Details
- Type: Bug
- Status: Needs priority
- Priority: High
- Resolution: Unresolved
- Affects Version/s: 14.6.0
- None
- None
- Flagged
- Orion
- Sprint: Puma sprint 272, Puma Sprint 273, Puma Sprint 274, Puma sprint 275, Puma sprint 276, Puma sprint 277, Team Quasar sprint 278, Quasar sprint 279
Description
If we have a read-only user with these userroles (similar to those in CMS-14599):
- xm.cms.user - Required to login and use the CMS application
- xm.channel.viewer - Allows viewing channels through role channel-viewer; implies xm.webfiles.reader
- xm.content.viewer - Allows viewing content through role readonly
then viewing an xpage in the Experience Manager does not show the Channel and Page menus, because the XHR call to org.hippoecm.hst.pagecomposer.jaxrs.services.ComponentResource#getActionsAndStates returns a 403.
It returns a 403 because the method is guarded by the privilege ChannelManagerPrivileges.XPAGE_REQUIRED_PRIVILEGE_NAME = "hippo:author", whereas this user only has jcr:read.
Reproduction path
On cms.demo.onehippo.com, create an xpage as admin, create a user with the userroles above, and view the xpage as that user.
Also reproducible on 14.6 archetype.
Suggested fix
- Change the @PrivilegesAllowed on ComponentResource#getActionsAndStates to require jcr:read, since it is a GET. Possibly do the same for the other GET methods that use XPAGE_REQUIRED_PRIVILEGE_NAME.
- Account for the workflow not being available: tweaking the roles in configuration produced a NullPointerException at XPageContextFactory:74 (the workflow.listBranches() call).
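To make the two parts of the suggested fix concrete, here is an added, self-contained Java model of the privilege gate and of the null-safe workflow handling; it is illustration written for this page, not code from the Hippo CMS / page composer code base. Only the privilege names jcr:read and hippo:author and the constant name XPAGE_REQUIRED_PRIVILEGE_NAME come from the issue; the PrivilegesAllowed annotation below is a stand-in for the project's own, and the resource classes, the BranchWorkflow interface, the updateComponent method and the authorize/branchesOrEmpty helpers are hypothetical.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import java.util.Collections;
import java.util.List;
import java.util.Set;

public class XPagePrivilegeGateExample {

    // Stand-in for the project's @PrivilegesAllowed (hypothetical; same idea, not the real class).
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    @interface PrivilegesAllowed {
        String value();
    }

    // Privilege names as they appear in the issue.
    static final String JCR_READ = "jcr:read";
    static final String XPAGE_REQUIRED_PRIVILEGE_NAME = "hippo:author";

    // Minimal stand-in (hypothetical) for the workflow whose listBranches() call is unavailable
    // for a read-only user.
    interface BranchWorkflow {
        List<String> listBranches();
    }

    // The resource as the issue describes it: a GET gated on the author privilege.
    static class ComponentResourceBefore {
        @PrivilegesAllowed(XPAGE_REQUIRED_PRIVILEGE_NAME)
        public String getActionsAndStates() { return "actions"; }
    }

    // The resource with the suggested fix: the GET needs only jcr:read,
    // while a mutating call (hypothetical updateComponent) keeps hippo:author.
    static class ComponentResourceAfter {
        @PrivilegesAllowed(JCR_READ)
        public String getActionsAndStates() { return "actions"; }

        @PrivilegesAllowed(XPAGE_REQUIRED_PRIVILEGE_NAME)
        public String updateComponent() { return "updated"; }
    }

    /** Emulates the privilege check: 403 unless the method's annotation names a privilege the user holds. */
    static int authorize(Object resource, String methodName, Set<String> userPrivileges)
            throws NoSuchMethodException {
        Method m = resource.getClass().getMethod(methodName);
        PrivilegesAllowed required = m.getAnnotation(PrivilegesAllowed.class);
        if (required == null) {
            return 403; // deny by default: an unannotated resource method should not be reachable
        }
        return userPrivileges.contains(required.value()) ? 200 : 403;
    }

    /** Null-safe variant of the workflow.listBranches() call: no workflow means no branches, not an NPE. */
    static List<String> branchesOrEmpty(BranchWorkflow workflow) {
        if (workflow == null) {
            return Collections.emptyList();
        }
        List<String> branches = workflow.listBranches();
        return branches == null ? Collections.emptyList() : branches;
    }

    public static void main(String[] args) throws Exception {
        Set<String> viewer = Set.of(JCR_READ);                                // the read-only user from the issue
        Set<String> author = Set.of(JCR_READ, XPAGE_REQUIRED_PRIVILEGE_NAME); // an editing user

        // Same viewer, same GET, before and after the annotation change.
        System.out.println("before fix, viewer GET getActionsAndStates: "
                + authorize(new ComponentResourceBefore(), "getActionsAndStates", viewer));
        System.out.println("after fix,  viewer GET getActionsAndStates: "
                + authorize(new ComponentResourceAfter(), "getActionsAndStates", viewer));

        // Loosening the GET must not loosen writes: the viewer stays denied, the author is allowed.
        System.out.println("after fix,  viewer updateComponent: "
                + authorize(new ComponentResourceAfter(), "updateComponent", viewer));
        System.out.println("after fix,  author updateComponent: "
                + authorize(new ComponentResourceAfter(), "updateComponent", author));

        // The XPageContextFactory:74 situation: no workflow for this user.
        System.out.println("branches with no workflow: " + branchesOrEmpty(null));
    }
}
```

The point of checking `updateComponent` alongside the GET is to verify that relaxing the read path to jcr:read does not widen write access: the viewer should see the menus but still be refused any mutating call, and the workflow-less code path should degrade to an empty branch list instead of failing.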
Issue Links
- relates to CMS-14599 XPages: +Page button visible despite 'viewer' user (Needs priority)