eZ Publish / Platform, EZP-25522

Impossible to login in PlatformUI if the user does not have read access to its content

      Description

      When you're logged in as a non-administrator user and ask for a variation of your profile image (AJAX call to, i.e., /api/ezp/v2/content/binary/images/102-491/variations/platformui_profileview), you get an Unauthorized 401 error, i.e.:

      {
          "ErrorMessage": {
              "_media-type": "application\/vnd.ez.api.ErrorMessage+json",
              "errorCode": 401,
              "errorMessage": "Unauthorized",
              "errorDescription": "User does not have access to 'read' 'content' with: contentId '102'",
              "trace": "#0 \/usr\/local\/var\/www\/ezs.dev\/vendor\/ezsystems\/ezpublish-kernel\/eZ\/Publish\/Core\/Repository\/ContentService.php(230): eZ\\Publish\\Core\\Repository\\ContentService->loadContentInfo(102)\n#1 \/usr\/local\/var\/www\/ezs.dev\/vendor\/ezsystems\/ezpublish-kernel\/eZ\/Publish\/Core\/Repository\/ContentService.php(211): eZ\\Publish\\Core\\Repository\\ContentService->loadVersionInfoById(102, NULL)\n#2 \/usr\/local\/var\/www\/ezs.dev\/vendor\/ezsystems\/ezpublish-kernel\/eZ\/Publish\/Core\/SignalSlot\/ContentService.php(120): eZ\\Publish\\Core\\Repository\\ContentService->loadVersionInfo(Object(eZ\\Publish\\API\\Repository\\Values\\Content\\ContentInfo), NULL)\n#3 \/usr\/local\/var\/www\/ezs.dev\/vendor\/ezsystems\/ezpublish-kernel\/eZ\/Publish\/Core\/REST\/Server\/Controller\/BinaryContent.php(73): eZ\\Publish\\Core\\SignalSlot\\ContentService->loadVersionInfo(Object(eZ\\Publish\\API\\Repository\\Values\\Content\\ContentInfo))\n#4 [internal function]: eZ\\Publish\\Core\\REST\\Server\\Controller\\BinaryContent->getImageVariation('102-491', 'platformui_prof...')\n#5 \/usr\/local\/var\/www\/ezs.dev\/vendor\/symfony\/symfony\/src\/Symfony\/Component\/HttpKernel\/HttpKernel.php(139): call_user_func_array(Array, Array)\n#6 \/usr\/local\/var\/www\/ezs.dev\/vendor\/symfony\/symfony\/src\/Symfony\/Component\/HttpKernel\/HttpKernel.php(62): Symfony\\Component\\HttpKernel\\HttpKernel->handleRaw(Object(Symfony\\Component\\HttpFoundation\\Request), 1)\n#7 \/usr\/local\/var\/www\/ezs.dev\/vendor\/symfony\/symfony\/src\/Symfony\/Component\/HttpKernel\/DependencyInjection\/ContainerAwareHttpKernel.php(69): Symfony\\Component\\HttpKernel\\HttpKernel->handle(Object(Symfony\\Component\\HttpFoundation\\Request), 1, true)\n#8 \/usr\/local\/var\/www\/ezs.dev\/vendor\/symfony\/symfony\/src\/Symfony\/Component\/HttpKernel\/Kernel.php(184): Symfony\\Component\\HttpKernel\\DependencyInjection\\ContainerAwareHttpKernel->handle(Object(Symfony\\Component\\HttpFoundation\\Request), 1, true)\n#9 \/usr\/local\/var\/www\/ezs.dev\/web\/app.php(66): Symfony\\Component\\HttpKernel\\Kernel->handle(Object(Symfony\\Component\\HttpFoundation\\Request))\n#10 {main}",
              "file": "\/usr\/local\/var\/www\/ezs.dev\/vendor\/ezsystems\/ezpublish-kernel\/eZ\/Publish\/Core\/Repository\/ContentService.php",
              "line": 138
          }
      }
      

      BinaryContent::getImageVariation() uses the loadContent() and loadVersionInfo() methods, which check the user's permission to read content. This fails for common users (like editors or members), because being able to read User content type objects is a permission restricted to administrator(-like) users.

              People

              Assignee:
              Unassigned
              Reporter:
              slawomir.uchto@ez.no Sławomir Uchto