Fresh upgrade from 9.1 to 10.1.0.7092. When bringing the site up as an anonymous user the pencil icon appears in the top left corner.
The Everyone role only has Read site permission checked.
Any help is appreciated!
J.F.
Thanks for your continued (quick) help:
NodeId ParentNodeId ApplicationTypeId
A5A630EC-395A-48BD-8C43-97F5AAE80F74 FC71C97B-15D8-4EC7-BBBD-9BF46B69FF61 CA0E7C80-8686-4D2F-A5A8-63B9E212E922
FC71C97B-15D8-4EC7-BBBD-9BF46B69FF61 28F9A517-9A0E-4566-B3D0-39653B6AD650 23B05A61-C3E5-4451-90D9-BFA00453BCE4
So those are:
You can use this query to determine which blog and group these are:
    select b.Name as BlogName, g.Name as GroupName
    from te_Blog_Blogs b
    inner join cs_Groups g on b.GroupId = g.GroupID
    where b.NodeId = 'A5A630EC-395A-48BD-8C43-97F5AAE80F74';

    select Name as GroupName
    from cs_Groups
    where NodeId = 'FC71C97B-15D8-4EC7-BBBD-9BF46B69FF61';
That links back to the "Test Blogs" group (created 2016-09-07) and a "test blog" created on the same date. So definitely older.
I'm not sure how these permissions were added. The creation date of the group and blog aren't necessarily indicative of when permissions were last edited.
I can say that I'm not aware of this issue occurring in other communities and that the Everyone role is not granted these permissions by default.
I am glad that we were able to resolve the immediate issue, at least.
We have the same thing happening in our 10.0.2 installation. I'll read through this thread, try some of the ideas, and tag onto the end if I can't resolve it.
Ben Tiedt, where can we find a table of these permission GUIDs and their labels? This would be very helpful for troubleshooting.
This isn't necessarily a complete list, but I opened the Permissions panel of the Control Panel within a group and ran this quick script in the browser's console to get a JSON text representation of the permissions that I quickly converted to a CSV file for easy reference. You'll need to focus on the control panel before running this.
    // Get permission id/description pairs as array.
    var list = [];
    $.each($('li.field-item.permission'), function(i, o) {
      var me = $(this);
      var id = me.find('input[name="permissions"]').attr('value');
      list.push({ id: id, description: me.find('label').text() });
    });
    // Create JSON string for conversion to CSV.
    console.log( JSON.stringify(list) );
We have thousands of groups, but if one group grants excessive permissions to the Everyone role, the pencil shows up globally for all anonymous users:
We removed these permissions and the pencil eventually disappeared for anonymous users.
I'm not sure if it's possible to code around this, but is there any way to prevent the pencil from globally appearing for the special anonymous user? Are there use cases where one would want that pencil to be available?
It's not the user, it's the role that triggers it, and every user is in the everyone role, which is why it shows up for everyone. Could you code around it? Sure, but you aren't solving the actual problem where not logged in users or users in that role were given more privileges than they should, which could be compromising areas of your site or API surface area other than entering the admin area.
Thanks for clarifying that it's the role not the anonymous user. I could have stated that clearer.
I hear what you're saying, but on the other hand, should a single group have the power to change the global UI shared by all groups? In our case, someone gave the Everyone role the ability to moderate and review abusive content within their group. It would make sense to see the pencil within that group, but exposing it while on other groups doesn't seem quite right for the UX, especially when they have to sign in to use the granted permission.
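
One way to turn the id/description list from the console script into a recurring audit of what the Everyone role holds across many groups. This is an added example, not code from any poster or from the product; the grants export format, every GUID and label, and the read-only allowlist are constructed assumptions.

```javascript
// Added example. Every GUID and label below is a constructed placeholder.
// Catalogue in the shape the console script in the thread logs: [{ id, description }].
const catalogue = [
  { id: 'a1111111-1111-1111-1111-111111111111', description: ' Read Group ' },
  { id: 'b2222222-2222-2222-2222-222222222222', description: 'Review Abusive Content' },
];

// Hypothetical grants export: one row per (node, role, permission).
const grants = [
  { nodeId: 'AAAAAAAA-0000-0000-0000-000000000001', role: 'Everyone',
    permissionId: 'A1111111-1111-1111-1111-111111111111' },
  { nodeId: 'AAAAAAAA-0000-0000-0000-000000000001', role: 'Everyone',
    permissionId: 'B2222222-2222-2222-2222-222222222222' },
  { nodeId: 'BBBBBBBB-0000-0000-0000-000000000002', role: 'Everyone',
    permissionId: 'C3333333-3333-3333-3333-333333333333' }, // not in catalogue
  { nodeId: 'BBBBBBBB-0000-0000-0000-000000000002', role: 'Owners',
    permissionId: 'B2222222-2222-2222-2222-222222222222' },
];

// Permissions the Everyone role is expected to hold (assumption: read only).
const allowedForEveryone = ['a1111111-1111-1111-1111-111111111111'];

// GUIDs may differ in case between a SQL result and an HTML attribute.
const norm = (guid) => String(guid).trim().toLowerCase();

// Returns [{ nodeId, permissions }] for every node where roleName holds
// a permission that is not on the allowlist.
function auditEveryoneGrants(grants, catalogue, allowedIds, roleName = 'Everyone') {
  const labels = new Map(catalogue.map((p) => [norm(p.id), p.description.trim()]));
  const allowed = new Set(allowedIds.map(norm));
  const byNode = new Map();
  for (const g of grants) {
    if (g.role !== roleName) continue;
    const pid = norm(g.permissionId);
    if (allowed.has(pid)) continue;
    const node = norm(g.nodeId);
    if (!byNode.has(node)) byNode.set(node, []);
    // The catalogue may be incomplete, so unknown ids are reported, not dropped.
    byNode.get(node).push(labels.get(pid) || `unknown permission ${pid}`);
  }
  return [...byNode].map(([nodeId, permissions]) => ({ nodeId, permissions }));
}

const findings = auditEveryoneGrants(grants, catalogue, allowedForEveryone);
console.log(JSON.stringify(findings, null, 2));
```

Each finding names a node to look up with the group query earlier in the thread, so the grant can be removed at its source.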