CatalogManagers role cannot edit catalog after update

 

Hi,

We updated our project to the newest Commerce 12.14 from Commerce 11.2.3. After that, users with role CatalogManagers, but without CommerceAdmins can see the Catalog in Catalog Editor UI, but everything is read-only, the user cannot create any new entry or modify an existing one. In the previous version CatalogManagers had write access to the catalog as well.

If I assign the user CommerceAdmins role as well, it can edit the catalog. I have checked the role-configuration and security configuration in UI and everything is correct and like in the old version, there is no difference.

What could cause this change of behavior and how could it be solved? I have debugged, and the user gets the CatalogManagers claim, but apparently it is not enough.

Thank you in advance!

#200197 Edited, Jan 04, 2019 15:29
  • Quan Mai
    Member since: 2011
     

    It sounds like that is something to do with 11.6 when we added the catalog access rights feature. Make sure to set the access rights correctly to your users, and you should be fine:

    https://world.episerver.com/blogs/Quan-Mai/Dates/2017/12/catalog-content-permission-handling/ 

    #200203 Edited, Jan 04, 2019 18:25
  •  
    Thank you, that was it!
    #200209 Jan 04, 2019 18:15
  •  
    There is still a minor problem, my Catalog Manager is not allowed to create a new Catalog, because I could only set the access on Catalogs, but not on Catalog Root. Is it possible to create a new catalog with CatalogManagers role?
    #200389 Jan 10, 2019 13:08
  • Quan Mai
    Member since: 2011
     

    You can assign the write access right to CatalogManagers like this

                IContent content;
                if (_contentLoader.TryGet<IContent>(_referenceConverter.GetRootLink(), out content))
                {
                    var securableContent = (IContentSecurable)content;
                    var defaultAccessControlList = (IContentSecurityDescriptor)securableContent.GetContentSecurityDescriptor().CreateWritableClone();
                    defaultAccessControlList.AddEntry(new AccessControlEntry("CommerceManagers", AccessLevel.Create, SecurityEntityType.Role));
                    _contentSecurityRepository.Save(content.ContentLink, defaultAccessControlList, SecuritySaveType.Replace);
                }
    #200395 Jan 10, 2019 15:13
  •  
    Thanks for your answer. I tried your code, but it makes no difference, the permission on Catalog Root seems to be ignored. I tried also with FullAccess, no difference. I verified that after restart the permission is still there, I also did a logout-login with my Catalog Manager, but it can still have no permission to create a new catalog. If I remove the permissions applied on the catalogs (see your previous answer), it also does not get inherited down. Any ideas?
    #200416 Jan 11, 2019 11:28
  • Quan Mai
    Member since: 2011
     

    Then I would suggest you to contact developer support service. It sounds like something is wrong somewhere, it's just not easy to tell from this thread 

    #200417 Jan 11, 2019 12:24
  •  

    I debugged into AccessControlList.QueryAccess() and noticed that the ACL has the wrong role - in your snippet it's CommerceManagers instead of CatalogManagers, that was the problem.

    At the end I gave FullAccess to CatalogManagers, so there is no need to configure anything on Catalog, I put this in an InitializationModule, the code:

    IContent content;
    if (contentLoader.TryGet(referenceConverter.GetRootLink(), out content))
    {
    	var securableContent = (IContentSecurable)content;
    	var contentSecurityDescriptor = securableContent.GetContentSecurityDescriptor();
    	if (!contentSecurityDescriptor.Entries.Any(entry =>
    		entry.Name == "CatalogManagers" &&
    		entry.Access == AccessLevel.FullAccess &&
    		entry.EntityType == SecurityEntityType.Role))
    	{
    		var defaultAccessControlList = (IContentSecurityDescriptor)contentSecurityDescriptor.CreateWritableClone();
    		defaultAccessControlList.AddEntry(new AccessControlEntry("CatalogManagers", AccessLevel.FullAccess, SecurityEntityType.Role));
    		contentSecurityRepository.Save(content.ContentLink, defaultAccessControlList, SecuritySaveType.Replace);
    	}
    }
    

    Thanks for your help!

    #200424 Edited, Jan 11, 2019 13:19