User must have View permission on default Site to edit on other Sites - v5.x

[craigWagner99]

Describe the bug

User must have at least View permissions on the default site or they can not edit content on any other host.

Even if the page/template/container/contentlet/workflow/etc. have proper permissions.

Steps to reproduce the behavior:

1. add new site
2. add new Role and User
3. Permission Role to be able to edit pages on new site
4. Create new Page Content Type / content / Container / Template and grand permissions to new role
5. Add a Workflow to CT and CT contentlet
6. Add Role to Workflow
7. Create new folder
8. Create new page in the folder

Expected behavior

Role should have permissions to create / edit pages.

Actual Behavior

User cannot - Access Denied Error

Workaround

Adding at least "View" permission to the default site allows editing.

Screen Recording reviewing entire issue:

https://drive.google.com/open?id=1G_CP9tXy9Czl0z3Sik2aNbm_MeNRxQF1

Desktop (please complete the following information):

• OS: n/a
• Browser chrome/FF
• Recreated on demo version - 5.2.1

[freddyucv]

PR #17759

[wezell]

This change has performance problems as it forces an index lookup for every host lookup. I think we need a 404 cache on it.

[freddyucv]

PR: #17832

[nollymar]

Tests Results: Success

[bryanboza]

After this fix, we still with a couple of problems navigating in other sites:

If you add full permissions to handle the new site to this role.

• Unable to add rules: https://gist.github.com/bryanboza/a3f8f9cbe80ca960db1e28f8b2dcc71f (moved to Unable to add rules if you don't have default site permissions #18023 )
• Unable to execute WF: This is causing you can't add pages, files or anything (moved to Unable to execute workflows if you don't have default site permissions  #17876)
  Unable to handle users: https://gist.github.com/bryanboza/bd62f77e3a51a686f647562db3dda707
• Unable to use the time machine (moved to Future Time Machine does not display future publish content #17594 )

[wezell]

@bryanboza only CMS Admins can manage users.
I think the other issues are all new cards.

[bryanboza]

@wezell , After this fix we don't have the error if you try to edit an existing page, but if you try the steps provided by the client

1. add new site
2. add new Role and User
3. Permission Role to be able to edit pages on new site
4. Create new Page Content Type / content / Container / Template and grand permissions to new role
5. Add a Workflow to CT and CT contentlet
6. Add Role to Workflow
7. Create new folder
8. Create new page in the folder

We can't do that since you are unable to add a new page, because you don't have available workflow actions, I reported this on the #17876 .

In the main description of the bug they are talking about add//edit pages, this why I send this card back...

[freddyucv]

You can do that if you add permission to "Edit content" for all sites, this is a bug but is another issue

[bryanboza]

Yes @freddyucv in this case when you add permissions to All Sites this includes the default one, that's why now it is working. But don't make sense need to add permissions to all sites, we need be able to handle this individually

[dsilvam]

Originally commented by @wezell:

@freddyucv @dsilvam this fix is still hitting elasticsearch every request:

ab -c 10 -n 10000 http://localhost:8080/about-us/index

[wezell]

@dsilvam is Freddy's fix making it into 5.2.4? It should I believe

[dsilvam]

yes 5.2.4 @wezell

[dsilvam]

Passed Internal QA: HostAPIImpl.resolveHostName is not showing anymore in the profiling via glowroot when performing
ab -c 10 -n 10000 http://localhost:8080/about-us/index

[freddyucv]

PR: #17892

[bryanboza]

Fixed, tested the performance problems after the last fix, and now we don't have calls to that method

Tested starting dotCMS in profile mode and tracking the ab request with Glowroot.
SC: https://content.screencast.com/users/Bryan_Boza/folders/Snagit/media/9cb13fa8-8029-4e46-8924-d34e8fccb5a2/2020-01-24_14-52-53.png

Tested on release-5.2.4 // Postgres

[bryanboza]

All the new bugs on this card was moved to separate cards, here the references:
#17612 (comment)