Umbraco-CMS: IMPORTANT! Security patch breaks backoffice for non-Administrator users
Which Umbraco version are you using? (Please write the exact version, example: 10.1.0)
8.18.10 and 10.8.1
Bug summary
After upgrading to 8.18.10 and 10.8.1, the /umbraco/backoffice/UmbracoApi/Language/GetAllLanguages endpoint returns a 401 in Umbraco 8 and a 403 in Umbraco 10 for non-Administrator users. On 8.18.10 the user gets redirected to the login screen. On 10.8.1 the user sees the backoffice, but the content tree fails to load. Users in the Administrator group can log in without a problem.
Specifics
No response
Steps to reproduce
Upgrade Umbraco to version 8.18.10 or 10.8.1 and try to log in using a non-Administrator account.
Expected result / actual result
Umbraco 8.18.10
Umbraco 10.8.1
About this issue
- State: closed
- Created 7 months ago
- Comments: 31 (12 by maintainers)
Commits related to this issue
- Remove content section access policy from GetAllLanguages endpoint. #15435 — committed to Reaction77/Umbraco-CMS by Reaction77 7 months ago
- Remove content section access policy from GetAllLanguages endpoint. #15435 (#15450) — committed to umbraco/Umbraco-CMS by Reaction77 7 months ago
- Remove content section access policy from GetAllLanguages endpoint. #15435 (#15450) (cherry picked from commit cedfdcc9b20cbb9ce588d5b2bd49eb3b7553f14d) — committed to umbraco/Umbraco-CMS by Reaction77 7 months ago
@bergmania @Zeegaan Might be a good idea to update the links in the security advisory to make sure people don't install the broken patch.
https://umbraco.com/blog/security-advisory-security-patches-for-umbraco-8-10-11-and-12-now-available/
@benbracedigital Looks like it's out
https://www.nuget.org/packages/Umbraco.Cms/10.8.2
@Zeegaan @Wolfkhan66 I can confirm that 8.18.12 fixes the issue for me. Thanks!
@MartinTiemens Testing on earlier versions of 12, you didn't have access to the recycle bin with that either, so luckily no more regressions it seems (famous last words)
@lukehook there was an official update to the blog post, and 7 is not included in the issues, so that's the confirmation: https://umbraco.com/blog/security-advisory-security-patches-for-umbraco-8-10-11-and-12-now-available/
@lukehook V7 should not be affected to the best of my knowledge
This should now be fixed in 10.8.2
Yep, that bug has been reported here: https://github.com/umbraco/Umbraco-CMS/issues/15434 and will also be covered by the fix