Custom role permissions

I have…

  • [ ] Checked the logs and have provided the logs if I found something suspicious there

I’m submitting a…

  • [ ] Regression (a behavior that stopped working in a new release)
  • [X] Bug report
  • [ ] Performance issue
  • [ ] Documentation issue or request

Current behavior

We created a custom role with access to multiple content items. Sample of assigned:

contents.brands
contents.posts
contents.specials
contents.pages
contents.aboutus

When the contributor logged in the first time they could see all of these assigned to them.

ISSUE 1:
We then removed contents.posts and content.specials from the role, but the user could still see all of the original assigned to them. We also logged out and back in.

ISSUE 2:
adding contents.xxxxxx to a user does not allow a user to edit content.

Expected behavior

ISSUE 1:
If you removed permissions from a role the permissions should update when the user next logs in.

ISSUE 2:
If you added the whole content structure to a role, they should have access to all the options underneath that contents i.e.

contents.brands > should give access to read, update, delete, publish etc

Minimal reproduction of the problem

  1. Created a new custom role with permissions contents.xxxxxxx, contents.yyyyyyyy
  2. Created new user and assigned the role to them
  3. Logged in to CMS and could see both permissions
  4. Unable to edit the content
  5. Removed contents.yyyyyyyy from permission
  6. Logged user out and back in. User could still see contents.xxxxxxx, contents.yyyyyyyy

Environment

  • [ ] Self hosted with docker
  • [ ] Self hosted with IIS
  • [X] Self hosted with other version
  • [ ] Cloud version

Version: 4.0.3 running on CentOS

Browser:

  • [X] Chrome (desktop)
  • [ ] Chrome (Android)
  • [ ] Chrome (iOS)
  • [ ] Firefox
  • [ ] Safari (desktop)
  • [X] Safari (iOS)
  • [ ] IE
  • [ ] Edge

Others:

Have you tried a refresh (F5)? … Could be a caching issue. The UI heavily caches stuff.

Does your content.xxx and content.yyy have relation fields?
You might need to give read permission to those related schema as well.
Otherwise you won’t be able to edit or even view content.xxx.
I might be wrong but I just discovered that last week for my permission issue and once related schema was given read permission the user can edit main authorized content.

I have also tested it and I made the mistake that I have forgotten to press “Save” :smiley:

This resolved issue 1. I left it for a while and restarted the CMS and it seems to have resolved this. Good thing is that even though you could still see these content areas, when you tried to save, the CMS knew you did not have the rights.

I think the caching is causing issue 1 and 2, but will keep in mind the related schema issue.

SOLVED, but very handy to keep this in mind.

NOT SOLVED.

We created a role called Contributor. For this role we want to give access to certain content pieces.

If we add contents.home to this role the expectation is that they can edit and update that content. Instead they get the following error:

This is what the role settings look like now after we added the create and update to it.

How can we only set contents.home, contents.posts etc so that all rights are applied?

Thanks

You need something like contents.home.read|create|update

If it does not work you should check the network tab in your browser and have a look if you see GUIDs in the request when querying content lists

This does not work, but we worked out that you need to give as a minimum READ access to any relational content like ‘Assets’ or other schemas that are used in the content item
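
The finding this thread ends on (a role that may update a content item also needs at least read access to every schema or asset store that item references) can be checked before a role is handed out. The following is an added example, not code from the CMS or from any poster; the permission grammar (dot segments, `|` alternatives within a segment, a shorter grant covering everything beneath it), the `assets.read` name and the sample role and reference map are assumptions constructed for illustration.

```python
# Added example. The permission grammar here is an assumption,
# not the CMS's own matching logic.

def grants(granted, required):
    """True if one granted permission string covers the required one.

    Assumed grammar: dot-separated segments, '|' separates alternatives
    inside a segment, '*' matches any segment, and a shorter grant
    covers every permission beneath it.
    """
    g_parts = granted.lower().split(".")
    r_parts = required.lower().split(".")
    if len(g_parts) > len(r_parts):
        return False  # a more specific grant never covers a broader need
    for g, r in zip(g_parts, r_parts):
        if g != "*" and r not in g.split("|"):
            return False
    return True


def allowed(role, required):
    """True if any permission in the role covers the required one."""
    return any(grants(p, required) for p in role)


def missing_reads(role, schema, references):
    """Referenced resources the role cannot read although it may update `schema`.

    A non-empty result is the situation described in the thread: the role
    has rights on the main content but editing fails on related content.
    """
    if not allowed(role, f"contents.{schema}.update"):
        return []  # role cannot edit this schema at all; nothing to audit
    return sorted(ref for ref in references.get(schema, [])
                  if not allowed(role, f"{ref}.read"))


# Constructed sample data: which resources each schema's fields point at.
REFERENCES = {"home": ["contents.brands", "assets"],
              "posts": ["contents.pages"]}
# Constructed sample role in the style of the permissions quoted above.
ROLE = ["contents.home.read|create|update",
        "contents.posts",
        "contents.pages.read"]

if __name__ == "__main__":
    for schema in REFERENCES:
        print(schema, "missing read on:", missing_reads(ROLE, schema, REFERENCES))
```
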