Hi,
Which version are you using? I'm trying this on the latest NuGet package (which should be the same as 7.5, as we haven't made changes to this area since), and it works as intended - I got this message, which is correct:
Access Denied |
Your account does not have rights to access this feature of the commerce manager. Please contact your system administrator for more information. |
/Q
Hi,
I can confirm that this bug happens on Commerce R3. However, as this bug appears to be fixed in 7.5, we recommend upgrading to EPiServer Commerce 7.5 - which includes new features and other bug fixes.
My apologies for the initial response. We recommend upgrading instead.
Regards.
/Q
I feel it's a bug in the EPiServer eCommerce security module.
Issue: when an unauthorized user logs into EPiServer eCommerce and directly browses any URL in Commerce except the BFO views, he is able to view them without any restriction.
Example scenario to replicate the problem:
1. Create a role "Report viewer" with only login and view permission to the Reporting tab.
2. Create a user "XYZ" in Commerce and assign the "Report viewer" role.
3. Log in as "XYZ"; as per the given permission, he is able to see the "Reporting" tab.
4. It is fine up to here. But if we browse the "Catalog batch update" link URL (Catalog management > Catalog batch update), he is able to view it without any restriction. (Example URL: http://localhost:61000/Apps/Shell/Pages/default.aspx#right=http%253A%2F%2Flocalhost%253A61000%2FApps%2FShell%2FPages%2FContentFrame.aspx%253F_a%253DCatalog%252526_v%253DCatalogBatchUpdate-List)
This is the issue, because the role doesn't even have view permission to Catalog management.
I have verified "CatalogBatchUpdate-List.xml", where we specify the <ViewConfig> tag along with its permission attribute:
-------------------------------------------------------------------------------------------------------------------------------
<ViewConfig>
<setAttributes id="CatalogBatchUpdate-List" name="{CatalogStrings:Catalog_Catalog_Batch_Update}" controlUrl="catalog/CatalogBatchUpdate.ascx" permissions="catalog:ctlg:entries:mng:edit" help="Catalog+Management"></setAttributes>
</ViewConfig>
------------------------------------------------------------------------------------------------------------------------------
Please note that it already has the permissions="catalog:ctlg:entries:mng:edit" attribute, but the restriction is not applied while loading.
I found the same issue with other links also, like all the links and product URLs under Catalog management, the links under the Order management tab, etc.
Note that the view-level security is only applied to the BFOs; all the other links are not restricted when browsed directly, especially the Catalog management and Order management links (important).
A straightforward question is "Where is the security in EPiServer eCommerce?" Is it a bug, or am I missing some other configuration? Should anything be configured to apply the restriction? Please let me know.
Thanks in advance,
Nani
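As an added example (not code from EPiServer or from anyone in this thread), the following shows the server-side check the report above expects Commerce Manager to perform for a directly browsed view: recover the `_v` view id that ContentFrame.aspx receives from the post's example URL (decoded), look up the `permissions` attribute of the quoted ViewConfig entry, and refuse to render unless the user holds that permission, denying unknown or permission-less views rather than letting them through. The `Reporting-List` entry, the `reporting:view` permission string, the role's permission set, and the comma-separated reading of `permissions` are assumptions constructed for the example.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, unquote, urlsplit

# The ViewConfig fragment quoted in the post, plus a second, constructed entry
# for a reporting view so the "Report viewer" role has something it may see.
# "Reporting-List" and "reporting:view" are assumptions, not real Commerce values.
VIEW_CONFIG_XML = """<ViewConfig>
<setAttributes id="CatalogBatchUpdate-List" name="{CatalogStrings:Catalog_Catalog_Batch_Update}" controlUrl="catalog/CatalogBatchUpdate.ascx" permissions="catalog:ctlg:entries:mng:edit" help="Catalog+Management"></setAttributes>
<setAttributes id="Reporting-List" name="Reporting" controlUrl="reporting/Reporting.ascx" permissions="reporting:view" help="Reporting"></setAttributes>
</ViewConfig>"""

# The example URL from the post: the view id travels in the client-controlled
# "right" fragment parameter, nested and percent-encoded more than once.
SHELL_URL = ("http://localhost:61000/Apps/Shell/Pages/default.aspx#right="
             "http%253A%2F%2Flocalhost%253A61000%2FApps%2FShell%2FPages%2F"
             "ContentFrame.aspx%253F_a%253DCatalog%252526_v%253DCatalogBatchUpdate-List")

# Constructed permission set for the "Report viewer" role in the repro.
REPORT_VIEWER_PERMS = frozenset({"reporting:view"})


def fully_unquote(value: str, max_rounds: int = 5) -> str:
    """Percent-decode until the string stops changing, with a bound on rounds."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def view_id_from_shell_url(url: str) -> str | None:
    """Recover the _v view id that ContentFrame.aspx would receive for this URL."""
    fragment = urlsplit(url).fragment               # 'right=http%253A...'
    right = parse_qs(fragment).get("right", [""])[0]  # one decoding round
    inner = fully_unquote(right)                    # '...ContentFrame.aspx?_a=Catalog&_v=...'
    return parse_qs(urlsplit(inner).query).get("_v", [None])[0]


def load_required_permissions(xml_text: str) -> dict[str, frozenset[str]]:
    """Map each view id to the permission set its ViewConfig entry declares.
    Reading the attribute as a comma-separated list is an assumption; the post
    shows a single value."""
    root = ET.fromstring(xml_text)
    required: dict[str, frozenset[str]] = {}
    for node in root.iter("setAttributes"):
        perms = node.get("permissions", "")
        required[node.get("id", "")] = frozenset(
            p.strip() for p in perms.split(",") if p.strip())
    return required


def authorize_view(view_id: str | None, user_perms, required) -> tuple[bool, str]:
    """Gate to run on the server before rendering a view, regardless of what
    navigation the user was shown. Returns (allowed, reason) so denials can be
    logged and alerted on."""
    if view_id not in required:
        return False, f"unknown view {view_id!r}: deny (fail closed)"
    needed = required[view_id]
    if not needed:
        return False, f"view {view_id!r} declares no permissions: deny (misconfiguration)"
    missing = needed - set(user_perms)
    if missing:
        return False, f"view {view_id!r} requires {sorted(missing)}"
    return True, "ok"


if __name__ == "__main__":
    required = load_required_permissions(VIEW_CONFIG_XML)
    view = view_id_from_shell_url(SHELL_URL)
    print(view, authorize_view(view, REPORT_VIEWER_PERMS, required))
```

The decision is made from the view id the server actually resolves, not from which tabs the shell rendered, so hiding the Catalog management tab is never the only control; the reason string on a denial is what a defender would write to the audit log to spot users probing views their role does not cover.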