
Content Channel Item View Block Does Not Respect Channel Item Set Permission

Open lacwebadmin opened this issue 1 year ago • 2 comments

Description

I have an HTML block on a page where I list content channel items using the ContentChannelItem entity command. I forgot to remove the option securityenabled:'false' and was wondering why I was seeing the content item (with permission All - Denied, and only Rock Admin can View) in the list page. So I removed it, and the item went away when I refreshed the page.

[screenshot]

The issue is with the page containing the Content Channel Item View block, where you see the details of the content channel item. I tried manually entering the detail link for that item, with the slug as the URL parameter, and I can still see the details as a non-logged-in user, where it is supposed to ask me to log in.

[screenshot]

I don't know if this is intentional, but to me it is a bug.

[screenshot]

Actual Behavior

Please read my description above.

Expected Behavior

The Content Channel Item View Block should respect the permissions set in the channel item.

Steps to Reproduce

Please read description.

Issue Confirmation

  • [X] Perform a search on the Github Issues to see if your bug or enhancement is already reported.
  • [ ] Reproduced the problem on a fresh install or on the demo site.

Rock Version

16.4

Client Culture Setting

en-US

lacwebadmin avatar Jul 04 '24 01:07 lacwebadmin

@lacwebadmin To help us investigate this issue, it would be greatly appreciated if you could please provide the steps to reproduce the issue, along with screenshots.

chead4 avatar Jul 05 '24 16:07 chead4

@chead4 I've added screenshots from the demo site. The only difference with my setup is that I use Lava with the Entity command to list the content items, but the issue is with the Content Channel Item View block. The permission issue is also happening in the Content Channel View block, where it shouldn't show an item that the current session/user doesn't have permission to view.

lacwebadmin avatar Jul 05 '24 16:07 lacwebadmin

@lacwebadmin Since Rock isn't sure which security verb you want to filter by, there's a general principle in Lava that it's the Lava admin's responsibility to decide what to display (if authorization or rights checking is needed).

Once you have set security for the ContentChannelItem, the Lava Template on the Content Channel Item View block can be updated to use the HasRightsTo filter. This filter will check the security of the model passed to it. (You can find more details on that filter here.)

Update the Lava template to include the following (which can be seen in lines 75 and 76 of the screenshot). It checks security before displaying each child Content Channel Item:

{% for message in Item.ChildItems %}
  {% assign viewAuth = message.ChildContentChannelItem | HasRightsTo:'View' %}
  {% if viewAuth != true %}{% continue %}{% endif %}
  <li> ... </li>
{% endfor %}

[screenshot]

In this example, 'Of Myths and Money' does not display, as its security is set to All Users - Deny.

[screenshot]

I'll go ahead and close this issue.

chead4 avatar Jul 12 '24 19:07 chead4

@chead4 Yeah, but isn't that a workaround via Lava? What if I forget to do that check? That is still a security issue by default when using the Content Channel View block and Content Channel Item View block.

lacwebadmin avatar Jul 15 '24 18:07 lacwebadmin

@lacwebadmin The way security is designed for this block is intentional, not a workaround. Other blocks in Rock function similarly, like Group Types/Group Attributes. For example, in the Group View Lava Template under Display Options, you need to include the HasRightsTo filter.

If you forget to include the HasRightsTo filter on the Lava Template, security won’t be checked and users will be able to see the content.

chead4 avatar Aug 02 '24 16:08 chead4
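The thread above leaves the practical consequence implicit: on both blocks the Lava template is the only place View rights are enforced, so a template without a HasRightsTo check renders denied items to anonymous users. The following is an added example (not code from the thread or from the Rock project) showing the check in both places the reporter mentioned: the detail template of the Content Channel Item View block, where the whole item must be gated, and a list template built with the ContentChannelItem entity command, where each item is filtered. The channel ID (21), the detail route (/item/{slug}) and the login path are assumptions for illustration; Item, CurrentPerson, the contentchannelitemItems collection, PrimarySlug and the HasRightsTo filter are standard Rock Lava names.

```lava
{% comment %}
  1. Detail template (Content Channel Item View block).
  Item is the block's merge field for the requested content channel item.
  Gating the whole template on View rights means a denied item never
  renders its title or content, and an anonymous visitor is told to log in.
{% endcomment %}
{% assign canView = Item | HasRightsTo:'View' %}
{% if canView != true %}
  {% if CurrentPerson == null %}
    {% comment %} Login path is an assumption for this example. {% endcomment %}
    <p>Please <a href="/Login">log in</a> to view this item.</p>
  {% else %}
    <p>You do not have permission to view this item.</p>
  {% endif %}
{% else %}
  <h1>{{ Item.Title }}</h1>
  {{ Item.Content }}
{% endif %}

{% comment %}
  2. List template (HTML block using the ContentChannelItem entity command).
  The command applies security by default; the reporter saw the denied item
  only because securityenabled:'false' was present. The explicit per-item
  HasRightsTo check below keeps the list safe even if that option is later
  added to the command. Channel ID 21 and the /item/{slug} route are assumed.
{% endcomment %}
{% contentchannelitem where:'ContentChannelId == 21' sort:'StartDateTime desc' %}
  <ul>
  {% for item in contentchannelitemItems %}
    {% assign canViewItem = item | HasRightsTo:'View' %}
    {% if canViewItem != true %}{% continue %}{% endif %}
    <li><a href="/item/{{ item.PrimarySlug }}">{{ item.Title }}</a></li>
  {% endfor %}
  </ul>
{% endcontentchannelitem %}
```

To verify the check, set an item's security to All Users - Deny as in the thread, load the detail page for its slug while logged out, and confirm the login prompt appears instead of the content; then repeat with securityenabled:'false' on the entity command and confirm the item is still absent from the list.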