API-calls to Layout Service that user does not have permission for are redirected to /sitecore/service/notfound.aspx #145
When a user is trying to access a route which they do not have access to in connected mode, the layout service call is redirected to login.aspx (HTTP code 302), which in turn seems to be redirected to sitecore/service/notfound.aspx, which fails. In the JSS app this results in a "TypeError: Cannot read property 'sitecore' of null"-error in RouteHandler.js.
Expected behaviour (in my opinion) would be to get a 403-response or JSON-response from the Layout Service saying that this item is inaccessible to the current user, and it would then be up to the client to decide how to handle this (show an access-denied page, redirect to custom login route, or similar).
Steps To Reproduce
Possible fix could be to change the behavior as described under the Expected behavior section, although there are likely other ways to fix this as well. If the default behavior is not changed, it would at least be good to have an easy way to change the default behavior.
Out of curiosity, after starting the app in connected mode, are you browsing to
This issue sounds familiar, but I'm not having any luck locating prior information. I think if you're not in incognito (or a separate browser) in this scenario, then Sitecore will handle the request and redirect to the login page before Layout Service has a chance to handle it.
Never mind, that is not the problem. I found the prior issue I was thinking of and, while somewhat related, it is not the same: https://sitecore.stackexchange.com/questions/13387/jss-start-connected-mode-issue/13388
My guess is something in the
After some investigation, the behavior you're seeing is being caused by Identity Server. Basically, when Layout Service (or likely any MVC controller) returns a
This is not an issue if Identity Server is disabled in your Sitecore instance and you are instead using the traditional Forms Authentication. In that scenario, the Layout Service controller sets
We've raised the issue with the Identity Server/Auth/Owin team to find a good long-term solution.
In the meantime, there are a couple workarounds (outlined below). Both revolve around a pipeline named
Hi @aweber1! One slight modification I did to the second workaround suggestion:
Upon login, the SkipLayoutServiceRequest processor will cause an error, resulting in the user ending up on an error page (even though the login is successful). PageContext.Current throws an exception with the message: Attempt to retrieve context object of type 'Sitecore.Mvc.Presentation.PageContext' from empty stack.
Edit: .... And I just realized you just updated the code above with the exact thing I was about to tell you about xD
Edit 2: Aside from writing unnecessary comments, I also managed to close this ticket accidentally... I'll reopen it, sorry for the confusion.
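A client-side guard for the failure described in this thread, as an added example that is not part of the original issue or of the JSS code base: it classifies a Layout Service response so the route handler receives an explicit "denied" result instead of null route data. `classifyLayoutResponse`, the result kinds and the sample hosts and item paths are assumptions made for illustration.

```javascript
// Added example: plain objects stand in for fetch() Response fields
// (status, redirected, url, type) plus the content type and body text.

// Paths taken from the issue; matching on them is a heuristic (assumption).
const REDIRECT_TARGETS = ['/login.aspx', '/sitecore/service/notfound.aspx'];
const none = (kind) => ({ kind, routeData: null });

// Hypothetical helper: always returns { kind, routeData }, never a bare null.
function classifyLayoutResponse(res) {
  const path = new URL(res.url || '/', 'https://placeholder.invalid').pathname.toLowerCase();
  const landedOnAuthPage = REDIRECT_TARGETS.some((p) => path.endsWith(p));

  // redirect: 'manual' yields an opaque redirect; redirect: 'follow' sets
  // `redirected` and reports the final URL. A missing item that ends on
  // notfound.aspx cannot be told apart from a denied one at this point.
  if (res.type === 'opaqueredirect' || (res.redirected && landedOnAuthPage)) return none('denied');
  if (res.status === 401 || res.status === 403) return none('denied');
  if (res.status === 404) return none('not-found');

  const isJson = (res.contentType || '').toLowerCase().includes('application/json');
  if (res.status < 200 || res.status > 299 || !isJson) return none('invalid');

  let data;
  try {
    data = JSON.parse(res.body);
  } catch (err) {
    return none('invalid');
  }
  // Guard the exact property access that throws in the issue.
  if (!data || typeof data !== 'object' || !data.sitecore) return none('invalid');
  return { kind: 'ok', routeData: data };
}

// Constructed samples (host and item paths are made up).
const LS = 'https://cm.example.test/sitecore/api/layout/render/jss';
const SAMPLES = {
  ok: { status: 200, redirected: false, type: 'basic', url: LS + '?item=/', contentType: 'application/json; charset=utf-8', body: '{"sitecore":{"route":{"name":"home"}}}' },
  followedRedirect: { status: 404, redirected: true, type: 'basic', url: 'https://cm.example.test/sitecore/service/notfound.aspx', contentType: 'text/html', body: '<html></html>' },
  manualRedirect: { status: 0, redirected: false, type: 'opaqueredirect', url: '', contentType: '', body: '' },
  explicit403: { status: 403, redirected: false, type: 'basic', url: LS + '?item=/secure', contentType: 'application/json', body: '{}' },
  nullBody: { status: 200, redirected: false, type: 'basic', url: LS + '?item=/secure', contentType: 'application/json', body: 'null' },
};

for (const [name, res] of Object.entries(SAMPLES)) {
  console.log(name, '->', classifyLayoutResponse(res).kind);
}
```

A route handler can branch on `kind` to render an access-denied view or send the user to a login route, and only read `routeData.sitecore` when `kind` is `'ok'`.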