
REST API: Anonymous users cannot create contents with Category fields. #12150

Closed
joseorsini opened this issue Jul 19, 2017 · 2 comments

@joseorsini
Contributor

Even though we have a property that bypasses some permissions related to creating contents via the REST API,

REST_API_CONTENT_ALLOW_FRONT_END_SAVING

once the parent content type has a Category field, it doesn't matter whether the actual Category selected on the content to be created has the CMS Anonymous -> View permission. Permissions validation indicates that the Anonymous user does not have permission to view the Category, even though it has the required permissions under normal circumstances.

Expected Behavior

In the same way that the REST_API_CONTENT_ALLOW_FRONT_END_SAVING property is respected for saving contents after fields' validation, it should also be checked once Categories are pulled and then added to the current contentlet object to be saved.

Current Behavior

Even if you:

  • set the REST_API_CONTENT_ALLOW_FRONT_END_SAVING property to true,
  • set the CMS Anonymous -> Edit permission on the Content Type, and
  • set CMS Anonymous -> View on the category and its child categories for the Category field on this same content type,

contents cannot be created via REST API calls if you're not logged in to the frontend. If you remove this Category field, content gets saved under the same config/settings detailed above.

Possible Solution

Update the ContentResource to honor this property upon lookup of categories, in case the content type has category fields and they were populated upon content submission.

Known Workarounds

None.

Steps to Reproduce (for bugs)

  1. Create a Test Content Type, called "Test Cat".
  2. Create a Text field, called "Title".
  3. Create a Categories field, called "Event Type". Select "Event Types" for this field once it's being created.
  4. Make sure that the Event Types category has CMS Anonymous -> View permission.
  5. On the demo.dotcms.com site, set the "CMS Anonymous -> Edit" permission for Content Types and Contents/Files.
  6. Run the following curl commands:

Without Category field on JSON sent to the application:

JoseMa-MacBook-Pro:3.7.1-dist joseorsini$ curl -v -XPUT https://demo.dotcms.com/api/content/save/1 -H "Content-Type:application/json" -d '{
>     stName:"TestCat",
>     languageId:1,
>     title:"test content"
> }'
*   Trying 54.165.137.45...
* TCP_NODELAY set
* Connected to demo.dotcms.com (54.165.137.45) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate: demo.dotcms.com
* Server certificate: Let's Encrypt Authority X3
* Server certificate: DST Root CA X3
> PUT /api/content/save/1 HTTP/1.1
> Host: demo.dotcms.com
> User-Agent: curl/7.51.0
> Accept: */*
> Content-Type:application/json
> Content-Length: 68
>
* upload completely sent off: 68 out of 68 bytes
< HTTP/1.1 200 OK
< Date: Wed, 19 Jul 2017 18:59:54 GMT
< Content-Length: 0
< Connection: keep-alive
< Server: Apache-Coyote/1.1
< Set-Cookie: JSESSIONID=964FB8F2055C2439B9A930A50485CE42; Path=/; Secure; HttpOnly
< Location: https://demo.dotcms.com/api/content/inode/e33c5c71-a2a7-49e3-954e-f80e53ab2057
< inode: e33c5c71-a2a7-49e3-954e-f80e53ab2057
< identifier: f4be4e35-c12b-4222-a7ff-1e2a6b27bd8b
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS
< Access-Control-Allow-Headers: Authorization, Accept, Content-Type, Cookies
<
* Curl_http_done: called premature == 0
* Connection #0 to host demo.dotcms.com left intact

With a Category field on the JSON sent to the application:

JoseMa-MacBook-Pro:3.7.1-dist joseorsini$ curl -v -XPUT https://demo.dotcms.com/api/content/save/1 -H "Content-Type:application/json" -d '{
>     stName:"TestCat",
>     languageId:1,
>     title:"test content",
>     eventType:"seminars"
> }'
*   Trying 54.165.137.45...
* TCP_NODELAY set
* Connected to demo.dotcms.com (54.165.137.45) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate: demo.dotcms.com
* Server certificate: Let's Encrypt Authority X3
* Server certificate: DST Root CA X3
> PUT /api/content/save/1 HTTP/1.1
> Host: demo.dotcms.com
> User-Agent: curl/7.51.0
> Accept: */*
> Content-Type:application/json
> Content-Length: 94
>
* upload completely sent off: 94 out of 94 bytes
< HTTP/1.1 403 Forbidden
< Date: Wed, 19 Jul 2017 19:00:20 GMT
< Content-Type: text/plain
< Content-Length: 158
< Connection: keep-alive
< Server: Apache-Coyote/1.1
< Set-Cookie: JSESSIONID=9C0782D7D46BC3A26996CF5C54C6694E; Path=/; Secure; HttpOnly
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS
< Access-Control-Allow-Headers: Authorization, Accept, Content-Type, Cookies
<
* Curl_http_done: called premature == 0
* Connection #0 to host demo.dotcms.com left intact
User doesn't have permission to save this category = 5193736b-b98c-425d-a12c-0391d2bef6a9 having as parent the category = 5193736b-b98c-425d-a12c-0391d2bef6a9

Context

Reproduced on the current 4.1.1 release.
Reported by a customer:

https://my.dotcms.com/tickets/detail.dot?id=eb4f1f2e-2480-4a0e-ba2b-ec14d28b2a05

Your Environment

  • dotCMS 3.6.2, 3.7.1, 4.1.1.
  • Any Browser
  • Any Operating System.
  • Any Application Server.
  • Java 8u121.
  • Any supported Database.
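As an added illustration (not dotCMS code, and not from this issue or its PR), the following Python model threads a "respect front-end roles" flag through the content-type check and the category lookup, the way the Possible Solution above describes. The role semantics, the asset and user names, and the `save_content` and `has_permission` functions are assumptions made for the illustration.

```python
"""Simplified model of the authorization path this issue describes.

Added illustration, not dotCMS code: the role semantics below (backend roles,
the CMS Anonymous front-end role, a "respect front-end roles" switch) are
assumptions used to show why REST_API_CONTENT_ALLOW_FRONT_END_SAVING must
reach the category lookup, and why passing it through does not weaken it.
"""
from dataclasses import dataclass

ANONYMOUS_ROLE = "CMS Anonymous"  # front-end role every unauthenticated request carries
VIEW, EDIT = "VIEW", "EDIT"


@dataclass(frozen=True)
class User:
    name: str
    backend_roles: frozenset = frozenset()  # roles of a logged-in backend user


@dataclass
class Asset:
    """A content type or a category, with its role -> permission-levels map."""
    name: str
    permissions: dict


def has_permission(asset, level, user, respect_frontend_roles):
    """Assumed check: backend roles always count; CMS Anonymous counts only
    when the caller asks for front-end roles to be respected."""
    roles = set(user.backend_roles)
    if respect_frontend_roles:
        roles.add(ANONYMOUS_ROLE)
    return any(level in asset.permissions.get(r, ()) for r in roles)


def save_content(content_type, categories, user, allow_front_end_saving,
                 pass_flag_to_category_lookup):
    """Model of the REST save; returns (HTTP-like status, message).

    pass_flag_to_category_lookup=False reproduces the reported bug: the property
    is honoured for the content-type check, but the category lookup runs with
    front-end roles ignored, so CMS Anonymous -> View on the category is never seen.
    """
    if not has_permission(content_type, EDIT, user, allow_front_end_saving):
        return 403, "User doesn't have permission to save this content type"
    for cat in categories:
        respect = allow_front_end_saving if pass_flag_to_category_lookup else False
        if not has_permission(cat, VIEW, user, respect):
            return 403, f"User doesn't have permission to save this category = {cat.name}"
    return 200, "saved"


# Constructed fixture mirroring the issue's setup: Anonymous has Edit on the
# content type and View on "Event Types"; a second category lacks View.
ANON = User("anonymous")
TEST_CAT = Asset("TestCat", {ANONYMOUS_ROLE: {EDIT, VIEW}})
EVENT_TYPES = Asset("Event Types", {ANONYMOUS_ROLE: {VIEW}})
PRIVATE_CAT = Asset("Internal", {"Admin": {VIEW, EDIT}})


def reproduce_bug():
    """Flag honoured for the type but not the category: 403, as in the report."""
    return save_content(TEST_CAT, [EVENT_TYPES], ANON, True, False)[0]


def reproduce_fix():
    """Flag passed through to the category lookup: the same request returns 200."""
    return save_content(TEST_CAT, [EVENT_TYPES], ANON, True, True)[0]
```

The third and fourth checks a reviewer would run are that a category without Anonymous -> View is still refused after the fix, and that setting the property to false still refuses anonymous saves outright; both hold in this model.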
@joseorsini
Contributor Author

PR: #12151

joseorsini added a commit that referenced this issue Jul 19, 2017
dsilvam added a commit that referenced this issue Jan 26, 2018
dsilvam added a commit that referenced this issue Jan 26, 2018
dsilvam added a commit that referenced this issue Jan 26, 2018
#13510)

* ContentResource: Pass value of REST_API_CONTENT_ALLOW_FRONT_END_SAVING to methods to find cats by key or name
ContentResourceTest: Added two tests for both cases (true/false) for REST_API_CONTENT_ALLOW_FRONT_END_SAVING
when saving content via REST API with anonymous user

* #12150 Correct test name.

* #12150 Code review changes.
@dsilvam dsilvam added this to the Rex Current milestone Jan 26, 2018
@DeanGonzalez DeanGonzalez self-assigned this Jan 29, 2018
brentgriffin pushed a commit that referenced this issue Jan 30, 2018
* Updating commit reference for src/main/enterprise

* #13309 - Changes in the Upsert Command for Postgres -9.4 (#13403)

* #13309 - Changes in the Upsert Command for Postgres -9.4

* #13309 - Changes in the Upsert Command for Postgres -9.4

* Can't save new containers in a layout (#13377)

* Can't save new containers in a layout

* refactoring

* refactoring

* merge

* doing constructor public again

* refactoring

* refactoring

* #13196 (#13405)

* Wrong type #13196 (#13406)

* Issue 13352 dnd on workflow (#13382)

* #13352 adding drag and drop to workflow builder

* #13352 cool new hover trick

* #13352 we didn't need api changed

* #13352

* Add message key (#13412)

* #12991 Need to add action of push publish to content types

* #13236 Edit contentlets in page (#13400)

js changes

* bring back download data/assets changes (#13422)

* #13395 CopyContentlet done (#13415)

* Fix more jenkins tests (#13427)

* Updating commit reference for src/main/enterprise

* PermissionAPITest: converted from functional to integration
RoleAjax: remove unused user. Can now be tested with server down
UserAPITest: fix workflow issues
FolderAPITest: fix workflow issues
LinkFactoryTest: fix workflow issues
ContainerFactoryImpl: Reading version info from api instead of only cache.

* #13410 MSSQL Task 04315 Upgrade Fix (#13423)

* #13410 MSSQL Task 04315 Upgrade Fix

* #13410 MSSQL Task 04315 Upgrade Fix

* #13321: Clearing cache to force DB search (#13431)

* Remove permission tests from alltestsuite (#13434)

* Updating commit reference for src/main/enterprise

* PermissionAPITest: converted from functional to integration
RoleAjax: remove unused user. Can now be tested with server down
UserAPITest: fix workflow issues
FolderAPITest: fix workflow issues
LinkFactoryTest: fix workflow issues
ContainerFactoryImpl: Reading version info from api instead of only cache.

* Remove ITest from AllTestSuite.

* #13424 fixes the mysql lockup issue (#13426)

* #13424 fixes the mysql lockup issue

* #13424 closes the preparedstatement

* #13241 rethrow the original exception (#13416)

* Updating commit reference for src/main/enterprise

* Fix TreeTransformer for Oracle. (#13439)

* #13433 bring back Backup Data/Assets functionality (#13442)

* Added new starter

* #13321: Avoiding factory method with API find call inside (#13443)

* #13429 (#13432)

* Updating commit reference for src/main/enterprise

* Added new starter

* Clean folderapitest rename (#13456)

* Fix TreeTransformer for Oracle.

* Dont mess with cache in the test. FolderAPITest.rename

* #13384 - Delete Template dependencies popup should display Template Title (#13455)

* Workflows tests fixes (#13460)

* Workflows tests fixes

* Workflows tests fixes

* Workflows tests - Adding missing condition (#13461)

* #13196 fixing ut for oracle (#13463)

* #13196 fixes for upgrade task for mssql (#13462)

* Issue 12991 need to add actions push publish content types (#13444)

* issue #12991 push publish content types message keys

* #12991 push publish content types actions message keys

* #12991 push publish content types message keys

* Issue 13457 (#13465)

* #13457: Remove unused logic

* #13457: Add copyTemplate integration test

* #13419: Prevent NPE by avoiding Layout parsing when Template not drawn (#13458)

* #13419: Prevent NPE by avoiding Layout parsing when Template not drawn

* #13419: Adding Will's logic from no-code branch

* #12999 - Added MultiTree Transformer (#13438)

* #12999 - Added MultiTree Transformer

* #12999 - MultiTree Transformer test and fixes

* #12999 - MultiTree Transformer test and fixes

* #12999 - MultiTree Transformer test and fixes

* #12999 - MultiTree Transformer test and fixes

* #12999 - MultiTree Transformer test and fixes

* Fix condition check for user api test. More Logging. (#13473)

* #13474 Include lang properties changes. (#13476)

* Workflows tests - Fixing permissions (#13477)

* error common label (#13467)

* Include working:true in es query for reindexing content after updating user. Use isInodeIndex with live=false. (#13479)

* #13390 cherry-pick the email fix (#13484)

* Updating commit reference for src/main/enterprise

* http://#13295 set sidebar width in edit layout - Message keys (#13480)

* Include more logging for FolderAPITest.delete (#13488)

* Issue rest multiple binaries (#13472)

* #11620

* #11613

* #13466 - Fixes in Update System Folder when System folder has been re… (#13486)

* #13466 - Fixes in Update System Folder when System folder has been renamed

* #13466 - Fixes in Update System Folder when System folder has been renamed

* Folderapitest rename logging (#13491)

* Include more logging for FolderAPITest.delete

* more logging.

* Adding missing validation (#13489)

* Adding missing validation

* Fixing Typo

* Logging for FolderAPITest.delete

* UserAPITest.delete:Load Identifiers from db to avoid cache race conditions.

* Issue 13336 (#13487)

* #13336 remove CMIS

* #13336 remove commented code

* #13336 changes DBSearch

* #13336 revert changes DBSearch

* #13336 missing assignment

* Updating commit reference for src/main/enterprise

* Issue 13429 missing commit tika lowercase (#13501)

* #13429

* missing lowercase

* ESUtils: include case for text with whitespace (#13499)

ESUtilsTest: test for all special chars and whitespace

* Updating commit reference for src/main/enterprise

* #13375 - Folder API - Incorrect Query causing cartesian product and o… (#13493)

* #13375 - Folder API - Incorrect Query causing cartesian product and out of memory or closed resultsets errors

* #13375 - Folder API - Incorrect Query causing cartesian product and out of memory or closed resultsets errors

* #10604 add hover options for span tags in website browser (#13490)

* #12991 push publish content types - Messages keys (#13500)

* Issue 13502 npe on deleted bundle (#13503)

* #13429

* fixes #13502

* Use new ami (#13511)

* ContentResource: Pass value of REST_API_CONTENT_ALLOW_FRONT_END_SAVIN… (#13510)

* ContentResource: Pass value of REST_API_CONTENT_ALLOW_FRONT_END_SAVING to methods to find cats by key or name
ContentResourceTest: Added two tests for both cases (true/false) for REST_API_CONTENT_ALLOW_FRONT_END_SAVING
when saving content via REST API with anonymous user

* #12150 Correct test name.

* #12150 Code review changes.

* Update ami jenkins (#13512)

* Use new ami

* New AMI for jenkins continuous tests.

* Include isInodeIndexed in test.

* Issue 13469 workflow multi lang (#13509)

* #13469 multi language support for workflow task

* #13469 Adding the multi language step/action workflows

* #13469 codacy feedback

* Issue 11265 create 4 eyes workflow actionlet (#13366)

* #11265 : Adding initial version of the 4-Eyes actionlet.

* #11265 : Adding initial version of the 4-Eyes actionlet.

* #11265 :

- Wrapping up changes in the 4-eyes approval actionlet class.
- Adding utility class for common-use methods in actionlets.

* #11265 : Adding new type of actionlet parameter that includes validation of role keys.

* #11265 : Codacy and Sonar code changes.

* #11265 : More Codacy and Sonar code changes.

* #11265 : First draft of integration test. Fixing exception throws where the original exception was being swallowed.

* #11265 : Adding more tests to the four-eye sub-action integration test.

* #13333 need to add action of add to bundle to content types - Adding message keys (#13516)

* Missing import

* Fix TreeTransformer and ContentletTransformer (#13518)

TreeTransformer: Use conversion utils instead of a class for Oracle.
TransformerLocator: create only TreeTransformer
ContentletTransformer: Use conversion utils to avoid classCastException in oracle

* #13375 fix starting up oracle, bc join never finds inode column (#13519)

* Remove invalid import.

* Fixing failing Jenkins tests. (#13517)

* changes to build docker image from gradle file - still need to upgrade gradle wrapper version

* cosmetic commit to build.gradle

* changed docker tags and added blank line at end of file

* upgraded gradle wrapper to 4.4.1

* 4.4.1 gradle wrapper

* added reference comment

* fixes #13527
dsilvam pushed a commit that referenced this issue Jan 30, 2018
* fixes #13435 - changed so rename only happens based on ARCHIVE_IMPORTED_LICENSE_PACKS being true.  Also logs failure if appropriate. (#13464)

* Issue 13527 build docker image from gradle build (#13529)

@DeanGonzalez

Passed: CMS Anonymous can add content with category as long as the anonymous role has save on the content type.
