
Some controlpanels are accessible via direct link for unauthorized users

Open avoinea opened this issue 5 years ago • 10 comments

See:

  • https://volto.kitconcept.com/controlpanel/addons
  • https://volto.kitconcept.com/controlpanel/users
  • https://volto.kitconcept.com/controlpanel/moderate-comments
  • https://volto.kitconcept.com/controlpanel/database

We should handle backend errors on all controlpanels using the Error component: https://github.com/plone/volto/blob/d07c17c91274292a1fcca3d9d15b51af4d0da385/src/components/manage/Controlpanels/Controlpanels.jsx#L125-L128

avoinea avatar Oct 13 '20 15:10 avoinea

I've tackled Addons in https://github.com/plone/volto/commit/cab089b74ba839551d1383bde7048e11e9d5923e. I am not 100% happy with how this acts: when calling listAddons there is a delay until you get the call to the REST API, which gives an error in case you are anonymous, and then you get the unauthorized code.

This means that you get Addons 0 briefly, followed by the correct message. I would have preferred not to render anything until communicating with the REST API, but perhaps this will be acceptable in the end, as other control panels were given error messages similarly.

ichim-david avatar Dec 12 '20 20:12 ichim-david

I had a go at Database, Users and ModerateComments in 08dd6f24835a36c68c1e84118d5ea83788f1c5d4 and db43ccb697fc8c476c0da4a9a8bcd1b4c28aa3a2. I used the listControlpanels action to determine if the user had sufficient permissions in all three use cases. Is there a better way?

mikejmets avatar Dec 14 '20 06:12 mikejmets

Hi @avoinea, is this issue still open? If yes, I would like to contribute to this. If I understood this correctly, visiting these URLs without signing in should behave like https://volto.kitconcept.com/controlpanel/users, which seems to be fixed. Although it does render the Users view on initial load.

But these URLs still show some views:

  1. https://volto.kitconcept.com/controlpanel/addons
  2. https://volto.kitconcept.com/controlpanel/moderate-comments
  3. https://volto.kitconcept.com/controlpanel/database

Expected Behaviour: (screenshot)

avimishra18 avatar Mar 14 '22 15:03 avimishra18

@avimishra18 Yes, everything under /controlpanel should raise Unauthorized if not authenticated.

avoinea avatar Mar 14 '22 15:03 avoinea

Hi @avoinea, for https://volto.kitconcept.com/controlpanel/moderate-comments the error scenario is not occurring. It is a successful request with an "empty" response. This appears to be a backend-related issue. Correct me if I am wrong.

Redux: (screenshot)

Network Tab: (screenshot)

No request with 401 HTTP response code found.

avimishra18 avatar Mar 14 '22 20:03 avimishra18

@avimishra18 Indeed, this one is a backend issue.

avoinea avatar Mar 15 '22 06:03 avoinea
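The gating logic the thread circles around, as an added example that is not code from the Volto repository: a view should render nothing until the REST API has answered (so no "Addons 0" flashes before the 401), and a 200 from the panel's own endpoint is not proof of permission, because moderate-comments answers 200 with an empty body for anonymous users, so the result is cross-checked against the listControlpanels call mikejmets used. The _PENDING/_SUCCESS/_FAIL action suffixes and the { loading, loaded, error } request shape follow Volto's conventions; the `status` field on errors, the action names, the panel ids and every response below are assumptions constructed for this example.

```javascript
// Added example, not Volto project code. Request shape and action suffixes
// are modelled on Volto's conventions; everything else here is assumed.

const initialRequest = { loading: false, loaded: false, error: null, data: null };

// Minimal request reducer in Volto's style (assumption: one slice per request;
// the real reducers carry more fields than this).
function requestReducer(state = initialRequest, action) {
  if (action.type.endsWith('_PENDING')) {
    return { ...state, loading: true, loaded: false, error: null };
  }
  if (action.type.endsWith('_SUCCESS')) {
    return { ...state, loading: false, loaded: true, error: null, data: action.result };
  }
  if (action.type.endsWith('_FAIL')) {
    return { ...state, loading: false, loaded: false, error: action.error };
  }
  return state;
}

// Assumption: request errors carry the HTTP status. 401 = not authenticated,
// 403 = authenticated but lacking the permission.
function isUnauthorized(error) {
  return Boolean(error) && (error.status === 401 || error.status === 403);
}

// Decide what a control panel component should render.
//   panel: request state of the panel's own endpoint (e.g. listAddons)
//   list:  request state of listControlpanels, the permission cross-check
function decideView(panel, list, panelId) {
  // Any backend error wins: render the Error component, nothing else.
  const error = list.error || panel.error;
  if (error) return { kind: 'error', unauthorized: isUnauthorized(error) };
  // Until BOTH calls have answered, render nothing (avoids the "Addons 0" flash).
  if (!list.loaded || !panel.loaded) return { kind: 'pending' };
  // A 200 with an empty body looks like success; only the control panel list
  // tells us whether this user may actually see this panel.
  const listed = (list.data || []).some((p) => p.id === panelId);
  if (!listed) return { kind: 'error', unauthorized: true };
  return { kind: 'content', data: panel.data };
}

// Replay a sequence of actions and record what would be rendered after each,
// so a flash of wrong content shows up as a 'content' entry in the trace.
function renderTrace(actions, panelId) {
  let panel = initialRequest;
  let list = initialRequest;
  const trace = [];
  for (const action of actions) {
    if (action.type.startsWith('LIST_CONTROLPANELS')) list = requestReducer(list, action);
    else panel = requestReducer(panel, action);
    trace.push(decideView(panel, list, panelId).kind);
  }
  return trace;
}

// Constructed scenarios (not captured traffic).
const unauthorized = { status: 401, message: 'Unauthorized' };

// Anonymous user on /controlpanel/addons: both endpoints reject.
const ANON_ADDONS = [
  { type: 'LIST_CONTROLPANELS_PENDING' },
  { type: 'LIST_ADDONS_PENDING' },
  { type: 'LIST_ADDONS_FAIL', error: unauthorized },
  { type: 'LIST_CONTROLPANELS_FAIL', error: unauthorized },
];

// Anonymous user on /controlpanel/moderate-comments: the panel endpoint
// answers 200 with no comments; only listControlpanels reveals the 401.
const ANON_MODERATE_COMMENTS = [
  { type: 'LIST_CONTROLPANELS_PENDING' },
  { type: 'LIST_COMMENTS_PENDING' },
  { type: 'LIST_COMMENTS_SUCCESS', result: { items: [] } },
  { type: 'LIST_CONTROLPANELS_FAIL', error: unauthorized },
];

// Site Administrator on /controlpanel/addons: both succeed, panel is listed.
const ADMIN_ADDONS = [
  { type: 'LIST_CONTROLPANELS_PENDING' },
  { type: 'LIST_ADDONS_PENDING' },
  { type: 'LIST_CONTROLPANELS_SUCCESS', result: [{ id: 'addons' }, { id: 'usergroup' }] },
  { type: 'LIST_ADDONS_SUCCESS', result: { items: [{ id: 'plone.restapi' }] } },
];

console.log(renderTrace(ANON_MODERATE_COMMENTS, 'moderate-comments').join(','));
// → pending,pending,pending,error
```

The moderate-comments trace never contains 'content' even though its own request succeeded, which is the behaviour the expected-behaviour screenshot asks for; with only the panel request consulted, the third step would have rendered an empty comments list to an anonymous visitor.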

@avimishra18 Hi, is there any update on your linked PR? I saw there are some suggestions from core devs, so are you still working on this? If not, I would like to contribute to this :) Thanks!

Yug063 avatar Sep 05 '24 17:09 Yug063

Please go ahead.

avimishra18 avatar Sep 05 '24 17:09 avimishra18

@avimishra18 thanks for the quick response, but if you have time, can you update me on how far you got with this and whether there was any problem you faced?

Yug063 avatar Sep 05 '24 17:09 Yug063

I can't recollect the context here; it will be helpful to look at the last MR.

avimishra18 avatar Sep 27 '24 18:09 avimishra18