Public User can log into Edit+ on one page - bug?

Cwestney · 2018-10-15 09:45:44 UTC

Matrix Version: 5.3.4.0

I’ve got one page on my site which when an editor goes to it directly and then into Edit+ shows the Edit+ user as Public User.

They don’t have permission to edit the page, but surely that account shouldn’t let them into Edit+ at all, it should give them the login page?

http://www.lakedistrict.gov.uk/visiting/planyourvisit/travelandtransport/toilets/_edit

We can work around it by going to another page, logging in, and then using Asset Finder to navigate to this page. That keeps the editors’ login and so then gives them the correct permissions.

I’ve checked all the permission settings, can’t see anything different on this page. Does this sound like a bug to you?

Thanks!
Charlie

Chris_Horikx · 2018-10-16 03:41:27 UTC

Following

Strange that the page gets a 403 but doesn’t show the login prompt.

I usually wouldn’t let the API or other edit specific JS/CSS have public read: http://www.lakedistrict.gov.uk/_web_services/easy-edit-suite.js - 200 OK

Changing these scripts to public deny and edit user read might trigger a login prompt, but that would seem to only hide an issue here.

Bart · 2018-10-19 11:13:21 UTC

Could potentially be a bug in that version, but might be implementation related as well. I’d suggest you contact Squiz Support for someone to login to your Admin backend and have a closer look there at the implementation and configuration of your Edit+.