umbraco / Umbraco-CMS

Umbraco is a free and open source .NET content management system helping you deliver delightful digital experiences.
https://umbraco.com
MIT License
4.47k stars, 2.69k forks

Read-only mode allows user to edit content in RTE property editor #16854

Open ainokarita opened 2 months ago

ainokarita commented 2 months ago

Which Umbraco version are you using? (Please write the exact version, example: 10.1.0)

Cms 13.4.1

Bug summary

When a user with read-only permissions goes into a content node, they can remove text and images from an RTE property editor. Also, the Save and Preview button is available. This is not reflected in the backoffice for editors. So the user can't save anything in reality, but the seeming possibility creates concerns.

Specifics

https://github.com/user-attachments/assets/03e90941-6048-44fd-8fb1-e4d175d186c1

Steps to reproduce

  1. Create a document type with an RTE property, and add that page to the Content tree.
  2. Add image(s) and text inside the RTE, and save and publish.
  3. Create a user group with read-only rights under default permissions to the recently created content node. Add a user to that group.
  4. The user with read-only rights can access the specific content node, delete/add text in the RTE, and remove the image(s).
  5. The user can click on the save & preview button.

Expected result / actual result

The user should not have access to touch any of the content in the UI. In my opinion, the read-only user should also not have the possibility to see the save & preview button, because it is not needed.

NguyenThuyLan commented 2 months ago

This is a low-priority bug, and I agree that the "Save and Preview" button seems useless in this case; we should remove it from the read-only user interface.

ainokarita commented 2 months ago

There is another bug report on this issue for v10: https://github.com/umbraco/Umbraco-CMS/issues/16867