Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Granular permissions not behaving correctly #18517

Open
arminmacic00 opened this issue Feb 28, 2025 · 4 comments
Open

Granular permissions not behaving correctly #18517

arminmacic00 opened this issue Feb 28, 2025 · 4 comments
Labels
affected/v15 state/reproduced type/bug

Comments

@arminmacic00
Copy link

arminmacic00 commented Feb 28, 2025
edited
Loading

Which Umbraco version are you using? (Please write the exact version, example: 10.1.0)

15.2.2

Bug summary

I have a User group in which deleting nodes is enabled, but if I disable deleting a node in Granular permissions, it also disables deleting its children. It shows the option to delete, but when I try to do it, I get a message saying the user doesn't have access.

Also if I disable creating nodes, but enable it for a node in Granular permissions, its children won't have the option to create nodes.

In one case the children inherit the parent's permissions, but in the other they don't.
I'm pretty sure at least one of these is a bug.

Specifics

No response

Steps to reproduce

User group permissions:

Image

Permissions for a specific node:

Image

If I try deleting its child:

Image

And there is no option to create a node inside of the node's children, I can only create it directly inside of that node.

Expected result / actual result

I want to disable deleting a node, but enable deleting its children.
I also want to disable creating a node in the root, but enable creating nodes inside of the node's children.
Instead, the opposite happens in both cases.
@github-actions GitHub Actions
Copy link

Hi there @arminmacic00!

Firstly, a big thank you for raising this issue. Every piece of feedback we receive helps us to make Umbraco better.

We really appreciate your patience while we wait for our team to have a look at this but we wanted to let you know that we see this and share with you the plan for what comes next.

  • We'll assess whether this issue relates to something that has already been fixed in a later version of the release that it has been raised for.
  • If it's a bug, is it related to a release that we are actively supporting or is it related to a release that's in the end-of-life or security-only phase?
  • We'll replicate the issue to ensure that the problem is as described.
  • We'll decide whether the behavior is an issue or if the behavior is intended.

We wish we could work with everyone directly and assess your issue immediately but we're in the fortunate position of having lots of contributions to work with and only a few humans who are able to do it. We are making progress though and in the meantime, we will keep you in the loop and let you know when we have any questions.

Thanks, from your friendly Umbraco GitHub bot 🤖 🙂

@AndyButland
Copy link
Contributor

Some findings from investigation here:

To my understanding document permissions should inherit, Not sure if that is documented - at least I couldn't find it - but that is what I'm seeing from older issues and discussions.

So for the report here on delete, looks like the server is correct in denying the permission to delete the children but there is an error on the client side in that you shouldn't be presented with the option to delete.

I dug a little and found this in UmbDocumentUserPermissionCondition:

/* If there are document permission we check if there are permissions for the current document
 If there aren't we use the fallback permissions */
if (hasDocumentPermissions) {
	const permissionsForCurrentDocument = this.#documentPermissions.find(
		(permission) => permission.document.id === this.#unique,
	);

	// no permissions for the current document - use the fallback permissions
	if (!permissionsForCurrentDocument) {
		this.#check(this.#fallbackPermissions);
		return;
	}

	// we found permissions for the current document - check them
	this.#check(permissionsForCurrentDocument.verbs);
}

Which on the basis of what I said above, isn't complete. It should be looking for permissions on the current document or any ancestor and use those, and if not, use the fall back permissions.

Unfortunately I see we only have the document's unique Id and the entity type available here, whereas it needs the unique for all the ancestors too.

The issue for create sounds the same - in this case we are allowing, but again it's not finding the "allow" rule as it's not looking at the ancestors.

@AndyButland
Copy link
Contributor

I believe this effectively duplicates the issue described here: #17870

I'll close this other issue as a duplicate given I've added findings already to this issue, but it's worth reviewing it for another setup that describes the same underlying problem.

@AndyButland AndyButland marked this as a duplicate of #17870 Mar 6, 2025
@arminmacic00
Copy link
Author

arminmacic00 commented Mar 7, 2025
edited
Loading

@AndyButland Thank you for your investigation.

So the issues are on client side for delete, where it shouldn't show the option at all, and on server side for create where it's not checking for the ancestor's permissions properly?

# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
affected/v15 state/reproduced type/bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@AndyButland @nielslyngsoe @arminmacic00