Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fixes the authorization for certain endpoints on the UsersController #4994

merged 2 commits into from Mar 15, 2019


Copy link

commented Mar 15, 2019

The UsersController is responsible for editing users in the back office. We authorize access to all actions on this controller based on section access so if users don't have access to the users section, none of these actions will be authorized. We also go a step further with persisting users so that non-admins cannot save admins, however there are a few endpoints that will allow non-admins to view admin information and also change their avatars or disable them.

This PR fixes that authorization.

Testing - ensure that normal user editing experience continues to work, that admins can edit other admins and users and that non-admins cannot edit, modify, etc... other admins. To go a step further test that a non admin cannot navigate directly to edit an admin (i.e. go do /umbraco#/users/users/user/ID-OF-AN-ADMIN?subview=users)

Shazwazza added 2 commits Mar 15, 2019
Fixes the authorization for certain endpoints by non admins so that d…
…ata cannot be seen and avatars cannot be changed

@ghost ghost assigned Shazwazza Mar 15, 2019

@Shazwazza Shazwazza removed their assignment Mar 15, 2019

@bergmania bergmania self-assigned this Mar 15, 2019

@bergmania bergmania merged commit 7d67a73 into dev-v7 Mar 15, 2019

1 check passed

Cms 7 Continuous #201903150003 succeeded

@bergmania bergmania deleted the temp-user-controller-authz branch Mar 15, 2019

@ghost ghost removed the state/review label Mar 15, 2019


This comment has been minimized.

Copy link

commented Mar 15, 2019

Code looks fine. Nothing unexpected found in my tests.
We should remember merging V7 into V8 before next release.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
3 participants
You can’t perform that action at this time.