umbraco / Umbraco-CMS

Umbraco is a free and open source .NET content management system helping you deliver delightful digital experiences.
https://umbraco.com
MIT License

User not in sensitive data group can inadvertently change Approved state of member account #16873

Closed russellshome closed 2 months ago

russellshome commented 2 months ago

Which Umbraco version are you using? (Please write the exact version, example: 10.1.0)

10.8.6

Bug summary

A user that is not in the sensitive data group should not be able to change the approved state of a member account. However, when a user that is not in the sensitive data group saves a member, that member is set to not approved.

Specifics

This happens in version 10 but does not happen in version 13 of Umbraco

Steps to reproduce

1. Create Umbraco 10 site.
2. Add a member using the default admin account. The member is approved by default.
3. Change the Admin user account by removing the sensitive data group.
4. Go to the member and Save.
5. Change the Admin user account by adding back the sensitive data group.
6. Check whether the member is approved. It will have become not approved.

Expected result / actual result

Expected: User not in sensitive data group cannot change approved state of a member.

Actual: User not in sensitive data group sets approved to false on save.

github-actions[bot] commented 2 months ago

Hi there @russellshome!

Firstly, a big thank you for raising this issue. Every piece of feedback we receive helps us to make Umbraco better.

We really appreciate your patience while we wait for our team to have a look at this but we wanted to let you know that we see this and share with you the plan for what comes next.

We wish we could work with everyone directly and assess your issue immediately but we're in the fortunate position of having lots of contributions to work with and only a few humans who are able to do it. We are making progress though and in the meantime, we will keep you in the loop and let you know when we have any questions.

Thanks, from your friendly Umbraco GitHub bot :robot: :slightly_smiling_face:

elit0451 commented 2 months ago

Hi @russellshome 👋

Thanks for reaching out! I was able to reproduce this issue: when a member is saved from a user who is not part of the Sensitive data user group, the "Approved" toggle is automatically switched off. Unfortunately, since Umbraco 10 is no longer in its support phase, the only thing we can do here is to advise you to upgrade to version 13, where, as you pointed out, the problem was resolved.

Here is the list of Long-term Support & End-of-Life for Umbraco CMS versions for reference: https://umbraco.com/products/knowledge-center/long-term-support-and-end-of-life/

elit0451 commented 2 months ago

Meanwhile, you can see the fix for v13 here.