neos / neos-development-collection

The unified repository containing the Neos core packages, used for Neos development.
https://www.neos.io/
GNU General Public License v3.0

Deleting a user who has unpublished changes in his workspace leads to a security validation exception #926

Closed neos-bot closed 5 years ago

neos-bot commented 8 years ago

Jira issue originally created by user @daniellienert:

To reproduce:

As soon as the user discards the changes, the user is deletable.

Exception #1222268609 in line 63 of /var/www/surf/releases/20160324154450/Data/Temporary/Production/SubContextJail/Cache/Code/Flow_Object_Classes/TYPO3_Flow_Security_Aspect_PolicyEnforcementAspect.php: Access denied for method
Method: TYPO3\TYPO3CR\Domain\Service\Context::validateWorkspace()

Evaluated following 1 privilege target(s):
"TYPO3.Neos:Backend.OtherUsersPersonalWorkspaceAccess": ABSTAIN
(0 granted, 0 denied, 1 abstained)

Authenticated roles: TYPO3.Flow:Everybody, TYPO3.Flow:AuthenticatedUser, TYPO3.Neos:Administrator, TYPO3.Neos:Editor, TYPO3.Neos:AbstractEditor, TYPO3.TYPO3CR:Administrator, TYPO3.Neos:LivePublisher

55 TYPO3\Flow\Security\Authorization\Interceptor\PolicyEnforcement_Original::invoke()
54 TYPO3\Flow\Security\Aspect\PolicyEnforcementAspect_Original::enforcePolicy(TYPO3\Flow\Aop\JoinPoint)
53 TYPO3\Flow\Aop\Advice\AroundAdvice::invoke(TYPO3\Flow\Aop\JoinPoint)
52 TYPO3\Flow\Aop\Advice\AdviceChain::proceed(TYPO3\Flow\Aop\JoinPoint)
51 TYPO3\TYPO3CR\Domain\Service\Context::validateWorkspace(TYPO3\TYPO3CR\Domain\Model\Workspace)
50 TYPO3\TYPO3CR\Domain\Service\Context_Original::getWorkspace()
49 TYPO3\TYPO3CR\Domain\Repository\NodeDataRepository_Original::findOneByPathInContext("/sites/website", TYPO3\Neos\Domain\Service\ContentContext)
48 TYPO3\TYPO3CR\Domain\Model\Node_Original::getParent()
47 TYPO3\Neos\TypoScript\Cache\ContentCacheFlusher_Original::registerNodeChange(TYPO3\TYPO3CR\Domain\Model\Node, "TYPO3\Neos\Service\PublishingService::nodeDiscarded")
46 call_user_func_array(array|2|, array|2|)
45 TYPO3\Flow\SignalSlot\Dispatcher::dispatch("TYPO3\Neos\Service\PublishingService", "nodeDiscarded", array|2|)
44 TYPO3\Flow\SignalSlot\SignalAspect_Original::forwardSignalToDispatcher(TYPO3\Flow\Aop\JoinPoint)
43 TYPO3\Flow\Aop\Advice\AbstractAdvice::invoke(TYPO3\Flow\Aop\JoinPoint)
42 TYPO3\Neos\Service\PublishingService::emitNodeDiscarded(TYPO3\TYPO3CR\Domain\Model\Node)
41 TYPO3\TYPO3CR\Domain\Service\PublishingService_Original::discardNode(TYPO3\TYPO3CR\Domain\Model\Node)
40 TYPO3\TYPO3CR\Domain\Service\PublishingService_Original::discardAllNodes(TYPO3\TYPO3CR\Domain\Model\Workspace)
39 call_user_func_array(array|2|, array|1|)
38 TYPO3\Flow\Object\DependencyInjection\DependencyProxy::__call("discardAllNodes", array|1|)
37 TYPO3\Neos\Domain\Service\UserService_Original::deletePersonalWorkspace("testuser")
36 TYPO3\Neos\Domain\Service\UserService_Original::deleteUser(TYPO3\Neos\Domain\Model\User)
35 TYPO3\Neos\Controller\Module\Administration\UsersController_Original::deleteAction(TYPO3\Neos\Domain\Model\User)
34 TYPO3\Neos\Controller\Module\Administration\UsersController::deleteAction(TYPO3\Neos\Domain\Model\User)
33 call_user_func_array(array|2|, array|1|)
32 TYPO3\Neos\Controller\Module\Administration\UsersController::Flow_Aop_Proxy_invokeJoinPoint(TYPO3\Flow\Aop\JoinPoint)
31 TYPO3\Flow\Aop\Advice\AdviceChain::proceed(TYPO3\Flow\Aop\JoinPoint)
30 TYPO3\Flow\Security\Aspect\PolicyEnforcementAspect_Original::enforcePolicy(TYPO3\Flow\Aop\JoinPoint)
29 TYPO3\Flow\Aop\Advice\AroundAdvice::invoke(TYPO3\Flow\Aop\JoinPoint)
28 TYPO3\Flow\Aop\Advice\AdviceChain::proceed(TYPO3\Flow\Aop\JoinPoint)
27 TYPO3\Neos\Controller\Module\Administration\UsersController::deleteAction(TYPO3\Neos\Domain\Model\User)
26 call_user_func_array(array|2|, array|1|)
25 TYPO3\Flow\Mvc\Controller\ActionController_Original::callActionMethod()
24 TYPO3\Flow\Mvc\Controller\ActionController_Original::processRequest(TYPO3\Flow\Mvc\ActionRequest, TYPO3\Flow\Http\Response)
23 TYPO3\Flow\Mvc\Dispatcher_Original::initiateDispatchLoop(TYPO3\Flow\Mvc\ActionRequest, TYPO3\Flow\Http\Response)
22 TYPO3\Flow\Mvc\Dispatcher_Original::dispatch(TYPO3\Flow\Mvc\ActionRequest, TYPO3\Flow\Http\Response)
21 TYPO3\Neos\Controller\Backend\ModuleController_Original::indexAction(array|3|)
20 TYPO3\Neos\Controller\Backend\ModuleController::indexAction(array|3|)
19 call_user_func_array(array|2|, array|1|)
18 TYPO3\Neos\Controller\Backend\ModuleController::Flow_Aop_Proxy_invokeJoinPoint(TYPO3\Flow\Aop\JoinPoint)
17 TYPO3\Flow\Aop\Advice\AdviceChain::proceed(TYPO3\Flow\Aop\JoinPoint)
16 TYPO3\Flow\Security\Aspect\PolicyEnforcementAspect_Original::enforcePolicy(TYPO3\Flow\Aop\JoinPoint)
15 TYPO3\Flow\Aop\Advice\AroundAdvice::invoke(TYPO3\Flow\Aop\JoinPoint)
14 TYPO3\Flow\Aop\Advice\AdviceChain::proceed(TYPO3\Flow\Aop\JoinPoint)
13 TYPO3\Neos\Controller\Backend\ModuleController::indexAction(array|3|)
12 call_user_func_array(array|2|, array|1|)
11 TYPO3\Flow\Mvc\Controller\ActionController_Original::callActionMethod()
10 TYPO3\Flow\Mvc\Controller\ActionController_Original::processRequest(TYPO3\Flow\Mvc\ActionRequest, TYPO3\Flow\Http\Response)
9 TYPO3\Flow\Mvc\Dispatcher_Original::initiateDispatchLoop(TYPO3\Flow\Mvc\ActionRequest, TYPO3\Flow\Http\Response)
8 TYPO3\Flow\Mvc\Dispatcher_Original::dispatch(TYPO3\Flow\Mvc\ActionRequest, TYPO3\Flow\Http\Response)
7 call_user_func_array(array|2|, array|2|)
6 TYPO3\Flow\Object\DependencyInjection\DependencyProxy::__call("dispatch", array|2|)
5 TYPO3\Flow\Mvc\DispatchComponent_Original::handle(TYPO3\Flow\Http\Component\ComponentContext)
4 TYPO3\Flow\Http\Component\ComponentChain_Original::handle(TYPO3\Flow\Http\Component\ComponentContext)
3 TYPO3\Flow\Http\Component\ComponentChain_Original::handle(TYPO3\Flow\Http\Component\ComponentContext)
2 TYPO3\Flow\Http\RequestHandler::handleRequest()
1 TYPO3\Flow\Core\Bootstrap::run()

Jira-URL: https://jira.neos.io/browse/NEOS-1803

regniets commented 7 years ago

Neos Version 2.3.7 - Same issue here with a user having been deleted on a live website, mainly visible with "related media elements" still being referenced in a user's workspace, which then isn't accessible anymore.

DrillSergeant commented 6 years ago

This bug is still present in Neos 3.3.8. Cannot delete a user who has unpublished nodes in his workspace.

dlubitz commented 6 years ago

+1

Happens just for users with unpublished workspace changes. And it seems to be caused by the policy for Neos.Neos:Backend.OtherUsersPersonalWorkspaceAccess. As long as no current.userInformation.backendUser is set, e.g. in CLI, you are able to delete the user. But if you are logged in in the backend, the deletion is prevented, because of the access to the workspace.

https://github.com/neos/neos-development-collection/blob/3.3.9/Neos.Neos/Configuration/Policy.yaml#L40
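A model of the deny-by-default privilege voting that produces the "0 granted, 0 denied, 1 abstained" line in the trace above, added here as an illustration for this thread; it is not Neos or Flow code. The matcher and the empty role grants for the privilege target are assumptions that mirror what dlubitz describes (no backend user set means the target does not apply), not the contents of the project's Policy.yaml, and the deleteUser path is reduced to the one call that matters in the trace: validateWorkspace is hit once per node that discardAllNodes has to discard.

```python
"""Simplified model of Flow method-privilege voting (added example, not Flow code).

Assumptions, not taken from the project: the matcher for the privilege target,
the absence of any role grant for it, and the reduced deleteUser flow.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Optional


class Vote(Enum):
    GRANTED = "GRANTED"
    DENIED = "DENIED"
    ABSTAIN = "ABSTAIN"


@dataclass(frozen=True)
class Workspace:
    name: str
    owner: Optional[str]        # backend user owning a personal workspace, None for shared ones
    unpublished_nodes: int      # changes not yet published to live

    @property
    def is_personal(self) -> bool:
        return self.owner is not None


@dataclass
class SecurityContext:
    roles: frozenset
    backend_user: Optional[str]  # None on the CLI, where nobody is logged in to the backend


@dataclass
class PrivilegeTarget:
    """A matcher (does this join point fall under the target?) plus the
    per-role decisions configured for it; roles without an entry abstain."""
    name: str
    matcher: Callable[[Workspace, SecurityContext], bool]
    role_votes: dict = field(default_factory=dict)  # role name -> Vote


def evaluate(targets, workspace, ctx):
    """Decision for one call to validateWorkspace.

    Each matching target casts one vote: DENIED if any authenticated role
    denies it, GRANTED if any role grants it, otherwise ABSTAIN. The call is
    allowed only if no target denied and at least one granted, so an
    abstain-only result is a denial. Returns (allowed, granted, denied, abstained)
    in the shape the exception message reports.
    """
    votes = []
    for target in targets:
        if not target.matcher(workspace, ctx):
            continue  # target does not cover this call, so it is not evaluated
        role_votes = {target.role_votes.get(role, Vote.ABSTAIN) for role in ctx.roles}
        if Vote.DENIED in role_votes:
            votes.append(Vote.DENIED)
        elif Vote.GRANTED in role_votes:
            votes.append(Vote.GRANTED)
        else:
            votes.append(Vote.ABSTAIN)
    if not votes:
        return True, 0, 0, 0  # no privilege target matched: method is not intercepted
    granted = votes.count(Vote.GRANTED)
    denied = votes.count(Vote.DENIED)
    abstained = votes.count(Vote.ABSTAIN)
    return denied == 0 and granted > 0, granted, denied, abstained


def delete_user(username, personal_workspace, ctx, targets):
    """Reduced deleteUser -> deletePersonalWorkspace -> discardAllNodes path:
    every discarded node ends in Context::validateWorkspace on the personal
    workspace, where the policy is enforced. A clean workspace never gets there."""
    for _ in range(personal_workspace.unpublished_nodes):
        allowed, g, d, a = evaluate(targets, personal_workspace, ctx)
        if not allowed:
            return f"Access denied ({g} granted, {d} denied, {a} abstained)"
    return f"user {username} deleted"


# Assumed matcher: another user's personal workspace, compared against the
# logged-in backend user; with no backend user there is nothing to compare.
OTHER_USERS_WORKSPACE = PrivilegeTarget(
    name="Neos.Neos:Backend.OtherUsersPersonalWorkspaceAccess",
    matcher=lambda ws, ctx: ws.is_personal and ctx.backend_user is not None and ws.owner != ctx.backend_user,
    role_votes={},  # assumption: no role is granted this target
)
ADMIN_ROLES = frozenset({"Neos.Flow:Everybody", "Neos.Flow:AuthenticatedUser",
                         "Neos.Neos:Administrator", "Neos.Neos:Editor"})


def scenarios():
    """Constructed inputs covering the cases discussed in the thread."""
    dirty = Workspace("user-testuser", owner="testuser", unpublished_nodes=3)
    clean = Workspace("user-testuser", owner="testuser", unpublished_nodes=0)
    backend_admin = SecurityContext(ADMIN_ROLES, backend_user="admin")
    cli = SecurityContext(ADMIN_ROLES, backend_user=None)
    granting = PrivilegeTarget(OTHER_USERS_WORKSPACE.name, OTHER_USERS_WORKSPACE.matcher,
                               {"Neos.Neos:Administrator": Vote.GRANTED})
    return {
        "backend_unpublished": delete_user("testuser", dirty, backend_admin, [OTHER_USERS_WORKSPACE]),
        "backend_discarded": delete_user("testuser", clean, backend_admin, [OTHER_USERS_WORKSPACE]),
        "cli_unpublished": delete_user("testuser", dirty, cli, [OTHER_USERS_WORKSPACE]),
        "backend_with_grant": delete_user("testuser", dirty, backend_admin, [granting]),
    }


if __name__ == "__main__":
    for case, outcome in scenarios().items():
        print(f"{case}: {outcome}")
```

The point the model makes is the one a policy author needs: once a privilege target's matcher covers a method, every call to it needs an explicit grant, and abstention counts as denial. A user whose personal workspace is already clean never reaches validateWorkspace, and a CLI run has no backend user for the matcher to compare against, which is why both of those paths succeed while the backend deletion fails.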

rolandschuetz commented 5 years ago

@daniellienert https://github.com/neos/neos-development-collection/pull/2323 fixes this issue, so this can be closed?