2.5.4 requires view_template permission for listing templates, triggers permission denied popup ("200 OK error") #13243

Open
funkyduke opened this Issue Jan 6, 2017 · 32 comments


@funkyduke

Summary

When logging in as a user with permissions, the famous 200 OK error is back after upgrading to 2.5.4. (https://forums.modx.com/thread/?thread=92206)

Solution

The solution I found was to check the permission 'view_template'.

Steps to reproduce

Set permissions for a user and log in. Admins with all rights have no problem.

Observed behavior

You get the 200 OK error

Expected behavior

No 200 OK error

Environment

MODX 2.5.4 / PHP 5.5 or higher

@Mark-H
Collaborator
Mark-H commented Jan 6, 2017

If the user doesn't have permission to view templates, they will get an error that they don't have permission to access a template when, for example, listing templates. While the error is not very descriptive, this does not seem like a bug?

@jaygilmore
Member

If it returns a mystery error message, it's a UX bug. If it's showing that old dialogue with 200 and the okay button, that's not just obtuse, it gives the impression of something being broken or that the user may have done something wrong.

It should have error-state microcopy associated with it whenever someone attempts to access something they are not permitted to access, something like "You do not have permissions to access this [OBJECTNAME], please contact your site administrator".

@funkyduke

In previous versions of MODX (< 2.5.4) there were no problems. After upgrading to 2.5.4, the error 200 OK message is back when the user goes to a resource to update it. See the forum for more info about this error; many had this problem in the past, as did I. When checking 'view_template' the error is gone. To me that seems like a bug.

@jaygilmore
Member

Are you suggesting that the Admin or SUDO user doesn't have View Template access by default or is this after creating a new user with a specific set of user permissions?

@Mark-H
Collaborator
Mark-H commented Jan 6, 2017

It sounds more like you restricted the user account in the past, but never logged out and back in to update the permissions cached in the session. Then along comes 2.5.4, which wipes the session table, and now a simple configuration issue is a bug in a new version? :P

Improving the error message is tracked in #12568.

@funkyduke

For the Admin or SUDO everything is fine. It's after creating a new user who has a set of user permissions. Or, in the case of MODX 2.5.4, after upgrading to 2.5.4, the existing user permissions of that policy.

@jaygilmore
Member

Right, @Mark-H, and thanks for sharing the error message task. @funkyduke, I think we need to understand the nature of the user in question for sure.

@jaygilmore
Member
jaygilmore commented Jan 6, 2017 edited

I'd say if we fail to give users the appropriate permissions, only the error message is the problem, then. The proper message would lead you, the site builder, to be able to associate the problem with the lack of permission on the user account. I am not sure if this is a bug either at this point.

@funkyduke
funkyduke commented Jan 6, 2017 edited

I have updated more than 50 sites to 2.5.4 and all of them have the error message. I am now logging in one by one to check view_template. I don't know how to fix this in another way.

@Mark-H
Collaborator
Mark-H commented Jan 6, 2017

Sorry if I'm being too dismissive of this issue @funkyduke, I'll gladly be proven wrong that this is an actual bug in 2.5.4, but it just sounds like "I didn't give my user the right permission and they got a pop-up telling them they didn't have the right permission".

If you can provide further information that this is an actual bug, and not just a configuration issue you've copy/pasted into those 50 sites, that would be most welcome.

@jaygilmore
Member

What version of MODX are the sites needing upgrade on currently @funkyduke?

@funkyduke
funkyduke commented Jan 6, 2017 edited

@Mark-H I know it's a very annoying issue, but as you can see in the forum, many had this problem in the past. I also had this problem in the past, and then we had to give a certain permission not to have this error, and everything went fine until this upgrade to 2.5.4. Most of my sites were on 2.5.2 before the upgrade; some had an earlier version (but never very old). So if the user shouldn't have the right permissions, why did it work in the past without the 'error 200 OK' message, and now with the upgrade the error is back? On all of my websites? When upgrading nobody was logged in and I cleared the cache before the upgrade.

@funkyduke

For info: if you click the error away, you can update the resource normally.

@jaygilmore
Member

@Mark-H any chance #13174 could have affected this? I don't have any clue, though. There really aren't that many changes between 2.5.2 and 2.5.4 so I am a little unsure of why this would show up.

@funkyduke

The full message is this:

Code: 200 OK {"success":false,"message":"Toegang geweigerd!","total":0,"data":[],"object":[]}

@Mark-H
Collaborator
Mark-H commented Jan 6, 2017

Actually, yes, that could be related Jay. Good find, didn't realise that had been merged in.

IIRC that permission would've been checked already though, so older releases wouldn't have been able to view the list of templates. The pop-up would be new, but it wouldn't have worked properly before.

@funkyduke

If it can help, I can always send you my editor.policy.xml file.

@Mark-H
Collaborator
Mark-H commented Jan 6, 2017

Ugh, looks like it only checked the list permission on the object before (I think that's the category permission it checks there), not view_template.

Not sure if I'd call it a bug because of what's in #13174 but that does explain why the popup only started showing in 2.5.4.

@Mark-H Mark-H changed the title from 200 OK error is back to 2.5.4 requires view_template permission for listing templates, triggers permission denied popup ("200 OK error") Jan 6, 2017
@Mark-H
Collaborator
Mark-H commented Jan 6, 2017

@funkyduke How would that help? You already identified the permission in your first post.

@funkyduke

@Mark-H No problem. Maybe you needed a full list of all permissions checked. But I see you have found the issue in the meantime. Thx for the help.

@jaygilmore
Member

In consideration, I think the UI should not throw an error when viewing a Resource if you don't have view_template permissions but just not display the field or disable the field. It should only throw an error if someone were to somehow try to access templates in the Elements tree or via a direct link.

@ckburnett
ckburnett commented Jan 6, 2017 edited

@Mark-H, @jaygilmore - One other thing beyond the popup error comes from this change of permission check from list object to view_template: if view_template isn't selected in the policy, you can't view the list of templates and thus can't change the template for a resource.

You're right. It's not really a bug, but it is a change in how the permissions are used, and thus something that worked before might not on upgrade (depending on the access policies in use), without a change in impacted access policies.

@Mark-H
Collaborator
Mark-H commented Jan 6, 2017

That's a good summary @ckburnett. Oversight on my part when adding the permission to that processor.

Another consideration is that the default content editor policy that ships with MODX doesn't have the view_template permission, meaning the defaults result in an error, so this'll need to get fixed one way or another.

@rsdesign007

Thanks funkyduke. I try to keep all my sites updated to the latest version. After updating my first site to 2.5.4 today I spent several hours reading old forum solutions, and pulling my hair out to solve the old famous Code: 200 OK error. The only suggestion that solved the problem was to check the permission for view_template. Now I'll try updating all the others. Thank you!

@OptimusCrime
Contributor

@Mark-H Would adding this permission to the default policies be a viable solution for this problem?

@jaygilmore
Member

@OptimusCrime I don't think so. I think there is a legitimate reason that you'd want to prevent the error from displaying on the resource create/update view yet still prevent the access to the templates from the tree. I am also not sure if changing the default ACL for the built-in perms will update on upgrade.

@OptimusCrime
Contributor

That is true. However, the error box has always been there and has more "problems" than just this one incident.

@pixelchutes
Collaborator

To me, it comes down to if view_template is strictly for viewing the actual contents of the template (not to be confused with edit_template), vs. fetching a list of available Templates.

Based on how load, list, view works in other areas throughout the system, to me this seems like a valid bug. Fetching a list should probably only require listing permissions (likely why it was list before #13174), especially since we don't have list_template, etc. for finer control.

It's tricky, where do you draw the line? Should all /getlist processors only require one single list permission?

Basic permission to "list" any object. List means to get a collection of objects.

Example:

...
- element/tv/getlist 		set to view_tv
- element/template/getlist 	set to view_template
- element/plugin/getlist 	set to view_plugin
- element/chunk/getlist 	set to view_chunk
- element/category/getlist 	set to view_category
- element/snippet/getlist	set to view_snippet

vs.

...
- element/tv/getlist 		set to list
- element/template/getlist 	set to list
- element/plugin/getlist 	set to list
- element/chunk/getlist 	set to list
- element/category/getlist 	set to list
- element/snippet/getlist	set to list
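To make the distinction above concrete, here is an added example (not MODX code) that models a getlist processor gating access on one named permission and audits a custom policy against the before/after mapping for the template processor; the permission sets and response bodies are constructed stand-ins.

```python
"""Added example, not MODX's own code: a small model of how a MODX 2.x getlist
processor gates access on a single named permission, used to audit a custom
access policy before upgrading from 2.5.2 to 2.5.4."""
import json

# Required permission per processor. Only the template row changed in 2.5.4
# (#13174); the chunk row is an assumed stand-in that keeps the generic 'list'
# check, so the audit shows what changes and what does not.
PROCESSOR_PERMISSION = {
    "2.5.2": {"element/template/getlist": "list", "element/chunk/getlist": "list"},
    "2.5.4": {"element/template/getlist": "view_template", "element/chunk/getlist": "list"},
}

# Constructed stand-in for what a content editor policy grants: it has the
# generic 'list' permission but not 'view_template', like the default editor
# policy described in the thread.
EDITOR_POLICY = frozenset({"list", "view", "edit_document", "save_document"})


def run_processor(action, granted, version):
    """Return (HTTP status, JSON body) as the manager would receive it.

    A failed permission check still answers HTTP 200 with success=false,
    which is why the manager shows the confusing 'Code: 200 OK' dialog.
    The denied body mirrors the one quoted in the thread; the success body
    is a simplified, constructed shape."""
    required = PROCESSOR_PERMISSION[version][action]
    if required not in granted:
        body = {"success": False, "message": "Access denied!",
                "total": 0, "data": [], "object": []}
    else:
        body = {"success": True, "total": 1,
                "results": [{"id": 1, "templatename": "Base"}]}
    return 200, json.dumps(body)


def audit_policy(granted, version="2.5.4"):
    """List the getlist processors the given policy would be refused on.

    Run this against each custom policy before upgrading to spot the
    'works in 2.5.2, pops an error in 2.5.4' case in advance."""
    return sorted(action for action, perm in PROCESSOR_PERMISSION[version].items()
                  if perm not in granted)


if __name__ == "__main__":
    print(audit_policy(EDITOR_POLICY, "2.5.2"))  # []
    print(audit_policy(EDITOR_POLICY, "2.5.4"))  # ['element/template/getlist']
    print(run_processor("element/template/getlist", EDITOR_POLICY, "2.5.4"))
```

Adding 'view_template' to the granted set (or, as proposed above, moving the processor back to the 'list' check) empties the audit result for 2.5.4.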
@davidpede
Contributor
davidpede commented Jan 31, 2017 edited

Had the same issue. Upgraded sites to 2.5.4 and all manager users with a custom policy received 'error 200 OK' popup when trying to edit any resource. The console showed it was the getList action returning the error.

The 'uses template' drop down showed zero and the list was blank. I ticked the 'view_template' option in their access policy and problem solved.

No issue in version 2.5.2. This is very confusing because of the access policy labels and the non-descriptive error. For example, 'view_tv' is not selected for these users, but there are no errors or issues viewing or editing resource TVs.

@pmacswebteam

Our team is having this issue as well. Glad to know there is a fix!

@himurovich

Also relevant for me; I forgot to create an issue, but someone is always faster :)
