
IMPORTANT! Security patch breaks backoffice for non-Administrator users #15435

Closed
creativesuspects opened this issue Dec 12, 2023 · 31 comments

Comments

creativesuspects commented Dec 12, 2023

Which Umbraco version are you using? (Please write the exact version, example: 10.1.0)

8.18.10 and 10.8.1

Bug summary

After upgrading to 8.18.10 and 10.8.1 the /umbraco/backoffice/UmbracoApi/Language/GetAllLanguages endpoint returns a 401 in Umbraco 8 and a 403 in Umbraco 10 for non-Administrator users. On 8.18.10 the user gets redirected to the login screen. On 10.8.1 the user sees the backoffice, but the content tree fails to load. Users in the Administrator group can log in without a problem.

https://umbraco.com/blog/security-advisory-security-patches-for-umbraco-8-10-11-and-12-now-available/

Specifics

No response

Steps to reproduce

Upgrade Umbraco to version 8.18.10 or 10.8.1 and try to log in using a non-Administrator account.

Expected result / actual result

Umbraco 8.18.10: [screenshot]

Umbraco 10.8.1: [screenshot]


Hi there @creativesuspects!

Firstly, a big thank you for raising this issue. Every piece of feedback we receive helps us to make Umbraco better.

We really appreciate your patience while we wait for our team to have a look at this but we wanted to let you know that we see this and share with you the plan for what comes next.

  • We'll assess whether this issue relates to something that has already been fixed in a later version of the release that it has been raised for.
  • If it's a bug, is it related to a release that we are actively supporting or is it related to a release that's in the end-of-life or security-only phase?
  • We'll replicate the issue to ensure that the problem is as described.
  • We'll decide whether the behavior is an issue or if the behavior is intended.

We wish we could work with everyone directly and assess your issue immediately but we're in the fortunate position of having lots of contributions to work with and only a few humans who are able to do it. We are making progress though and in the meantime, we will keep you in the loop and let you know when we have any questions.

Thanks, from your friendly Umbraco GitHub bot 🤖 🙂

creativesuspects changed the title from "IMPORTANT! Security patch breaks authentication for non-Administrator users" to "IMPORTANT! Security patch breaks backoffice for non-Administrator users" on Dec 12, 2023
@benbracedigital

I have also replicated this issue when trying to access the CSS file that is used for an RTE dropdown. Not sure if the fix will cover that?

Obviously a lot of people are upgrading websites in light of the security alert this morning so an idea of when the new version would be available would be appreciated.

Zeegaan (Member) commented Dec 12, 2023

Yep, that bug has been reported here: #15434
and will also be covered by the fix 👍

@AaronSadlerUK (Contributor)

@benbracedigital Looks like it's out

https://www.nuget.org/packages/Umbraco.Cms/10.8.2

@paulwoodland (Contributor)

We had to downgrade from the security to fix this for our users, as it stopped all the editors from doing their work. I can see that patch to fix it has been released now, so we were going to re-upgrade to get the security patch put back in place, but the package "Umbraco.Cms.StaticAssets" doesn't have a 12.3.5 version, and "Umbraco.Cms" requires at least 12.3.5, so any attempt to upgrade fails. The 10.8.2 package is out, but not the one for v12.

@paulwoodland (Contributor)

> We had to downgrade from the security to fix this for our users, as it stopped all the editors from doing their work. I can see that patch to fix it has been released now, so we were going to re-upgrade to get the security patch put back in place, but the package "Umbraco.Cms.StaticAssets" doesn't have a 12.3.5 version, and "Umbraco.Cms" requires at least 12.3.5, so any attempt to upgrade fails. The 10.8.2 package is out, but not the one for v12.

It looks like it has released now, I've been able to upgrade

Zeegaan (Member) commented Dec 12, 2023

This should now be fixed in 10.8.2 🚀

@Zeegaan Zeegaan closed this as completed Dec 12, 2023
@creativesuspects (Author)

@bergmania @Zeegaan Might be a good idea to update the links in the security advisory to make sure people don't install the broken patch.

https://umbraco.com/blog/security-advisory-security-patches-for-umbraco-8-10-11-and-12-now-available/

@lukehook

Does this impact v7 for those of us with XLTS?

Zeegaan (Member) commented Dec 13, 2023

@lukehook V7 should not be affected to the best of my knowledge 😁

MartinTiemens commented Dec 13, 2023

We have a few websites in Umbraco Cloud and the update was applied last night, super. The error from yesterday seems to be fixed. We do see a new thing, the bin from both content and media is gone for custom user groups. We have to add the role 'editor' to get the bin back.

Zeegaan (Member) commented Dec 13, 2023

@MartinTiemens which version is this on? 😁
If your group doesn't have a start node, that might be causing it.
(Just did a quick test on 12, and at least there, adding a start node to my custom user group showed the recycle bin.)

@lukehook

> @lukehook V7 should not be affected to the best of my knowledge 😁

Thanks, is it possible to get definite confirmation of that from HQ please? Also, is the start node issue noted above something that is likely to also need another patch? (thinking ahead to deployments we had planned today)

@MartinTiemens

We are on the latest version 12.3.5.

The root node was set to the first node (homepage) and not to the content root. If I change the root node to the content root, the bin is back. Now I'm not sure if this is by design and was already there before 12.3.4, or whether this changed today.

Zeegaan (Member) commented Dec 13, 2023

@lukehook there was an official update to the blog post, and 7 is not included in the issues, so that's the confirmation 😁 https://umbraco.com/blog/security-advisory-security-patches-for-umbraco-8-10-11-and-12-now-available/

Zeegaan (Member) commented Dec 13, 2023

@MartinTiemens Testing on earlier versions of 12, you didn't have access to the recycle bin with that either, so luckily no more regressions, it seems (famous last words 🙈 )

DORE-PD commented Dec 13, 2023

Famous last words indeed.
Issue still exists. What I did:

  • New project with version 12.3.5 created and installed (SQLite as database).
  • Creation of a new user group "Test". Selected "Members" for Sections and "Content root" for Content start node.
  • New user "Test" created and added to the "Test" group.
  • Added a new language in the settings, German (de).
  • Created a new empty document type called "Test". Permissions: "Allow as root" and "Allow vary by culture". No property editor added.
  • Created and published new content based on the document type "Test".
  • Log in as test user -> Same error message as above.

DORE-PD commented Dec 13, 2023

[screenshot]

DORE-PD commented Dec 13, 2023

I will test it further, but I don't seem to have the problem on another machine.
Maybe it is fixed after all and I just have a caching problem here. If I can reproduce it on another machine, I'll let you know again.

@Reaction77 (Contributor)

I'm observing the same as DORE-PD: users require access to the Content section in order to view any section tree. This seems to be because the GetAllLanguages() endpoint has had a new authorisation policy added: [Authorize(Policy = AuthorizationPolicies.SectionAccessContent)]
73fab10#diff-8d8fbe3f2ff9e3c84d8ab1cf337de7e88d7708c41e69d99528bb6ca8f5ffd5f3
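The mismatch Reaction77 points at, shown as an added illustration in plain ASP.NET Core authorization (this is not Umbraco's code and not the fix that shipped in 10.8.2/13.0.1): a shared back-office endpoint gated on one section's policy rejects every user whose group lacks that section. The policy name SectionAccessContent comes from the thread; the "BackOfficeAccess" policy and the "backoffice"/"section" claim types are assumptions made for this example.

```csharp
// Added illustration, not Umbraco's code. Policy names follow the thread's
// AuthorizationPolicies.SectionAccessContent; "BackOfficeAccess" and the claim
// types "backoffice"/"section" are assumptions made for this example.
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

var services = new ServiceCollection();
services.AddLogging();
services.AddAuthorizationCore(options =>
{
    // Any authenticated back-office user (editors, writers, custom groups alike).
    options.AddPolicy("BackOfficeAccess", p => p.RequireClaim("backoffice", "true"));
    // Only users whose group grants the Content section.
    options.AddPolicy("SectionAccessContent", p => p.RequireClaim("section", "content"));
});
var auth = services.BuildServiceProvider().GetRequiredService<IAuthorizationService>();

// Constructed principal: a user in a custom group that has the Members section
// but not Content, the situation several people in the thread describe.
var membersOnly = new ClaimsPrincipal(new ClaimsIdentity(new[]
{
    new Claim("backoffice", "true"),
    new Claim("section", "member"),
}, authenticationType: "BackOffice"));

static string Outcome(AuthorizationResult r) => r.Succeeded ? "200 OK" : "403 Forbidden";

// The patched endpoint was decorated with the Content-section policy, yet every
// section tree needs the language list, so the request fails for this user.
var strict = await auth.AuthorizeAsync(membersOnly, null, "SectionAccessContent");
Console.WriteLine($"GetAllLanguages gated on SectionAccessContent -> {Outcome(strict)}");

// Gating the shared endpoint on the broadest policy its callers legitimately hold
// keeps the hardening (anonymous callers are still rejected) without the regression.
var shared = await auth.AuthorizeAsync(membersOnly, null, "BackOfficeAccess");
Console.WriteLine($"GetAllLanguages gated on BackOfficeAccess    -> {Outcome(shared)}");

var anonymous = new ClaimsPrincipal(new ClaimsIdentity());
var denied = await auth.AuthorizeAsync(anonymous, null, "BackOfficeAccess");
Console.WriteLine($"Anonymous caller on BackOfficeAccess         -> {Outcome(denied)}");
```

The same check is what a post-upgrade smoke test should cover: log in with a least-privileged back-office account (no Content section) and confirm the tree endpoints it depends on still return 200.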

brano commented Dec 13, 2023

Ufff, this is a fail... Does the testing team in HQ not have some kind of automated regression testing in place, like Cypress, etc.?
Lucky that we were postponing this patch for 10+ on premise websites since we already had these kind of upgrade troubles with Umbraco.

DORE-PD commented Dec 14, 2023

Well, I still have the problem.
@Reaction77, you're right. When I add content, everything works.
However, it also works for me without, but only with new projects.
I have now used one of my VMs and created a new Umbraco project there and went through the steps I mentioned above. In the end, everything works, even though the user has no authorisation for content. However, he can see the members and the section tree.
I then copied the project from my local machine (where I do have the problem) to the VM and started it, connected with the same database that I use locally. I made sure that both projects are on version 12.3.5. But I also have the problem on the VM. So it doesn't seem to be a caching problem as I had initially suspected. Obviously something must have gone wrong here during the upgrade?

DORE-PD commented Dec 14, 2023

After Umbraco 13 was released today, I have now also updated the project to 13. But the problem still exists there too.

@Wolfkhan66

Please reopen this. This issue still exists on 8.18.11.
Non admin users hit a 401 for umbraco/backoffice/UmbracoApi/Language/GetAllLanguages and get logged back out immediately.

Zeegaan (Member) commented Dec 14, 2023

@DORE-PD a patch 13.0.1 has been released with a fix for this 🚀

DORE-PD commented Dec 15, 2023

Hey @Zeegaan , thanks for the info.
I have now upgraded the project to version 13 again (13.0.1) and now it seems to work as it should.
Will there also be a hotfix for the other major versions (e.g. 12)?

@bergmania (Member)

@DORE-PD, yes, we will look into that. ETA next week.

DORE-PD commented Dec 15, 2023

@bergmania Good to hear, thank you!

creativesuspects (Author) commented Dec 20, 2023

> Please reopen this. This issue still exists on 8.18.11. Non admin users hit a 401 for umbraco/backoffice/UmbracoApi/Language/GetAllLanguages and get logged back out immediately.

I'm also still seeing this issue for users that are in a custom group that only has access to a custom section. Only by adding these users to a group that has access to Content (like Writers, or Editors) are these users able to log in.

Zeegaan (Member) commented Dec 20, 2023

@creativesuspects patch 8.18.12 is just out, and should fix this 🚀

creativesuspects (Author) commented Dec 20, 2023

@Zeegaan @Wolfkhan66 I can confirm that 8.18.12 fixes the issue for me. Thanks!
