bin/wcmcommand with cmd "movePage" or "deletePage" triggered for a readonly user | Community
Level 2
October 23, 2023
Solved

We have a filter for "bin/wcmcommand" for cmd "movePage" and "deletePage", and it is expected to perform certain operations when a Delete operation or Move operation is performed from AEM consoles.

However, we observed that the filter was active for a read-only user while loading the AEM sites console. We are trying to understand what could trigger "bin/wcmcommand" with cmd as "movePage" or "deletePage" from the sites console (except the move or delete button, as these will be disabled for the read-only user).

3 replies

aanchal-sikka
Community Advisor
October 23, 2023

@rishabhsinha 

The read-only access should take care of the buttons via render condition. Also, the current user session should be used by the WCMCommand OOTB, thus preventing the move and delete.

Are you seeing any discrepancies?

Aanchal Sikka
Level 2
October 26, 2023

Yes, I could see that the move/delete buttons are disabled for the user. But this doesn't restrict AEM from triggering "bin/wcmcommand" with "cmd" as "deletePage" or "movePage". Hence, we are trying to figure out if there is any possibility to trigger the same via any other operation, as it should have happened in our case!

aanchal-sikka
Community Advisor
Accepted solution
October 26, 2023

Hello @rishabhsinha 

The operations would be done from the user's session. So, if the user doesn't have access, the operations would fail.

Thus, even if someone triggers it explicitly, they shouldn't succeed.

Maybe you can simulate the same request via Postman and confirm.

Aanchal Sikka
arunpatidar
Community Advisor
October 23, 2023

Hi @rishabhsinha 
You cannot restrict the filter based on the ACL.

You need to check this manually in the Filter and restrict operations based on user permissions.

Arun Patidar
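
One way to do the in-filter check suggested above, as an added example that is not part of the original thread or of AEM's own code. The class name and the `onPermittedCommand` hook are hypothetical, and the request parameter names `path` (deletePage) and `srcPath` (movePage) are assumptions; only `cmd` appears in the thread.

```java
import java.io.IOException;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.servlet.*;
import org.apache.sling.api.SlingHttpServletRequest;
import org.osgi.service.component.annotations.Component;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// Hypothetical filter: runs custom move/delete handling only when the caller's own session may remove the page.
@Component(service = Filter.class,
        property = {"sling.filter.scope=REQUEST", "sling.filter.pattern=/bin/wcmcommand"})
public class WcmCommandPermissionFilter implements Filter {
    private static final Logger LOG = LoggerFactory.getLogger(WcmCommandPermissionFilter.class);
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        SlingHttpServletRequest request = (SlingHttpServletRequest) req;
        String cmd = request.getParameter("cmd");
        boolean delete = "deletePage".equals(cmd);
        if ("POST".equals(request.getMethod()) && (delete || "movePage".equals(cmd))) {
            // Assumed parameter names: "path" for deletePage, "srcPath" for movePage.
            String[] paths = request.getParameterValues(delete ? "path" : "srcPath");
            Session session = request.getResourceResolver().adaptTo(Session.class);
            for (String path : paths == null ? new String[0] : paths) {
                if (mayRemove(session, path)) {
                    onPermittedCommand(cmd, path);
                } else {
                    LOG.warn("{} on {} requested by {} without remove permission; custom handling skipped",
                            cmd, path, request.getResourceResolver().getUserID());
                }
            }
        }
        chain.doFilter(req, res); // per the answers in this thread, WCMCommand runs with the same user session
    }
    private boolean mayRemove(Session session, String path) {
        try { // hasPermission evaluates the ACLs of the session's user, here the requesting user
            return session != null && path != null && path.startsWith("/")
                    && session.hasPermission(path, Session.ACTION_REMOVE);
        } catch (RepositoryException e) {
            return false; // fail closed on malformed paths or repository errors
        }
    }
    private void onPermittedCommand(String cmd, String path) { // placeholder for the site's own logic
        LOG.info("running custom {} handling for {}", cmd, path);
    }
    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }
}
```

The warning line also records which user and path reached the filter without remove permission, which helps when tracing what issued the request.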
Level 2
October 26, 2023

Thanks! What I understood is that you are suggesting to check the user permissions in the filter itself before performing any operation, and if the user is permitted to move/delete, then we can continue with the operation. Will give it a try.

But I am still trying to understand how "/bin/wcmcommand" got triggered for a READ-ONLY user with command "deletePage" or "movePage", so that we are sure that the servlet was only invoked via the move/delete button and not via any other operation. If it was triggered via any other operation, then we need to have a check on that scenario irrespective of the user.

kautuk_sahni
Community Manager
October 26, 2023

@rishabhsinha Did you find the suggestions from users helpful? Please let us know if more information is required. Otherwise, please mark the answer as correct for posterity. If you have found a solution yourself, please share it with the community.

Kautuk Sahni