Which Umbraco version are you using? (Please write the exact version, example: 10.1.0)
13.1.0
Bug summary
When restricting public access to a specific member, bad data is persisted if the member's login contains a '+' character. It is not uncommon for mail providers to support aliasing multiple addresses to one mailbox using this character.
Specifics
When making the request to the backoffice public access controller, it looks like member logins are sent in a query string parameter, which is not URL encoded.
On hitting the save button, a POST is sent to https://localhost:44303/umbraco/backoffice/umbracoapi/publicaccess/PostPublicAccess?contentId=1075&loginPageId=1075&errorPageId=1075&usernames[]=jmf+directaccess@umbraco.dk. Note the '+' character in the email.
But to the controller receiving it, this login is interpreted as jmf directaccess@umbraco.dk.
I have not yet tested whether affected members are able to browse to the selected content nodes via SSR or the delivery API, but my best guess is that they cannot.
Steps to reproduce
Create a member with a + character in the login
Hit "Restrict Public Access..." on a content node
Select "Specific member protection" and choose the member created above
Hit the save button
Expected result / actual result
Actual Result
The public access rule is persisted in SQL with a space character instead of a '+'
The RuleValue field in any triggered PublicAccessEntrySavedNotification's rules contains a space character instead of a '+'
Subsequently selecting "Restrict Public Access..." on the same content node shows as though no rules are configured, see following:
Expected Result
In both places above, the member's login name contains a '+' character instead of a space
When selecting "Restrict Public Access..." on the same content node again, the selected member rule is shown, like the following:
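The behaviour reported above, as an added example that is not part of the original report and not Umbraco's code: it builds the request URL with and without encoding the login, then parses it the way a form-urlencoded query parser does. The function names are hypothetical, Node's `URLSearchParams` stands in for the receiving controller's query binding (an assumption), and the stored rule values are constructed sample data. `findMangledRules` goes one step further and flags already-persisted rule values that match a member login only once '+' is replaced by a space.

```javascript
// Added illustration; function names are hypothetical, not Umbraco's code.
const BASE =
  "https://localhost:44303/umbraco/backoffice/umbracoapi/publicaccess/PostPublicAccess";

// Mirrors the request in the report: the login is concatenated as-is.
function buildUnencoded(contentId, usernames) {
  const parts = [`contentId=${contentId}`];
  for (const u of usernames) parts.push(`usernames[]=${u}`);
  return `${BASE}?${parts.join("&")}`;
}

// Corrected form: each value is percent-encoded, so '+' travels as %2B.
function buildEncoded(contentId, usernames) {
  const parts = [`contentId=${encodeURIComponent(contentId)}`];
  for (const u of usernames) parts.push(`usernames[]=${encodeURIComponent(u)}`);
  return `${BASE}?${parts.join("&")}`;
}

// Stand-in for the receiving side (assumption): form-urlencoded query
// parsing, where a literal '+' decodes to a space.
function receivedUsernames(url) {
  return new URL(url).searchParams.getAll("usernames[]");
}

// Audit helper: stored rule values that match no member login exactly,
// but do match one after that login's '+' characters become spaces.
function findMangledRules(memberLogins, storedRuleValues) {
  const known = new Set(memberLogins);
  const spacedToLogin = new Map(
    memberLogins
      .filter((l) => l.includes("+"))
      .map((l) => [l.replace(/\+/g, " "), l])
  );
  return storedRuleValues
    .filter((v) => !known.has(v) && spacedToLogin.has(v))
    .map((v) => ({ stored: v, intended: spacedToLogin.get(v) }));
}

const login = "jmf+directaccess@umbraco.dk"; // login from the report
console.log(receivedUsernames(buildUnencoded(1075, [login]))); // space instead of '+'
console.log(receivedUsernames(buildEncoded(1075, [login])));   // '+' preserved
// Constructed sample of persisted rule values, one of them mangled.
console.log(findMangledRules([login, "editor@example.com"],
  ["jmf directaccess@umbraco.dk", "editor@example.com"]));
```
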