eZ Publish / Platform
EZP-25522

Impossible to login in PlatformUI if the user does not have read access to its content


Details

    Description

      When you are logged in as a non-administrator user and request a variation of your own profile image (e.g. the AJAX call to /api/ezp/v2/content/binary/images/102-491/variations/platformui_profileview), you get a 401 Unauthorized error, e.g.:

      {
          "ErrorMessage": {
              "_media-type": "application\/vnd.ez.api.ErrorMessage+json",
              "errorCode": 401,
              "errorMessage": "Unauthorized",
              "errorDescription": "User does not have access to 'read' 'content' with: contentId '102'",
              "trace": "#0 \/usr\/local\/var\/www\/ezs.dev\/vendor\/ezsystems\/ezpublish-kernel\/eZ\/Publish\/Core\/Repository\/ContentService.php(230): eZ\\Publish\\Core\\Repository\\ContentService->loadContentInfo(102)\n#1 \/usr\/local\/var\/www\/ezs.dev\/vendor\/ezsystems\/ezpublish-kernel\/eZ\/Publish\/Core\/Repository\/ContentService.php(211): eZ\\Publish\\Core\\Repository\\ContentService->loadVersionInfoById(102, NULL)\n#2 \/usr\/local\/var\/www\/ezs.dev\/vendor\/ezsystems\/ezpublish-kernel\/eZ\/Publish\/Core\/SignalSlot\/ContentService.php(120): eZ\\Publish\\Core\\Repository\\ContentService->loadVersionInfo(Object(eZ\\Publish\\API\\Repository\\Values\\Content\\ContentInfo), NULL)\n#3 \/usr\/local\/var\/www\/ezs.dev\/vendor\/ezsystems\/ezpublish-kernel\/eZ\/Publish\/Core\/REST\/Server\/Controller\/BinaryContent.php(73): eZ\\Publish\\Core\\SignalSlot\\ContentService->loadVersionInfo(Object(eZ\\Publish\\API\\Repository\\Values\\Content\\ContentInfo))\n#4 [internal function]: eZ\\Publish\\Core\\REST\\Server\\Controller\\BinaryContent->getImageVariation('102-491', 'platformui_prof...')\n#5 \/usr\/local\/var\/www\/ezs.dev\/vendor\/symfony\/symfony\/src\/Symfony\/Component\/HttpKernel\/HttpKernel.php(139): call_user_func_array(Array, Array)\n#6 \/usr\/local\/var\/www\/ezs.dev\/vendor\/symfony\/symfony\/src\/Symfony\/Component\/HttpKernel\/HttpKernel.php(62): Symfony\\Component\\HttpKernel\\HttpKernel->handleRaw(Object(Symfony\\Component\\HttpFoundation\\Request), 1)\n#7 \/usr\/local\/var\/www\/ezs.dev\/vendor\/symfony\/symfony\/src\/Symfony\/Component\/HttpKernel\/DependencyInjection\/ContainerAwareHttpKernel.php(69): Symfony\\Component\\HttpKernel\\HttpKernel->handle(Object(Symfony\\Component\\HttpFoundation\\Request), 1, true)\n#8 \/usr\/local\/var\/www\/ezs.dev\/vendor\/symfony\/symfony\/src\/Symfony\/Component\/HttpKernel\/Kernel.php(184): Symfony\\Component\\HttpKernel\\DependencyInjection\\ContainerAwareHttpKernel->handle(Object(Symfony\\Component\\HttpFoundation\\Request), 1, true)\n#9 \/usr\/local\/var\/www\/ezs.dev\/web\/app.php(66): Symfony\\Component\\HttpKernel\\Kernel->handle(Object(Symfony\\Component\\HttpFoundation\\Request))\n#10 {main}",
              "file": "\/usr\/local\/var\/www\/ezs.dev\/vendor\/ezsystems\/ezpublish-kernel\/eZ\/Publish\/Core\/Repository\/ContentService.php",
              "line": 138
          }
      }
      

      BinaryContent::getImageVariation() uses the loadContent() and loadVersionInfo() methods, which check the current user's permission to read the content. That check fails for ordinary users (editors or members, for example), because the permission to read objects of the User content type is normally restricted to administrator-like users. The image variation request therefore fails even though the image belongs to the requesting user's own profile.
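      The following is an added diagnostic, not code from this report or from the eZ Publish kernel. It reproduces the permission decision behind the 401 from a kernel-booted script or console command instead of through HTTP, so an administrator can separate the policy question (does any role grant content/read on the user's own User object?) from the code path the controller takes. It assumes $repository is the repository service (eZ\Publish\API\Repository\Repository, container id 'ezpublish.api.repository'), that sudo() is available on it, and that 'member-login' is a placeholder for the login of a non-administrator user.

```php
<?php
// Added diagnostic example; not part of the EZP-25522 report or the eZ Publish kernel.
// Assumptions: $repository is an eZ\Publish\API\Repository\Repository with sudo() available
// (eZ Publish 5.x / Platform), and 'member-login' is a placeholder login.

use eZ\Publish\API\Repository\Repository;
use eZ\Publish\API\Repository\Exceptions\UnauthorizedException;

/**
 * Returns the policy decision ('canRead') for content/read on the user's own User object,
 * and whether the loadContentInfo() + loadVersionInfo() chain used by
 * BinaryContent::getImageVariation() throws for that user ('loadFailed').
 *
 * Side effect: the repository's current user is switched to $login.
 */
function checkOwnProfileReadAccess(Repository $repository, $login)
{
    // Resolve the user and its ContentInfo with elevated rights first: loading User
    // objects is itself restricted, which is the restriction this report is about.
    $user = $repository->sudo(function (Repository $repo) use ($login) {
        return $repo->getUserService()->loadUserByLogin($login);
    });
    $contentInfo = $repository->sudo(function (Repository $repo) use ($user) {
        return $repo->getContentService()->loadContentInfo($user->id);
    });

    // Everything below is evaluated as the non-administrator user.
    $repository->setCurrentUser($user);

    $result = array(
        'login'      => $login,
        'contentId'  => $contentInfo->id,
        // Pure policy decision: true only if some assigned role grants content/read
        // on this particular object (e.g. via an Owner or Class limitation).
        'canRead'    => $repository->canUser('content', 'read', $contentInfo),
        'loadFailed' => false,
        'error'      => null,
    );

    // Same path the image-variation controller takes. With canRead === false this throws
    // the UnauthorizedException that the REST layer reports as the 401 above.
    try {
        $contentService = $repository->getContentService();
        $contentService->loadVersionInfo($contentService->loadContentInfo($contentInfo->id));
    } catch (UnauthorizedException $e) {
        $result['loadFailed'] = true;
        $result['error']      = $e->getMessage();
    }

    return $result;
}

// Usage from a Symfony console command or a kernel-booted script (placeholder login):
// var_export(checkOwnProfileReadAccess($repository, 'member-login'));
```

      If 'canRead' is false and 'loadFailed' is true, the 401 is a direct consequence of the role setup: no policy lets the user read its own User object, so any endpoint that loads that object through the permission-checked service API will fail regardless of whose image is requested. Whether the remedy is a content/read policy on the User class (with an Owner limitation) or a controller that performs its own access check and then loads under elevated rights is not stated on this page; the diagnostic only tells you which of the two questions you are looking at.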

      People

        Assignee: Unassigned
        Reporter: Sławomir Dołżycki-Uchto (slawomir.uchto@ibexa.co)