Closed 6TELOIV closed 3 months ago
Browsing the page structure seems like quite a security risk for non-editors, since many sites could have pages which are either just invisible on purpose, or the pages-list could give away some "secrets".
I don't think we can just open this up - it would result in opening up unexpected security holes.
I believe the correct approach is to add this permission to DNN, so a user can be properly authorized to "browse page structure".
This would fit in well with the new Advanced Permissions Provider which @tvatavuk is working on for DNN - https://github.com/dnnsoftware/Dnn.Platform/issues/6042
I created an issue on dnn here https://github.com/dnnsoftware/Dnn.Platform/issues/6087
I think that's the right place to pursue this, so I'm going to close this task.
I'm submitting a
[x] bug report => search github for a similar issue before submitting [x] feature request [x] not sure
...about
[x] edit experience / UI [x] admin experience UI [x] DNN parts [x] other / unknown
Current Behavior / Expected Behavior
Users with draft-only permissions (řčǔď) cannot use the page picker in the WYSIWYG UI
Attempting to access it gives a 401 Unauthorized error, and the response from the HTTP request cointains
Request not allowed. User does not have read permissions for query 'System.Pages'
.I have put this as both "bug" and "feature request", because I can understand by default not wanting to allow anonymous/non-editor users to access the
System.Pages
query, but there seems to be no way to grant the user access to it either, resulting in a confusing UI bug.Instructions to Reproduce the Problem
PermissionCheckUsers
feature in 2sxcYour environment