Resource Manager permissions bug/issue in DNN 9.8.1 and above (HTML Editor Browse Server showing all folders) #4573
Comments
Deny permission should only be used if necessary and if global roles "all Users" are granted access.
Even if I only have the "Browse" checked and the "Open Files in Folder" and "Write to Folder" not set, I can still see the Test folder when logged in as the Role. Previously when our site was on DNN 9.3.2 this is how I had it set. Then after upgrading to DNN 9.7.2 I had to set the folders I did not want the Role to see to deny "Open Files in Folder". Now after upgrading to 9.8.1 not even the deny works when trying to hide a folder. How would you set the folder permissions to restrict a Role from viewing? Thanks.
We are a local city government and I have around 20 Roles set up to edit content. I need to have the Site Assets folder permissions set so All Users cannot see all the folders when using the HTML Editor to "Browse Server". Then I assign permissions in the Site Assets for only certain Roles to see their folders. This used to work prior to DNN 9.8.1. Note: the folder permissions should also allow anyone, when viewing our website, to see an image or file in the folder. Can you test your DNN site and see if you can restrict viewing a folder to a Role when using the HTML Editor "Browse Server"?
You don't need to deny permission for "all users" - this is default.
I understand. I only used deny after I upgraded to DNN 9.7.2 because the permissions were not working properly. Now in DNN 9.8.1, no matter how I have the permissions set in Asset Manager, you cannot hide folders per Roles. Yes, please let me know how your tests go. Thanks.
Has anyone tested to verify?
Can anyone test their DNN site 9.8.1 and above, and see if you can restrict viewing a folder to a "Role" when using the HTML Editor "Browse Server"? To replicate the issue I am describing above, go to the Site Assets and assign folder permissions on a folder to hide it from a "Role". Then log in as a user assigned to that Role and use the HTML module "Browse Server" and you will see the folder you are trying to hide.
I tested this out, first with a fresh install of DNN 9.9.1 before and after removing the Digital Asset Manager, and the permissions do not work correctly as described. I then installed a fresh copy of DNN 9.3.2 and confirm they do work accordingly. I then upgraded to DNN 9.7.2 and the users that should not be able to see a specific folder now can when browsing for files in the CKE file browser. Using the "deny" does stop users that should not see it from seeing it, but as @sleupold said, by default the users should not be able to see the folder or its contents without being given permissions to do so. I don't think the problem is in the Resource Manager or the Digital Asset Manager, but rather with the CKE editor's file browser.
Thank you for testing and verifying! Everything you said about 9.3.2, then upgrading to 9.7.2, and then to 9.8.1 or above is true and things I noticed when upgrading. The only thing I would ask is, did anything change with the DNN CKE editor from versions 9.3.2 to 9.7.2 and then 9.8.1? If not, then you would think it would have to be something with the Core DNN software and maybe the Resource Manager. My thoughts were that it was with the Resource Manager because that is where the most changes have been taking place lately. At this point I CANNOT upgrade to anything above 9.7.2 because of the permissions issues described in this issue. I hope someone looks into this issue soon. Thanks, Craig
Actually I'm not sure 9.7.2 is the culprit. I tested upgrading the working copy 9.3.2 and the issue is partially introduced in version 9.4.0. I found that once I move to 9.4.0 the test user that was given rights to browse folders and files can see the test directory they should but can't see the files, and they can also see a second test folder and files in it that no users but the admin were supposed to see. I'm going to keep testing and checking the changes from version to version in the 9.4.x path.
Thanks for looking into this further, I really appreciate it. I was looking back through the version notes of DNN above 9.3.2 and below is what I found. Could it be related to any of these updates/fixes? CKE editor related fixes: Permissions, Resource Manager or the Digital Asset Manager related fixes:
You directed me right to the issue. #4364 alters the
Will this issue be resolved when issue #4649 is resolved?
@sleupold you have any input on the correct fix for this issue?
@cgentryls the code I originally wrote was not correct and @sleupold had already been working on a solution that he provided the code for. We altered the PR with his code, but he may still be working on it, so the PR was closed. I think he'll post a full solution with his code in a PR to solve this issue.
I am still looking for a proper solution - my stored procedure does not handle all permissions correctly.
Do any of you know when this issue will be resolved? I cannot upgrade our website from DNN 9.7.2 because of this issue.
This being an open source project, we never know when any specific issue will get fixed until someone submits a fix. @sleupold any progress on this?
I propose I re-submit my code again from the original PR to fix the issue addressed. I understand that the current SP is in need of more work. I can see that by the wonderful code that was provided. I can also help out @sleupold with the efficiency and use of permissions issues you mentioned if you would need a hand. Version 10 could have a better working version of this SP.
Awesome, thanks for all the hard work, I'll assign you the issue.
@yog-it That is awesome, and just to be 100% clear on this, we CANNOT accept just a copy of the code that was there from Sebastian as we must have a unique contribution (can be an enhancement of his) to be clear on ownership claims etc. (for you to be compliant with the CLA agreement etc.)
@mitchelsellers crystal clear 👍
I believe the Resource Manager has a folder permissions bug/issue. The HTML Editor "Browse Server" is showing ALL folders to Roles after upgrading from DNN 9.7.2 to 9.8.1, no matter how the permissions are set in the Resource Manager.
When using the HTML Editor, selecting the image or file icon, and selecting the "Browse Server" button, the Folder Tree shows all folders no matter what the folder permissions are set to for Roles in the Resource Manager. In DNN 9.7.2 I had folder permissions set so that I could hide some of the folders from certain Roles, but after upgrading to 9.8.1 it shows all the folders.
I have tried different folder permission settings in the PB > Site Assets, but nothing works. I have even tried replacing with the new Resource Manager but that did not work either.
I have tested this on a test production site and a test dnndev.me site and both have the same issue.
To replicate the issue, go to the Site Assets and assign folder permissions on a folder to hide it from a "Role". Then log in as a user assigned to that Role and use the HTML module "Browse Server" and you will see the folder you are trying to hide.
I have attached a couple of screenshots.
Thanks,
Craig