custom role permission bug

I'm having trouble with permission for users in custom roles. I'm also having a hard time finding this issue listed in previous threads.

These are the steps I went through.

1. Create a new role and give this role full permissions for pages.
2. Create a new user for this role.
3. Create a page or collection of pages that only admins and this new role will have permission to. This new role will only have access to this section of pages. Therefore, I have to break inheritance on these pages to give this role permissions on this section only and no other page. In the "Permissions for all pages" this role is not added to any permissions, but on the individual pages it is.
4. Give this role View permissions on the backend "pages" so this new role can see the pages menu when logged in. Oh, and I also gave this role backend permission.

After logging in with this new user, the pages tab/menu is not visible. It can't edit or see any page.

Furthermore, I went back in as an admin and added permissions for this custom role on the "permissions for all pages". I just gave this new role permission to edit content. I logged in again and could see the pages section. I could edit and publish on the pages I gave specific permission to (broken inheritance ones) but on the other pages I tried to publish some changes and it said I wasn't allowed to. That means those pages I didn't break inheritance didn't truly inherit permissions when I gave them content editing permissions globally.

So, am I doing something wrong or is this a bug? I need custom roles (lots of them) that have access to their specific pages and content. Now what?

Hi Jaime,

Please excuse us for the inconvenience this issue might be causing. We have registered this behavior as a bug with permissions not applying correctly for custom roles. You can track the bug status and vote for it in PITS on this public URL. We'll be working on providing a timely fix for this problem. in the meantime, as a possible workaround, you can use the default roles, which should work without any problems.

Greetings,
Boyan Barnev
the Telerik team

I did not find where I can give a user access to see the main Menu 'Pages'

This is what I did:

Created Role 'DoesOnlyGroup'
Created user 'JohnDoe' in Role 'DoesOnlyGroup'


Create 10 Page with standard roles
Create 1 Page and break inheritance and give 'DoesOnlyGroup' also access.

Now when loggin in as JohnDoe I can not see any pages?

Or am I missing somewhere how to set permission to the pages. I looked at the roles section and did set as much views as I can (images, ImageGalleries and stuff) but they dont appear under Main Menu either (only Newsletter Beta)

Is this related to this bug, or am I missing something?

Markus

Hi Markus,

To make the Pages menu visible for the selected users you need to go to "Permissions for all pages" (see attached) and then give modify permissions to the specific role or user.  

The Pages link will become visible in the menu and all pages will become accessible. If you want to deny access to some of the pages you can do this separately for every page from its permissions menu.

Best wishes,
Antoaneta
the Telerik team

Dear Antoaneta

So what you tell me is that

I have to grant access to the role 'DoesOnlyGroup' to all 10 pages and then remove them from 9 pages.

I was under the impression I could simply grant the role 'DoesOnlyGroup' access to 1 page where he should have access. Thats why I can break permissions, not?

So I ask the question again. Could this be a bug?

Try make a fresh 4.1 project

Create 2 users (one admin, one in a new group called 'DoesOnlyGroup'

Create 10 pages
Take permissions for one page and grant access for this 1 page only to 'DoesOnlyGroup'

Log in as user with this group and see if it works.

Markus

Markus,

Don't waste your time. Custom roles as you described don't work.

You can try to test your scenario using two different standard roles to test you understanding of permissions. If it doesn't work you might have missed a step.

Good luck,
Jaime

See my post here for more information that might be of assistance related to this topic. The latest internal build 4.1.1367, (to be included in the SP due out soon), addresses some of this, but I still have some concerns which I discuss in the other post.

Boy, I really regret day by day for putting our client on 4.0 prematurely.  Learning every day about things that just don't work. Don't even know what to tell our client anymore.   I think Telerik definitely jumped the gun on this one.  I know when the bugs are mostly worked out it will be an amazing product but for those of us who took the leap of faith are paying for it severely with the clients! At least in 3.7 I knew how to do the workarounds...  now it is a completely different beast!

Hello,

Thank you all for participating in this discussion

As you have already discovered there are few problems related to custom roles and permissions. The process of assigning permissions is very time consuming (but it at least it is working). We will do our best to fix these problems as soon as possible.

We have also logged this issue in PITS where you can go and vote for it. The ID is 5966

Best wishes,
Antoaneta
the Telerik team

Dear Antoanetta

I was under the impression that cutom roles would be working after the expected release of 4.1 SP1? An I wrong? The status in PITS is still open.

If custom roles wont work after the SP1 expected today - then I really start to worrie.

Markus

Thank You,

Everyone, please vote on these related issues: 5965 and 5966.

Tom

Hi Markus,

Custom roles are currently working and you can create your own role with specific permissions.
The problem is that assigning permissions is a hard and time-consuming procedure, because for some very simple settings you will need to make several additional steps.

Best wishes,
Antoaneta
the Telerik team

Hi Markus,

Custom roles are currently working and you can create your own role with specific permissions.
The problem is that assigning permissions is a hard and time-consuming procedure, because for some very simple settings you will need to make several additional steps.

Best wishes,
Radoslav Georgiev
the Telerik team

That is great if only we could upgrade to 4.1 which we can't as there are problems!

Dear Radoslav

Just to make things clear

I have a custom role calle "RestrictedAccess"

I create pages

page1
page2
page3
page4
page5

The role "RestrictedAccess" should have Access to page5 only.

Expected
Break permission and grand role RestrictedAcess access to page5

What I hear from Telerik
Grand acces for role "RestirctedAccess" to ALL pages
Break permission on every other page (1-4) and remove role "RestrictedAccess"

Is that true?

If yes. Would every user who creates a new page have to remember to remove role "RestircedAccess" from the newly created page?

What if the user who created that page has no rights to remove roles?

Markus

Markus,

Sounds like you are interpreting things correctly and you make a very good point about users not having access to remove roles.

Internal build (4.1.1367), was supposed to contain the permissions fix to be rolled into SP1. In this internal build, granting "Modify Pages" to all pages did not really grant modify pages to all pages, (which by definition is another bug), It did, at least, allow the Pages menu to be visible to the user and it blocked the user from being able to modify other pages for which he was not the owner.

 With the release of the SP, we are pretty much back to the way it worked in the opriginal 4.1 release.

As far as addressing the permissions issues, the 4.1 SP1 has provided no fixes that I can see. It works the exact same way that it did.

If all you need to do is create a simple site with a few users, then having to remove permissions from all the other pages might work, but it is beyond impractical if your web site has many users with complex permissions.

Tom

@Tom

I sure hope you are wrong about this.

@Radoslav

Is Tom true. Please tell me - NO!

Markus

@Radoslav

How about the question about removing roles from pages needed for every new page created?
How about the question that user might not have the rights to do this?

Question still stands - The only way is

Grant a small group access to every page, and remove them from all pages they should not see

vs. 

Grant a small group access to a single page.

If this is still the case are we to expect changes in Q2 at least?

Markus

@Radsolav

Please answer the post above before answering this!

I tried the approach grant access to my customrole to all pages.

When I break inheritance of pages the custom role should not have access and remove the right to edit content. the pages get grayed out when accessing the back-end as a user of this group. So this is somewhat good. I rather have the pages not visible at all but this can be a problem when you have access to a page in 3rd level but do not have access to the partent pages.

However some  questions remain

1) When I grand Access to My Group to a page 'Seiteninhalt bearbeiten' (sf_custom_roles_01.png - which I cant get back to english) the user of My Role can enter into edit the page BUT I have no save buttons (workflow maybe)

2) I then granted access also to 'Eine Seite ändern' (I assume the difference is draging stuff around????)

3) I can grant rights in the role (sf_custom_roles_02.png) how do they play into this whole thing

At the moment my conclusion is one of the following

a) custom roles simply are not working
b) I have not yet understood how custom roles should work

I hope its b) and someone can explain it to me. If it realy is a) then I sure hope Q2 will fix that!

Markus

Just to follow up. It seems I'm still having this same issue with 6.1. Like those above, if I have 50 pages (about what we do have) and I want to allow a role access just one page, the only way to get the Pages tab visible is to ALLOW edit in "permissions for all pages", but then DENY for 49 pages?

 It's not even just trying to get the Pages tab to show. Say the page I want this role sole access to is /careers. Even if that user tries to go to /careers/action/edit, it blows the site up (500 error, object not set to instance of an object). 

So, is this bug from 4.0 still in 6.1? Is my only option of explicitly setting deny permissions for 49 pages (plus any new ones) the only workaround? Thanks.

Hi,

Thank you for your feedback. We are aware of this behavior and we are going to create an article about how permissions should be configured including some detailed information.

Regarding the problem that you are having what we could suggest you is to Deny Edit permissions for pages for all users on global or parent level and then break inheritance per page level and remove this deny permissions. Then you there will be no need to go through all pages and deny permissions. You will go through only these page which you want to be edit by your users.

If you have 50 pages and you globally change the permissions to Deny some roles or users and then you go to one page, which a role or user should be able to edit, break the inheritance and remove this Deny permissions, then the role or user will be able to access only this page and will not be able to access the other page.

Regards,
Stefani Tacheva
Telerik