CatalogManagers role cannot edit catalog after update


Hi,

We updated our project to the newest Commerce 12.14 from Commerce 11.2.3. After that, users with the CatalogManagers role but without CommerceAdmins can see the Catalog in the Catalog Editor UI, but everything is read-only: the user cannot create any new entry or modify an existing one. In the previous version CatalogManagers had write access to the catalog as well.

If I assign the user CommerceAdmins role as well, it can edit the catalog. I have checked the role-configuration and security configuration in UI and everything is correct and like in the old version, there is no difference.

What could cause this change of behavior and how could it be solved? I have debugged, and the user gets the CatalogManagers claim, but apparently it is not enough.

Thank you in advance!

#200197
Edited, Jan 04, 2019 15:27

It sounds like that has something to do with 11.6, when we added the catalog access rights feature. Make sure to set the access rights correctly for your users, and you should be fine:

https://world.episerver.com/blogs/Quan-Mai/Dates/2017/12/catalog-content-permission-handling/ 

#200203
Edited, Jan 04, 2019 17:35
Thank you, that was it!
#200209
Jan 04, 2019 18:15
There is still a minor problem, my Catalog Manager is not allowed to create a new Catalog, because I could only set the access on Catalogs, but not on Catalog Root. Is it possible to create a new catalog with CatalogManagers role?
#200389
Jan 10, 2019 13:08

You can assign the write access right to CatalogManagers like this

            IContent content;
            if (_contentLoader.TryGet<IContent>(_referenceConverter.GetRootLink(), out content))
            {
                var securableContent = (IContentSecurable)content;
                var defaultAccessControlList = (IContentSecurityDescriptor)securableContent.GetContentSecurityDescriptor().CreateWritableClone();
                defaultAccessControlList.AddEntry(new AccessControlEntry("CommerceManagers", AccessLevel.Create, SecurityEntityType.Role));
                _contentSecurityRepository.Save(content.ContentLink, defaultAccessControlList, SecuritySaveType.Replace);
            }
#200395
Jan 10, 2019 15:13
Thanks for your answer. I tried your code, but it makes no difference; the permission on Catalog Root seems to be ignored. I also tried with FullAccess, no difference. I verified that after restart the permission is still there, and I also did a logout-login with my Catalog Manager, but it still has no permission to create a new catalog. If I remove the permissions applied on the catalogs (see your previous answer), it also does not get inherited down. Any ideas?
#200416
Jan 11, 2019 11:28

Then I would suggest you contact the developer support service. It sounds like something is wrong somewhere; it's just not easy to tell from this thread.

#200417
Jan 11, 2019 12:24

I debugged into AccessControlList.QueryAccess() and noticed that the ACL has the wrong role - in your snippet it's CommerceManagers instead of CatalogManagers, that was the problem.

In the end I gave FullAccess to CatalogManagers, so there is no need to configure anything on Catalog. I put this in an InitializationModule; the code:

IContent content;
if (contentLoader.TryGet(referenceConverter.GetRootLink(), out content))
{
	var securableContent = (IContentSecurable)content;
	var contentSecurityDescriptor = securableContent.GetContentSecurityDescriptor();
	if (!contentSecurityDescriptor.Entries.Any(entry =>
		entry.Name == "CatalogManagers" &&
		entry.Access == AccessLevel.FullAccess &&
		entry.EntityType == SecurityEntityType.Role))
	{
		var defaultAccessControlList = (IContentSecurityDescriptor)contentSecurityDescriptor.CreateWritableClone();
		defaultAccessControlList.AddEntry(new AccessControlEntry("CatalogManagers", AccessLevel.FullAccess, SecurityEntityType.Role));
		contentSecurityRepository.Save(content.ContentLink, defaultAccessControlList, SecuritySaveType.Replace);
	}
}

Thanks for your help!

#200424
Edited, Jan 11, 2019 13:12
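
The approach from the last post as a complete initialization module, added here as an example; it is not code from the thread or from Episerver. The class name is hypothetical, and the narrower access mask (instead of FullAccess) is an assumption to verify against what catalog managers need to do.

```csharp
using System.Linq;
using EPiServer;
using EPiServer.Core;
using EPiServer.DataAbstraction;
using EPiServer.Framework;
using EPiServer.Framework.Initialization;
using EPiServer.Security;
using EPiServer.ServiceLocation;
using Mediachase.Commerce.Catalog;

// Hypothetical module name; role name and API calls are the ones used in the thread.
[InitializableModule]
[ModuleDependency(typeof(EPiServer.Commerce.Initialization.InitializationModule))]
public class CatalogRootAccessInitialization : IInitializableModule
{
    // One constant for the role name, so the check and the grant cannot drift apart
    // (the first snippet in the thread had no effect because of a wrong role name).
    private const string Role = "CatalogManagers";

    // Assumption: these rights are enough for catalog managers; Administer is left out.
    private const AccessLevel Granted = AccessLevel.Read | AccessLevel.Create |
        AccessLevel.Edit | AccessLevel.Delete | AccessLevel.Publish;

    public void Initialize(InitializationEngine context)
    {
        var locator = context.Locate.Advanced;
        var contentLoader = locator.GetInstance<IContentLoader>();
        var referenceConverter = locator.GetInstance<ReferenceConverter>();
        var securityRepository = locator.GetInstance<IContentSecurityRepository>();

        IContent root;
        if (!contentLoader.TryGet<IContent>(referenceConverter.GetRootLink(), out root)) return;

        var descriptor = ((IContentSecurable)root).GetContentSecurityDescriptor();
        // Idempotent: skip the save when the role already holds at least these rights.
        if (descriptor.Entries.Any(e => e.Name == Role &&
            e.EntityType == SecurityEntityType.Role && (e.Access & Granted) == Granted)) return;

        var writable = (IContentSecurityDescriptor)descriptor.CreateWritableClone();
        writable.AddEntry(new AccessControlEntry(Role, Granted, SecurityEntityType.Role));
        securityRepository.Save(root.ContentLink, writable, SecuritySaveType.Replace);
    }

    public void Uninitialize(InitializationEngine context) { }
}
```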