umbraco / Umbraco-CMS

Umbraco is a free and open source .NET content management system helping you deliver delightful digital experiences.
https://umbraco.com
MIT License

Public access broken when assigning to member with '+' character in login #15723

Open jmf-umbraco opened 9 months ago

jmf-umbraco commented 9 months ago

Which Umbraco version are you using? (Please write the exact version, example: 10.1.0)

13.1.0

Bug summary

When restricting public access to a specific member, bad data is persisted if the member's login contains a '+' character. It is not uncommon for mail providers to support aliasing multiple addresses to one mailbox using this character.


Specifics

When making the request to the backoffice public access controller, it looks like member logins are sent in a query string parameter, which is not URL encoded.

On hitting the save button, a POST is sent to https://localhost:44303/umbraco/backoffice/umbracoapi/publicaccess/PostPublicAccess?contentId=1075&loginPageId=1075&errorPageId=1075&usernames[]=jmf+directaccess@umbraco.dk. Note the '+' character in the email.

But to the controller receiving it, this login is interpreted as jmf directaccess@umbraco.dk.

I have not yet tested whether affected members are able to browse to the selected content nodes via SSR or the delivery API, but my best guess is that they cannot.

Steps to reproduce

Expected result / actual result

Actual Result

image

Expected Result

image
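The decoding mismatch described in this report, reproduced as an added example that is not part of the original issue or of Umbraco's code. The function names are hypothetical, `URLSearchParams` is assumed to stand in for the server-side query parser, and the check goes slightly beyond the reported case by also flagging a login containing '&'.

```javascript
// Added illustration, not Umbraco code. Function names are hypothetical.
// URLSearchParams stands in for the server-side query parser (assumption):
// like the controller in the report, it reads an unescaped '+' as a space.
const ENDPOINT =
  "https://localhost:44303/umbraco/backoffice/umbracoapi/publicaccess/PostPublicAccess";

// Query string built by plain concatenation, as in the request quoted in the issue.
function buildUnencoded(contentId, usernames) {
  const parts = [`contentId=${contentId}`];
  for (const u of usernames) parts.push(`usernames[]=${u}`);
  return `${ENDPOINT}?${parts.join("&")}`;
}

// Same request with every value percent-encoded before it is appended.
function buildEncoded(contentId, usernames) {
  const parts = [`contentId=${encodeURIComponent(contentId)}`];
  for (const u of usernames) parts.push(`usernames[]=${encodeURIComponent(u)}`);
  return `${ENDPOINT}?${parts.join("&")}`;
}

// Logins as the receiving side decodes them.
function receivedUsernames(url) {
  return new URL(url).searchParams.getAll("usernames[]");
}

// Logins that do not survive the unencoded round trip.
function affectedLogins(logins) {
  return logins.filter((u) => {
    const got = receivedUsernames(buildUnencoded(1075, [u]));
    return got.length !== 1 || got[0] !== u;
  });
}

// Constructed sample input: the login from the issue plus two made-up ones.
const sampleLogins = ["jmf+directaccess@umbraco.dk", "plain@example.com", "a&b@example.com"];
console.log(receivedUsernames(buildUnencoded(1075, sampleLogins)));
console.log(receivedUsernames(buildEncoded(1075, sampleLogins)));
console.log(affectedLogins(sampleLogins));
```

A check like `affectedLogins` can be run over an export of member logins to find access rules that may have been saved with a mangled username.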

nul800sebastiaan commented 9 months ago

Yeah, that part of the backoffice hasn't gotten much love for many years! 😅 I've put it up for grabs, seems like it shouldn't be too hard to fix.

nagolucky18 commented 8 months ago

I can look at this one.