Template picker showing on skin embedded apps for logged in users without permissions

[6TELOIV]

That's a very long title...

I'm submitting a

[x] bug report

...about

[x] edit experience / UI
[x] DNN parts

Current Behavior / Expected Behavior

For apps embedded in a skin on DNN, users who are logged in but don't have crud permissions on the app see an app view selector button:

The also see a toolbar, and get various errors when clicking the buttons on it. This error is from clicking the "change layout" toolbar item:

Uncaught (in promise) TypeError: Qe.getTag(...) is null
    code command-layout.ts:20
    f cms-engine.ts:127
    promise callback*e.prototype.run cms-engine.ts:125
    detectParamsAndRun cms-engine.ts:62
    r sxc-global-cms.ts:127
    do sxc-global-cms.ts:141
    runInternal sxc-global-cms.ts:130
    run edit-manager.ts:40
    onclick (index):1

Clicking the button gives the view selector menu but it never loads:

The second tab says TemplatePicker.ViewNeedsContentType:

Once granted crud permissions, this all goes away (template button and toolbar no longer show):

Also, when viewing the page where the "real" module lives, the issue goes away as well (template button and toolbar no longer show):

The apps are embedded in the skin using the following method:

<%@ Import Namespace="DotNetNuke.Entities.Modules" %>
<%@ Import Namespace="ToSic.Sxc.Dnn" %>
<%@ Import Namespace="ToSic.Sxc.Services" %>
<!-- * * * -->
<%= this.GetScopedService<IRenderService>().Module(77, 446) %>

Instructions to Reproduce the Problem

1. Create an app
2. Create a user with no crud access
3. Add the app to a page
4. Embed the app in the skin using the method outlined above
5. Login as the other user and view a page where the "real" app isn't and the skin app is.

Your environment

• 2sxc version(s): 17.6.3
• Browser: all
• DNN: 09.13.02
• Hosting platform: azure
• Language: English

[iJungleboy]

I tried to reproduce but everything seems to work. My guess is you're doing something special. Here's what I did:

1. user basic-user - no permissions, just registered user - so no edit permissions and correspondingly also no crud
2. module on a specific page etc.
3. also added to Theme
   ...everything works.

Not sure what you did, but I believe you did more special stuff ;) ?

Maybe some draft data or strange edit permissions?

[6TELOIV]

I had noticed today that it wasn't showing on certain pages, but was showing on others. Something additional to try would be adding an app to the page that they DO have permission to edit. That might be a part of it. Additional context is that this was a V16 install that was upgraded to V17. That could be part of the problem as well.

…

On Tue, May 14, 2024, 2:08 PM iJungleboy ***@***.***> wrote: I tried to reproduce but everything seems to work. My guess is you're doing something special. Here's what I did: 1. user basic-user - no permissions, just registered user - so no edit permissions and correspondingly also no crud 2. module on a specific page etc. 3. also added to Theme ...everything works. Not sure what you did, but I believe you did more special stuff ;) ? Maybe some draft data or strange edit permissions? — Reply to this email directly, view it on GitHub <#3380 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABS33DDAXBWZF6423V2RIPDZCJHIDAVCNFSM6AAAAABHS2GEK2VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCMJQHAZDKMZWGU> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[iJungleboy]

The upgrade almost certainly is not relevant.

That the user has edit permissions is, but it feels confusing that he has edit but seems to not have edit?

If he has edit, how can he not have CRUD?

[6TELOIV]

I have narrowed down the issue. Here are the steps to reproduce.

• Create User with no DNN permissions (Test User)
• Make an app where Test User DOES NOT have any permissions (App 1)
• Make an app where Test User DOES have CRUD permissions (App 2)
• Add an App 1 module to a page
• Embed that instance of App 1 in the skin using <%= this.GetScopedService<IRenderService>().Module(X, Y) %>
• Create a new page using the skin with the embedded app
• Login as Test User and observe that the behavior is the normal.
• Add an App 2 module to the page.
• Login as Test User and observe the now visible template picker which cannot be dismissed by the user.

I just followed these steps to reproduce the issue on my local machine. As a note, the system will need to be registered to give just the user permissions. I'm not sure if this is a necessary step or not; it seems that the only criterion needed to cause the bug are: don't have permissions on the app in the skin, and DO have permission on an app on the page.

---

That the user has edit permissions is, but it feels confusing that he has edit but seems to not have edit?

Our content editors only have permissions to edit certain apps. They can edit the basic textual apps that we use for content on pages, but they are not allowed to edit our social media links, the search app, footer contact links, news releases, and many of our other apps. That's why they have CRUD permissions on "App 2" but not "App 1" (in this minimal reproducible demo)

[ajplopez]

I can confirm that I'm experiencing this issue on a brand new site that uses 9.13.03 and 17.9.0.

I have a menu that is injected into the theme's .ascx file. Everything works great for SuperUser, Administrators, and the public.

But I created a new role called "Content Editors" and they have permissions to 1 module on 1 page, and when the Content Editor is logged in, they see the big blue icon and the 2sxc App Chooser/Template Chooser section that spans the bottom of the browser.

[iJungleboy]

@ajplopez will look into this. Note BTW that DNN 10 will plan to come with a built-in role called "Content Editors" which has some long awaited features. To avoid your existing role being repurposed, I recommend you rename it.