Comments (6)
Hi there @kows!
Firstly, a big thank you for raising this issue. Every piece of feedback we receive helps us to make Umbraco better.
We really appreciate your patience while we wait for our team to have a look at this but we wanted to let you know that we see this and share with you the plan for what comes next.
- We'll assess whether this issue relates to something that has already been fixed in a later version of the release that it has been raised for.
- If it's a bug, is it related to a release that we are actively supporting or is it related to a release that's in the end-of-life or security-only phase?
- We'll replicate the issue to ensure that the problem is as described.
- We'll decide whether the behavior is an issue or if the behavior is intended.
We wish we could work with everyone directly and assess your issue immediately but we're in the fortunate position of having lots of contributions to work with and only a few humans who are able to do it. We are making progress though and in the meantime, we will keep you in the loop and let you know when we have any questions.
Thanks, from your friendly Umbraco GitHub bot 🤖 🙂
from umbraco-cms.
Hey @kows do I understand correctly that
If you manipulate the content model in SendingContentNotification by either
- marking a blocklist based property as readonly
- or make the property not belong to any propertycollections
And then save OR Save & publish, you get the error you described?
If so, could you give me a (trimmed down) code example of your notificationHandler?
from umbraco-cms.
Yes and the block list editor must contain data for it to happen.
internal sealed class SendingContentNotificationHandler()
: INotificationHandler<SendingContentNotification>
{
public void Handle(SendingContentNotification notification)
{
if (notification.Content.ContentTypeAlias.Equals(Website.ModelTypeAlias))
{
foreach (ContentVariantDisplay variant in notification.Content.Variants)
{
//exclude 'groupToHideAlias' tab/group which contains a blocklist editor
variant.Tabs = variant.Tabs.Where(x => !x.Alias.InvariantEquals("groupToHideAlias"));
}
}
if (notification.Content.ContentTypeAlias.Equals(ContentPage.ModelTypeAlias))
{
foreach (ContentVariantDisplay variant in notification.Content.Variants)
{
//making all editors on tabs readonly except 'Generic' tab
foreach (Tab<ContentPropertyDisplay> tab in variant.Tabs.Where(t => t.Type == "Tab"))
{
foreach (ContentPropertyDisplay prop in tab.Properties ?? [])
{
prop.Readonly = true;
}
}
}
}
}
}
from umbraco-cms.
Hey @kows I had a look and was able to reproduce this with the following simplified NotificationHandler
using Umbraco.Cms.Core.Composing;
using Umbraco.Cms.Core.Events;
using Umbraco.Cms.Core.Models.ContentEditing;
using Umbraco.Cms.Core.Notifications;
namespace Umbraco.Cms.Web.UI.App_Data;
public class issue16288 : IComposer
{
public void Compose(IUmbracoBuilder builder)
{
builder.AddNotificationHandler<SendingContentNotification, ReadOnlyBlockSendingNotificationHandler>();
}
}
public class ReadOnlyBlockSendingNotificationHandler : INotificationHandler<SendingContentNotification>
{
public void Handle(SendingContentNotification notification)
{
ContentPropertyDisplay? property =
notification.Content.Variants
.SelectMany(v => v.Tabs)
.SelectMany(t => t.Properties ?? [])
.FirstOrDefault(p => p.Alias == "blocklist");
if (property is not null && property.SupportsReadOnly)
{
property.Readonly = true;
}
}
}
Looking at the code that processes property updates, we have some code in place that checks whether a property editor is marked as read-only. When you however mark the property as read-only/remove it from the outbound model, the client does not send any property data back for those properties while the property editor expects there to be a value.
In short: We do not expect you to change that value. The reason why this works for other editors and not this one is complex.
Because the system was not purposefully designed to handle this kind of manipulation, I am going to close this bug report. Feel free to open a discussion to express the use case where you would need this kind of functionality.
from umbraco-cms.
@Migaroez
whenever you want to tie security towards specific properties?
There's even a package out there: https://marketplace.umbraco.com/package/our.umbraco.community.adminonlyproperty
Kind of weird to say Because the system was not purposefully designed to handle this kind of manipulation, I am going to close this bug report.
if you have a Readonly
flag.
EDIT: this was no issue in older versions with Nested Content.
from umbraco-cms.
I do not deem setting an outbound (display) model flag as a way of enforcing security
To make something truly secure (in an editing context), you need to control the inbound flow, and the outbound just to be friendly. If you only control the outbound, you end up with security by obscurity as shown in the video below. To save time I used the package you linked with 2 users. But it should (and I am pretty sure it will) work the same with marking it read-only as I tested the client's behaviour regarding payload construction previously.
16288_obscurity.mp4
With purposefully designed
I meant: I do not think all possible outcomes were considered when a feature was build that gave you the outbound model and just said "hey, update this however you want".
I can only guess as I was not a core developer at the time, but I believe the intent was that if you were to change anything or all things on an outbound model, you would make sure it wouldn't brake things when the client then send it back. And I am pretty sure that there was no clear intent to allow this feature to support implementers make things "more secure" (as per previous statement and example)
from umbraco-cms.
Related Issues (20)
- An issue with a custom Extension Condition in the Backoffice HOT 1
- Codespace doesnt fails on creation HOT 1
- Multi Url Picker allows you to pick content and media at the same time HOT 1
- Restricted Public Access and having "install" in the first url segment HOT 1
- V13.5-RC Content fields to stay disabled when save and publishing HOT 4
- UmbracoHelper does not contain a definition for RenderMacroAsync HOT 1
- Icon bug on settings>members section HOT 3
- V13.4.0 ContentPublishingNotification behaviour broken, runs after the prepublishing validation instead of before HOT 1
- IConfigureNamedOptions<MemberExternalLoginProviderOptions> Configure methods never called to setup autolinking HOT 1
- Deletion dialog shows incorrect block label HOT 2
- v14.2.0 - Issues with schedueled content HOT 2
- Content Delivery API - Missing Accept-Language in Vary header HOT 2
- SendingContentNotification missing, still mentioned in "additional preview environments" documentation HOT 1
- v14.2 - Long datatype names collaps in list HOT 1
- `RichTextOutputAsJson` skips space between inline elements HOT 1
- Export/Expose Lit "Task" HOT 3
- Readonly Color Picker Property Editor UI
- [BUG] Editing default member type doesn't work when over 500 members exist HOT 1
- Can not login to BackOffice after remove UI Culture of user
- popup error when trying to send for approval HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from umbraco-cms.