Closed jdotcms closed 6 months ago
A page created by a User with the expected Scripting Developer Role can now display secrets without issues, and no errors are displayed in the log.
Failed: Tested on master_62e8d60, Docker, macOS 13.0, FF v121.0.1
I see this is still happening
Hi @josemejias11, could you please add the steps to reproduce it?
@bryanboza any ideas here?
Approved: Tested on master_909f9ce, Docker, macOS 13.0, FF v121.0.1
I was trying to reproduce this once again and I'm not able to do so.
Ok, I tested this card and from what I have, we need some work here:
Following the provided steps, this is what I have...
https://github.com/dotCMS/core/assets/2641437/3a6a7c87-5648-4d36-acd8-b44f8615cb7a
hi @bryanboza
Thanks for the feedback. Unfortunately, in your video I cannot see 2 things: 1) the TTL for the testing page (I would recommend 0 to avoid caching issues), 2) the last modifier user for the template.
I am wondering about that, because the rules are the following:
a)
```java
boolean hasScriptingRole = checkRoleFromLastModUser(scripting);
```
If the last mod user has the scripting role, it is enough to show the secrets, even if the current user does not have the scripting role or is anonymous.
b)
```java
if (!hasScriptingRole) {
    final User user = WebAPILocator.getUserWebAPI().getUser(this.request);
    // try with the current user
    if (null != user) {
        hasScriptingRole = APILocator.getRoleAPI().doesUserHaveRole(user, scripting);
    }
}
```
If the last mod user does not have the scripting role, then we check if the actual user has the scripting role permission.
So, what I think is happening is that the last user to modify the template was the admin, so the page is accessible for everyone in terms of secrets. I have debugged master and I can confirm that.
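The two-step rule quoted in the comment above, written out as a small stand-alone Java example (added here; this is not dotCMS code and does not use the real `APILocator`/`WebAPILocator` APIs). The `RoleLookup` interface, the `canShowSecrets` method and the `admin`/`limited` role table are assumptions constructed for the illustration. A null current user models an anonymous request, i.e. `getUser(request)` returning null. The three calls in `main` are the scenarios discussed in this thread: a template last saved by a user with the scripting role is rendered with secrets even for an anonymous visitor; a template last saved by a user without the role hides the secrets from a limited requester; and the same template shows the secrets again when the requester is an admin, because the current-user fallback kicks in.

```java
import java.util.Map;
import java.util.Set;

// Added example, not dotCMS code: models the two-step check from the comment
// with a stand-in role lookup instead of APILocator/WebAPILocator.
public final class SecretsAccessExample {

    static final String SCRIPTING_ROLE = "Scripting Developer";

    /** Stand-in (assumption) for APILocator.getRoleAPI().doesUserHaveRole(user, role). */
    interface RoleLookup {
        boolean hasRole(String userId, String role);
    }

    /**
     * Mirrors the rule in the comment: the last modifier of the template is
     * checked first; only if that fails is the requesting user checked.
     * currentUserId == null models an anonymous request (getUser() returning null).
     */
    static boolean canShowSecrets(RoleLookup roles, String lastModUserId, String currentUserId) {
        // a) the last mod user alone is enough to grant access
        boolean hasScriptingRole = roles.hasRole(lastModUserId, SCRIPTING_ROLE);
        // b) otherwise fall back to the current user, if there is one
        if (!hasScriptingRole && currentUserId != null) {
            hasScriptingRole = roles.hasRole(currentUserId, SCRIPTING_ROLE);
        }
        return hasScriptingRole;
    }

    public static void main(String[] args) {
        // Constructed role table for the scenarios discussed in the thread.
        Map<String, Set<String>> rolesByUser = Map.of(
            "admin", Set.of(SCRIPTING_ROLE, "CMS Administrator"),
            "limited", Set.of("Page Editor"));
        RoleLookup roles = (user, role) ->
            rolesByUser.getOrDefault(user, Set.of()).contains(role);

        // Template last saved by admin, requested anonymously.
        System.out.println("admin last mod, anonymous request: "
            + canShowSecrets(roles, "admin", null));
        // Template last saved by the limited user, requested by the limited user.
        System.out.println("limited last mod, limited request: "
            + canShowSecrets(roles, "limited", "limited"));
        // Same template, requested by admin (current-user fallback).
        System.out.println("limited last mod, admin request: "
            + canShowSecrets(roles, "limited", "admin"));
    }
}
```

The point worth noticing for anyone reviewing this rule is that the last modifier's role is a property of the template, not of the request: once a user with the scripting role saves the template, every later request renders the secrets, which is exactly why the TTL and the last modifier of the template matter when reproducing.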
Yes, I tested modifying the template with the limited user and the same thing happens. I also tested in incognito mode to make sure that it is not the browser cache, and flushed the dotCMS caches too.
This is working on the demo site - take a look here, it is pulling the secrets. I think the user (admin?) you used to create the template does not have the scripting role?
Per discussion with @bryanboza, it seems he tested/edited the template with Chris Publisher, who does not have any scripting role, and then requested the page associated to that template as the same Chris or as Anonymous and was able to see the secrets.
About to re-test the scenario
I have done the following test:
1) created a user with access to pages, templates, etc. but without the scripting role
2) created with the admin user a template + page + secrets tools (admin of course has the scripting role)
3) the page works fine even if the limited user is the one that requests the page; of course admin works too
4) logged in as the limited user
5) edited the template where I wrote the secrets tool code
6) looks such as this
7) got back again to the page and see that the secrets are no longer available b/c the latest upd user has not the role, and even the current one (which is the limited)
Note: if I logout as a Limited user and get back to admin, and re-open the page again (the one with the template with secrets), the secrets are available to see b/c even if the latest mod user has not the script role, the current user is admin and he has the script role
Fixed, after the discussion seems that this is ok for now!!!
Tested on master // Docker // FF
Only for 23.10 LTS
Parent Issue
No response
Problem Statement
Secrets tool cannot parse a URL such as this: /data/shared/assets/c/e/ce837ff5-dc6f-427a-8f60-d18afc395be9/fileAsset/openai-summarize.vtl
in order to get the inode and determine whether the last editor has permissions to retrieve the secret.
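As an added illustration of the parsing step the problem statement describes (this is example code, not the secrets tool's own implementation), the following Java class pulls the inode out of an asset path of the shape shown above so that the last-editor check can be applied to it. The class name `AssetPathInode`, the method `inodeFromAssetPath`, and the rule that the two single-character directories before the inode must agree with its first two characters are assumptions made here; the issue only shows the one path, where those directories are `c` and `e`.

```java
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not dotCMS code: extracts the inode from an asset path of the
// shape shown in the problem statement so the last-editor check can be applied.
public final class AssetPathInode {

    // UUID-shaped inode: 8-4-4-4-12 lowercase hex groups.
    private static final String UUID =
        "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}";

    // Matches ".../<h1>/<h2>/<uuid>/..." where h1 and h2 are the single-character
    // shard directories that precede the inode in the example path.
    private static final Pattern SHARDED = Pattern.compile(
        "(?:^|/)([0-9a-f])/([0-9a-f])/(" + UUID + ")(?:/|$)");

    /**
     * Returns the inode if the path contains a sharded inode segment whose shard
     * directories agree with the inode's first two characters; otherwise empty.
     * Rejecting mismatched shards is a conservative choice made here (assumption),
     * not behaviour the issue specifies.
     */
    static Optional<String> inodeFromAssetPath(String path) {
        if (path == null) {
            return Optional.empty();
        }
        Matcher m = SHARDED.matcher(path.toLowerCase());
        while (m.find()) {
            String inode = m.group(3);
            boolean shardsAgree = inode.charAt(0) == m.group(1).charAt(0)
                               && inode.charAt(1) == m.group(2).charAt(0);
            if (shardsAgree) {
                return Optional.of(inode);
            }
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        // The path quoted in the issue, plus two constructed variants.
        String fromIssue =
            "/data/shared/assets/c/e/ce837ff5-dc6f-427a-8f60-d18afc395be9/fileAsset/openai-summarize.vtl";
        String mismatchedShards =
            "/data/shared/assets/a/b/ce837ff5-dc6f-427a-8f60-d18afc395be9/fileAsset/x.vtl";
        String noInode = "/application/templates/main.vtl";

        System.out.println("issue path:       " + inodeFromAssetPath(fromIssue).orElse("<none>"));
        System.out.println("mismatched shard: " + inodeFromAssetPath(mismatchedShards).orElse("<none>"));
        System.out.println("no inode:         " + inodeFromAssetPath(noInode).orElse("<none>"));
    }
}
```

Returning `Optional.empty()` rather than throwing keeps the caller in control of what happens when no inode is found; for an authorization decision like this one, the safe default on a parse failure is to treat the last editor as unknown and fall through to the current-user check rather than to assume the scripting role.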
Steps to Reproduce
Error reported on Auth: when accessing a page (using secrets) as an anonymous user, you get this error:
In your local dotCMS instance, please do the following:
1. Open the Dot Velocity Secrets App, and click your current site (default or demo.dotcms.com).
2. Add the keys: 2.1 keyone with value Value for Key One. 2.2 keytwo with value Hidden Value for Key Two, and mark it as Hidden.
3. ... the keyone and keytwo keys.
4. ... Scripting Developer Role assigned to it.
Acceptance Criteria
The secrets should work ok
dotCMS Version
master
Proposed Objective
Core Features
Proposed Priority
Priority 3 - Average
External Links... Slack Conversations, Support Tickets, Figma Designs, etc.
No response
Assumptions & Initiation Needs
No response
Quality Assurance Notes & Workarounds
No response
Sub-Tasks & Estimates
No response