

I don't think we can just open this up - it would result in opening up unexpected security holes.

I believe the correct approach is to add this permission to DNN, so a user can be properly authorized to "browse page structure".

This would fit in well with the new Advanced Permissions Provider which @tvatavuk is working on for DNN - dnnsoftware/Dnn.Platform#6042

@iJungleboy

I created an issue on DNN here: dnnsoftware/Dnn.Platform#6087

I think that's the right place to pursue this, so I'm going to close this task.
