IMPORTANT! Security patch breaks backoffice for non-Administrator users #15435
Comments
Hi there @creativesuspects! Firstly, a big thank you for raising this issue. Every piece of feedback we receive helps us to make Umbraco better. We really appreciate your patience while we wait for our team to have a look at this but we wanted to let you know that we see this and share with you the plan for what comes next.
We wish we could work with everyone directly and assess your issue immediately but we're in the fortunate position of having lots of contributions to work with and only a few humans who are able to do it. We are making progress though and in the meantime, we will keep you in the loop and let you know when we have any questions. Thanks, from your friendly Umbraco GitHub bot 🤖 🙂
I have also replicated this issue when trying to access the CSS file that is used for an RTE dropdown. Not sure if the fix will cover that? Obviously a lot of people are upgrading websites in light of the security alert this morning so an idea of when the new version would be available would be appreciated.
Yep, that bug has been reported here: #15434
@benbracedigital Looks like it's out
We had to downgrade from the security patch to fix this for our users, as it stopped all the editors from doing their work. I can see that the patch to fix it has been released now, so we were going to re-upgrade to get the security patch put back in place, but the package "Umbraco.Cms.StaticAssets" doesn't have a 12.3.5 version, and "Umbraco.Cms" requires at least 12.3.5, so any attempt to upgrade fails. The 10.8.2 package is out, but not the one for v12.
It looks like it has released now, I've been able to upgrade |
This should now be fixed in 10.8.2 🚀 |
@bergmania @Zeegaan Might be a good idea to update the links in the security advisory to make sure people don't install the broken patch. |
Does this impact v7 for those of us with XLTS? |
@lukehook V7 should not be affected to the best of my knowledge 😁 |
We have a few websites in Umbraco Cloud and the update was applied last night, super. The error from yesterday seems to be fixed. We do see a new thing, the bin from both content and media is gone for custom user groups. We have to add the role 'editor' to get the bin back. |
@MartinTiemens which version is this on 😁 |
Thanks, is it possible to get definite confirmation of that from HQ please? Also, is the start node issue noted above something that is likely to also need another patch? (thinking ahead to deployments we had planned today) |
We are on the latest version 12.3.5. The rootnode was set to the first node (homepage) and not to the content root. If I change the rootnode to the content root the bin is back. Now I'm not sure if this is by design and was already there before 12.3.4 or that this changed today. |
@lukehook there was an official update to the blog post, and 7 is not included in the issues, so that's the confirmation 😁 https://umbraco.com/blog/security-advisory-security-patches-for-umbraco-8-10-11-and-12-now-available/
@MartinTiemens Testing on earlier versions of 12, you didn't have access to the recycle bin with that either, so luckily no more regressions, it seems (famous last words 🙈 )
Famous last words indeed.
I will test it further, but I don't seem to have the problem on another machine. |
I'm observing the same as DORE-PD, Users require access to the content section in order to view any section tree. This seems to be because the GetAllLanguages() endpoint has had a new authorisation policy added. |
Ufff, this is a fail... Testing team in HQ not having some kind of automated regression testing in place like Cypress, etc.? |
Well, I still have the problem. |
After Umbraco 13 was released today, I have now also updated the project to 13. But the problem still exists there too. |
Please reopen this. This issue still exists on 8.18.11. |
@DORE-PD a patch |
Hey @Zeegaan , thanks for the info. |
@DORE-PD, yes we will look into that. ETA next week |
@bergmania Good to hear, thank you! |
I'm also still seeing this issue for users that are in a custom group that only has access to a custom section. Only by adding these users to a group that has access to Content (like Writers, or Editors) are these users able to log in. |
@creativesuspects patch 8.18.12 is just out, and should fix this 🚀 |
@Zeegaan @Wolfkhan66 I can confirm that 8.18.12 fixes the issue for me. Thanks! |
Which Umbraco version are you using? (Please write the exact version, example: 10.1.0)
8.18.10 and 10.8.1
Bug summary
After upgrading to 8.18.10 and 10.8.1 the
/umbraco/backoffice/UmbracoApi/Language/GetAllLanguages
endpoint returns a 401 in Umbraco 8 and a 403 in Umbraco 10 for non-Administrator users. On 8.18.10 the user gets redirected to the login screen. On 10.8.1 the user sees the backoffice, but the content tree fails to load. Users in the Administrator group can log in without a problem.
https://umbraco.com/blog/security-advisory-security-patches-for-umbraco-8-10-11-and-12-now-available/
Specifics
No response
Steps to reproduce
Upgrade Umbraco to version 8.18.10 or 10.8.1 and try to log in using a non-Administrator account.
Expected result / actual result
Umbraco 8.18.10
Umbraco 10.8.1
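The failure mode the issue body and the comment about `GetAllLanguages()` describe is a shared backoffice endpoint being gated by a section-specific authorization policy, which locks out every user group that never had that section. The model below is added example code, not Umbraco's implementation: the user/policy classes, the `require_section` and `require_authenticated` policies, the sample user groups and the hypothetical custom section `myCustomSection` are all assumptions made to illustrate the regression, and the tree-load simulation follows the thread's observation that the tree cannot render once the language call fails. It also shows a pre-release check a practitioner would want: diffing old and new policy over every user group before tightening authorization on a shared endpoint.

```python
"""Model of section-scoped backoffice authorization (example code, not Umbraco's own).

Assumptions: a backoffice user carries a set of allowed sections; an endpoint carries
one policy; an unauthenticated caller gets 401 and an authenticated caller failing the
policy gets 403 (the ASP.NET Core convention; the thread reports 401 on v8 and 403 on v10).
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, Optional

CONTENT = "content"
MEDIA = "media"
CUSTOM = "myCustomSection"  # hypothetical custom section, constructed for the example

GET_ALL_LANGUAGES = "/umbraco/backoffice/UmbracoApi/Language/GetAllLanguages"


@dataclass(frozen=True)
class BackofficeUser:
    name: str
    allowed_sections: FrozenSet[str]
    is_admin: bool = False


Policy = Callable[[Optional[BackofficeUser]], bool]


def require_authenticated(user: Optional[BackofficeUser]) -> bool:
    """Any logged-in backoffice user may call the endpoint."""
    return user is not None


def require_section(section: str) -> Policy:
    """Only users who have the given section (or admins) may call the endpoint."""
    def policy(user: Optional[BackofficeUser]) -> bool:
        return user is not None and (user.is_admin or section in user.allowed_sections)
    return policy


# The policy the thread observes after the patch: the language list demands Content access.
REGRESSED_POLICY: Policy = require_section(CONTENT)
# The policy a shared, read-only lookup actually needs: an authenticated backoffice user.
FIXED_POLICY: Policy = require_authenticated


def call_endpoint(user: Optional[BackofficeUser], policy: Policy) -> int:
    """Return the HTTP status the endpoint would answer with for this caller."""
    if user is None:
        return 401
    return 200 if policy(user) else 403


def tree_load_status(user: Optional[BackofficeUser], languages_policy: Policy) -> dict:
    """Simulate the backoffice start-up: the section tree needs the language list first,
    so a non-200 on GetAllLanguages fails the whole tree (what the thread describes)."""
    status = call_endpoint(user, languages_policy)
    return {GET_ALL_LANGUAGES: status, "tree": "loaded" if status == 200 else "failed"}


def locked_out_by_change(users, old_policy: Policy, new_policy: Policy) -> FrozenSet[str]:
    """Names of users who could call the endpoint under old_policy but not under new_policy.
    Run this over every user group before tightening a policy on a shared endpoint."""
    return frozenset(
        u.name for u in users
        if call_endpoint(u, old_policy) == 200 and call_endpoint(u, new_policy) != 200
    )


# Constructed sample user groups.
ADMIN = BackofficeUser("admin", frozenset({CONTENT, MEDIA, CUSTOM}), is_admin=True)
EDITOR = BackofficeUser("editor", frozenset({CONTENT, MEDIA}))
CUSTOM_ONLY = BackofficeUser("custom-section user", frozenset({CUSTOM}))
ALL_USERS = (ADMIN, EDITOR, CUSTOM_ONLY)


if __name__ == "__main__":
    for user in ALL_USERS:
        print(user.name, tree_load_status(user, REGRESSED_POLICY))
    print("locked out:", sorted(locked_out_by_change(ALL_USERS, FIXED_POLICY, REGRESSED_POLICY)))
```

The design point is that the least privilege a shared lookup endpoint should demand is the privilege every legitimate caller already holds; when the new requirement is stricter than that, `locked_out_by_change` surfaces the groups that break before the patch ships rather than after.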