It seems like the new caching in Glass Mapper v5 is not properly checking permissions set in Sitecore. Sample steps to reproduce:
1. Create a new content item and create a user who does not have read permission to this item.
2. Create a template with a link field.
3. Create a content item with the template from step 2 and point the link to the item from step 1.
4. Create a Glass model for the template from step 2 and put in code to retrieve the item with the link, e.g. `T val = mvcContext.GetDataSourceItem<T>()`
5. Load the model from step 4 first with the user who does not have permissions to the link. The link field will be empty; this is expected since the user does not have permission.
6. Now load the same model with a user who has permissions to the item. The link is still empty; this is not expected, as the user has permission to this link.

Changing the code from point 4 to `T val = mvcContext.GetDataSourceItem<T>(x => x.CacheDisabled())` resolves this issue.
EDIT: the opposite is also true, Glass will return items to which the user does not have access if they were requested by an authorized user initially.
You are right. The cache does a basic check on the path and configuration of the model that was requested and returns the cached model to avoid touching the Sitecore database. This means it won't check the security of the item.
At this time I would recommend turning off caching for models that need security applied.
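
A minimal model of the behaviour described in this thread, added here as an illustration and not taken from Glass Mapper or Sitecore: the types `Item`, `Model`, `Repo` and `Mapper` are hypothetical, the users and paths are constructed, and the `cacheDisabled` flag stands in for the `CacheDisabled()` workaround. It shows a cache keyed only on path and model type replaying the first caller's view to later callers, in both request orders.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical stand-ins, not Sitecore or Glass Mapper types.
record Item(string Path, HashSet<string> Readers);
record Model(string Path, string LinkTarget); // LinkTarget is null when the caller cannot read the linked item

class Repo
{
    readonly Dictionary<string, Item> _items = new();
    public void Add(Item i) => _items[i.Path] = i;
    bool CanRead(string user, string path) =>
        _items.TryGetValue(path, out var i) && i.Readers.Contains(user);
    // Maps the item with the caller's permissions applied to the link field.
    public Model Map(string user, string path, string linkPath) =>
        new Model(path, CanRead(user, linkPath) ? linkPath : null);
}

class Mapper
{
    readonly Repo _repo;
    readonly bool _cacheDisabled;
    readonly Dictionary<string, Model> _cache = new();
    public Mapper(Repo repo, bool cacheDisabled) { _repo = repo; _cacheDisabled = cacheDisabled; }

    public Model Get(string user, string path, string linkPath)
    {
        if (_cacheDisabled) return _repo.Map(user, path, linkPath); // security evaluated on every call
        var key = path + "|" + nameof(Model);                       // key has no user or permission component
        if (!_cache.TryGetValue(key, out var m))
            _cache[key] = m = _repo.Map(user, path, linkPath);      // first caller's view is stored
        return m;                                                   // and returned to every later caller
    }
}

static class Demo
{
    static string Show(Model m) => m.LinkTarget ?? "(empty)";
    static void Main()
    {
        var repo = new Repo();
        repo.Add(new Item("/secret", new HashSet<string> { "alice" })); // constructed sample data
        foreach (var disabled in new[] { false, true })
            foreach (var order in new[] { new[] { "bob", "alice" }, new[] { "alice", "bob" } })
            {
                var mapper = new Mapper(repo, disabled);                // fresh cache per run
                foreach (var user in order)
                    Console.WriteLine($"cacheDisabled={disabled} {user}: {Show(mapper.Get(user, "/page", "/secret"))}");
            }
    }
}
```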