enonic / xp

Enonic XP
https://enonic.com
GNU General Public License v3.0

A user with Contributor role but explicit FULL ACCESS permissions cannot delete a content #10364

Closed alansemenov closed 11 months ago

alansemenov commented 11 months ago

The user has roles "system.admin.login" and Contributor role for one of the CMS projects. Inside this project there's a content which the user by default cannot delete, because the Contributor role doesn't give DELETE permissions. However, even after explicitly giving the user "Full Access" permissions for the content, he still cannot delete the content.

The last line in the table below shows that the user has explicit permission to DELETE, but is still not allowed to.

image

2023-12-13 13:36:46,428 ERROR com.enonic.xp.impl.task.TaskRunnable - Error executing task [269fb7ed-c5dc-4393-8b1d-60875a0aab50] 'task-com.enonic.app.contentstudio-269fb7ed-c5dc-4393-8b1d-60875a0aab50': Access denied to [/superhero/search] for [DELETE] by user [user:system:alan] ''Alan''
com.enonic.xp.content.ContentAccessException: Access denied to [/superhero/search] for [DELETE] by user [user:system:alan] ''Alan''
    at com.enonic.xp.core.impl.content.ArchiveContentCommand.execute(ArchiveContentCommand.java:86)
    at com.enonic.xp.core.impl.content.ContentServiceImpl.archive(ContentServiceImpl.java:731)
    at com.enonic.xp.app.contentstudio.rest.resource.content.task.ArchiveRunnableTask.run(ArchiveRunnableTask.java:57)
    at com.enonic.xp.impl.task.DescribedTaskImpl.run(DescribedTaskImpl.java:56)
    at com.enonic.xp.impl.task.TaskRunnable.lambda$doRun$2(TaskRunnable.java:57)
    at com.enonic.xp.context.ContextImpl.runWith(ContextImpl.java:84)
    at com.enonic.xp.impl.task.TaskRunnable.doRun(TaskRunnable.java:57)
    at com.enonic.xp.trace.Tracer.trace(Tracer.java:128)
    at com.enonic.xp.impl.task.TaskRunnable.run(TaskRunnable.java:39)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at java.base/java.lang.Thread.run(Thread.java:829)

alansemenov commented 11 months ago

The problem is the lack of permissions to create a node under /archive, not the lack of permissions to delete.
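
A simplified model of the situation described in the last comment, added here as an illustration and not taken from Enonic XP: an archive operation treated as a move, where each permission is checked against its own path so the denial names the path and permission that actually failed. All class and method names, the ACL data, and the assumption that archiving needs DELETE on the source plus CREATE on the archive root are hypothetical.

```java
import java.util.EnumSet;
import java.util.Map;
import java.util.Set;

// Simplified model, not Enonic XP code: every name below is hypothetical.
public class ArchiveAccessCheck {
    enum Permission { READ, CREATE, MODIFY, DELETE }

    // Constructed sample ACLs for one user: full access on the content,
    // read-only on the archive root.
    static final Map<String, Set<Permission>> ACL = Map.of(
        "/superhero/search", EnumSet.allOf(Permission.class),
        "/archive", EnumSet.of(Permission.READ));

    static class AccessDenied extends RuntimeException {
        AccessDenied(String path, Permission p) {
            super("Access denied to [" + path + "] for [" + p + "]");
        }
    }

    // Deny by default when a path has no ACL entry.
    static void require(String path, Permission p) {
        if (!ACL.getOrDefault(path, Set.of()).contains(p)) {
            throw new AccessDenied(path, p);
        }
    }

    // Assumption: archiving is a move, so it needs DELETE on the source
    // and CREATE on the destination parent. Checking each separately keeps
    // the failing (path, permission) pair in the error message.
    static void archive(String source, String archiveRoot) {
        require(source, Permission.DELETE);
        require(archiveRoot, Permission.CREATE);
        // The move itself would happen here.
    }

    public static void main(String[] args) {
        try {
            archive("/superhero/search", "/archive");
        } catch (AccessDenied e) {
            System.out.println(e.getMessage());
        }
    }
}
```

With the constructed ACLs, the DELETE check on the content passes and the denial is raised for CREATE on the archive root, which is the distinction the log message in this issue does not make.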