2sic / 2sxc

DNN + 2sxc = #DNNCMS - This tool helps web designers and developers prepare great looking content in DNN (DotNetNuke). It's like mixing DNN with Umbraco and Drupal :)
http://2sxc.org
MIT License

401 Error for Draft CRUD users when using the "Link to a Page from the current site" WYSIWYG button #3434

Closed 6TELOIV closed 3 months ago

6TELOIV commented 3 months ago

I'm submitting a

[x] bug report => search github for a similar issue before submitting
[x] feature request
[x] not sure

...about

[x] edit experience / UI
[x] admin experience UI
[x] DNN parts
[x] other / unknown

Current Behavior / Expected Behavior

Users with draft-only permissions (řčǔď) cannot use the page picker in the WYSIWYG UI

Attempting to access it gives a 401 Unauthorized error, and the response from the HTTP request contains "Request not allowed. User does not have read permissions for query 'System.Pages'."

I have put this as both "bug" and "feature request", because I can understand by default not wanting to allow anonymous/non-editor users to access the System.Pages query, but there seems to be no way to grant the user access to it either, resulting in a confusing UI bug.

Instructions to Reproduce the Problem

  1. Create an app
  2. Make a View using a Content Type with a WYSIWYG field
  3. Create a user
  4. Enable PermissionCheckUsers feature in 2sxc
  5. Grant the created user Draft CRUD permissions (řčǔď) on the app
  6. As the user, try to click the "Link a page from the current site" button
  7. Observe the 401 error.

Your environment

iJungleboy commented 3 months ago

Browsing the page structure seems like quite a security risk for non-editors, since many sites could have pages which are either just invisible on purpose, or the pages-list could give away some "secrets".

I don't think we can just open this up - it would result in opening up unexpected security holes.

I believe the correct approach is to add this permission to DNN, so a user can be properly authorized to "browse page structure".

This would fit in well with the new Advanced Permissions Provider which @tvatavuk is working on for DNN - https://github.com/dnnsoftware/Dnn.Platform/issues/6042

iJungleboy commented 3 months ago

I created an issue on DNN here: https://github.com/dnnsoftware/Dnn.Platform/issues/6087

I think that's the right place to pursue this, so I'm going to close this task.