Fresh upgrade from 9.1 to 10.1.0.7092. When bringing the site up as anonymous user the pencil icon appears in the top left corner.
The Everyone role only has Read site permission checked.
Any help is appreciated!
J.F.
Fresh upgrade from 9.1 to 10.1.0.7092. When bringing the site up as anonymous user the pencil icon appears in the top left corner.
The Everyone role only has Read site permission checked.
Any help is appreciated!
J.F.
When you open the menu as an anonymous user, what do yo have access to? That should identify the permissions that should be revoked to prevent the pencil from showing. The icon shows if the accessing user has permission to perform any managerial actions.
"Administration" appears in the list, but when you click on it it redirects to the login page.
What permissions are granted to the Everyone role and is the Anonymous user in any other roles?
Everyone as Read Site permission and Anonymous user is only in Everyone role (when looking at the administration interface.
We've run the following query in both the old and the new databases and the results are different. The old database has no results in the cs_Security_NodePermissions table whereas the new (upgraded) database has lots of results:
--Have these roles been granted any special permissions
select * from cs_Security_NodePermissions
where RoleId in (select RoleId from cs_Security_UserRoles where UserId = (select UserId from cs_users where IsAnonymous =1))
NodeId RoleId IsAllowed PermissionId
46943F19-146F-4689-B14C-6225DF46792F 1 1 F6E02DF5-CEFA-4CE2-A9F8-974C5DE02FBF
08EF2503-9C22-4407-94E1-9826343015E0 1 1 F6E02DF5-CEFA-4CE2-A9F8-974C5DE02FBF
FC71C97B-15D8-4EC7-BBBD-9BF46B69FF61 1 1 4ECFE6C1-7BEF-450F-B823-0B099CE9F8E9
FC71C97B-15D8-4EC7-BBBD-9BF46B69FF61 1 1 904172B1-6424-461F-8596-155CA9CE8687
FC71C97B-15D8-4EC7-BBBD-9BF46B69FF61 1 1 5F31F03A-1E5D-4E68-AAFB-1BE9D8D03160
FC71C97B-15D8-4EC7-BBBD-9BF46B69FF61 1 1 C6A0ADC7-DBA7-43E3-9B66-41D78BB98552
FC71C97B-15D8-4EC7-BBBD-9BF46B69FF61 1 1 0898A3BD-CD57-45CE-9708-7D458D17E255
FC71C97B-15D8-4EC7-BBBD-9BF46B69FF61 1 1 F6E02DF5-CEFA-4CE2-A9F8-974C5DE02FBF
FC71C97B-15D8-4EC7-BBBD-9BF46B69FF61 1 1 86594DFA-AACE-4F0F-BB5D-9A0B6C6993A6
FC71C97B-15D8-4EC7-BBBD-9BF46B69FF61 1 1 41407D79-E3BA-4E25-8F54-A1650B8C72D0
FC71C97B-15D8-4EC7-BBBD-9BF46B69FF61 1 1 4EC7CD6D-0DAA-4E4C-9EBA-B13D33143964
FC71C97B-15D8-4EC7-BBBD-9BF46B69FF61 1 1 F0A00173-E22B-4A0E-BDD6-B4758CD3FF7B
FC71C97B-15D8-4EC7-BBBD-9BF46B69FF61 1 1 BDB203A9-9D1D-4CEB-8E7E-BC37C96B25CE
FC71C97B-15D8-4EC7-BBBD-9BF46B69FF61 1 1 F57FAD16-097A-49B1-B43A-CBC228F7324B
FC71C97B-15D8-4EC7-BBBD-9BF46B69FF61 1 1 89E7B8B4-9B79-45E2-B537-CE6C1EDD9E27
FC71C97B-15D8-4EC7-BBBD-9BF46B69FF61 1 1 16B1A200-2966-468C-9077-E9DE71BA6056
4D39F81E-C35E-4E5A-865D-E2762408B85C 1 1 F6E02DF5-CEFA-4CE2-A9F8-974C5DE02FBF
4D39F81E-C35E-4E5A-865D-E2762408B85C 1 1 BDB203A9-9D1D-4CEB-8E7E-BC37C96B25CE
That's interesting. Here are the mentioned permissions:
The Moderate and Review Abuse grant would cause the Administration option to be available which is probably why you're seeing the pencil icon.
The following query will identify the role that grants the Moderate and Review Abuse permission:
select r.Name from cs_Security_NodePermissions p inner join cs_Security_Roles r on p.RoleId = r.RoleId where p.PermissionId = 'C6A0ADC7-DBA7-43E3-9B66-41D78BB98552' and r.RoleId in ( select RoleId from cs_Security_UserRoles where UserId = (select UserId from cs_users where IsAnonymous =1) )
That's interesting. Here are the mentioned permissions:
The Moderate and Review Abuse grant would cause the Administration option to be available which is probably why you're seeing the pencil icon.
The following query will identify the role that grants the Moderate and Review Abuse permission:
select r.Name from cs_Security_NodePermissions p inner join cs_Security_Roles r on p.RoleId = r.RoleId where p.PermissionId = 'C6A0ADC7-DBA7-43E3-9B66-41D78BB98552' and r.RoleId in ( select RoleId from cs_Security_UserRoles where UserId = (select UserId from cs_users where IsAnonymous =1) )
I've cleared the entire cs_Security_NodePermissions table, did an IISRESET and the pencil icon is still there.
The only records in that table were for RoleId == 1 / Everyone.
Ok - so I've "worked around" this issue but it isn't ideal... Please let me know if you know why this happened during the upgrade and how to resolve it "properly"?
delete from Community.dbo.cs_Security_EffectivePermissions
where PermissionId='C6A0ADC7-DBA7-43E3-9B66-41D78BB98552' and RoleId=1
Original contents:
NodeId RoleId IsAllowed IsImmediate PermissionId
A5A630EC-395A-48BD-8C43-97F5AAE80F74 1 1 0 C6A0ADC7-DBA7-43E3-9B66-41D78BB98552
FC71C97B-15D8-4EC7-BBBD-9BF46B69FF61 1 1 1 C6A0ADC7-DBA7-43E3-9B66-41D78BB98552
If you run this query, you'll be able to determine the context for this permission being granted (the NodeId and NodeTypeId/ApplicationTypeId in the result should identify the application/group that granted this permission):
select *
from cs_Nodes
where NodeId in ('A5A630EC-395A-48BD-8C43-97F5AAE80F74', 'FC71C97B-15D8-4EC7-BBBD-9BF46B69FF61')
Is it possible that the permissions were manually adjusted for 'Everyone' in the scope identified by the result of this query? Or are you pretty certain it was only the upgrade that modified permissions since your last-known-good state?
We have the 9.1 database still available to review the tables and the NodePermissions table was empty prior to the upgrade. The query you just provided also shows 2 rows in upgraded DB but 0 rows in 9.1 db
I was just asking if its possible that a permission change was made post-upgrade.
What is the NodeTypeId / ApplicationTypeId for the two returned rows?
Thanks for your continued (quick) help:
NodeId ParentNodeId ApplicationTypeId
A5A630EC-395A-48BD-8C43-97F5AAE80F74 FC71C97B-15D8-4EC7-BBBD-9BF46B69FF61 CA0E7C80-8686-4D2F-A5A8-63B9E212E922
FC71C97B-15D8-4EC7-BBBD-9BF46B69FF61 28F9A517-9A0E-4566-B3D0-39653B6AD650 23B05A61-C3E5-4451-90D9-BFA00453BCE4
So those are:
You can use this query to determine which blog and group these are:
select b.Name as BlogName, g.Name as GroupName from te_Blog_Blogs b inner join cs_Groups g on b.GroupId = g.GroupID where b.NodeId = 'A5A630EC-395A-48BD-8C43-97F5AAE80F74' select Name as GroupName from cs_Groups where NodeId = 'FC71C97B-15D8-4EC7-BBBD-9BF46B69FF61'
The links back to the "Test Blogs" group (created 2016-09-07) and a "test blog" created on the same date. So definitely older.
I'm not sure how these permissions were added. The creation date of the group and blog aren't necessarily indicative of when permissions were last edited.
I can say that I'm not aware of this issue occurring in other communities and that the Everyone role is not granted these permission by default.
I am glad that we were able to resolve the immediate issue, at least.
Ben Tiedt, where can we find a table of these permission GUIDs and their labels? This would be very helpful for troubleshooting.