-
-
Notifications
You must be signed in to change notification settings - Fork 528
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
"Permission denied" alerts for limited access policy Users #12568
Comments
Ok, I've finally traced it down to 0ba1005 which modified manager/assets/modext/widgets/core/modx.combo.js in #12354 Specifically, it is stemming from this fireEvent call when the settings panel is empty (per missing The combo doesn't load (e.g. "fails" silently), and works as before...until the @theboxer any ideas on how to account for both scenarios here? |
It appears one way to solve this specific scenario is to prevent the entire "Settings" tab from rendering if no |
Actually, the user edit form depends on both "settings" and "namespaces" permissions. as required by the settings grid, and the namespace combo "modx-combo-namespace". This is wrong, it makes no sense to allow manager users to edit namespaces nor system settings, just because they require to edit users. (and that's not the only case) I was about to send a PR with a solution, but I'm not convinced. The current MODx approach would be to expand "settings" and "namespaces" to multiple permissions. e.g.: namespace_view, _delete, _edit, _new, _save. (related with each processor's duty). BUT:
Perhaps another opinion about "permissions 2.5/3.0" would help? @opengeek @theboxer |
Then if i want create and editor user that manager the user i must do access permission of "settings" and "namespaces" ?? |
@oori @brescianicri Completely agree. 😞 I'm hopeful that a solution can be presented to at least restore this critical functionality to MODX I'm not sure of the implications of reverting this line of code...could be an option? @theboxer can you comment for us? Maybe there's an additional check that could account for combos who's store can't be populated as a result of no permissions, preventing the While ideal, any kind of improvement or overhaul to permissions for |
we're having the same problem on sites recently running 2.4.2 ... when setting up new users in the manager, this error fires off when viewing their user info:
|
@pixelchutes reverting that line of code wouldn't do it. the issue is in the processors (getlist specifically) |
Thanks @oori. In my testing, it was that line of code triggering the processor resulting in the "permission denied" alert. You're absolutely right, the root of the problem runs much deeper. |
I have updated the title of this issue to reflect the previous conversation, and the fact that this issue is present outside of editing Users. It can happen when editing Resources (I believe since 2.4.3?) and other content, too. This is an impactful regression issue since 2.4.0 that deserves proper attention. |
I'm unfortunately new to all of this.. I have this issue on users who do not have full admin rights but should have enough to edit users. I have given the settings and namespaces permissions but the problem persists. As soon as you visit Manage -> Users the error pops up. Any thoughts? Currently on an unmodified version of 2.4.2-pl (not sure if this problem has been addressed at all in another version but this conversation suggests it has not been). |
This is a system wide error that was introduced in |
I'm getting the same: Code: 200 OK when clicking save on the resource edit screen. Save still works, you just get this pop up box. |
Not every "Code 200 OK permission denied" error has the same root cause. The problem in each case is the lack of a specific permission though. In the case of editing the resource it's probably either the class list or content types (on the resource settings tab) that doesn't have sufficient permissions. I'm not sure what the best way to resolve #12568 (namespaces dropdown triggering the error) is either, though I'm leaning towards a new permission for listing the namespaces. If that permission is not available, don't show the combo. The problem with not showing the combo is that users might not be able of switching namespaces to get to the setting they should be able of editing. Other areas this might also affect include the lexicon management (which is what the modAccessNamespaces was introduced for) and system/context settings. |
Is it possible to make the combo more conclusive as to which permission is causing it? Maybe use the debug system setting to control whether they are displayed or not. |
Another note is that the "permission denied" errors have always been the case for limited access users like this, however before |
Show them in the js console but don't display them on the screen. Developers like me who create limited permission accounts know we are opening up a configuration can of worms and don't need to pass more problems along to end users. |
@pyrographics Exactly. That's how it actually worked through |
ACLs have a discovery problem where the UI is suboptimal and the error messages insufficient. Hiding the error messages in the console really doesn't help make ACLs better. What if the permission denied error showed the name of the permission that was required? The errors seem pretty scattered across the core from a quick search, but adding a new lexicon for something that says "Permission denied! Your account requires [[+permission]] to complete this action, which you have not been granted." and updating the various processors to pass the required permission in there... wouldn't that help? |
Displaying / logging the permission would be awesome. I've had a tough time tracking issues down occasionally. Bonus points for also displaying/logging the bit of the system that's making the request. |
Totally agree. This would be incredibly helpful for debugging, or new users to MODX ACLs, eliminating much of the current guess-work that's often involved. |
Suggested idea related to #12693 |
Did this issue change from being a bug report on a missing ACL to becoming a suggestion for how to log/display error messages related to permissions? The original issue was solved in PR #13508. |
Hmm...I don't think so? This started as a regression issue in |
Ah, yes. I see. Sorry about that. |
Improved in #15402 |
Summary
Everything functioning as desired in MODX 2.3.5 with a custom "customer service" user role, tied to a custom access policy with limited permissions (enough to change basic user profile fields / passwords, etc), but
settings
permission is not granted, as User Settings / System Settings access is not desired.Upgrading to MODX 2.4.0-pl, and now a "Permission denied." alert is shown on each page load when attempting to update a user.
Step to reproduce
Create a User, assigned to a custom role tied to a custom policy without
settings
permission access. Login as the new user and attempt to edit another User in the system.Observed behavior
Permission Denied alert is now prompted on every page load when editing a user once the following processor is called:
system/settings/getAreas
Expected behavior
Prior to the 2.4.0 upgrade, these processors did not alert the permission denied error each time. This was just fine since the access policy did not grant
settings
permission, and "failed silently", allowing the customer service user to administer users without issue, to the extent their access allowed. User settings grid was empty (by design).Now a confusing "permission denied" prompt is alerted by simply loading the page...
Hopefully there is a way to suppress this warning / error message, as it is important to be able to provide limited access controls in the Manager (e.g. to only manage users) without having to grant access to
settings
(System Settings!) to do so.Environment
MODX 2.4.0-pl, Chrome 46
The text was updated successfully, but these errors were encountered: