Umbraco-CMS icon indicating copy to clipboard operation
Umbraco-CMS copied to clipboard

Published 20 hours ago verified publisher icon umbraco

Listview not showing content to editor

Open thomashdk opened this issue 3 years ago • 10 comments

Which Umbraco version are you using?

8.14

Bug summary

User Groups with only Granular permissions Browse node access can't view content when it's a listview no matter if they access to the full node, but only if they have Browse node set on the Default permissons sections for user groups.

Pagination are loading correctly.

...

Specifics

I have diffrent user groups for my editors.

In the Default permissions the "Browse Node" are off. and then i the Granular permissions I have specifyed for a user groups that they have all the access they need for each root node. image

When I have set an Browse Node access on a node then on the node types that has a listview, the content are not showed. image

THe pagination and all are loading correctly...

Steps to reproduce

  • Create a user group where all default permissions at turned off and add a user that only are in that user group.

  • In Granular permissions grant access to a node with all permission allowed.

  • Login with that user an try go to a node that has a listview, they list with all the child nodes shouldn't load.

  • Now try in the default permissions to turn on "Browse node" to see the user can see all the child nodes on the list.

Expected result / actual result

Expected the user to be able to see all the child nodes in the list view.

thomashdk avatar Jun 21 '21 12:06 thomashdk

Interesting, that does indeed seem like a weird bug. I've reproduced in v8.1 so it's existed for a while. We'd love some help with this one! 🙏

nul800sebastiaan avatar Jun 22 '21 07:06 nul800sebastiaan

Hi @thomashdk,

We're writing to let you know that we would love some help with this issue. We feel that this issue is ideal to flag for a community member to work on it. Once flagged here, folk looking for issues to work on will know to look at yours. Of course, please feel free work on this yourself ;-). If there are any changes to this status, we'll be sure to let you know.

For more information about issues and states, have a look at this blog post

Thanks muchly, from your friendly Umbraco GitHub bot :-)

umbrabot avatar Jun 22 '21 07:06 umbrabot

The editor can't see the list of nodes when they will sort nodes in the tree

thomashdk avatar Jun 22 '21 08:06 thomashdk

Anything new here ? It's a big issue that some of the user groups can't see list content and can't sort nodes because they can't see the list

thomashdk avatar Aug 25 '21 10:08 thomashdk

As noted @thomashdk we're looking for some help getting this fixed, we don't have it on our list of priorities.

nul800sebastiaan avatar Sep 13 '21 11:09 nul800sebastiaan

Any update on this? I'm having the issue on 9.2.

I more have an issue with deleting items. I'm using a list view with "Edit in Infinite Editor" enabled, but with this enabled, the only way to delete items is from the list view (which I have as a granular permission). As a temp work around I'm disabling the Infinite editing here, but it would be nice to be able to use it.

kmeilander avatar Feb 18 '22 19:02 kmeilander

Same issue in 9.5 ... Really a big issue for our clients.. Need to disable list view on nodes.

The issue comes when a user has more en two user groups assigned with diffrent permissions

thomashdk avatar Jul 20 '22 07:07 thomashdk

Hi @thomashdk and everyone else on this issue 👋

I can reproduce this on V10 as well. We'd love some help fixing it if anyone is up for the challenge 😄

kjac avatar Jan 13 '23 10:01 kjac

I dived into this over the last days: Currently:

  • ContentController returns the items, but a policy is set FilterAllowedOutgoingContent. (as expected)
  • In FilterAllowedOutgoingContent.cs line 93 the _userService.GetPermissions() is called (all good)
  • This checks in UserGroupRepository.cs if the current user group you are in has any permissions set on the specific nodes that are returned from the ContentController. This returns empty, as no view permissions are set on the nodes. This works correct when setting a specific Browse Node on a content item that is returned. (So, seems as expected)
  • If no explicit permissions are set on the node, it falls back to default permissions(which are null, as the usergroup has no default permissions set)

Hence all items are removed as they are not allowed to be returned.

When comparing it to the GetChildren method thats called to show subitems under a node in the content tree, a different method is used that only checks if the nodes are in a branch of the start node, and if so, shows them (GetSingleTreeNodeWithAccessCheck in ContentTreeControllerBase.cs)

I hope this helps someone as I'm a bit unsure on how to fix this currently. Approaches:

  • Modify the `UserGroupRepository.GetPermissions that checks the DB for permissions to also include parent nodes for visibility?
  • When nothing is returned in FilterAllowedOutgoingConttentAttribute.cs do an extra check to see if a parent has browse node set?

It seems a bit odd that in one case you only check the parent, and in the other case you only check the specific node, shouldnt this be consistent?

note: I might have failed interpreting somewhere as this is the first time digging this deep into the permissions

Ambertvu avatar Jun 26 '23 09:06 Ambertvu

This issue might be related: https://github.com/umbraco/Umbraco-CMS/issues/15608 I've been able to reproduce on both local and clean solution

KristofferEriksen avatar Jan 19 '24 08:01 KristofferEriksen